Malware Triage Analyzing PrnLoader Used To Drop Emotet

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Amazing stuff. All of this for a loader seems... quite fancy.

I find the developers' taste in porn a bit disturbing/strange, but maybe they're having fun with anyone who reverse engineers it.

👍︎︎ 3 👤︎︎ u/[deleted] 📅︎︎ Dec 10 2020 🗫︎ replies

Captions

[Music] hi folks and welcome to oath analysis live we're back finally a few months in hiatus but today i think we have something pretty interesting for you guys i'm going to be talking about a loader that was used to load emitted so this was an intermediate stage that was dropped after a malicious document was executed this middle stage was dropped and it was actually used to load emma's head which is itself a loader pretty convoluted but we're gonna be talking about this middle stage and it's very interesting probably one of the more unique loaders that i've seen i've dubbed it porn loader and you'll see why if you stick around before we get to that i feel like i owe you a small explanation as to why we've been away so i've moved as you can see behind me new office and we're also doing renovations here so it's taking up all my time also i i didn't put this out there but unfortunately our other bulldog passed away a few months ago the snuffly guy used to sleep in the back of some of my videos and we have a new bulldog which has a thousand percent more energy than our old guy and uh he's just basically taken up all my time that with the renovations but hopefully i'll be posting back a little bit more routinely as i kind of get on top of some of these uh personal things so with that let's jump into the sample and i'll show you why it took my fancy so i actually came across this because of david ledbetter from twitter as avid user of unpack me unpack me a malware unpacking service from open analysis expose the malware before it exposes and he sent me the sample saying hey you don't unpack this take a look at it and so i did and let me show you what i found here if we pull up our unpacking results here we can see we've uploaded the sample here and we do have an unpacked child and it looks okay i mean there's no imports for it so that's kind of usually a sign that there's something a little bit wonky but you know it looks okay when i download it though and take a look at it in ida i can see there's something is very messed up so let's show you that right now so if we load up the child sample here you can see that there's some issue here where it's not able to translate relative address if we continue we load it up and we can see it's it's just totally garbage so clearly we unpack something that looks like a pe file but it's not quite correct it's not a it's not a real pe file so it has the same structure but something's definitely wrong so this made me want to investigate the parent sample a little bit more and try and figure out what was going on so if we take a look at the parent sample here we can see that somebody had actually uploaded it to any run very good sandbox awesome tool if you guys are looking to quickly triage malware so you can see that they uploaded a doc file and when the doc file was run it ended up spawning a few processes so we have this start util.exe was triggered from windward to run it then we have run dll32 which drops this which is obviously being used to run dll and then that drops um this temp file that's in exe and executes it now the one that we're particularly interested in is this run dll32 let's go to the full run here so then we can see here run dll32 is used to run this pdf obviously a dll and they're passing it the i n export so this is just this is the standard syntax for run deal 32 you have the dll followed by a comma followed by the export that you want to execute so we're assuming this kshsh1.pdf file is a dll and then this actually drops that temp file so if we look at the hash for the ksh1k ksh1 pdf file um we can see that the hash of it is actually the same hash as the file that was uploaded to unpack me now what's the best way to show this so if we go to files here and if we click on the executable it's going to show you that hash here fb07 whatever so you can see that's the same hash as the one that was uploaded to unpack me so just a quick bit of context for you guys to see where this came from so this was like i said an intermediate stage we had a malicious document you can see here it was being executed that did some stuff and then there's this middle stage which is the dll and then that dropped this temp e4 whatever.exe so now that we have that context uh let's actually take a look at this intermediate file in ida and see if we can figure out what's going on with it coronavirus corona we saw there was probably a pe file of some sort some sort of structure pd file in it that we were able to extract with unpack me but it wasn't a valid p file if we look at this one last thing to look at before we uh before we open up an ida we can see there are some resources in this file and there's an rc data resource and it's pretty big you can see here usually when i see that and it's a packed file or it's a file that is like a loader and i see an rc data resource that's pretty large i usually assume that that's where the pax pe file is going to be so i'm going to check that out when i first open up the file in in my tool suite in windows so i'm going to show you guys the resources and also take a look at in ida so let's pop over here um we'll load it up in ida okay so it's a dll so we're going to look at the exports and we can see here there is an ion export just like what we saw in any run so that's the one that we want to check out here now you can see they do actually find resource load resource so they're actually pulling something out of the resources just like i suspected so what we can do here is let's open resource hacker it's a favorite tool for looking at pe resources here and let's take a look at this rc data resource okay so something very interesting it looks kind of like a pe file so you can see like the dos