You are browsing the archive for Batch Analysis.

Enter Sandbox – part 14: Reading the old Delphi Scrolls…

March 16, 2017 in Batch Analysis, Clustering, File Formats ZOO, Reversing, Sandboxing

Sandboxing regular PE (not .NET) files is easy and tricky at the same time. API monitoring is trivial. What is not is not is this:

  • The crazy number of API functions (Native, Win32)
  • Function calls that are a bit harder to monitor, because the functionality is delivered via a complex maze of virtual tables f.ex. COM
  • Monitoring of functions or methods that are placed on a higher level of abstraction f.ex. scripts (AutoIT, VBS, VBA), as well as installers (f.ex. NullSoft)
  • The variety of library functions that are included inside the executables (statically)

The last item on the list requires a bit more attention.

Hooking API, or intercepting their calls any other way is relatively easy as long as you know where they are (and perhaps can handle the stolen bytes well since some malware is using this trick). With code embedded directly inside the executable there is no import table, no list of pointers of any kind, no virtual tables, no RTTI, nothing. Of course, using tools like IDA, or a good disassembly library, or perhaps instrumented execution it may be possible to determine the exact location of these functions, but it’s a pretty complex and time consuming task, especially for commercial sandboxes that must run FAST.

On top of that, there is another issue. The code is not located at a fixed address, but can be placed all over the place. No, I am not talking about ASLR. I am talking about wrappers that use RunPE to run executables from memory. If you intercept Windows API calls, running programs via RunPE doesn’t make a difference – the APIs will eventually be executing from a known location inside the system libraries in memory. With relocated code the statically linked functions need to be found _every_ time the executable is loaded, mapped to a different processes, or simply relocated (direct code inject, process hollowing, some unpackers, etc.). Yes, for the malware that spawns a number of child processes and plays with RunPE a number of times during the session it will significantly slow down the tagging of functions in memory.

So… after a bit of scaremongering let’s have a look at a very good example.

The enfant terrible of programs that are truly annoying for analysis are Delphi executables (and all the other brands of Delphish executables f.es. Embarcadero). They rely heavily on the custom Delphi libraries and as such are hard to understand no matter whether they are debugged, or disassembled. Of course, there exist good decompilers that can help a lot, and flirt signatures for Delphi executables do a lot of magic during static program analysis as well. However, I am not aware of any of the available sandboxes or monitors doing dynamic analysis of Delphi code during the run-time.

I remember the moment when I tested the first Delphi function hooking that I implemented a few years ago. My mind was blown. The sudden insight into the program business logic that the hooking gave me was incredible… !!!

I hope this functionality will be implemented in commercial sandboxes soon. There is a tremendous amount of metadata just waiting to be discovered…

Let’s have a look at a couple of examples – the one below shows a progressive parsing of the config for a trojan:

LStrPos |, <someip>|1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, <someip>|1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, <someip>|1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, 1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, 1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, 1337|IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKServer|IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, IPKMutex|encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, encpassword|-1|AdobeART.exe|AdobeART|-1|
LStrPos |, -1|AdobeART.exe|AdobeART|-1|
LStrPos |, -1|AdobeART.exe|AdobeART|-1|
LStrPos |, -1|AdobeART.exe|AdobeART|-1|
LStrPos |, AdobeART.exe|AdobeART|-1|
LStrPos |, AdobeART.exe|AdobeART|-1|
LStrPos |, AdobeART.exe|AdobeART|-1|
LStrPos |, AdobeART|-1|
LStrPos |, AdobeART|-1|
LStrPos |, AdobeART|-1|
LStrPos |, -1|
LStrPos |, -1|
LStrPos |, -1|
LStrPos |,

This example shows a comparison of characters and the string ‘apocalypse’ can be read from a series of string comparisons:

LStrCmp2 (substring=a, string=|)
LStrCmp2 (substring=p, string=|)
LStrCmp2 (substring=o, string=|)
LStrCmp2 (substring=c, string=|)
LStrCmp2 (substring=a, string=|)
LStrCmp2 (substring=l, string=|)
LStrCmp2 (substring=y, string=|)
LStrCmp2 (substring=p, string=|)
LStrCmp2 (substring=s, string=|)
LStrCmp2 (substring=e, string=|)

Another example almost instantly tells me that the program requires a command line parameter:

WStrCmp (substring=, string=/debug)

What about Delphi-based Anti-routines? This is a whole new unexplored of area !!!

