Debugging

Debugging, an interactive approach to malware analysis, enhances understanding of code behavior by enabling real-time examination. By uniting static analysis insights from tools like IDA with debugging techniques, analysts gain a holistic view of malware functionality, sandbox evasion mechanisms, and Indicators of Compromise (IOCs).

Tools for Debugging

  1. x64dbg - A debugger for analyzing and controlling 64-bit executables, complete with:

    • Disassembly View: Shows the program’s assembly code.

    • Registers and Stack View: Reveals current CPU register values and stack frame.

    • Memory Dump: Visualizes program memory for analyzing data structures and variables.

  2. INetSim - Simulates internet services in a controlled environment, enabling malware to interact with fake DNS, HTTP, and other services safely.

Setting Up Debugging in x64dbg

Loading shell.exe in x64dbg

  1. Launch x64dbg and select File > Open.

  2. Navigate to and open shell.exe.

  3. The program halts at its entry point in the disassembly view, with the default breakpoint set.

  4. To begin, press F9 or click Run.

Simulating Internet Services with INetSim

INetSim configures fake internet services, capturing and responding to network requests from the malware sample.

Configuring INetSim

  1. Edit Configuration:

    sudo nano /etc/inetsim/inetsim.conf

    • Set service_bind_address and dns_default_ip to the analysis machine’s IP address.

    • Configure DNS defaults:

      dns_default_hostname www
      dns_default_domainname iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

  2. Start INetSim:

    sudo inetsim

  3. Ensure the target machine’s DNS server setting points to the machine running INetSim.

Bypassing Sandbox Checks

Malware frequently checks for virtual or sandbox environments before execution. Here, we patch these checks in x64dbg.

Step-by-Step Sandbox Bypass

  1. Copy Address from IDA:

    • In IDA, identify the address of the cmp instruction for registry checks.

    • In x64dbg, use Go to > Expression (Ctrl+G) and enter that address to jump to it.

  2. Identify and Patch Comparison Instruction:

    • Find the cmp instruction related to Sandbox detected (e.g., address 0x4032C8).

    • Select the instruction and press Spacebar to assemble in place, changing cmp [rsp+148h+Type], 1 to cmp [rsp+148h+Type], 0.

  3. Patch Sandbox Strings in String References:

    • Use Search for > Current Module > String references to locate the Sandbox detected string.

    • Set breakpoints at the referencing addresses (e.g., 0x4032F13) and invert the conditional jumps that guard them (e.g., je to jne).

Patching and Saving the Bypassed Executable

After successful patching:

  1. Save the Patched Executable:

    • Press Ctrl+P in x64dbg and select Patch File.

The saved file bypasses the sandbox checks on every future run, so the malware’s full behavior can manifest.

Network Traffic Analysis

Capturing Malware Traffic with Wireshark

  1. Start Wireshark to capture all network traffic generated by the malware.

  2. Analyze:

    • DNS Requests: Look for lookups of domains such as ms-windows-update[.]com.

    • HTTP Requests: The malware appends the computer’s hostname to the User-Agent header.

    • HTTP Response: INetSim’s default response (for example, its default binary) is what triggers the malware’s subsequent messages.

Process Injection Analysis

Process injection is a common technique where malware injects code into another process (e.g., notepad.exe).

Setting Breakpoints for Injection Functions

  1. In x64dbg:

    • Search and set breakpoints on VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

  2. Attach to notepad.exe:

    • Open another x64dbg instance, Attach to Process (Alt+A), and select notepad.exe.

    • Monitor injected code in notepad.exe’s memory using memory dumps.

  3. Verify Shellcode Injection:

    • Examine WriteProcessMemory’s lpBaseAddress parameter to identify the injection address.

    • Copy this address into notepad.exe’s memory dump view.

  4. Inspect Injected Shellcode:

    • Run shell.exe, observe the populated memory, and save the shellcode for analysis.
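The correlation that steps 1 to 3 perform by hand (the same process handle and remote address flowing through VirtualAllocEx, WriteProcessMemory and CreateRemoteThread) can be automated over a breakpoint log. This is an added example, not code from the page or from the analysis course it describes; the trace format, field names and handle values are constructed for illustration.

```python
import re

# Constructed sample trace (not captured from shell.exe): the kind of log that
# breakpoints on the three injection APIs might produce. Values are made up.
TRACE = """\
VirtualAllocEx(hProcess=0x1a4, lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) = 0x7ff61b2c0000
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7ff61b2c0000, lpBuffer=0x23f4a0, nSize=0x1c3) = 1
CreateRemoteThread(hProcess=0x1a4, lpStartAddress=0x7ff61b2c0000, lpParameter=0x0) = 0x1b8
VirtualAllocEx(hProcess=0x1a8, lpAddress=0x0, dwSize=0x2000, flAllocationType=0x3000, flProtect=0x04) = 0x7ff61b3d0000
WriteProcessMemory(hProcess=0x1a8, lpBaseAddress=0x7ff61b3d0000, lpBuffer=0x23f4a0, nSize=0x400) = 1
"""

PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY all live in this nibble
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(0x[0-9a-fA-F]+|\d+)$")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+|\d+)")

def parse_call(line):
    """Return (api_name, {arg: int}, return_value) or None for lines that are not calls."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    name, args, ret = m.groups()
    return name, {k: int(v, 0) for k, v in ARG_RE.findall(args)}, int(ret, 0)

def find_injection_chains(trace):
    """Correlate VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread by
    (process handle, remote address). Each returned record is a region that was
    allocated, written and then started as a thread: the address to dump."""
    regions = {}  # (hProcess, remote base) -> allocation details
    chains = []
    for line in trace.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        name, a, ret = parsed
        if name == "VirtualAllocEx":
            regions[(a["hProcess"], ret)] = {"size": a["dwSize"], "protect": a["flProtect"], "written": 0}
        elif name == "WriteProcessMemory":
            region = regions.get((a["hProcess"], a["lpBaseAddress"]))
            if region is not None:
                region["written"] += a["nSize"]
        elif name == "CreateRemoteThread":
            key = (a["hProcess"], a["lpStartAddress"])
            region = regions.get(key)
            if region is not None and region["written"] > 0:
                chains.append({"hProcess": key[0], "base": key[1], "bytes_written": region["written"],
                               "executable": bool(region["protect"] & PAGE_EXECUTE_MASK), "thread": ret})
    return chains

if __name__ == "__main__":
    for c in find_injection_chains(TRACE):
        print(f"hProcess={c['hProcess']:#x} dump at {c['base']:#x} ({c['bytes_written']} bytes, executable={c['executable']})")
```

The second handle in the sample (0x1a8) is allocated and written but never started as a thread, so it is not reported; on the real trace, a region like that is still worth dumping, since it may be staged for a different execution primitive.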