string here we can see that actually the first byte is an m but then instead of m z we have m n uh very interesting so it looks like this is some sort of obfuscated or lightly encrypted pa file in the resources so now we expect that this loader is probably decrypting that pe file and loading it now at this point the process is pretty clear we're gonna have to go through and figure out how they're actually loading the pe file but something is making my little radar tingle here something's um so we ran it through unpack me unpack me which you know it's pretty good at unpacking stuff and we unpacked something that looks like this pu file but it wasn't quite correct now if this loader was a simple you know decryption routine that decrypted this resource as a p file and then ran it i would expect that unpack me should unpack it so the fact that it didn't unpack a valid p file is telling me something uh is going on here that i want to look into and it definitely is which is why i'm making this video so um probably what i'm gonna do here is i'm going to pop over into our x-rays view um because it'll be easier to see the decompiled code so i'm just going to press f5 here and this is actually going to be a good tutorial for what to do when you see something like this so a decompletion failure with ida is probably one of the most annoying failures you can have so if you say okay it didn't decompile it so this means that ida isn't able to determine the function setup properly and so we can't decompile it it means that either it's off with the arguments on the stack or the calling convention is wrong or something's wrong here so what we want to do is we want to fix the calling invention and the number of arguments to make sure that it's correct how do you do that if you are lazy the best way to do it is to try and get ida to decompile some of the functions that are within the function that won't decompile to hopefully try and set the number of arguments correctly for that function itself and i'll show you the way to do this so basically what you want to do is you want to find your call functions here you want to pop into them and see if they'll decompile so f5 this now that's failed so we want to go a little bit deeper and see if there's anything in here that we can decompile so let's f5 this so that decompiles it looks like this is just a setup um like a class set up our pseudo code here so let's pop back it's f5 and see if we can do xrefs so press x for xrefs and see if we can decompile uh the functions that called this function so it might fail um but it looks like it worked in this case hell yeah hell yeah so we're able to by decompiling those functions that were called by this function we were able to kind of reset the number of arguments and rearrange the stack for the parent function and then that was able to kind of reset this a little bit now if we go back and we do an extra up here and then we can decompile this was the main export that we're just looking at and you can see here it's going to complain i was going to complain and normally if i was being careful i would try and figure out why this happened but i'm i don't really care because we have the um we have enough to go on here to analyze the sample okay so i'd like to arrange my item windows so that the assembly and the decompiled view are side-by-side and i like to synchronize them and i also like to view the assembly and the textview format so i can see the offsets and is this just a better way to view it if you're viewing them side by side so let's go back here to our in export and now we have a nice side-by-side view with the assembly and the decompiled code here so you can see what i was showing you earlier where they're trying to get the resources they loaded resource they lock it and they copy the contents of it into this var 15. so we're going to call this we're going to rename it with the n key and var resource data okay now if we look down here we can see it looks like it's being written out to a file and it looks like the file name is where we see this uh create file the file name right here is temp e47 blah blah blah dot exe so just like what we saw in any run so it looks like we're getting closer to the answers here so they're writing out that something to that file.exe and then they're creating a process for it so they're launching it so that's how they're actually executing the payload now we want to find out what they actually write into the file so they are writing this resource data in which like i just showed was that sort of malformed pe but they must be doing something with it before they write it out otherwise it would be a null form pe and it wouldn't run so there must be something going on here and we can see there's three functions that we need to take a look at that are called before they write the file now you might be wondering well they don't pass this var resource data into any of these functions but remember the function calls were messed up when we decompiled it so we can't really infer anything by these arguments they could be wrong we need to actually take a look at the functions first and that may fix up the arguments we could see that this is being passed to one of them so let's take a look at the first one here which you guys saw a second ago if you watch me decompiling um and in this one we'll move this over so you can have a better view this is where porn loader gets its name from so um looks like they're doing a pretty standard call out to basically grab a web page here they're doing an internet open url and uh this is this is very strange so it looks like they're setting up a buffer here and instead of just clearing the buffer or setting it to nulls they have this very bizarre setup where they where they set it all to nulls in a big array um and it just i think this might have been what was causing the um decompos decompiler failure um it's just crazy so i'm just scrolling down to the bottom here yeah anyway why why they did it i don't know i i don't know whether it's a compiler optimization that's going wild or