Configuration Analysis, Run Time Analysis & Editing

by Coleman Kane

During week 2 we put together a malware sample by authoring a custom configuration. In week 3 we analyzed the VM that we ran it within for forensic evidence of the malware. In week 4, we took another backdoor that was compiled in C and decided to analyze aspects of its control flow to learn more about how it worked and also introduce you all to the Ghidra decompiler.

This week we will introduce new topics that build on these others:

• Static configuration extraction
• Some analysis evasion techniques
• Run-time analysis w/ a debugger
• Run-time patching

Static configuration extraction

The following is a snippet of the macros that you can modify in the source code from revolution_backdoor_windows.cpp in order to change the behavior of the backdoor:

#define BUFFER_SIZE 4096
#define REMOTE_HOST "192.168.1.71"
#define REMOTE_PORT 444
#define FTP_SERVER "192.168.1.71"
#define FTP_USER "unamed"
#define FTP_PASS "test123"

The above is relatively simplistic, and in class we will explore a slightly modified version of this backdoor to extract the configuration from. There are a lot of existing projects out there that can do this work on a range of malware families. In class we will experiment with doing this work from scratch.

Some open source projects:

• JPCERT/CC MalConfScan
• DC3 Malware Configuration Parser
• Team T5 MalCfgParser
• RAT Decoders Project

Here is a good write-up of how someone used analysis utilities to analyze and extract the configuration from an REvil ransomware malware:

• REvil/Sodinokibi Ransomware

Evasion Techniques

There are a lot of evasion techniques out there - often these may come in the form of VM detection, debugger detection, or both. I will work off of some VM detection routines I have collected that are implemented in C and posted here:

• vm-detection project

Review the above to familiarize yourself with the available techniques I will be working from. This is definitely not and all-encompassing list, and you are likely to find malware in the wild that uses more than just these techniques to accomplish this goal.

Some further reading on the topic:

• Cyberbit: Anti-VM and Anti-Sandbox Explained
• Joanna Rutkowska: Red Pill… or how to detect the VMM using (almost) one CPU instruction

As well, a tool to keep in your defensive pocket:

• AntiVMDetection Project

Run-time Debugger Analysis

We will be using the ImmunityDebugger to perform the run-time analysis of malware in this week’s class. You’ll likely notice some similarity between the view you get with Immunity and that which you got with Ghidra in last week’s class. The big difference will be that Immunity Debugger is analyzing a program that has already been loaded into memory by the OS, while Ghidra is (as of 2020) relegated to simply analyzing files at rest on your hard drive.

I found a really good write-up that gives 3 examples of analyzing different programs, distributed by SANS, and authored by Roberto Nardella:

• Basic Reverse Engineering with Immunity Debugger local copy

The above PDF has 3 C programs embedded within it. Since extracting these and compiling them could take a bit of work, I have taken the trouble to do so for you all:

• Example 1: C code Win32 EXE
• Example 2: C code Win32 EXE
• Example 3: C code Win32 EXE

Please take some time to go through one or more of these examples to familiarize yourself with the Immunity Debugger.

home