LStrPos (substring=SNIFFER, string=EXPLORER.EXE)

LStrPos (substring=WINDUMP, string=EXPLORER.EXE)

LStrPos (substring=NETPRYER, string=EXPLORER.EXE)

And last example – DarkComet config processing:

LStrCmp (substring=, string=GENCODE)
LStrCmp (substring=MUTEX, string=GENCODE)
LStrCmp (substring=SID, string=GENCODE)
LStrCmp (substring=FWB, string=GENCODE)
LStrCmp (substring=NETDATA, string=GENCODE)
LStrCmp (substring=GENCODE, string=GENCODE)
LStrCmp (substring=\, string=\)
LStrCmp (substring=, string=NETDATA)
LStrCmp (substring=MUTEX, string=NETDATA)
LStrCmp (substring=SID, string=NETDATA)
LStrCmp (substring=FWB, string=NETDATA)
LStrCmp (substring=NETDATA, string=NETDATA)
LStrCmp (substring=, string=SID)
LStrCmp (substring=MUTEX, string=SID)
LStrCmp (substring=SID, string=SID)
LStrCmp (substring=, string=MUTEX)
LStrCmp (substring=MUTEX, string=MUTEX)
LStrCmp (substring=, string=EDTPATH)
LStrCmp (substring=MUTEX, string=EDTPATH)
LStrCmp (substring=SID, string=EDTPATH)
LStrCmp (substring=FWB, string=EDTPATH)
LStrCmp (substring=NETDATA, string=EDTPATH)
LStrCmp (substring=GENCODE, string=EDTPATH)
LStrCmp (substring=OFFLINEK, string=EDTPATH)
LStrCmp (substring=, string=EDTPATH)
LStrCmp (substring=, string=COMBOPATH)
LStrCmp (substring=MUTEX, string=COMBOPATH)
LStrCmp (substring=SID, string=COMBOPATH)
LStrCmp (substring=FWB, string=COMBOPATH)
LStrCmp (substring=NETDATA, string=COMBOPATH)
LStrCmp (substring=GENCODE, string=COMBOPATH)
LStrCmp (substring=OFFLINEK, string=COMBOPATH)
LStrCmp (substring=, string=COMBOPATH)
LStrCmp (substring=, string=11)
LStrCmp (substring=, string=-1)
LStrCmp (substring=, string=0)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=2)
LStrCmp (substring=, string=3)
LStrCmp (substring=, string=4)
LStrCmp (substring=, string=5)
LStrCmp (substring=, string=6)
LStrCmp (substring=, string=7)
LStrCmp (substring=, string=8)
LStrCmp (substring=, string=9)
LStrCmp (substring=, string=10)
LStrCmp (substring=, string=GENCODE)
LStrCmp (substring=MUTEX, string=GENCODE)
LStrCmp (substring=SID, string=GENCODE)
LStrCmp (substring=FWB, string=GENCODE)
LStrCmp (substring=NETDATA, string=GENCODE)
LStrCmp (substring=GENCODE, string=GENCODE)
LStrCmp (substring=00df86ce377d71e66cb2451c446fede8, string=)
LStrCmp (substring=, string=INSTALL)
LStrCmp (substring=MUTEX, string=INSTALL)
LStrCmp (substring=SID, string=INSTALL)
LStrCmp (substring=FWB, string=INSTALL)
LStrCmp (substring=NETDATA, string=INSTALL)
LStrCmp (substring=GENCODE, string=INSTALL)
LStrCmp (substring=OFFLINEK, string=INSTALL)
LStrCmp (substring=, string=INSTALL)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=FAKEMSG)
LStrCmp (substring=MUTEX, string=FAKEMSG)
LStrCmp (substring=SID, string=FAKEMSG)
LStrCmp (substring=FWB, string=FAKEMSG)
LStrCmp (substring=NETDATA, string=FAKEMSG)
LStrCmp (substring=GENCODE, string=FAKEMSG)
LStrCmp (substring=OFFLINEK, string=FAKEMSG)