whether somebody actually did that i'm not sure anyway so once they open that url to that site they read the file in they there's the file they if you're unsure if you're wondering like how did i know that's the buffer you can hover over it and it's going to show you uh ida will hopefully show you the argument so you know the first one is the handle and then the next one is the buffer and you can hover over it and i'll show you that's the buffer so we're going to name this var url buff and so they're basically reading in that buffer and they're doing something with it here which i believe is moving it over into another buffer yeah so they're copying it over and copying it over into this guy here which they are then copying into here so this is a little bit convoluted and i'm not going to go into the details of why they're doing it mainly because i don't want to take the time to figure it out myself but basically they're using one buffer to read the stream of internet data in a loop this whole thing here is a big loop and they're reading in chunk by chunk of that buffer they're then copying it into another buffer and then they're copying it into this final buffer which they're going to do some work on so what kind of work are they doing well let's take a look at the data first you can already probably guess what they're doing here but let's take a look at the data from that html page first so what they're doing is they're grabbing this page right here and they're grabbing it just the raw html so why don't we grab the raw html as well so let's do a curl for this and we'll paste it into into this file.txt i'll just make it a text file for now and we can change it to html if we want once we take a look at it so let's take a look at it in vi so we can see that it is html and it's just a big long string no line breaks or anything like that and we can see right here file this this little setup of json for the sources and if we look back at our idea here something caught my eye let's look once they have that html code they're passing this in sources file and then they're passing this in i think that this is trying to get the location of this string and this string in the html and if we take a look here it is it's thirster so that's finding the string within the buffer the location of the string within the buffer so let's just name that and we'll pop back here so this is going to be offset to the url that they're trying to locate this is going to be the var name var and the url and if you're wondering why i'm calling it a url let's take a look at that html again so here's where they're starting that's where they're doing finding the first offset to what's this well it's actually a big url string and then they've used the label close quote comma label to find the end of it so this is the string that they're actually looking for in the html code so let's copy that out and let's use wget to grab that it looks like an mv4 video and it's going to take a little while to download here and while it downloads let's take a look at what they're doing with that url so i assume they're grabbing it so that must be the beginning of the url or i'll start and it looks like here they're doing the url start to url and so they're probably copying that url over here let's see what they're doing yeah they're doing a move so then this is going to be the url i believe okay and they're assigning that var url to arg2 of this so this right here arg url all right i'm going to take a minute c compile definitely that long um buffer setup is is hurting ida here i can tell and let's name this function while we're at it we'll name it malware get url from html from porn and i won't actually open that site ah yeah i will it's too funny not to show you so if you're wondering uh why am i calling it porn loader uh let's take a look at what they're actually downloading here i see our download is still continuing uh let's pop over to our browser get ready to sensor uh it's boring [Music] i don't know how i'm gonna censor this in the video it's probably just gonna be a big pixelated screen that you guys see anyway it's some gross porn thing that doesn't even look all that interesting anyway it's still downloading so i'm assuming that this is actually the mp4 for the porn video i can double check once i've downloaded it and i'm curious why they're doing that so let's take a look at what they do once they've got the url from this porn site so let's pop back here this is the url so let's name that var porn url and they pass it to this function here so let's take a look at what they're doing with it in this function here so they actually do download that mp4 video uh just like what i'm doing here so they do an internet open url uh they have one of these buffer setups yeah good lord they do an hdb query info a so this is actually getting information about the internet resource and they use uh they pass it uh the information characteristic or the info level five and infill level show us the query flags what's a five is it should be query content length okay so we can turn that into a macro here just again press m new query content length okay so ida has this nice thing where they'll replace the constant uh with the uh with macro name so you can see that it's got a content length this is the buffer that receives it so we're going to call that var um download size so they're getting the size of the file that they're going to download and they pass it to this thing here um this is like a c plus plus thing they're basically parsing out the size from the buffer that comes back so this is the actual size for our download size so once they have the download size they're doing something strange here so they're checking to see if the size is greater than hex a and one two three and five zeros and if it is then they're changing the size to a hex and five zeros and then they're adding it to this they're changing so this is actually a pointer so we'll name this as far down as a pointer to the download size okay and then what are they doing here they are checking to make sure a3 