This is part 3C in the ongoing saga of the Analyzing PDF Malware series. If you haven't read any of the preceding posts you can find them all right here: Part1, Part2, Part3A and Part3B. We will be building off our analysis from those posts. This post contains two embedded videos. The videos are best viewed in full screen HD mode.
...
We statically analyzed the previously extracted and deobfuscated shellcode in Part3B. Today's goal is to analyze the same shellcode, but this time we will be running the code in a sandboxed virtual environment using distinct methods and employing a variety of tools. These methodologies will be demonstrated through embedded videos complete with techno music which is obviously required for all such demos.
Since we cannot just purely execute the shellcode in its current form, we need to first do a bit of work to prepare. I mentioned some tools for creating a standalone executable from shellcode in this excerpt from Part3A:
There are helpful resources floating around out there both as a web service, or if your code is potentially sensitive, as a stand-alone script.
One of the benefits of dynamic analysis is that we don't necessarily need to deobfuscate the shellcode to run it. The code needs to decode itself to actually run, so we can leave that tedious work to the malware. We don't specifically care about the syntactic code itself, but rather in the resulting behaviors demonstrated by that code. It is a very subtle viewpoint shift. Ultimately it can often result in getting answers more quickly than through static analysis. *fair warning* Ok, that being said, it should be noted that dynamic analysis without some form of additional static analysis follow-up could potentially leave functionality undiscovered, such as conditional branches that rely on specific environment triggers or command line arguments. If you are anything like me, those "what-if" questions may tend to drive you crazy. The point is, dynamic analysis is only one view into a piece of malware and it is often an incomplete view at that.
We have extracted a significant amount of valuable information from our static analysis using IDA. Now let's circle back as promised to see the code run dynamically in a sandboxed virtual machine. During this analysis we can confirm the previously identified functionality, as well as look for new clues or any additional bits of "interesting". Yes, I just nouned an adjective. If you completed the assigned task of creating a PE wrapper for the shellcode, we can simply execute the binary while running a collection of monitoring tools inside our VM as shown in the following video.
We can dig even deeper by loading up that same binary into a debugger, setting break points at key instructions that we hand picked from our static analysis (Part3B), and inspecting the registers and memory locations along the way as demonstrated in the video that follows.
The previous videos absolutely confirm our findings gathered during the inspection of the disassembled code. By popping up the calculator application 'calc.exe' within our virtual environment we know that additional unknown malware is being actively downloaded from a specific domain and is masquerading itself as a temporary PHP file in the local system cache. The shellcode then executes that newly downloaded file before terminating itself. So what is the shellcode actually trying to download? What does that new binary try to do on our system? In the next post of the Analyzing PDF Malware series we will investigate exactly those questions. Until then…
--@Rnast
Tools Used: