Anti-forensics – live examples, Part 2

I wrote about malware using anti-forensics tricks back in 2012. Recently I have been seeing quite a few (I believe CryptoWall) samples coming to my spambait mailbox that use anti-forensics and evasion tricks that I believe are worth documenting.

The malware arrives as one of the typical VOICE<phone number>.zip packages embedding an unencrypted VOICE<phone number>.scr file which, when executed, delivers the payload.

The payload is delivered in an evasive way:

  • a new suspended explorer.exe process is created and a malicious thread is injected into it
  • the code injected into explorer.exe decrypts the second stage of the payload and drops a file into a directory directly on the c:\ drive (c:\<hex-digits>\<hex-digits>.exe)

This is the first (kinda light) anti-forensic trick I want to talk about; it would seem malware authors try to avoid dropping copies of the malware into the %APPDATA% folder (or into that folder only), as it is the place where they are easiest to find.

Dropping the file into more than one folder, and especially into folders that are less likely to be inspected, is (I believe) an attempt to evade early detection.

  • the malware also copies itself to
    • %APPDATA%\Start Menu\Programs\Startup\<hex digits>.exe – a typical, old-school persistence mechanism
    • %APPDATA%\<hex digits>.exe

      and then adds 2 Run keys under HKCU to ensure its persistence on the system
  • the 2 keys point to
    • %APPDATA%\<hex digits>.exe
    • c:\<hex-digits>\<hex-digits>.exe (the location described earlier)
  • so, there are 3 autostart entries total and 3 copies of the malware; that’s the second anti-forensic trick – cleanup of such infections may be a bit tricky and it highlights the importance of checking all the possible persistence mechanisms
  • next, the malware creates another suspended process, this time svchost.exe, and injects code into it the same way as previously into explorer.exe; it will be used to connect out to the C&C
  • in the meantime, explorer.exe launches the vssadmin tool with destructive command-line arguments as follows:
    • vssadmin.exe Delete Shadows /All /Quiet
      that’s the third anti-forensic trick; it deletes all the shadow copies (note: it doesn’t work under XP)
  • the malware also disables System Restore by setting the following value
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
      DisableSR (REG_DWORD) = 1
      that’s the fourth anti-forensic trick used by this malware
  • and then also tries to kill the following services
    • wscsvc
    • WinDefend
    • wuauserv
    • BITS
    • ERSvc
    • WerSvc
  • finally, it tries to connect out to the C&C (from the hijacked svchost.exe process)

Some variants also disable Startup Repair using the following command:

  • bcdedit /set {default} recoveryenabled No
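Below is an added triage script (my own code, not from the original post or the sample) that checks a host for the artifacts just listed: hex-named Run values and Startup-folder executables, DisableSR, missing shadow copies, the bcdedit recovery flag and the state of the targeted services. It assumes an elevated PowerShell 3+ session, and the path patterns it matches are heuristics derived from the paths above.

```powershell
# Added example, not from the original post: read-only triage for the
# artifacts described above (Run keys, Startup folder, DisableSR,
# shadow copies, bcdedit recovery flag, targeted services). Assumes an
# elevated PowerShell 3+ session on the host being examined.
$findings = @()

# Run values pointing at %APPDATA%\<hex>.exe or <drive>:\<hex>\<hex>.exe
$appData = [regex]::Escape($env:APPDATA)
$patterns = @("^`"?(?:%APPDATA%|$appData)\\[0-9a-f]+\.exe`"?`$",
              '^"?[a-z]:\\[0-9a-f]+\\[0-9a-f]+\.exe"?$')
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }        # skip PowerShell metadata properties
    foreach ($rx in $patterns) {
        if ("$($p.Value)" -match $rx) { $findings += "Run value '$($p.Name)' -> $($p.Value)" }
    }
}

# Hex-named executables in the per-user Startup folder (resolves both the XP and the Vista+ path)
$startup = [Environment]::GetFolderPath('Startup')
$startupExes = Get-ChildItem -Path $startup -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9a-f]+\.exe$' }
foreach ($f in $startupExes) { $findings += "Startup folder: $($f.FullName)" }

# System Restore switched off with DisableSR = 1
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = Get-ItemProperty $srKey -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) { $findings += "$srKey\DisableSR = 1" }

# Zero shadow copies is consistent with 'vssadmin Delete Shadows /All /Quiet' (also true if VSS is simply off)
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += 'No shadow copies present' }

# Startup Repair disabled with 'bcdedit /set {default} recoveryenabled No'
$bcd = & bcdedit /enum '{default}' 2>$null
if ($bcd -match '^\s*recoveryenabled\s+No') { $findings += 'bcdedit: recoveryenabled = No' }

# Security and update services the sample tries to kill (WerSvc is trigger-started, so 'Stopped' alone is weak evidence)
foreach ($name in 'wscsvc','WinDefend','wuauserv','BITS','ERSvc','WerSvc') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc -and ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled')) {
        $findings += "Service $name is $($svc.State) (start mode: $($svc.StartMode))"
    }
}

if ($findings.Count -gt 0) { $findings } else { 'No matching artifacts found.' }
```

Each hit is a lead to verify by hand (hash the referenced file, check its timestamps), not a verdict; a fresh install or a disabled VSS service will also report zero shadow copies.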

Beyond good ol’ Run key, Part 13

Today we will look at yet another less-known persistence mechanism, and as a bonus – I will be talking about it twice. It only affects Windows XP so it’s a bit old, but there are still plenty of XP systems out there so I guess it still counts 🙂

The mechanism relies on the following Registry key:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RunGrpConv

The presence of the key with a non-zero value tells the system (userinit.exe, to be precise) to launch grpconv.exe when the user logs on. The grpconv.exe program itself is one of the migration applications designed to help convert Windows 3.1 groups to folders while upgrading to Windows 95+, and is now obviously obsolete.

Persistence mechanism #1

Since the program is old and obsolete, most people won’t even notice if it is gone. It’s also not protected by Windows File Protection, so one could simply delete the legitimate grpconv.exe, replace it with a malicious program and set the registry key to ensure the program is launched every time the user logs on.

This trick was successfully used by a malware family called Bredolab. The malware was also placing the file in a different location (%system%\wbem\grpconv.exe). You can see an example malware report here.

You can experiment with this trick by replacing grpconv.exe on your test XP box with e.g. calc.exe. Once you restart the system (and log on), or simply log off and log on again, you will notice that Calculator was launched…

[image: RunGrpConv1]

and it’s even before Windows Explorer is loaded:

[image: RunGrpConv2]

Persistence mechanism #2

The fact that grpconv.exe can be loaded every time the user logs on is cool. Even cooler is the fact that it is an old-school app and as such it relies on external libraries that are no longer present on the system. When executed, grpconv.exe attempts to load a non-existent imm.dll.

So, adding the RunGrpConv key and dropping a malicious imm.dll will lead to its loading and execution any time the user logs on.
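As an added example (my own code, not from the original post), here is a PowerShell 2.0-compatible audit for both mechanisms on an XP box: it reports a non-zero RunGrpConv value, every grpconv.exe on the search path together with its version-resource name and SHA-256, and any imm.dll that would satisfy the missing import. The directory list is an assumption (system32, %SystemRoot% and PATH, which on XP includes system32\wbem); the OriginalFilename check is a heuristic, since a swapped-in binary usually keeps its own resource name.

```powershell
# Added example, not from the original post: audits an XP host for the
# two RunGrpConv abuses described above. Read-only and PowerShell 2.0
# compatible; run it as the user whose logon is being examined (HKCU).
$hits = @()

# 1. The trigger: a non-zero RunGrpConv value under the user's Winlogon key
$wl = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$v = (Get-ItemProperty $wl -ErrorAction SilentlyContinue).RunGrpConv
if ($v -and ($v -ne 0)) { $hits += "RunGrpConv is set: $wl\RunGrpConv = $v" }

# Directories consulted when grpconv.exe (and its imm.dll import) are resolved;
# userinit's working directory is not known here, so that one is not covered.
$dirs = @((Join-Path $env:SystemRoot 'system32'), $env:SystemRoot) + @($env:Path -split ';') |
    Where-Object { $_ } | Select-Object -Unique

function Get-Sha256([string]$file) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($file))
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

# 2. Mechanism #1: every grpconv.exe on the search path, with identity hints.
#    A swapped-in binary usually keeps its own OriginalFilename (e.g. CALC.EXE).
foreach ($d in $dirs) {
    $exe = Join-Path $d 'grpconv.exe'
    if (-not (Test-Path $exe)) { continue }
    $vi = (Get-Item $exe).VersionInfo
    $tag = if ($vi.OriginalFilename -and ($vi.OriginalFilename -notmatch '^grpconv\.exe$')) { 'REPLACED?' } else { 'check hash' }
    $hits += "[$tag] $exe  OriginalFilename=$($vi.OriginalFilename)  sha256=$(Get-Sha256 $exe)"
}

# 3. Mechanism #2: imm.dll does not ship with XP, so any copy on the search path is planted
foreach ($d in $dirs) {
    $dll = Join-Path $d 'imm.dll'
    if (Test-Path $dll) { $hits += "[PLANTED?] $dll  sha256=$(Get-Sha256 $dll)" }
}

if ($hits.Count -gt 0) { $hits } else { 'No RunGrpConv artifacts found.' }
```

To cover other users on the box, repeat step 1 against each loaded hive under HKU:\<SID>\...\Winlogon; compare the reported SHA-256 of grpconv.exe with a copy from known-clean XP media.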

[image: RunGrpConv3]

A variant of this trick was previously described here.