so what is a3 oh we've added an argument here let's go back let's me i'm not really sure what this is let's go back and see what a3 actually is hey look at that so this is actually the size of the resource which is kind of interesting so remember what i said you can actually before we weren't able to see where that resource data was used before it was written to the file well we can see now that ida is learning more about the arguments for these functions as we're decompiling them it has added these arguments here so we can we know that this is a var pointer to the resource data and this is the var resource data length okay so let's name this arg okay so now we're getting somewhere scroll down here download size so if the resource length is less than the download size and they create sort of division things so this is var and this is the div download size by resource so they're getting the division of the download size by the resource and they do it again they do it twice okay so we'll just attack a two on the end here so if the let's borrow 34. oh if we get the info that's just an info flag okay so um if they got the info about the download size if the resource length is less than the download size they create this uh divide this division of the how many times the resource goes into the download if it goes in less than uh what is this less than 10 24 0 times then create a new variable here which is 10 28 minus the modulus of this div download okay so what they're doing here is they're basically reducing the size of the download by the offset of the division between the resource and the downloaded file so the best way to think about this is basically they are aligning the resource length as a multiple of the download file so if the download file is this long and the resource goes into it x number of times plus some remainder they actually remove that remainder so that it goes in an even number of times um knowing what they do next soon as i've showed you that i can explain why they do this but let's just leave it at that for now we'll go through this and then and then it should become clear to you why they're doing this so i'm going to call this the new size of the var new download size and it's no surprise that what are they doing here they're now downloading the uh download up to that size so that's the so they're downloading that portion of the download file not the whole thing if that condition up here was correct so if the resource was smaller by many multiples than the downloaded file they actually truncate the downloaded file so this is their buffer here is that the buffer i'm not sure i see what they've done here so this is actually the pointer to the buffer this is the download buffer this is the download buffer counter so they create a copy to the download buffer so they've i'm just cleaning this up a little bit so it's easy to read so they basically use an internet read file to read the new size of the download into this download buffer uh they read it in chunks that's what the while loop is for here once they finish reading it they create a pointer to the beginning of that buffer which they then use down here and what looks like some decryption and so now we get to the key part of this malware so once they've downloaded that buffer which we have downloaded ourselves uh so we can see here it's finished in fact let me just show you here if we do a hex dump uh dash and let's see to show that ascii and let's do 100 bytes of it you can see that it is in fact a mp4 movie so it's not a pe file and that would explain what they're doing uh in the next step here which looks like some sort of decryption so back here they've downloaded that porn video that mp4 and they are now iterating through the resource so this is the resource length of our length and this is a counter resource count um so while they iterate bite by bite through the resource and once they reach the end they break for each iteration they grab the downloaded file the mp4 file so we could actually name this movar cornvid so they grab the porn vid at uh another counter so let's call this invar porn the counter okay so they have this pornvid counter and they copy a bite into this temp bite here so let's name this var temp corn bite then what they do is they increase the porn fit counter not by one but by this interesting math that they've done previously which is the number of times the resource fits into the data that they downloaded so it's some offset so like let's say if it's 10 times bigger this value is 10 so it grabs every 10th byte from the mp4 video instead of every single byte so it's very interesting how they've done this what it allows them to do is it allows them to map the key they're using for this xor across the entire movie instead of just using the first you know x number of bytes they actually use the entire movie up to that limit that we saw here this 0xa something something something as the key and they skip every few bytes so like i said for example if it's 10 times larger they skip every 10 bytes or if it's five times larger every five bytes and then every fifth byte is a decryption xor key for the resource now that also explains why when we look at the resource it's not completely obfuscated because many of these bytes are going to be null bytes i mean it's an mp4 video so there's lots of null bytes in there so for each null byte obviously it's an identity xor so it's the same you know it creates the same byte it doesn't alter the byte that it sorted with so uh because it's an mp4 video lots of null bytes lots of the pe file remains the same even though it's xor encrypted so that's kind of cool and if we just finish walking through the xor here so for each bite at that offset interval in the porn vid they xor it with the resource and then obviously coffee back into the resource and then once they're done they close the handle and jump back so let's call this function name malware decrypt resource okay and now they have a decrypted resource that they can write out to this temp file and then create the process for it so