Reverse Engineering (manual unpacking) Kronos Banking Trojan

This blog post will walk you through how to identify and extract the encrypted contents hidden in the resource section of the Kronos malware. It is not an uncommon technique for malware authors to make analysis difficult by using encryption and hiding the real malware in the resource section.

Tools used:

pestudio (initial static analysis)

signsrch (identify encryption)

hxd (static analysis)

x64dbg (disassembler)

Read the disclaimer in the previous post (unpacking bokbot) before proceeding. You will be using a real malware sample that should be run in a controlled environment (sandbox) without access to internal or external networks. I am not responsible for any damage(s) caused.

Hash:

MD5- 2a550956263a22991c34f076f3160b49

Analysis:

Static analysis of the Kronos malware using PEStudio shows a suspicious resource section that is called J, is over 306 KB in size and has a high entropy level, which means it is encrypted or packed.

Dump the file with the unknown signature as a raw file.

Open the raw file in the hex editor (HxD) to see the file contents in the ASCII and hex views; the contents certainly look encrypted.

Take note of the first few bytes of the file header for cross-reference in process memory when Kronos is debugged. Next, use the signsrch tool to check which encryption or compression algorithms are used in the malware. As we observe in the image below, the malware uses the Tiny Encryption Algorithm (TEA) and has an anti-debugging API call that checks whether it is being debugged.

Next, load the malware into the x64 debugger and search for the second TEA constant in memory (in the CPU window, right click > Search for > Current module > Constant, and paste the constant). Double click on the result; it will take you back to the CPU window, where you place a breakpoint (F2) on that instruction.

After placing the breakpoint, press F9 to run the malware. The debugger will halt at the breakpoint. With TEA, EAX is used to store the key that encrypts or decrypts the malware and EDX is used to store the message being encrypted or decrypted. Go to the registers window and check the contents of the EDX register by right-clicking on it and choosing Follow in Dump.

In the dump window, we see that the unknown resource (J) section has been loaded into memory. As the breakpoint is still set, keep running the malware (F9) and you will see the decryption slowly take place in the dump window.

As it would take forever to decrypt the malware byte by byte, scroll down through the instructions in the CPU window to find the ret 8 instruction (the return that exits the decryption routine), set a breakpoint on this ret 8 instruction, then remove the breakpoint that was set on 0041FB10 from the TEA constant.

Next, run the malware (F9); it should stop at the ret 8 breakpoint and the malware will be decrypted (see the dump window).

Next, remove the breakpoint at the ret 8 instruction and press F8 (step over) to break out of the loop that ends at ret 8, set a breakpoint on the next instruction (mov esp, ebp) after/outside the loop, and then run the malware (F9).

The debugger will run and stop at the new breakpoint. Then follow the dump (from the dump window) in the memory map and select Dump Memory to File in order to dump the loaded and decrypted unknown J resource.

Next, open the dumped file in the HxD hex editor and look for the hex value 4D 5A, which is ASCII for MZ, the header that marks the presence of an executable. Remove the content above 4D 5A (MZ) and save it as a new executable; this is the actual Kronos executable in its raw state.
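As an added example (not code from the original post or from the Kronos sample), the decryption the debugger was stepping through and the MZ carving done by hand in HxD can be reproduced offline. It assumes standard TEA (32 rounds, 128-bit key, ECB over 8-byte little-endian blocks); the sample's own loader may differ in rounds, key schedule or byte order, and the key and buffer below are constructed test data, not values taken from the sample.

```python
import struct

DELTA = 0x9E3779B9   # TEA round constant, the value signsrch keys on
MASK = 0xFFFFFFFF
ROUNDS = 32          # standard TEA; decryption starts its sum at DELTA*32 = 0xC6EF3720

def tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea_ecb(data, key16, decrypt):
    """Apply TEA block by block (ECB, little-endian words, as an x86 loader would)."""
    k = struct.unpack("<4I", key16)
    fn = tea_decrypt_block if decrypt else tea_encrypt_block
    out = bytearray()
    for i in range(0, len(data) - len(data) % 8, 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *fn(v0, v1, k))
    return bytes(out) + data[len(out):]   # trailing partial block is left as-is

def carve_pe(buf):
    """Return buf from the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return buf[pos:]
        pos = buf.find(b"MZ", pos + 1)
    return None

# Constructed sample: junk bytes, then a minimal MZ/PE skeleton, TEA-encrypted with a test key.
KEY = bytes(range(16))
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 20
RESOURCE = tea_ecb(b"\xAA" * 16 + FAKE_PE, KEY, decrypt=False)

if __name__ == "__main__":
    pe = carve_pe(tea_ecb(RESOURCE, KEY, decrypt=True))
    print("carved %d bytes starting with %r" % (len(pe), pe[:2]))
```

Checking the PE signature through e_lfanew, rather than stopping at the first 4D 5A, avoids carving at a stray "MZ" that happens to occur in the decrypted data.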

Next, load the new executable (Kronos) into the x64 disassembler and check the strings in it (CPU window, right click > Search for > Current module > String references). We see %BOTID%, which indicates bot and C2 related activity, a localhost IP, HTTP GET, and also that Kronos maintains persistence by making an entry in the Run key.

You can also use PEStudio to check the strings and API imports. Dynamic analysis of the PE can further yield the network IOCs (IPs and domains) that need to be blocked in a corporate environment.

Shout out to @cybercdh, MalwareAnalysisForHedgehogs and OA labs for their pioneer work.