Code Analysis
Reverse Engineering allows analysts to understand a malware’s functionality and behavior by dissecting its compiled machine code. This often involves converting machine code into assembly language and interpreting the operations without executing them.
In code analysis, we aim to:
Disassemble the code to review structure and logic without triggering any actions.
Identify key functions and potential Indicators of Compromise (IOCs).
Explore control flow for critical functions, such as sandbox detection and persistence mechanisms.
Tools for Code Analysis
Disassemblers - Used for static analysis of machine code (e.g., IDA, Ghidra, Cutter).
Debuggers - Enable interactive code execution and control (e.g., x32dbg, x64dbg, OllyDbg).
Code Analysis Example: Analyzing shell.exe
The shell.exe malware sample demonstrates various techniques, such as sandbox detection and process injection, which can be decoded via disassembly in IDA.
Importing and Disassembling shell.exe in IDA
Load shell.exe into IDA:
Open IDA as an administrator.
Load the executable and let IDA analyze the binary.
Navigate Views:
Graph View: Visualizes function control flow, helping to identify execution paths and relationships.
Text View: Presents the assembly code line-by-line with memory addresses, useful for detailed instruction review.
Key Analysis Areas
Identifying Main Function:
IDA’s start function shows initial setup. Track calls and jumps to find the main function.
This may include initialization tasks and setup of stack frames.
Sandbox Detection Techniques:
The shell.exe sample queries the registry for VMware Tools (indicative of a virtual environment). The RegOpenKeyExA and RegQueryValueExA functions in the disassembly reveal registry-based sandbox detection.
IDA reveals the function path:
    lea rdx, aSoftwareVmware        ; pointer to the "SOFTWARE\VMware, Inc.\VMware Tools" string
    mov rcx, 0FFFFFFFF80000002h     ; HKEY_LOCAL_MACHINE (0x80000002 sign-extended to 64 bits)
    call cs:RegOpenKeyExA
Possible IOC: SOFTWARE\VMware, Inc.\VMware Tools registry path.
Timing Mechanisms:
Calls to GetSystemTimeAsFileTime, GetCurrentProcessId, and QueryPerformanceCounter may indicate timing mechanisms, possibly for sleep delays or checks.
IDA also displays sleep instructions or delay loops that the malware may use to evade detection.
Network Connections:
The shell.exe sample uses getaddrinfo and WSAStartup for internet-related operations. It may check for network connectivity to avoid sandbox restrictions.
Example IOC: domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
Persistence Mechanisms:
The sample writes entries into the Windows registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.
Potential IOC: registry key path with an entry for svchost.exe under WindowsUpdater.
Process Injection:
shell.exe spawns a notepad.exe process, allocating memory within it using VirtualAllocEx, and injects shellcode using WriteProcessMemory followed by CreateRemoteThread.
Injection functions observed:
    call VirtualAllocEx         ; reserve memory in the target process
    call WriteProcessMemory     ; copy the shellcode into that memory
    call CreateRemoteThread     ; start a thread at the injected code
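As an added example (not part of the original notes), a small Python triage helper that encodes the findings of this section: it decodes the sign-extended hive constant seen in the RegOpenKeyExA call, groups imported APIs into the behaviours described above, and defangs network IOCs. The import and string lists are constructed from these notes, not extracted from the real shell.exe; the cluster names are my own labels.

```python
import re

# Predefined registry hive handles from winreg.h. IDA shows them sign-extended to
# 64 bits, which is why the RegOpenKeyExA call site loads 0FFFFFFFF80000002h.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Behaviour clusters from the analysis above: a cluster is reported only when
# every API in it is imported, which avoids single-API false positives.
BEHAVIOURS = {
    "sandbox_detection": {"RegOpenKeyExA", "RegQueryValueExA"},
    "timing_check": {"GetSystemTimeAsFileTime", "QueryPerformanceCounter"},
    "network_check": {"WSAStartup", "getaddrinfo"},
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
FILE_EXTS = {"exe", "dll", "sys"}  # file names share the bare-domain shape

# Constructed sample input, taken from the findings in these notes.
SAMPLE_IMPORTS = {"RegOpenKeyExA", "RegQueryValueExA", "GetSystemTimeAsFileTime",
                  "GetCurrentProcessId", "QueryPerformanceCounter", "WSAStartup",
                  "getaddrinfo", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
SAMPLE_STRINGS = [r"SOFTWARE\VMware, Inc.\VMware Tools",
                  r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                  "http://ms-windows-update.com/svchost.exe", "notepad.exe", "WindowsUpdater"]


def decode_hkey(operand: str) -> str:
    """Map an IDA-style immediate such as '0FFFFFFFF80000002h' to its hive name."""
    value = int(operand.rstrip("hH"), 16) & 0xFFFFFFFF  # drop the sign extension
    return HIVES.get(value, f"unknown hive 0x{value:08X}")


def defang(ioc: str) -> str:
    """Defang a domain or URL so it is not clickable when pasted into a report."""
    return ioc.replace("://", "[:]//").replace(".", "[.]")


def is_network_ioc(s: str) -> bool:
    if s.lower().startswith(("http://", "https://")):
        return True
    return bool(DOMAIN_RE.match(s)) and s.rsplit(".", 1)[-1].lower() not in FILE_EXTS


def triage(imports: set, strings: list) -> dict:
    """Return the behaviour clusters and defanged IOCs present in the sample."""
    behaviours = {name for name, apis in BEHAVIOURS.items() if apis <= imports}
    iocs = []
    for s in strings:
        if s.endswith(r"\VMware Tools"):
            iocs.append(("vm_artifact_key", s))
        elif s.endswith(r"\CurrentVersion\Run"):
            behaviours.add("persistence")  # Run-key write observed in the sample
            iocs.append(("persistence_key", s))
        elif is_network_ioc(s):
            iocs.append(("network", defang(s)))
    return {"behaviours": sorted(behaviours), "iocs": iocs}
```

Run `triage(SAMPLE_IMPORTS, SAMPLE_STRINGS)` to see all five behaviours reported with the defanged IOCs; feeding it a real sample's import table and string dump (for example from IDA's Imports and Strings windows) is the intended use.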
Using IDA’s Function Flow and Xref Graphs
Generating Function Call Flow Graph:
IDA can visualize inter-function relationships via View → Graphs → Function calls.
Function-specific graphs: Right-click in disassembly view, select either Xrefs graph to... or Xrefs graph from... to see specific function calls.
Debugging Strategy for shell.exe
Setting Breakpoints:
Place breakpoints on key API calls (e.g., RegOpenKeyExA, VirtualAllocEx).
Execution Flow Control:
Step through code execution to observe behavior in real-time, validating suspected sandbox checks or persistence mechanisms.
Dynamic Analysis Follow-up:
Debugging after disassembly allows validation of initial findings and confirms IOC behaviors.
Key IOCs Identified
Registry-Based Sandbox Detection:
SOFTWARE\VMware, Inc.\VMware Tools
Network Connectivity Check:
Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
IP Address: 45.33.32.156
Port: 31337
Persistence Technique:
Registry Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Executable: svchost.exe in TEMP directory.
External Network Resource:
URL:
http[:]//ms-windows-update[.]com/svchost[.]exe