# Lab1-3 Analysis

## Virus Total Search

Name: TrojanClicker:Win32/Tnega.3bb840a6

## Obfuscation

Packer: FSG 1.0

Unpacking it with unipacker: https://github.com/unipacker/unipacker

```
#unipacker
[0]  New sample...    

Enter the option ID: 0
Please enter the sample path (single file or directory): ./Lab01-03.exe

Next up: Sample: [FSG] ./Lab01-03.exe
>>>aaa
File analysis:
YARA:                       pe32, fsg       
Chosen unpacker:            FSGUnpacker     
Allowed sections:           sect_1, sect_2  
End of unpacking stub:      unknown         
Section hopping detection:  active          
Write+Exec detection:       inactive        

PE stats:
Declared virtual memory size:  0x17000                
Actual loaded image size:      0x5200                 
Image base address:            0x400000               
Mapped stack space:            0x00      -  0x100000  
Mapped hook space:             0x104000  -  0x105000  

Static imports:
0x104004    LoadLibraryA    kernel32.dll  
0x10400c    GetProcAddress  kernel32.dll  
0x73df20d0  LoadLibraryA    kernel32.dll  
0x73e02870  GetProcAddress  kernel32.dll  
0x755e57b0  LoadLibraryA    kernel32.dll  
0x755e4ee0  GetProcAddress  kernel32.dll  

Dynamic imports:
0x73e089f0  VirtualProtect  kernel32.dll  
0x73dd4600  VirtualAlloc    kernel32.dll  
0x73dd4ae0  VirtualFree     kernel32.dll  
0x755e6760  VirtualProtect  kernel32.dll  
0x755e66a0  VirtualAlloc    kernel32.dll  
0x755e6700  VirtualFree     kernel32.dll  

Register status:
EAX = 0x405000
EBX = 0x201000
ECX = 0x405000
EDX = 0x405000
EIP = 0x00
ESP = 0x80000
EFL = 0x246
EDI = 0x405000
ESI = 0x405000
EBP = 0x80000
```

### Unpack it

```
>>>r
...
Fixing sections
Size of raw data (): 0x00, fixed: 0x3000
Size of raw data (): 0x28c, fixed: 0x1000
Size of raw data (): 0x200, fixed: 0x12000
Set IAT-Directory to 0 (VA and Size)
RVA to import table: 0x9000
Totalsize:0x17000, VirtualMemorySize:0x17000, Allocated chunks: []
Fixing SizeOfImage...
Fixing Memory Protection of Sections
Fixing protections for:  with (False, True, True)
Fixing protections for:  with (False, True, True)
Fixing protections for:  with (False, True, True)
Fixing Checksum
Dumping state to unpacked.exe
```

For some reason the dumped `unpacked.exe` will not load in r2; it returns the error: "Can't find entry point".

## Imports analysis

Found string: http://www.malwareanalysisbook.com/ad.html

Imports:

```
[0x00401090]> ii
[Imports]
   1 0x00402048    NONE    FUNC ole32.dll_OleInitialize
   2 0x0040204c    NONE    FUNC ole32.dll_CoCreateInstance
   3 0x00402050    NONE    FUNC ole32.dll_OleUninitialize
   8 0x00402038    NONE    FUNC OLEAUT32.dll_VariantClear
   2 0x0040203c    NONE    FUNC OLEAUT32.dll_SysReAllocString
   6 0x00402040    NONE    FUNC OLEAUT32.dll_SysStringLen
   1 0x00402000    NONE    FUNC MSVCRT.dll___getmainargs
   2 0x00402004    NONE    FUNC MSVCRT.dll__controlfp
   3 0x00402008    NONE    FUNC MSVCRT.dll__except_handler3
   4 0x0040200c    NONE    FUNC MSVCRT.dll___set_app_type
   5 0x00402010    NONE    FUNC MSVCRT.dll___p__fmode
   6 0x00402014    NONE    FUNC MSVCRT.dll___p__commode
   7 0x00402018    NONE    FUNC MSVCRT.dll__exit
   8 0x0040201c    NONE    FUNC MSVCRT.dll__XcptFilter
   9 0x00402020    NONE    FUNC MSVCRT.dll_exit
  10 0x00402024    NONE    FUNC MSVCRT.dll___p___initenv
  11 0x00402028    NONE    FUNC MSVCRT.dll__initterm
  12 0x0040202c    NONE    FUNC MSVCRT.dll___setusermatherr
  13 0x00402030    NONE    FUNC MSVCRT.dll__adjust_fdiv
```

Imports 1-3 come from the Microsoft COM library (ole32.dll); CoCreateInstance is the entry point for instantiating a COM object, including an out-of-process "service".
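As an added triage helper (not part of the original lab report), the script below parses an r2 `ii` listing like the one above, groups imports by DLL and flags the two patterns this report relies on: an IAT that holds only LoadLibraryA/GetProcAddress (the still-packed FSG stage, reconstructed here as constructed sample lines with made-up addresses) and the ole32/OLEAUT32 combination that marks a COM client. The heuristics and their wording are my own assumptions, not r2 or unipacker output.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the r2 `ii` listing of the unpacked binary.
UNPACKED_II = """\
[Imports]
   1 0x00402048    NONE    FUNC ole32.dll_OleInitialize
   2 0x0040204c    NONE    FUNC ole32.dll_CoCreateInstance
   3 0x00402050    NONE    FUNC ole32.dll_OleUninitialize
   8 0x00402038    NONE    FUNC OLEAUT32.dll_VariantClear
   2 0x0040203c    NONE    FUNC OLEAUT32.dll_SysReAllocString
   6 0x00402040    NONE    FUNC OLEAUT32.dll_SysStringLen
   1 0x00402000    NONE    FUNC MSVCRT.dll___getmainargs
"""

# Constructed sample in the same format for the still-packed stage: the FSG stub
# keeps only the two functions it needs to rebuild the real IAT (addresses made up).
PACKED_II = """\
[Imports]
   1 0x00401000    NONE    FUNC KERNEL32.dll_LoadLibraryA
   2 0x00401004    NONE    FUNC KERNEL32.dll_GetProcAddress
"""

# r2 prints each import as "<ord> <vaddr> <bind> <type> <lib>.dll_<function>".
LINE_RE = re.compile(
    r"^\s*\d+\s+0x[0-9a-f]+\s+\S+\s+\S+\s+(?P<lib>.+?\.dll)_(?P<func>\S+)\s*$",
    re.IGNORECASE,
)


def parse_r2_imports(text):
    """Group an r2 `ii` listing into {dll (lower-case): [function, ...]}."""
    by_dll = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            by_dll[m.group("lib").lower()].append(m.group("func"))
    return dict(by_dll)


def triage_imports(text):
    """Return the grouped imports plus analyst-oriented findings (heuristics assumed)."""
    by_dll = parse_r2_imports(text)
    funcs = {f for fs in by_dll.values() for f in fs}
    findings = []
    if funcs and funcs <= {"LoadLibraryA", "GetProcAddress"}:
        findings.append("minimal IAT: imports resolved at runtime, consistent with a packer; unpack first")
    if {"OleInitialize", "CoCreateInstance"} <= funcs:
        findings.append("COM client: CoCreateInstance instantiates a COM object, possibly out-of-process")
    if funcs & {"SysReAllocString", "SysStringLen", "VariantClear"}:
        findings.append("OLEAUT32 BSTR/VARIANT handling: string arguments passed to an automation interface")
    return {"by_dll": by_dll, "findings": findings}
```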

## Host / Network activity

Originally I was not able to get all functions (because of issues with FSG 1.0 packaging), but it looks like a COM service injection.

- This URL was found in the strings dump: http://www.malwareanalysisbook.com/ad.html; most probably the service performs requests to this URL.