LStrCmp (substring=, string=FAKEMSG)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=PDNS)
LStrCmp (substring=MUTEX, string=PDNS)
LStrCmp (substring=SID, string=PDNS)
LStrCmp (substring=FWB, string=PDNS)
LStrCmp (substring=NETDATA, string=PDNS)
LStrCmp (substring=GENCODE, string=PDNS)
LStrCmp (substring=OFFLINEK, string=PDNS)
LStrCmp (substring=, string=PDNS)
LStrCmp (substring=, string=FILEATTRIB)
LStrCmp (substring=MUTEX, string=FILEATTRIB)
LStrCmp (substring=SID, string=FILEATTRIB)
LStrCmp (substring=FWB, string=FILEATTRIB)
LStrCmp (substring=NETDATA, string=FILEATTRIB)
LStrCmp (substring=GENCODE, string=FILEATTRIB)
LStrCmp (substring=OFFLINEK, string=FILEATTRIB)
LStrCmp (substring=, string=FILEATTRIB)
LStrCmp (substring=, string=DIRATTRIB)
LStrCmp (substring=MUTEX, string=DIRATTRIB)
LStrCmp (substring=SID, string=DIRATTRIB)
LStrCmp (substring=FWB, string=DIRATTRIB)
LStrCmp (substring=NETDATA, string=DIRATTRIB)
LStrCmp (substring=GENCODE, string=DIRATTRIB)
LStrCmp (substring=OFFLINEK, string=DIRATTRIB)
LStrCmp (substring=, string=DIRATTRIB)
LStrCmp (substring=, string=CHIDEF)
LStrCmp (substring=MUTEX, string=CHIDEF)
LStrCmp (substring=SID, string=CHIDEF)
LStrCmp (substring=FWB, string=CHIDEF)
LStrCmp (substring=NETDATA, string=CHIDEF)
LStrCmp (substring=GENCODE, string=CHIDEF)
LStrCmp (substring=OFFLINEK, string=CHIDEF)
LStrCmp (substring=, string=CHIDEF)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=CHIDED)
LStrCmp (substring=MUTEX, string=CHIDED)
LStrCmp (substring=SID, string=CHIDED)
LStrCmp (substring=FWB, string=CHIDED)
LStrCmp (substring=NETDATA, string=CHIDED)
LStrCmp (substring=GENCODE, string=CHIDED)
LStrCmp (substring=OFFLINEK, string=CHIDED)
LStrCmp (substring=, string=CHIDED)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=BIND)
LStrCmp (substring=MUTEX, string=BIND)
LStrCmp (substring=SID, string=BIND)
LStrCmp (substring=FWB, string=BIND)
LStrCmp (substring=NETDATA, string=BIND)
LStrCmp (substring=GENCODE, string=BIND)
LStrCmp (substring=OFFLINEK, string=BIND)
LStrCmp (substring=, string=BIND)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=PLUGS)
LStrCmp (substring=MUTEX, string=PLUGS)
LStrCmp (substring=SID, string=PLUGS)
LStrCmp (substring=FWB, string=PLUGS)
LStrCmp (substring=NETDATA, string=PLUGS)
LStrCmp (substring=GENCODE, string=PLUGS)
LStrCmp (substring=OFFLINEK, string=PLUGS)
LStrCmp (substring=, string=PLUGS)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=PERSINST)
LStrCmp (substring=MUTEX, string=PERSINST)
LStrCmp (substring=SID, string=PERSINST)
LStrCmp (substring=FWB, string=PERSINST)
LStrCmp (substring=NETDATA, string=PERSINST)
LStrCmp (substring=GENCODE, string=PERSINST)
LStrCmp (substring=OFFLINEK, string=PERSINST)
LStrCmp (substring=, string=PERSINST)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH1)
LStrCmp (substring=MUTEX, string=SH1)
LStrCmp (substring=SID, string=SH1)
LStrCmp (substring=FWB, string=SH1)
