Recently, two suspects were arrested for selling Cryptex Reborn and other FUD tools (helping to install malware in a Fully UnDetectable way). Today, we will study some examples to make sure that everyone knows what this type of tool is and why it is dangerous. We will also present an example of identifying and unpacking a malware crypter.

Most modern malware samples, in addition to built-in defensive techniques, are protected by some packer or crypter. A crypter's role is basically to be the first - and most complex - layer of defense for the malicious core. They try to deceive pattern-based or even behavior-based detection engines - often slowing down the analysis process by masquerading as a harmless program, then unpacking/decrypting their malicious payload. They may also add some icons and metadata that make the sample look like a legitimate product.

Underground crypters, created to defend malware against antivirus/anti-malware products, are sold in typical cybercriminal hangouts. Below, you can see examples of crypters being advertised on the black market and the tricks they use:

These products are designed to cater to simple criminals, those who do not need (or want) deep technical knowledge. That's why the authors provide a GUI to configure all the options in a very easy way. For example, it allows the configuration of the encryption method and key, as well as where the payload should be injected.

As you can see, a crypter is a completely independent module. Cybercriminals can use it to protect any malware that they want to deliver. That's why knowing the crypter that is used does not help in identifying the malware family.

As an example, I would like to present several different malware samples packed by the same/similar crypter:

27b138e6bed7acfe72daa943762c9443 - a DLL delivered by Magnitude Exploit Kit (will be referred to as: Magnitude.dll)
bbcfb9db21299e9f3b248aaec0a702a5 - an executable captured under the name: makta.exe
1afb93d482fd46b44a64c9e987c02a27 - an executable delivered by Blackhole Exploit Kit (will be referred to as: blackhole.exe)
carrying payload: 5a58395fda49c8f3f4571a007cf02f4d

Before we start unpacking, let's have a look at the similarities in the code that made me believe that the above three samples (captured in different distribution campaigns) are all packed by the same tool.

Tracing the flow of execution, we notice similarities. At the beginning of execution, all of the samples make some meaningless API calls (i.e. trying to read some random keys from the registry). Then, they call a function to allocate memory (VirtualAlloc or VirtualAllocEx). They unpack something into this memory and redirect execution there. After some time, execution comes back to the memory space of the original image. However, it now executes code that was not present before (the code images have been overwritten).

We can guess that all of the samples use the RunPE technique to overwrite the image of the original file with the payload. It all happens within the shellcode that is first unpacked into the allocated memory. Let's set a breakpoint at VirtualAlloc/VirtualAllocEx and follow execution to see what is written into this newly allocated memory.

Unpacking usually includes two stages: some encrypted content is copied from the original image, then stage 1 decryption is applied. After this, some of the shellcode is revealed. This same shellcode is responsible for decrypting the actual payload (this is now stage 2 decryption) and loading it into memory.

This is how the content unpacked into the allocated memory looks for each respective sample (after the stage 1 decryption):

The above content consists of the same elements in the same order. At the beginning, we can see a list of functions to be loaded. Next, we see an encrypted payload (an independent PE file). Finally, we see the shellcode to be executed (loading the payload by the RunPE technique).

Below is the encrypted payload on the left and its decrypted version on the right:

The decrypting procedure is heavily obfuscated, but by having memory dumps made before and after each stage of decryption, we can try to get some hints of what is going on by comparing the changes. Visual analysis may help in discovering the algorithm by which the data is packed. I have decided to dump the allocated memory before each stage of decryption, plus the revealed payload (the new PE file). You can see these stages in the first and second pictures in the row. At the third position, you can see the visualization of the dumped payload. Similar patterns are present in all three files:

Magnitude.dll (encrypted, first stage decrypted, payload)
blackhole.exe (encrypted, first stage decrypted, payload)
Makta.exe (encrypted, first stage decrypted, payload)
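The dump-comparison workflow described in the post (dump the region before and after a decryption stage, compare the changes, look at the byte patterns, then find the revealed PE file) as an added Python example. It is not code from the original post and has nothing to do with the crypter's own routines. It assumes the two dumps are already on disk as raw bytes of the same region and the same size; the repeating-XOR period check is only a hypothesis test added here (the post does not say which algorithm the crypter uses, and the crypter's real stage is described as heavily obfuscated); the API name list, the minimal PE, the loader-stub placeholder bytes and the 4-byte key are all constructed inline so the script runs offline.

```python
"""Added example: compare dumps of one memory region taken before and after a
decryption stage, then locate and carve the PE the stage revealed."""
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_map(buf: bytes, block: int = 256) -> list:
    return [shannon_entropy(buf[i:i + block]) for i in range(0, len(buf), block)]

def render_map(ents: list) -> str:
    """Text stand-in for the dump pictures: ' ' constant, '.' text-like, '#' packed."""
    return "".join(" " if e < 1.0 else "." if e < 6.0 else "#" for e in ents)

def changed_ranges(before: bytes, after: bytes) -> list:
    """Contiguous [start, end) ranges that the stage rewrote."""
    assert len(before) == len(after), "dumps must cover the same region"
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(before)))
    return ranges

def keystream_period(before: bytes, after: bytes, start: int, end: int, max_period: int = 64):
    """Hypothesis test (an assumption, not the crypter's known scheme): if
    before XOR after repeats with a short period, return it, else None."""
    ks = bytes(x ^ y for x, y in zip(before[start:end], after[start:end]))
    for p in range(1, min(max_period, len(ks) - 1) + 1):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return None

def find_pe_headers(buf: bytes) -> list:
    """Offsets of 'MZ' whose e_lfanew really points at a 'PE\\0\\0' signature."""
    hits, off = [], buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
            if pe + 4 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                hits.append(off)
        off = buf.find(b"MZ", off + 1)
    return hits

def carve_pe(buf: bytes, off: int) -> bytes:
    """Cut the raw (file-layout) PE at `off`, sized from its section table."""
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    num_sections = struct.unpack_from("<H", buf, off + e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, off + e_lfanew + 20)[0]
    sect = e_lfanew + 24 + opt_size          # section table, relative to 'MZ'
    end = sect + 40 * num_sections           # at least the headers
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, off + sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return buf[off:off + end]

def build_sample_pe(rng: random.Random) -> bytes:
    """Constructed minimal PE: DOS header, COFF header, zeroed optional header, one section."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = bytes(0xE0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = (b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)).ljust(40, b"\0")
    body = bytes(rng.randrange(256) for _ in range(0x200))     # random stands in for code
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + body

def build_dumps():
    """Constructed dumps in the stage-1 layout seen above: API name list, payload
    (XOR-encrypted in 'before'), loader stub. Returns before, after, offset, plaintext."""
    api_names = b"LoadLibraryA\0GetProcAddress\0VirtualAlloc\0VirtualProtect\0\0"
    payload = build_sample_pe(random.Random(2015))
    stub = b"\x55\x8b\xec" + bytes(29)        # placeholder bytes, not real shellcode
    key = b"\x5a\xa3\x1f\xc4"                 # constructed repeating key
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return api_names + enc + stub, api_names + payload + stub, len(api_names), payload

BEFORE, AFTER, PAYLOAD_OFF, PAYLOAD = build_dumps()

def analyze(before: bytes, after: bytes) -> dict:
    """Rewritten ranges, keystream period per range, carved PEs and entropy strips."""
    ranges = changed_ranges(before, after)
    return {"changed": ranges,
            "periods": {r: keystream_period(before, after, *r) for r in ranges},
            "pe": [(o, len(carve_pe(after, o))) for o in find_pe_headers(after)],
            "map_before": render_map(entropy_map(before)),
            "map_after": render_map(entropy_map(after))}
```

Calling `analyze(BEFORE, AFTER)` on the constructed dumps reports exactly one rewritten range (the payload), a keystream period of 4 for it, and one carved PE at the payload offset; on real dumps, a `None` period is the expected answer for anything beyond a trivial XOR stage, and the entropy strips are the quick way to spot where the packed blob sits and where the decrypted PE headers appear. The `find_pe_headers` check insists that `e_lfanew` really lands on `PE\0\0`, so stray `MZ` bytes inside encrypted data are not reported as payloads.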