Module5c - Self Defending Malware

Malware Analysis

Subject Code: FOR0010a Version 1.0 – 25/10/2021


INSTRUCTOR GUIDES MODULE 5
PART III
Course Goals
• Participants will be able to perform malware analysis with open-source
tools.
• Able to analyze and recognize malware with basic analysis
techniques, dynamic analysis techniques, and static analysis
techniques.

2
Course Objectives
Module 1:
• Able to build an isolated and controlled laboratory environment
to analyze code and behaviour of malicious programs.
• Able to list up basic analysis techniques.
• Able to explain basic flow of malware analysis.
Module 2:
• Able to use network and system monitoring tools for basic
static analysis of how malware interacts with file systems, the
registry, networks, and other processes in a Windows
environment.

3
Course Objectives
Module 3:
• Able to reveal and do basic dynamic analysis of malicious
JavaScript and other components of web pages, which are
often used by exploit kits for drive-by attacks.
• Able to control the relevant aspects of malicious program
behaviour through network traffic interception.

4
Course Objectives
Module 4:
• Able to explain code debugging and reverse engineering to
carry out effective malware analysis.
• Able to use disassemblers and debuggers to check how
dangerous Windows executables work.

5
Course Objectives
Module 5:
• Able to explain the various features/packages of self-protected
malware and other defense mechanisms designed by malware
authors to misdirect, confuse, and slow down analysts.
• Able to defend systems from various self-protected malware.

6
Prerequisites
In this course, participants learn to handle digital artifacts by
analyzing cyber incidents and computer-related crimes, so basic
knowledge of computer systems and digital storage media is required.

This module also requires assembly-language skills.

7
Content
Malware Analysis
• Pre Test
• Module 1: Basic Analysis Techniques
• Module 2: Basic Static Analysis
• Module 3: Basic Dynamic Analysis
• Module 4: Advanced Static Analysis
• Module 5: Self Defending Malware
• Post Test

8
Anti Virtual Machine
Malware authors use anti-virtual machine (anti-VM) techniques to
thwart attempts at analysis.
The malware attempts to detect whether it is being run inside a
virtual machine.
If a virtual machine is detected, it can act differently or simply not
run, causing problems for the analyst.
Anti-VM techniques are most commonly found in malware that is
widely deployed, such as bots, scareware, and spyware.
The malware typically targets the average user’s machine, which
is unlikely to be running a virtual machine.

9
Anti Virtual Machine
Multiple Protection Mechanism
Example: rep.exe
• The Reptile bot has several protection mechanisms.
• Builds on our behavioral and code analysis skills.
• Practice working with unknown protections.

10
Anti Virtual Machine
Initial Reptile Bot Analysis
• File rep.exe with md5sum edb2ade8bca0a6b82b9d160c.a4Odb8e5
• PEiD says packed with SVKP 1.3x (by Pavol Cerven)
• A potential OllyScript script exists on the Web
• It does not appear to work
• Probably have to unpack manually

11
Anti Virtual Machine
Initial File System Findings
Process Monitor, RegShot
• Don't forget to take a VMware snapshot!
• Run system monitoring tools (ProcMon).
• Take a snapshot of the system using RegShot.
• Creates and removes a temporary file removeMe4785.bat.
• Adds \system32\SVKP.sys
• Removes Desktop\rep.exe

12
Anti Virtual Machine
Initial File System Findings
Process Monitor, RegShot

13
Anti Virtual Machine
Initial Registry Findings
Process Monitor
• Enumerates VMware registry keys.
• Detecting the analysis sandbox?

14
Anti Virtual Machine
Removing VMware Tools "Signature"
• Revert to a pristine VMware snapshot.
• Remove the VMware registry keys under HKLM\Software\VMware.
• Take a new VMware snapshot.
• Take a RegShot snapshot and re-infect.
15
Anti Virtual Machine
New Behavioral Findings
• Without VMware registry keys, the specimen behaves differently.
• No longer removed from the desktop.
• Copies itself to C:\WINDOWS\win32ssr.exe
• Launches Win32Sr service

16
Anti Virtual Machine
Initial Analysis Results
• The specimen is packed.
• Process behaves differently if VMware registry keys exist.
• Automated unpacking (e.g., via OllyScript) wasn't helpful.
• Aware of analysis tools.

17
Anti Virtual Machine
Preparing OllyDbg
• Make sure OllyDbg is configured to ignore exceptions.
• Don't enable HideOD; uncheck all of its options, so that we can
manually bypass this defense for training purposes.

18
Anti Virtual Machine
OllyDbg Error Loading rep.exe
• Ignore the error message; OllyDbg is still able to load the file.
• Say "No" when OllyDbg asks about analyzing compressed code.

19
Anti Virtual Machine
Tracing Initial Flow of Execution With F8
• Repeatedly press F8 to quickly step through the initial execution flow.
• Keep an eye out for interesting strings in registers or memory.
• If stuck in a loop, "escape" by setting a breakpoint outside of it,
then press F9 to run to the breakpoint.

20
Anti Virtual Machine
kernel32._lopen
The specimen checks for common analysis tools via kernel32._lopen.
Set a breakpoint at the instruction "call kernel32._lopen" and run.

21
Anti Virtual Machine
Observe the specimen also checking for other devices associated with
common malware analysis tools, such as NTICE, Regmon and Filemon.

22
Anti Virtual Machine
Check For Analysis Tools
What if it had Worked?
• The value in EAX indicates the presence of analysis tools.
• In addition to checking for \\.\TRW, the specimen checks for:
• \\.\SICE
• \\.\NTICE
• \\.\FILEVXD
• \\.\FILEMON
• \\.\REGVXD
• \\.\REGMON
23
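As an added example (not part of the course material or of rep.exe), a small Python triage script that searches a binary image for the device names listed above and for the VMware registry path the specimen enumerates, in both ANSI and UTF-16LE form; the SAMPLE buffer is constructed for the demonstration.

```python
"""Static triage for the anti-analysis strings described in the slides: the
device names rep.exe probes via _lopen and the VMware registry path it
enumerates. Added example; SAMPLE is a constructed buffer, not rep.exe."""
import re

# Indicators taken from the slides. A hit means the sample is "aware" of
# analysis tools; it is not by itself proof of malicious intent.
DEVICE_NAMES = [r"\\.\TRW", r"\\.\SICE", r"\\.\NTICE", r"\\.\FILEVXD",
                r"\\.\FILEMON", r"\\.\REGVXD", r"\\.\REGMON"]
REGISTRY_PATHS = [r"Software\VMware"]

def _encodings(s):
    # Win32 binaries store strings as ANSI (A-APIs) or UTF-16LE (W-APIs).
    return {"ascii": s.encode("ascii"), "utf16": s.encode("utf-16-le")}

def find_indicators(image):
    """Map each indicator string to [(offset, encoding), ...] where it occurs.
    Matching is case-insensitive because authors and packers vary the case."""
    hits = {}
    for indicator in DEVICE_NAMES + REGISTRY_PATHS:
        for enc, needle in _encodings(indicator).items():
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                hits.setdefault(indicator, []).append((m.start(), enc))
    return hits

def categories(image):
    """Summarise hits as the two defence classes the slides describe."""
    found = find_indicators(image)
    out = set()
    if any(d in found for d in DEVICE_NAMES):
        out.add("debugger/monitor device probe")
    if any(p in found for p in REGISTRY_PATHS):
        out.add("VMware registry probe")
    return out

# Constructed sample: fake MZ stub, one ANSI device name, the VMware key as
# UTF-16LE and a lower-case device name. A still-packed sample (rep.exe
# under SVKP) shows none of these until it has been unpacked.
SAMPLE = (b"MZ" + b"\x00" * 30
          + b"\\\\.\\SICE\x00" + b"\x00" * 8
          + "Software\\VMware".encode("utf-16-le") + b"\x00\x00"
          + b"\\\\.\\ntice\x00")

if __name__ == "__main__":
    for name, where in sorted(find_indicators(SAMPLE).items()):
        print(f"{name:<18} {where}")
    print(sorted(categories(SAMPLE)))
```

Run it against a dumped (unpacked) image rather than the packed file, since SVKP hides these strings until the stub has run.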
Anti Virtual Machine
Check For Analysis Tools
What if it had Worked?

24
Anti Virtual Machine
Modify EAX Value
Patch to Trigger the Malware Defense
• If the defense had worked, you'd set EAX to a non-zero value.
• Hit F9 to run

25
Anti Virtual Machine
Error - Debugger/Monitoring Tools Detected

26
Anti Virtual Machine
Find OEP by Section Hop
Detect when code starts running from a different section

27
Anti Virtual Machine
Find OEP by Section Hop
The OllyDump plugin's Section Hop feature aims to locate the OEP
without many manual steps by detecting when the program switches
from running code in one memory section to another.
This symptom is often indicative of a protected executable
unpacking itself into memory and starting to run the newly
unpacked code of the original program.

28
Anti Virtual Machine
Find OEP by Section Hop
Repeat "Section Hop" to trace the specimen's "hops"

29
Anti Virtual Machine
Find OEP by Section Hop
• Helps bypass some timing defenses.
• Doesn't seem to help find the OEP for rep.exe.
• It keeps alternating between the code of rep.exe and the
libraries (kernel32.dll).

30
Anti Virtual Machine
OllyDbg SFX Feature
Help Find the OEP
• The SFX feature can help locate the OEP of a packed specimen.
• SFX stands for Self-Extracting Executables.
• It uses memory breakpoints, hoping to catch code that didn't exist
before.
• SFX bitwise is more accurate but very slow.
• SFX blockwise is faster but less accurate.
31
Anti Virtual Machine
SFX Feature Find OEP

SFX tries to detect execution outside the original code section.
It seems to find the OEP for rep.exe (at offset 415E96).
We can dump the program to find the partially unpacked code.
32
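The two heuristics described above, Section Hop and SFX's "code that didn't exist before", replayed as an added Python model over a constructed instruction trace (not OllyDbg's or the course's code); the section layout and every address other than the 415E96 reported for rep.exe are hypothetical.

```python
"""Two OEP-hunting heuristics from the slides, replayed over a constructed
instruction trace: the OllyDump "section hop" (EIP moves between sections
of the image) and the SFX-style check for code that "did not exist before"
(EIP lands in memory the program wrote earlier). Added example; the section
layout, writes and trace are constructed, not taken from rep.exe.
Trace events are ("exec", eip) or ("write", lo, hi) for a write to [lo, hi)."""

# Hypothetical layout of a packed 32-bit image based at 0x400000:
# (name, start, size). .text is filled by the packer stub at run time.
IMAGE = (0x400000, 0x430000)
SECTIONS = [(".text", 0x401000, 0x15000), (".svkp", 0x420000, 0x3000)]

def section_of(addr):
    return next((n for n, s, sz in SECTIONS if s <= addr < s + sz), None)

def first_section_hop(trace, ignore_outside_image=True):
    """First EIP whose section differs from the previously executed one. Library
    code (kernel32.dll etc.) lies outside the image; unless filtered out, the
    heuristic 'hops' on every API call, the bouncing the slides see for rep.exe."""
    last = None
    for ev in trace:
        if ev[0] != "exec":
            continue
        eip = ev[1]
        inside = IMAGE[0] <= eip < IMAGE[1]
        if ignore_outside_image and not inside:
            continue
        cur = section_of(eip) if inside else "<library>"
        if last is not None and cur != last:
            return eip
        last = cur
    return None

def first_exec_of_written(trace):
    """First EIP inside a range the program wrote earlier, i.e. freshly
    unpacked code, which is what SFX's memory breakpoints try to catch."""
    written = []
    for ev in trace:
        if ev[0] == "write":
            written.append((ev[1], ev[2]))
        elif any(lo <= ev[1] < hi for lo, hi in written):
            return ev[1]
    return None

# Constructed trace: stub runs, calls into kernel32, unpacks .text, jumps to it.
TRACE = [("exec", 0x420010), ("exec", 0x420015),
         ("exec", 0x7C801D7B),                 # inside kernel32.dll, not the image
         ("exec", 0x42001A), ("write", 0x401000, 0x416000),   # stub unpacks .text
         ("exec", 0x420020), ("exec", 0x415E96)]   # 415E96: OEP the slides report
```

With the library filter off, the first "hop" is the kernel32 call rather than the OEP, which is the alternating behaviour the slides describe; the written-then-executed check is not fooled by API calls.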
Anti Virtual Machine
Examine Anti Debugging
IsDebuggerPresent
• Once OllyDbg pauses at 415E96, there is a defensive mechanism
located at 4159F6.
• Set a breakpoint at 4159F6 -> scroll up to it or use Ctrl+G.
• Hit Run (F9) to go there.

33
Anti Virtual Machine
IsDebuggerPresent
Specimen’s Function To Detect Debugger
• HideOD would bypass this defense
• We can also patch the code
• Right-click the register window and select "View Debug Registers".

34
Anti Virtual Machine
Bypass The Defense
Changing the EAX Register
• Hit F8 to execute IsDebuggerPresent.
• Set EAX to 0 before the TEST operation.
• Step past to the JNZ at 4159FB.

35
Anti Virtual Machine
Bypass The Defense

36
Anti Virtual Machine
Patching VMWare Detection
Patching rep.exe to bypass its VMware detection defense
• Revert to a pristine virtual machine.
• Follow the steps we have demonstrated so far.
• Look for VMware registry check we saw in ProcessMonitor.
• Bypass the defense via patching.

37
Anti Virtual Machine
Patching VMWare Detection
Patching rep.exe to bypass its VMware detection defense
• Could change the environment by removing the registry keys.
• An alternative could be to avoid using VMware.
• Bypass by patching the executable:
• Patch the string it looks for.
• Patch the results of the TEST

38
Anti Virtual Machine
Set Breakpoint
• Find the instruction for the VMware registry-checking call.
• Set a breakpoint where the first ASCII-readable reference to
VMware occurs; use step into (F7).

39
Anti Virtual Machine
Set Hardware Breakpoint
• We found the ASCII-readable reference to VMware at 415998
• Set Breakpoint > Hardware, on execution at 415998
• Hit Run (F9)

40
Anti Virtual Machine
VMWare Detection

The breakpoint is set where the first ASCII-readable reference to VMware occurs.
OllyDbg pauses at the breakpoint, and we can step into the check or over it and
manipulate the results of the VMware check.
41
Anti Virtual Machine
Get To The Actual Registry Check
• Step into (F7) the call at 4159AB
• Step over (F8) until 411FF4

42
Anti Virtual Machine

43
Anti Virtual Machine

44
Anti Virtual Machine

45
Malware Defense Analysis Labs
Please see the handbook

46
Module 5 Test

Module 5 Test URL

47
Module 5 Practical Test

Module 5 Practical Test URL

48
Post Test

Post Test URL

49
Thank you
