In part 1 of this series, we covered basic computing terminologies and learned about assembly and disassemblers, essential tools for reversing malware samples. Understanding different malware capabilities and implementations is crucial for reverse engineers.
Malware targeting Windows is often packed and delivered as a second stage, using various methods. This blog will explore key concepts and examples of how malware is packed, obfuscated, delivered, and executed on endpoints.
Topics covered in this blog include:
- Basic terms explaining how malware is delivered to endpoints
- A deep dive on packers – what they are, how they work, and how to identify packed samples
- Hands-on analyses of packed malware samples
Basic Terminology for Reverse Engineers to Know
An executable file can hide its true code through encryption or compression. Tools like packers, crypters, protectors, and loaders are used for this purpose. While legitimate vendors use these tools for protection, threat actors use them to evade detection and complicate the analysis process.
What’s a Packer?
Packers compress the payload to reduce disk space. Malware developers use packers to make malicious payloads smaller and avoid detection by static analysis techniques.
Examples:
- UPX (open-source)
- MPRESS (free)
- Andromeda (custom packer)
What’s a Crypter?
Crypters encrypt the payload to evade detection by security tools using signatures or keywords.
Examples:
What’s a Protector?
Protectors encrypt the payload, obfuscate imports, implement anti-debugging, and anti-reversing techniques to make analysis difficult.
Examples:
- Themida
- Enigma Protector
- VMProtect
What’s a Loader?
Loaders extract and execute packed malware. They can also download the payload from a remote location and set up persistence for the malware.
Tools like Morphine combine functionalities of packers, crypters, protectors, and loaders to complicate analysis.
Deep Dive Into How Packers Work and Detection
How do Packers Work?
Packers compress or encrypt the original executable and add a new PE header and a stub for decompression. The packed file contains packed content, a new PE header, and a stub.
The stub decrypts or decompresses the original file, relocates the entry point and Import Address Table (IAT), and modifies the PE header to create a valid executable.
How to Detect Packed Files
1. Static Detection
Check the entropy of file sections – high entropy indicates packing. Tools like PEStudio, DiE, and CFF Explorer can help detect packed samples.
Here is another free tool that can be useful in these stages and beyond: radare2.
Packed samples often have minimal imports as they do not depend on external libraries like other programs. A low number of imports in a file strongly suggests the presence of another component that is dropped or loaded. However, malware developers may add “dummy” imports to deceive researchers.
For a reverse engineering example, let’s consider the static unpacking of UPX packed samples. Standard UPX packed samples can be identified by their section names, as long as they have not been altered by attackers. By using the UPX command line utility, you can extract the packed payload from a sample with MD5 5598febfbf00839c9f7047d9fe3205e3.
When dynamically analyzing a packed file to extract the payload, functions like API calls and debuggers can be helpful. API calls such as VirtualAlloc, VirtualProtect, and CreateProcessInternalW are commonly used by packers to perform memory allocation, permission changes, and process creation. These system calls can be identified in the list of imported functions, but malware authors may attempt to conceal them through dynamic loading.
Debuggers like OllyDbg, Windbg, and x64dbg are powerful tools for debugging Windows executables and DLLs, allowing you to control the program’s execution, view registers, stack, and memory, and observe runtime code execution. Debugging malware can reveal hidden code and help in understanding how strings and payloads are deobfuscated and constructed.
In the next section, a guide will be presented on extracting packed malware from CobaltStrike and Locky. It is recommended to perform these examples in an isolated Windows virtual machine. The video demonstrates the process of generating a Cobalt Strike payload, analyzing the assembly, dynamically executing the stager to fetch the payload, scanning the endpoint for in-memory genetic analysis, and parsing the Beacon configuration.
The analysis of the Locky ransomware is discussed in the subsequent section.
Tools used for reverse engineering in these analyses include:
1. Windows virtual machine
2. x32 debugger
3. Radare2
4. Command line commands: file, strings, shasum
In this scenario, a packed sample of Locky ransomware is inspected. While Intezer automatically identifies the packed file and extracts the payload, the manual extraction process is demonstrated.
Static analysis involves checking the entropy of the section using radare2 and running the strings command on the sample. The output indicates that the sample is likely packed, prompting a transition to dynamic analysis using the x32dbg debugger.
Dynamic analysis involves setting breakpoints on VirtualAlloc and VirtualProtect API calls. The program is run, and breakpoints are triggered at various stages, allowing the extraction of the unpacked executable from memory.
The extracted payload, identified as Locky ransomware, is then dumped to a file for further analysis. The MD5 of the extracted payload is e96dad009437ca774035ffd73708bd3e, confirming it as the Locky ransomware malware.
Automating the unpacking process for every file is essential for security teams, as manual reverse engineering may not be feasible for large quantities of files. Are you struggling with the time and skills needed to reverse engineer the packed and obfuscated files that your SOC team encounters? Intezer has the solution for you. Our automated alert triage and response process works seamlessly with your endpoint security solution to identify packed files, extract the payload, and provide autonomous or guided remediation. By using Intezer, you can free up valuable time and resources to focus on the threats that truly require your attention. Book a demo today to see how Intezer can handle reverse engineering tasks for every alert. given sentence.
She was so tired that she fell asleep instantly.
-> She was extremely exhausted and immediately drifted off to sleep.
