A malware analysis challenge

From Hackfest 2020

Idea behing the challenge

I wanted to create a challenge focussed on malware analysis rather than "pure" reverse engineering challenge.
I came up with a mini track splitted in 4 challenges.
We will focuss on the last one today.

Challenge background

Challengers were giving a pcap file and this description:

I think I was attacked by a sophisticated malware! I'm pretty sure it was higly targetted! Please help me, I need to know what the malware did.

They had to analyze the pcap, understand each step and decrypt the communication with the CnC.
The CnC server is out of scope: don't attack it.

Malware infection process

We will begin at the DLL step.

How to approach this kind of challenge?

Rather than finding a password validation, we will want to ask ourselves "What does the malware do?".
We will take a look at the pcap file; as a malware will always communicate with a remote Command and Control server.
We will try to make assumptions from static analysis before digging in the assembly code.

Don't reverse engineer something if you don't have to.
It is a tedious job and we might take shortcuts.

Before we begin...

This malware is safe to run; it won't break your computer.
However, there might be memory leak and at worse, it will cause a BSOD.

Better be safe than sorry, use a virtual machine!
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Wireshark

• Look at the traffic
• Export the DLL file from the pcap file

Basic static analysis

Quick win

What's a DLL?

DLL means Dynamic-Link Library. It exposes functions to be used consumed by other binaries. These are called exports.

Ref: https://www.codeguru.com/cpp/cpp/cpp_mfc/tutorials/article.php/c9855/DLL-Tutorial-For-Beginners.htm

VS a Portable Executable

There's not much difference between PE files and DLL. A DLL will often expose a few functions meanwhile a PE file usually only exposes one.

Both have a main function. When a DLL is load, its main function is called.

You can call a DLL using rundll32.exe myDll,MyExport arg1 arg2, or regsvr32.exe myDll and more.

rundll32.exe add.dll,Add 1 2

Strings

Can we find interesting strings?

Imports

A binary will require functions to work, these must be imported.
In Linux, it would look like #include <string.h>.
It there's an import called CreateFile or ShellExecute, you can guess what the malware might do.

A malware will often try to hide what it can do; it will do dynamic imports resolution.

Dynamic analysis

Sometimes, dynamic analysis will be faster. xdbg is a free and open source for Windows. You can load and debug a DLL.

Useful shortcuts

F7: step into (goes into the function)
F8: step over (if you don't want to debug a function called)
bp Add: put a breakpoint to a specific function
bpc Add: remove that breakpoint

IDA

Useful shortcuts

<x>: to get the cross references of variables/functions
<n>: to rename a function/variable
<y>: change the type of a function/variable
<g>: goto some address
<esc>: go back
</>: add a comment in decompilation view
<;>: add a comment in disassembly view

Your turn! (~30 minutes)

Now that we've seen basic concepts, time to put it into practice

• Retrieve the dll from Wireshark (https://niclov.in/montrehack/montrehack.pcap)
• Find interesting strings
• Look at the exports
• Look at the imports: visualize what the binary can do
• There are anti-disassembly and anti-debug: have fun

Hint: https://niclov.in/montrehack/hint_PzH1.md

Slides so far: https://niclov.in/montrehack/slides_PzH1.html

Ghidra might lag: disable the decompiler