Static analysis of a packed malware sample with Cuckoo Part2 ~ Hacking while you're asleep

If you have not read the previous post of this topic, you can see it here: Static analysis of a packed malware sample with Cuckoo Part1

In the second post on this topic, I am going to talk about how to research some imports that we have got, to try to figure out what the malware does. Notice it is really difficult to know what the program exactly does by only performing only a basic static analysis, but it offers us a real insight into its goal.

To see the imports that I am going to talk about, you can visit the Cuckoo's report of the unpacked sample here and go to the Static Analysis section.

Library KERNEL32.DLL

We can see an import called CreateProcessW which it is able to create new processes.

The VirtualAllocEx, WriteProcessMemory imports would be a hint of it will lead with some form of process injection.

A lot of API related with file management can be seen. This program can read, write, create files...

CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, SetFileTime, GetFileAttributesW, FindClose, DeleteFileW, , MoveFileW, CopyFileW, GetTempFileNameW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNames, SetFileAttributesW, GetFileSize, GetModuleFileNameW

With FindFirstFileW, FindNextFileW API the program searches in the filesystem and copies files.

IsDebuggerPresent This API detects if the program is being debugged and if it is, it can change its behaviour... It is common to find this API in malware samples... With this technique the malware developers are trying to make the malware analyst’s task more difficult.

Library ADVAPI32.dll

Here we can see that the program call to the functions below in order to create, edit or remove register keys:

RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegConnectRegistryW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.

COMCTL32.dll and GDI32

These imports are related to the use of images...

ImageList_Create, ImageList_Remove, ImageList_Destroy, ExtCreatePen, SetPixel ...

MPR.dll

These imports are related with network connections. Two of them draws our attention.

WNetGetConnectionW: This import retrieves the name of the network resource associated with a local device and it could have three parameters; lpLocalName, lpRemoteName and lpnLengt.
WNetGetConnectionW: This import makes a connection to a network resource and can redirect a local device to the network resource.

USER32.dll

This DLL is involved in the manage of user-interface components like button, scroll bar, etc ...

GetCursorInfo, ClientToScreen, GetMenuStringW, GetSubMenu, SetWindowLongW, FrameRect, CharNextW, IsDlgButtonChecked, IsMenu...

WININET.dll

With this DLL the program could implement high level network functions like FTP or HTTP.

The program could be able to read files just downloaded from the Internet. Also it could make requests to an URL like it were a browser.

InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable.

I want to remark these two imports:

FtpOpenFileW: "This function initiates access to a remote file for writing or reading."
FtpGetFileSize: "This function retrieves the file size of the requested FTP resource."

But why am I remarking on these imports? If we run this sample malware in a lab machine which is running a sniffer, we could get the username and password of the remote FTP (if it has it) which the malware is connecting with to upload or download information. Notice the FTP protocol sends the username and password to the server througth the network in clear text... It could be really interesting...

WSOCK32.dll

It is a network DLL but we can not see the imports. We would need to research in deep...

CONCLUSION

As mentioned above, it is really difficult to know what the malware does only with a basic analysis but we can say about the sample which we have analyzed...

It is a malware sample because the majority of the anti-virus vendors have detected it as Backdoor.
The malware developers try to hide the program's code packing the file.
The developer tries to make malware analysis a difficult task by using IsDebuggerPresent API. (You can learn a trick about how to not be detected by the malware when you open the executable in a debugger).
When the program is executed, it calls to a lot of APIs in order to read and search files. Maybe the program steals private information reading documents or writing the password captured by a possible keylogger.
It has graphical capabilities. It is possible that it has a GUI.
Network resources API calls have been found in the malware imports. There are possibilities that the malware will try to steal information from our local network or trying to infect to other users through the shared resources.
It has network functions such as HTTP and FTP. The malware could get into a botnet network and receive the orders through the Internet. Also, it is possible that the program uploads the data that has been stolen via HTTP or FTP to the hacker servers.

Hacking while you're asleep

BehindTheFirewalls is a blog where you can find all the latest information about hacking techniques, new trends in IT security and the recent products offered by security manufacturers. We'll talk about Firewalls, IPS, Botnets...

Tuesday, October 15, 2013