The following are the static analysis details I found for the Sample Analysis 1 binary we posted previously. If you have done static analysis of this file as well, follow along and see whether you found similar details. We try to get as detailed as possible, but we do have day jobs, so there may be things inside the malware that we do not discuss. The goal is to analyze the sample until we are satisfied that we understand the basic functionality of the malware.
Sample Analysis 1 Report:
VirusTotal Results: 37 out of 41 engines flag this as a malicious file. Most of the descriptions call it FakeAV, surprise :)
BinText: When opening the file in BinText, it gave an error saying there was a problem reading the string resource file and that the file may be compressed or in a non-standard format, which is the usual sign of a packed executable. Looking through the strings that did show didn't reveal much, though I did see references to the Delphi programming language. We also see some strings mentioning use of the registry.
Just for kicks, I wanted to dump the unpacked file back into BinText to see if there were any new strings. This time, when I dropped the file in BinText, no errors! There are a ton of readable strings now, and this sample seems to have a ton of options. Looking through the strings, one thing I notice right away is a lot of functions with GUI context, such as OnMouseActivate, OnMouseDown, OnMouseUp, and PopUpMenu.
I also see a lot of references to web browsers. This application seems to be very GUI driven, which fits a FakeAV that has to put a convincing scanner window in front of the victim. There are still some obfuscated strings in the unpacked version, so at this point I'll take the file into OllyDbg.
This sample has some protection schemes even after unpacking. I have been jumping around in OllyDbg trying to find a way past them. I tried the HideOD plugin, which hides the debugger from the common anti-debugging checks. I also noticed some SEH tricks: the code deliberately raises exceptions and relies on its own handler to carry on, but with a debugger attached the exception goes to OllyDbg first and the application terminates. To fix this I told OllyDbg to ignore exceptions, which passes them straight through to the program's own handler, so the code runs as it would without a debugger. Go to the Options menu, choose Debugging Options, and click the Exceptions tab. Put a check in all of the options. At the bottom you will see a section called "Ignore also following custom exceptions or ranges". Click the Add range button and enter 00000000 as the beginning and FFFFFFFF as the ending address, which covers every exception code. One caveat: with everything ignored, a genuine crash in the sample will no longer break into the debugger either, so if the process silently dies you may need to narrow the range. Your screen should look like the following:
This seems to have allowed me to get further along. While stepping through instructions I noticed a file being created called agtyjkj.bat; the path showed up in the stack section. This file contained the following code:
del "C:\Documents and Settings\installer\Desktop\adobeflashplayerv10.0.32.20.exe"
if exist "C:\Documents and Settings\installer\Desktop\adobeflashplayerv10.0.32.20.exe" goto dsfgdfh
del "C:\Documents and Settings\installer\Application Data\agtyjkj.bat"
This batch file deletes the original dropper and, if the file is still there (for example because the process is still running and the file is locked), jumps to the label dsfgdfh. That label is not in the portion shown here, but presumably sits above the first del so the delete is retried until it succeeds. Once the original is gone, the script deletes itself. While in that directory I noticed another new file named hotfix.exe; a quick hash of the file shows that it is byte-for-byte the same as our original, just renamed. So the sample copies itself into Application Data under a new name and then removes the copy the user downloaded.
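As an added example (not part of the original post, and not the malware's own code), here is how you could script the two checks above: hashing every file dropped under the profile to find renamed copies of the original, and pulling the delete targets and retry label out of a dropped batch file. The directory layout and file bytes in demo() are constructed stand-ins for the real sample; only the batch text is the one quoted above.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The batch file quoted in the post, used as sample input for parse_bat().
SAMPLE_BAT = r'''del "C:\Documents and Settings\installer\Desktop\adobeflashplayerv10.0.32.20.exe"
if exist "C:\Documents and Settings\installer\Desktop\adobeflashplayerv10.0.32.20.exe" goto dsfgdfh
del "C:\Documents and Settings\installer\Application Data\agtyjkj.bat"
'''


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(sample, search_root):
    """Return every file under search_root whose SHA-256 equals the sample's,
    whatever it is named (the sample itself is skipped). Locked or unreadable
    files are skipped rather than aborting the whole scan."""
    target = sha256_of(sample)
    sample_real = os.path.realpath(sample)
    hits = []
    for dirpath, _, names in os.walk(search_root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.realpath(path) == sample_real:
                continue
            try:
                if sha256_of(path) == target:
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def parse_bat(text):
    """Pull out what a dropper's cleanup script does: files it deletes, labels it
    jumps to, labels it defines, and whether it deletes itself (a .bat target).
    A goto to a label not defined in the text means the loop target lies outside
    the captured portion, as with dsfgdfh in the post."""
    deletes, goto_labels, defined_labels = [], [], []
    for line in text.splitlines():
        m = re.match(r'\s*del\s+(?:"([^"]+)"|(\S+))', line, re.I)
        if m:
            deletes.append(m.group(1) or m.group(2))
        m = re.match(r'\s*:(\S+)', line)
        if m:
            defined_labels.append(m.group(1))
        m = re.search(r'\bgoto\s+(\S+)', line, re.I)
        if m:
            goto_labels.append(m.group(1))
    return {
        "deletes": deletes,
        "goto_labels": goto_labels,
        "defined_labels": defined_labels,
        "undefined_labels": [l for l in goto_labels if l not in defined_labels],
        "deletes_self": any(d.lower().endswith(".bat") for d in deletes),
    }


def demo():
    """Constructed scenario mirroring the post: the downloaded dropper on the
    Desktop, a byte-identical renamed copy (hotfix.exe) plus the .bat and an
    unrelated file in Application Data. The bytes are fake, not the real sample."""
    with tempfile.TemporaryDirectory() as root:
        desktop = Path(root, "Desktop")
        appdata = Path(root, "Application Data")
        desktop.mkdir()
        appdata.mkdir()
        fake_payload = b"MZ" + b"\x00" * 62 + b"constructed fake dropper body"
        original = desktop / "adobeflashplayerv10.0.32.20.exe"
        original.write_bytes(fake_payload)
        (appdata / "hotfix.exe").write_bytes(fake_payload)              # renamed copy
        (appdata / "agtyjkj.bat").write_text(SAMPLE_BAT)                # cleanup script
        (appdata / "unrelated.dll").write_bytes(b"MZ" + b"\x01" * 40)   # different hash
        hits = find_copies(str(original), root)
        return [Path(h).relative_to(root).as_posix() for h in hits]


if __name__ == "__main__":
    print("renamed copies of the original:", demo())
    print("batch file summary:", parse_bat(SAMPLE_BAT))
```

Matching on the full hash rather than the file name is the point: a dropper that renames itself (or pads a copy) defeats name-based checks, and a mismatch here would tell you the copy was modified rather than simply renamed.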
This also goes to show that even when you are doing static analysis, a little dynamic analysis can help. That is especially true with a sample like this one that has protections and obfuscation.
At this point I decided to dig through the stack section in OllyDbg to see what else might be learned there. For those of you not familiar with OllyDbg, this is the window in the lower right-hand corner. I found a reference to at.exe, the legacy Windows command-line task scheduler, which likely means the sample schedules a task for itself, a common persistence trick. It can be seen below:
That is about all I have time for today. I hope you saw from this analysis that it isn't always necessary to know assembly to statically analyze code. This is one of those samples where dynamic analysis would probably reveal more, and more easily, but we were able to reach the same conclusions just by looking at the code. Sure, I used a little assembly to get out of some loops, but there were no groundbreaking techniques, just simple register modification, which OllyDbg makes easy.
Look for Jamy's post on what he found from dynamic analysis, coming soon. In the meantime, we are trying to come up with a way to get these samples to you in case the sites are taken down before you grab them. I hope to have a solution before the next sample post.