It seems everyone has been busy with the winter vacation recently, so the forum has been noticeably quiet. To liven things up, I will share with you the process of analysing a Trojan over the past two days. The purpose of this article is not to describe the functionality of this sample; after all, this Trojan is already widely detected and removed. I just want to discuss the code analysis process with you through this example. If there are mistakes, please correct me.

1. Analysis environment and tools

First, my analysis environment:
OS: Windows XP SP3, in a VMware virtual machine.
TOOLS:
The first two tools are mainly used for unpacking. The analysis itself mainly uses the BSA sandbox and IDA Pro. MD is used so that the changes the sample makes to the system during dynamic analysis can be cleaned up easily.

2. Sample source

I don't remember exactly; it seems it was an unprocessed sample from some forum. I will provide it as an attachment. Name: virussign.com_0a9f170cfa142b42cc8e8e5c9b47057a.exe. This sample is packed with UPX. To make analysis easier, the sample was unpacked first. I won't say much about the unpacking process: because it is UPX, the simplest packer, I simply followed the unpacking tutorials in the forum and used the first two tools to find the popad, rebuild the import table and so on, and everything went smoothly (UPX is recommended as a starting point if you want to learn unpacking). Name after unpacking: dumped_1.exe, which is the target of the analysis.

3. Anti-virus detection

360 is installed on the host, and both samples, before and after unpacking, were scanned. The detections were as follows. The packed sample (because 360 uses the AntiVir engine) is reported as TR/Offend.66568521 (for more details, see: https://www.virustotal.com/file/aa63f063e907c0cfbe4b44bce2e713ff0f70e7e3cd43635341f1b6587fbcfdc1/analysis/ ). dumped_1.exe is reported as Backdoor.Win32.Gh0st.CV. The difference between the two 360 results is due to the change in signature after unpacking.

4. Dynamic analysis

When you get a sample, you should first consider whether it is malicious code at all, assuming your anti-virus has raised no alarm. Although we already know it is a Trojan, we may still ask: which malicious behaviours make it a Trojan? The most intuitive way to view behaviour is API monitoring or environment monitoring. The tools I recommend: Sandboxie and BSA. I will not explain how to use them here. Let's look at the report generated after running the sample in the sandbox.
Note: you can run either the packed or the unpacked sample in the sandbox, since both behave the same. I usually pay attention to two reports:

(1) API log:

Executing: c:\sample106\upx\1\dumped_1.exe
LoadLibrary(gdi32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(kernel32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(msvcrt.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(netapi32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(oleaut32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(ole32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(shell32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(shlwapi.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(user32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(winmm.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(ws2_32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(ws2help.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(wtsapi32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(winsta.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(lz32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(lz32.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(kernel32.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(Kernel32) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(comctl32.dll) [c:\sample106\upx\1\dumped_1.exe]
OpenProcessToken(C:\sample106\upx\1\dumped_1.exe) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(LPK) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(LPK.DLL) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(USER32) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(imm32.dll) [c:\sample106\upx\1\dumped_1.exe]
CreateEvent(DINPUTWINMM) [c:\sample106\upx\1\dumped_1.exe]
CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(advapi32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(urlmon.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(iexplore.exe) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(explorer.exe) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(ZonesCounterMutex) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(ZonesCacheCounterMutex) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(ZonesLockedCacheCounterMutex) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(version.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(shlwapi.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(psapi.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(wininet.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(crypt32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(msasn1.dll) [c:\sample106\upx\1\dumped_1.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(avicap32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(msvfw32.dll) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(aa0533.3322.org) [c:\sample106\upx\1\dumped_1.exe]
CreateRemoteThread(c:\sample106\upx\1\dumped_1.exe) [c:\sample106\upx\1\dumped_1.exe]
CreateProcess((null), c:\Windows\svchest000.exe, (null)) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(winlogon.EXE) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(c:\windows\system32\mswsock.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(mswsock.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(apphelp.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(hnetcfg.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(rpcrt4.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(c:\windows\system32\wshtcpip.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(wshtcpip.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(dnsapi.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(advapi32) [c:\sample106\upx\1\dumped_1.exe]
Executing: c:\windows\svchest000.exe
LoadLibrary(c:\windows\system32\winrnr.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(winrnr.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(wldap32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(gdi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(kernel32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msvcrt.dll) [c:\windows\svchest000.exe]
LoadLibrary(netapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(oleaut32.dll) [c:\windows\svchest000.exe]
LoadLibrary(ole32.dll) [c:\windows\svchest000.exe]
LoadLibrary(shell32.dll) [c:\windows\svchest000.exe]
LoadLibrary(shlwapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(user32.dll) [c:\windows\svchest000.exe]
LoadLibrary(winmm.dll) [c:\windows\svchest000.exe]
LoadLibrary(rasadhlp.dll) [c:\sample106\upx\1\dumped_1.exe]
GetModuleHandle(ws2_32.dll) [c:\sample106\upx\1\dumped_1.exe]
connect(221.130.179.36:1379) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(ws2_32.dll) [c:\windows\svchest000.exe]
LoadLibrary(ws2help.dll) [c:\windows\svchest000.exe]
LoadLibrary(wtsapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(winsta.dll) [c:\windows\svchest000.exe]
GetModuleHandle(lz32.dll) [c:\windows\svchest000.exe]
LoadLibrary(lz32.dll) [c:\windows\svchest000.exe]
GetModuleHandle(kernel32.dll) [c:\windows\svchest000.exe]
GetModuleHandle(Kernel32) [c:\windows\svchest000.exe]
LoadLibrary(comctl32.dll) [c:\windows\svchest000.exe]
OpenProcessToken(C:\WINDOWS\svchest000.exe) [c:\windows\svchest000.exe]
GetModuleHandle(LPK) [c:\windows\svchest000.exe]
GetModuleHandle(LPK.DLL) [c:\windows\svchest000.exe]
GetModuleHandle(USER32) [c:\windows\svchest000.exe]
LoadLibrary(imm32.dll) [c:\windows\svchest000.exe]
CreateEvent(DINPUTWINMM) [c:\windows\svchest000.exe]
CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\windows\svchest000.exe]
LoadLibrary(advapi32.dll) [c:\windows\svchest000.exe]
LoadLibrary(urlmon.dll) [c:\windows\svchest000.exe]
GetModuleHandle(iexplore.exe) [c:\windows\svchest000.exe]
GetModuleHandle(explorer.exe) [c:\windows\svchest000.exe]
CreateMutex(ZonesCounterMutex) [c:\windows\svchest000.exe]
CreateMutex(ZonesCacheCounterMutex) [c:\windows\svchest000.exe]
CreateMutex(ZonesLockedCacheCounterMutex) [c:\windows\svchest000.exe]
LoadLibrary(version.dll) [c:\windows\svchest000.exe]
GetModuleHandle(shlwapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(psapi.dll) [c:\windows\svchest000.exe]
LoadLibrary(wininet.dll) [c:\windows\svchest000.exe]
LoadLibrary(crypt32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msasn1.dll) [c:\windows\svchest000.exe]
CreateEvent(Global\crypt32LogoffEvent) [c:\windows\svchest000.exe]
LoadLibrary(avicap32.dll) [c:\windows\svchest000.exe]
LoadLibrary(msvfw32.dll) [c:\windows\svchest000.exe]
CreateMutex(aa0533.3322.org) [c:\windows\svchest000.exe]
GetModuleHandle(mscoree.dll) [c:\windows\svchest000.exe]

From this we can see which dynamic libraries are loaded and which mutexes, files, registry keys and so on this sample touches. Of course it is not very readable.
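A log this long is easier to read once the calls that matter are pulled out of the library-loading noise. The following Python script is an added example, not part of the original post and not a BSA feature: it parses a constructed excerpt of the API log above (same `API(arg) [process]` format), lists the processes that executed, the process spawned, the calls the author goes on to single out (CreateMutex, OpenProcessToken, CreateProcess, CreateRemoteThread) plus connect, and the mutex name and network endpoint that could serve as indicators. The list of named objects treated as sandbox or library noise (the SBIE_ prefix comes from Sandboxie itself) is my assumption, not something the sandbox reports.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "api arg proc")

CALL_RE = re.compile(r"^(\w+)\((.*)\)\s+\[(.*)\]$")
EXEC_RE = re.compile(r"^Executing:\s+(.*)$")

# Calls the post singles out as clues for static analysis, plus connect()
KEY_APIS = {"CreateMutex", "OpenProcessToken", "CreateProcess",
            "CreateRemoteThread", "connect"}

# Named objects that Sandboxie itself (SBIE_ prefix) or ordinary library
# initialisation creates; treated as environment noise (my assumption).
NOISE_PREFIXES = ("SBIE_", "Zones", "DINPUTWINMM", "Global\\crypt32LogoffEvent")

# Constructed excerpt of the BSA API log, same API(arg) [process] format
API_LOG = r"""
Executing: c:\sample106\upx\1\dumped_1.exe
LoadLibrary(gdi32.dll) [c:\sample106\upx\1\dumped_1.exe]
LoadLibrary(kernel32.dll) [c:\sample106\upx\1\dumped_1.exe]
OpenProcessToken(C:\sample106\upx\1\dumped_1.exe) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(ZonesCounterMutex) [c:\sample106\upx\1\dumped_1.exe]
CreateMutex(aa0533.3322.org) [c:\sample106\upx\1\dumped_1.exe]
CreateRemoteThread(c:\sample106\upx\1\dumped_1.exe) [c:\sample106\upx\1\dumped_1.exe]
CreateProcess((null), c:\Windows\svchest000.exe, (null)) [c:\sample106\upx\1\dumped_1.exe]
Executing: c:\windows\svchest000.exe
LoadLibrary(ws2_32.dll) [c:\windows\svchest000.exe]
connect(221.130.179.36:1379) [c:\sample106\upx\1\dumped_1.exe]
OpenProcessToken(C:\WINDOWS\svchest000.exe) [c:\windows\svchest000.exe]
CreateMutex(aa0533.3322.org) [c:\windows\svchest000.exe]
"""


def parse_api_log(text):
    """Turn the log into Event tuples; 'Executing:' lines become Event('Executing', path, path)."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXEC_RE.match(line)
        if m:
            events.append(Event("Executing", m.group(1), m.group(1).lower()))
            continue
        m = CALL_RE.match(line)
        if m:
            events.append(Event(m.group(1), m.group(2), m.group(3).lower()))
    return events


def triage(events, key_apis=KEY_APIS):
    """Summarise the log the way an analyst reads it: who ran, what they spawned,
    which key calls they made, and which mutex/endpoint could serve as indicators."""
    report = {"processes": [], "spawned": [], "key_calls": [], "network": [], "mutexes": []}
    for e in events:
        if e.api == "Executing":
            report["processes"].append(e.proc)
            continue
        noise = e.arg.startswith(NOISE_PREFIXES)
        if e.api == "CreateProcess":
            # second field of the CreateProcess line is the launched image (as in the log)
            image = e.arg.split(", ")[1].lower()
            report["spawned"].append((e.proc, image))
        elif e.api == "connect":
            host, port = e.arg.rsplit(":", 1)
            report["network"].append((host, int(port)))
        elif e.api == "CreateMutex" and not noise and e.arg not in report["mutexes"]:
            report["mutexes"].append(e.arg)
        if e.api in key_apis and not noise:
            report["key_calls"].append((e.proc, e.api, e.arg))
    return report


if __name__ == "__main__":
    for section, rows in triage(parse_api_log(API_LOG)).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The same parser runs unchanged over the full log; only the noise list needs adjusting when the sandbox or the sample's own library set differs.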
In fact, my goal is to see whether certain key functions are called, such as CreateMutex, OpenProcessToken, CreateProcess and CreateRemoteThread. These give good clues for the static analysis. If you find this not intuitive enough, we can also look at the report it generates, which is very clear.

(2) Report

[Changes to filesystem]
* Creates file C:\WINDOWS\BJ.exe
* Creates file (hidden) C:\WINDOWS\SbiePst.dat
* Creates file (hidden) C:\WINDOWS\svchest000.exe

[Changes to registry]
* Modifies value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket, old value empty
* Modifies value "Common Desktop=C:\Documents and Settings\All Users\Lhb?" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Shell Folders, old value "Common Desktop=C:\Documents and Settings\All Users\Desktop"
* Creates value "Kris=C:\sample106\upx\1\dumped_1.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\MediaResources\msvideo
* Creates value "SymbolicLinkValue=keys" in key HKEY_CURRENT_USER\software\classes
* Modifies value "Desktop=C:\Documents and Settings\Administrator\Lhb?" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, old value "Desktop=C:\Documents and Settings\Administrator\Desktop"
* Creates value "FolderType=Documents" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\45\Shell

[Network services]
* Connects to "221.130.179.36" on port 1379.

[Process/window information]
* Creates an event named "SBIE_BOXED_ServiceInitComplete_RpcSs".
* Creates a mutex "ZonesCounterMutex".
* Creates a mutex "ZonesCacheCounterMutex".
* Creates a mutex "ZonesLockedCacheCounterMutex".
* Creates a mutex "aa0533.3322.org".
* Creates process "(null), c:\Windows\svchest000.exe, (null)".

You can see the sample's impact on the file system, registry, network and system environment. It is clear and intuitive, and it is not hard to say that this is a Trojan.

5. Static analysis

The dynamic analysis already makes it clear that this is a Trojan: for example, it drops the files bj.exe and svch0st080.exe, adds a Run entry to the registry, and connects to some port of a domain name. So what is static analysis for? The answer I want to give is ... learning ... Haha, I laughed at myself. On the one hand, this forum wants everyone to improve through analysis, so it is worth sharing the static analysis process. But in fact my goal is not just learning .... "Spot the difference": not the game, but we all know that dynamic analysis only exercises part of the code, and many hidden behaviours are never displayed. Static analysis is, in theory, more comprehensive. So the aim of static analysis is to find out which behaviours were not displayed and how they are organised. It turns out that static analysis is absolutely necessary, because many of the Trojan's behaviours are executed only when the controller (the attacker) sends a command, which will be reflected in the later analysis.

Tool: IDA Pro 5.5. Unfortunately I do not have the Hex-Rays decompiler plugin, so I can only read the assembly code. The static analysis of the unpacked dumped_1.exe is as follows.

(1) Tip 1. I have to say this sample gave me some difficulty during analysis. The first problem I ran into was dynamic loading of functions: the unpacked code shows many functions in the import table, but in the actual code, calling these functions is not a direct instruction like call CreateProcessEx.
Instead, a dword is reserved in the data segment, and a dynamic loading function writes the API address into it at run time. For example, first:

UPX0:0040E015 push offset Name
UPX0:0040E01A push 0
UPX0:0040E01C push 0
UPX0:0040E01E call dword_478A90

What is this function? IDA gives no cross-reference for it, but at that address you can see:

UPX0:00478A90 dword_478A90 dd 0 ; DATA XREF: sub_40D5B0+17w
UPX0:00478A90 ; WinMain(x,x,x,x)+CEr

which indicates that the function sub_40D5B0 writes this variable. What is that function? Go in:

UPX0:0040D5B0 sub_40D5B0 proc near ; CODE XREF: ...
UPX0:0040D5B0 push offset ProcName ; "CreateMutexA"
UPX0:0040D5B5 push offset LibFileName ; "KERNEL32.dll"
UPX0:0040D5BA call LoadLibraryA
UPX0:0040D5C0 push eax
UPX0:0040D5C1 call GetProcAddress
UPX0:0040D5C7 mov dword_478A90, eax
UPX0:0040D5CC retn
UPX0:0040D5CC sub_40D5B0 endp

So dword_478A90 is actually the address of CreateMutexA, and call dword_478A90 means call CreateMutexA. Do not underestimate dynamic loading (or indirect referencing); it has a big impact on static analysis. It would not matter if only one function were referenced indirectly, but a large number of APIs are handled this way. So I had to spend a lot of time adding comments to these function addresses in the data segment so that the program reads well.

(2) Tip 2: dynamic debugging in IDA. The analysis stops at the WinMain function. This is our so-called entry point function, and it is where the code really starts. You can use Graph view to look at the code; this is more intuitive. The focus of the analysis is the APIs: you need to look at which APIs are called. This WinMain is very simple.
Almost all of the behaviour monitored dynamically is implemented by creating threads with different functions: for example, the thread that creates the files bj.exe and svchost080.exe, one that checks whether 360, Rising and so on are installed on the system (from this my preliminary judgement is that it was written by Chinese authors), one that creates a registry key, and one that connects to the target URL and port. There are many functions; I have detailed comments in the idb and will not explain them further. My personal experience is that the WinMain code can be traced by stepping through it with the dynamic debugging IDA provides. The advantage is that function parameters can be obtained easily, which helps to determine the target. However, you must use MD to delete the new files and registry entries after debugging. Next, after pressing F9 until all threads have been started, you will find that the threads go to Sleep. At this point the WinMain function you have analysed has basically the same functionality as the APIs observed in dynamic analysis. Nothing new. Is the analysis finished here???????

(3) There must be something else. Next we rely on experience. IDA has analysed so many functions (1148) that many of them remain unexamined. Thinking it over, the functions analysed so far are the Trojan's self-protection (self-replication and auto-start). We have not analysed what it actually does, which even dynamic execution did not display. The reason is easy to imagine: after it reached the target domain name, the attacker did not issue the next command. However, the commands and the functions that implement them must still be in the code. So my goal is to find them .... I have to admit that although I did find them in the end, there is one problem I have not solved yet: where in the code they are called. I leave this for you to study; I believe there are experts who can help solve it.
Leaving that aside (it depressed me for a long time and I still have not solved it), let's see how to find the hidden code. The method is actually very simple: start with the APIs. There are many key APIs in the import table that relate to Trojan behaviour, such as CopyFile, which creates a file. The normal idea is to find CopyFile in the import table, check where it is referenced in the code, and then analyse the context of the reference. If you do that, you will find the following:

UPX0:0046B074 ; BOOL __stdcall CopyFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists)
UPX0:0046B074 CopyFileA dd ? ; DATA XREF: sub_40DC80+37r

That is to say, the code calls CopyFile in the function sub_40DC80. What does this function do? Following it in, you find it has already been analysed from WinMain: it copies the sample to bj.exe and svchost080.exe. A Trojan that calls CopyFile only in this one place: is that normal? Abnormal? Normal? It must be that we still have somewhere else to look. Well, if you remember, as I mentioned earlier, many APIs are not called through the import table directly but via LoadLibrary.
So in fact you should do this: in the IDA menu Search -> Text, enter CreateFile (it is more intuitive to use CreateFile here, since CreateFile does not appear in the import table) and list all of its locations in the code. You will find that there are still many references:

UPX0:00405520 sub_405520 push offset aCreatefilea ; "CreateFileA"
UPX0:004074E0 sub_4074E0 push offset aCreatefilea ; "CreateFileA"
UPX0:004074F7 sub_4074E0 mov dword_4781C0, eax ; CreateFile
UPX0:004083C3 sub_408320 call dword_4781C0 ; CreateFile
UPX0:0040AEA0 sub_40AEA0 push offset aCreatefilea ; "CreateFileA"
UPX0:0040DC00 sub_40DC00 push offset aCreatefilea ; "CreateFileA"
UPX0:0040F280 push offset aCreatefilea ; "CreateFileA"
UPX0:0000002f8 sub_0000200 call dword_478BDC ; CreateFileA
UPX0:00410560 sub_0000560 push offset aCreatefilea ; "CreateFileA"
UPX0:00410577 sub_0000560 mov dword_478BDC, eax ; CreateFileA
UPX0:00475618 ; char aCreatefilea[]
UPX0:004781C0 dword_4781C0 dd 0 ; CreateFile
UPX0:00478BDC dword_478BDC dd 0 ; CreateFileA

This is my biggest headache. It is not just one CreateFile: many functions in the program obtain it dynamically; in other words sub_405520, sub_4074E0, ... each obtain the address of CreateFile at run time. If you want to analyse where CreateFile is called, you have to judge the context in which each of the functions above is referenced in the code. Isn't that exhausting? It doesn't matter, try it. Look at:

UPX0:004083C3 sub_408320 call dword_4781C0 ; CreateFile
UPX0:0000002f8 sub_0000200 call dword_478BDC ; CreateFileA

These are the places where CreateFile is called directly. Let's take a look at them.

(4) Find the source. First, UPX0:004083C3 sub_408320 call dword_4781C0, the CreateFile location. Go in and check it. I will not list the specific code of sub_408320; it is long and will make you dizzy. In summary, it creates a device driver (DeviceIoControl) and elevates privileges (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges).
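The manual work in tips (1) and (3), first working out which API each data-segment dword holds and then finding every call through it, can be automated over a text export of the listing. The following Python script is an added example, not the author's idb and not an IDA feature: it runs over a constructed IDA-style listing assembled from the fragments quoted above (the addresses, global names and function names match the page; the instruction order inside each function, the ProcName and hKernel32 operands and the mutex string are assumptions). It recognises the push "Name" / call GetProcAddress / mov dword_XXXX, eax pattern, including the LoadLibraryA variant where the DLL name is pushed on top of the API name, annotates every use of the resolved global the way the post describes doing by hand, and reports each indirect call site with its containing function, which is the list the text search produced manually.

```python
import re

# Constructed IDA-style listing built from the fragments quoted in the post.
# Addresses and names are the page's; the surrounding instructions are assumed.
LISTING = """\
UPX0:0040D5B0 sub_40D5B0 proc near
UPX0:0040D5B0    push offset ProcName ; "CreateMutexA"
UPX0:0040D5B5    push offset LibFileName ; "KERNEL32.dll"
UPX0:0040D5BA    call LoadLibraryA
UPX0:0040D5C0    push eax
UPX0:0040D5C1    call GetProcAddress
UPX0:0040D5C7    mov dword_478A90, eax
UPX0:0040D5CC    retn
UPX0:0040D5CC sub_40D5B0 endp
UPX0:004074E0 sub_4074E0 proc near
UPX0:004074E0    push offset aCreatefilea ; "CreateFileA"
UPX0:004074E5    push hKernel32
UPX0:004074EB    call GetProcAddress
UPX0:004074F7    mov dword_4781C0, eax
UPX0:004074FC    retn
UPX0:004074FC sub_4074E0 endp
UPX0:00408320 sub_408320 proc near
UPX0:004083B0    push 0
UPX0:004083B2    push 80h
UPX0:004083B7    push 3
UPX0:004083B9    push 0
UPX0:004083BB    push 0
UPX0:004083BD    push 0C0000000h
UPX0:004083C2    push esi
UPX0:004083C3    call dword_4781C0
UPX0:004083C9    retn
UPX0:004083C9 sub_408320 endp
UPX0:0040DF50 _WinMain@16 proc near
UPX0:0040E015    push offset Name ; "aa0533.3322.org"
UPX0:0040E01A    push 0
UPX0:0040E01C    push 0
UPX0:0040E01E    call dword_478A90
UPX0:0040E024    retn
UPX0:0040E024 _WinMain@16 endp
UPX0:004781C0 dword_4781C0 dd 0
UPX0:00478A90 dword_478A90 dd 0
"""

ADDR_RE = re.compile(r"^UPX0:([0-9A-F]{8})\s+(.*?)\s*$")
PUSH_RE = re.compile(r'^push\s+(.+?)(?:\s*;\s*"(.*)")?$')
CALL_RE = re.compile(r"^call\s+(\S+)$")
STORE_RE = re.compile(r"^mov\s+(dword_[0-9A-F]+),\s*eax$")


def resolve_api_globals(listing):
    """Map each data-segment dword to the API whose address GetProcAddress put there.

    Tracks the string literals pushed as arguments: LoadLibraryA consumes one
    (the DLL name), GetProcAddress consumes two (hModule on top, lpProcName
    beneath it), and the following `mov dword_XXXX, eax` stores the result."""
    mapping = {}
    pushes = []      # string literal per push since the last call, None if not a string
    pending = None   # API name returned by the last GetProcAddress, not yet stored
    for line in listing.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        pm = PUSH_RE.match(body)
        if pm:
            pushes.append(pm.group(2))
            continue
        cm = CALL_RE.match(body)
        if cm:
            target = cm.group(1)
            if target == "LoadLibraryA":
                if pushes:
                    pushes.pop()          # lpLibFileName; the proc name stays pushed
            elif target == "GetProcAddress" and len(pushes) >= 2:
                pending = pushes[-2]
                pushes = pushes[:-2]
            else:
                pending = None            # any other call: the result is not an API address
                pushes = []
            continue
        sm = STORE_RE.match(body)
        if sm and pending:
            mapping[sm.group(1)] = pending
            pending = None
    return mapping


def find_call_sites(listing, mapping):
    """Every `call dword_XXXX` through a resolved pointer, as (function, address, API)."""
    sites, func = [], "?"
    for line in listing.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        addr, body = m.groups()
        if body.endswith("proc near"):
            func = body.split()[0]
        cm = CALL_RE.match(body)
        if cm and cm.group(1) in mapping:
            sites.append((func, addr, mapping[cm.group(1)]))
    return sites


def annotate(listing, mapping):
    """Append the resolved API name as a comment on every line that uses the global."""
    out = []
    for line in listing.splitlines():
        for glob, api in mapping.items():
            if re.search(r"\b%s\b" % glob, line):
                line = f"{line} ; {api}"
                break
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    resolved = resolve_api_globals(LISTING)
    print(annotate(LISTING, resolved))
    for func, addr, api in find_call_sites(LISTING, resolved):
        print(f"{func} calls {api} at {addr}")
```

On a real export the only adjustment is the segment prefix in ADDR_RE; the resolver deliberately ignores registers and immediates, so a `push eax` between the two calls does not disturb the argument tracking.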
This is typical Trojan behaviour. Then let's see who calls it. Using the cross-references ("xrefs to"), you will find that the caller is sub_40A300. Check the other one, UPX0:0000002f8 sub_0000200 call dword_478BDC ; CreateFileA, in the same way: sub_0000200 is a function that "receives a file from an Internet URL or IP address and saves it locally". What is this? An update? Loading new modules? What is this if not a Trojan? Likewise, through xrefs to, you will find that, ha, the source is the same: at the top is sub_40A300.

(5) Unveil the veil. Since everything points to sub_40A300, let's see who it is. Go to the sub_40A300 function. If you are still in Graph view, you will see it ... does the flow chart have a switch-case structure? Hehe, a jump table, the typical switch-case structure. What does this prove? If you were the attacker and wanted to send commands to be executed on the target, how would you organise the program? A switch-case is of course the most convenient. Each of its branches is a thread, or an action. Of course there are many similar threads in it, such as network operations; I am not sure whether that is obfuscation or a real difference. I simply added a comment to each behaviour, which may not be completely accurate, but should not be too far off. This is the source of the hidden behaviour code we were looking for, and it relied on static analysis.

(6) Summary. I spent nearly a whole night writing this article, and I hope it is worthwhile, because many friends are confused about where to start an analysis. My ability is limited and my analysis may be very simple, but I think it is useful for beginners, so I share it with you. Of course, I still have one regret, the problem mentioned above: I have not figured out where sub_40A300 is called in the code. If someone has analysed it, please let me know. Thank you! One last sentence: we should not be afraid to say that we are at a low level.
Instead, we should be bold in analyzing and sharing. Only in this way can we make progress. Finally, good night !!!!!!!!!!!!!!!