LStrCmp (substring=NETDATA, string=SH1)
LStrCmp (substring=GENCODE, string=SH1)
LStrCmp (substring=OFFLINEK, string=SH1)
LStrCmp (substring=, string=SH1)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH3)
LStrCmp (substring=MUTEX, string=SH3)
LStrCmp (substring=SID, string=SH3)
LStrCmp (substring=FWB, string=SH3)
LStrCmp (substring=NETDATA, string=SH3)
LStrCmp (substring=GENCODE, string=SH3)
LStrCmp (substring=OFFLINEK, string=SH3)
LStrCmp (substring=, string=SH3)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH4)
LStrCmp (substring=MUTEX, string=SH4)
LStrCmp (substring=SID, string=SH4)
LStrCmp (substring=FWB, string=SH4)
LStrCmp (substring=NETDATA, string=SH4)
LStrCmp (substring=GENCODE, string=SH4)
LStrCmp (substring=OFFLINEK, string=SH4)
LStrCmp (substring=, string=SH4)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH5)
LStrCmp (substring=MUTEX, string=SH5)
LStrCmp (substring=SID, string=SH5)
LStrCmp (substring=FWB, string=SH5)
LStrCmp (substring=NETDATA, string=SH5)
LStrCmp (substring=GENCODE, string=SH5)
LStrCmp (substring=OFFLINEK, string=SH5)
LStrCmp (substring=, string=SH5)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH6)
LStrCmp (substring=MUTEX, string=SH6)
LStrCmp (substring=SID, string=SH6)
LStrCmp (substring=FWB, string=SH6)
LStrCmp (substring=NETDATA, string=SH6)
LStrCmp (substring=GENCODE, string=SH6)
LStrCmp (substring=OFFLINEK, string=SH6)
LStrCmp (substring=, string=SH6)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH7)
LStrCmp (substring=MUTEX, string=SH7)
LStrCmp (substring=SID, string=SH7)
LStrCmp (substring=FWB, string=SH7)
LStrCmp (substring=NETDATA, string=SH7)
LStrCmp (substring=GENCODE, string=SH7)
LStrCmp (substring=OFFLINEK, string=SH7)
LStrCmp (substring=, string=SH7)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH8)
LStrCmp (substring=MUTEX, string=SH8)
LStrCmp (substring=SID, string=SH8)
LStrCmp (substring=FWB, string=SH8)
LStrCmp (substring=NETDATA, string=SH8)
LStrCmp (substring=GENCODE, string=SH8)
LStrCmp (substring=OFFLINEK, string=SH8)
LStrCmp (substring=, string=SH8)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH9)
LStrCmp (substring=MUTEX, string=SH9)
LStrCmp (substring=SID, string=SH9)
LStrCmp (substring=FWB, string=SH9)
LStrCmp (substring=NETDATA, string=SH9)
LStrCmp (substring=GENCODE, string=SH9)
LStrCmp (substring=OFFLINEK, string=SH9)
LStrCmp (substring=, string=SH9)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=SH10)
LStrCmp (substring=MUTEX, string=SH10)
LStrCmp (substring=SID, string=SH10)
LStrCmp (substring=FWB, string=SH10)
LStrCmp (substring=NETDATA, string=SH10)
LStrCmp (substring=GENCODE, string=SH10)
LStrCmp (substring=OFFLINEK, string=SH10)
LStrCmp (substring=, string=SH10)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=MULTIBIND)
LStrCmp (substring=MUTEX, string=MULTIBIND)
LStrCmp (substring=SID, string=MULTIBIND)
LStrCmp (substring=FWB, string=MULTIBIND)