why don't we see if we could reproduce this in python i'll grab the data file i'll grab the resource so let's actually copy the resource out now i'll dump it out to a file with resource hacker right click save bin save that out close that up and let's pop over to our command line here and see if we can't create some magic so let's look at our directory here python our resource and what do we call it read file in the pornvid is the mp4 file so that is right here read binary read it in okay so now we have to get the multiple between the two of them so let's do hex of the length of the porn divided by the length of the resource okay so 2 4c in and let's see if the length of the porn is bigger than do hex for that so that's actually bigger than the value here so it's actually bigger than this so the size of the porn video is actually truncated down to that size so let's do porn size equals this okay so then let's do the hex of the porn size for in size divided by the length of the resource just like we had before okay so that's our offset byte so every hex 1e bytes is are the bytes that we actually select from the mp4 porn video so let's create our little out stream here and let's do four i in range land of the resource and out plus equals char of uh so we have to turn it into an ord i'm using python27 python27 for life xord with an ord and let's fill these in so the first iterator is going to be across the resource so we're going to do resource at i because we xor with every bite for the resource and for the porn we xor at every bite so i x times the offset which is zero x one e okay so now this should select every zero x one e bytes in the mp4 video so every byte that's spaced out by that amount and xor with every single byte in the resource in order to produce our decrypted pe file so let's see if we can get this out let's print out a few bytes here to make sure that we did it right let's print out 500 maybe hey that looks good so it corrected instead of mn it's now mz and it looks like uh that's a good header here at least for a p file so let's write this out and we'll take a look at it in ida and see what we got out dot bin right binary right okay and we'll take a look at this in ida oh looks like we've got a pdb path so that looks good hey looks like it's loading up no problem do we have imports yes we do so we have a well-formed pe file excellent now you might be wondering why does it look so crazy like this well i think that's because it's vv6 and if we look at the imports here yeah it's definitely vb6 so this is a vb6 file that is the output from that very interesting loader and what we can do is see if this is packed i'll just upload it to unpack me unpack me and see and let's see here ouch open it up hey look at that pack no problem with that so the reason why i want to talk about the sample it's that i think it's really interesting i think it's one of the first times i've seen that type of external key data being used to decrypt a payload so even if you have the sample and you're analyzing statically you're not going to be able to decrypt it unless you go and make that call out to the porn site and download the mp4 i also think it's very interesting because the fp4 file is benign i mean there's nothing wrong with it besides it being a terrible porn nothing off porn just that particular porn is pretty bizarre so without that uh porn video you can't decrypt the sample and so basically on its own that mp4 is is perfectly fine it's valid but it also is the key for this packed and encrypted p file which happens to be emitted now i think this is very interesting i think uh there could be more of this sort of stuff in the future it is a pretty decent way to beat static analysis as you can tell here it works really well and the only way to really circumvent this is to have this run in a sandbox which has full internet access and of course if that movie was ever taken down you wouldn't be able to decrypt the payload at all so it's very interesting i think it's clever on the part of the malware developers it's a clever strategy and um i'm going to be looking for more of this kind of stuff i think it's very interesting i also one note about this that is probably something that's going through people's minds this is a simple xor and a lot of the pe file was in plain text because the xor key had a lot of null bytes in it now that might lead you to think that you could brute force the key it's not true the way that they set this up is incredibly clever because they've used the entire mp4 file and they've spread the key across the whole thing there's no repeating key material it's not like they have a set cipher stream that's reused across the entire pe file where you could use some sort of crib to guess what that cipher stream is and then reuse it to decrypt the rest of the p file it wouldn't work what they've effectively created is a key that is the length of the data a random key so trying to brute force that would it doesn't seem possible to be honest so this is actually even though it looks janky and it looks you know easily breakable it's actually very clever and well designed i just want to note that um just because obviously if you see like single bite xor you think ah this is garbage um i don't even care about the uh mp4 file and in this case actually you would need it uh to recover the full p file okay so with that i will wrap up as always i'll put all the links to the samples scripts everything in the video description below like and subscribe let us know what you want to see next and i will try and get a few more of these videos out to you guys on a little bit more regular basis again still lots of renovations a little puppy in the house and obviously uh you know busy worth work and unpack me and everything else but i'll i'll be trying so until next time keep exposing mechanics behind the malware stay [Music] feel curious [Music]

Info

Channel: OALabs

Views: 6,046

Rating: 4.9442897 out of 5

Keywords:

Id: 5_-oR_135ss

Channel Id: undefined

Length: 36min 59sec (2219 seconds)

Published: Thu Dec 10 2020