LStrCmp (substring=NETDATA, string=MULTIBIND)
LStrCmp (substring=GENCODE, string=MULTIBIND)
LStrCmp (substring=OFFLINEK, string=MULTIBIND)
LStrCmp (substring=, string=MULTIBIND)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=MULTIPLUGS)
LStrCmp (substring=MUTEX, string=MULTIPLUGS)
LStrCmp (substring=SID, string=MULTIPLUGS)
LStrCmp (substring=FWB, string=MULTIPLUGS)
LStrCmp (substring=NETDATA, string=MULTIPLUGS)
LStrCmp (substring=GENCODE, string=MULTIPLUGS)
LStrCmp (substring=OFFLINEK, string=MULTIPLUGS)
LStrCmp (substring=, string=MULTIPLUGS)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=FWB)
LStrCmp (substring=MUTEX, string=FWB)
LStrCmp (substring=SID, string=FWB)
LStrCmp (substring=FWB, string=FWB)
LStrCmp (substring=0, string=1)
LStrCmp (substring=, string=GENCODE)
LStrCmp (substring=MUTEX, string=GENCODE)
LStrCmp (substring=SID, string=GENCODE)
LStrCmp (substring=FWB, string=GENCODE)
LStrCmp (substring=NETDATA, string=GENCODE)
LStrCmp (substring=GENCODE, string=GENCODE)
LStrCmp (substring=, string=PERS)
LStrCmp (substring=MUTEX, string=PERS)
LStrCmp (substring=SID, string=PERS)
LStrCmp (substring=FWB, string=PERS)
LStrCmp (substring=NETDATA, string=PERS)
LStrCmp (substring=GENCODE, string=PERS)
LStrCmp (substring=OFFLINEK, string=PERS)
LStrCmp (substring=, string=PERS)
LStrCmp (substring=, string=1)
LStrCmp (substring=, string=PWD)
LStrCmp (substring=MUTEX, string=PWD)
LStrCmp (substring=SID, string=PWD)
LStrCmp (substring=FWB, string=PWD)
LStrCmp (substring=NETDATA, string=PWD)
LStrCmp (substring=GENCODE, string=PWD)
LStrCmp (substring=OFFLINEK, string=PWD)
LStrCmp (substring=, string=PWD)
LStrCmp (substring=, string=OFFLINEK)
LStrCmp (substring=MUTEX, string=OFFLINEK)
LStrCmp (substring=SID, string=OFFLINEK)
LStrCmp (substring=FWB, string=OFFLINEK)
LStrCmp (substring=NETDATA, string=OFFLINEK)
LStrCmp (substring=GENCODE, string=OFFLINEK)
LStrCmp (substring=OFFLINEK, string=OFFLINEK)
LStrCmp (substring=1, string=1)
LStrCmp (substring=Unknow, string=Unknow)

DeXRAY 2.0 released

March 9, 2017 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Recently I was contacted by two fellow DFIRers (thx @JamesHabben and @bmmaloney97) who suggested some improvements to the tool.

James mentioned to me a type of Quarantine files that I never heard of (Lumension LEMSS) and was kind enough to provide the recipe on how to handle them which I implemented in the tool (hope it works!).

Brian wrote some piece of code to integrate it with DeXRAY. Thanks to his efforts McAfee BUP files are now finally properly handled (the older version of DeXRAY required the user to carve out the decrypted malware, because DeXRAY didn’t handle OLE files). Thx!

In the effort to better parse some troublesome files I have added an additional routine to carve the files out (and I use it for Symantec ccSubSdk files).

Lo and behold the DeXRAY is now 2.0.

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)