When I teach FOR610[1], I like to use a funny quotation with my students: “Make malware happy!” What does it mean? Yes, we like malware, and we need to treat it in a friendly way. To help the malware work or detonate successfully, it’s recommended that we replicate the environment where it was discovered (or at least, as closely as possible). This is not always easy because we often receive a sample outside of its context.
Some examples?
- Respect the user rights: are administrator rights required?
- Respect the path of the files used by the malware (and its own path)
- Respect the OS and tool versions
- Respect the binary name
- …
Some sandboxes launch samples in a VM from the same directory and with the same name, such as “c:\temp\sample.exe”. From a malware point of view, it’s a piece of cake to detect that the environment changed!
First example, detect the name of the executable file in .NET:

```csharp
using System;
using System.Diagnostics;
using System.IO;

public class Program
{
    // Returns true unless the running executable is called "sample.exe",
    // a generic name that sandboxes commonly give to submitted files.
    public static bool IsMyNameValid()
    {
        string fullPath = Process.GetCurrentProcess().MainModule.FileName;
        string fileName = Path.GetFileName(fullPath);
        return !string.Equals(fileName, "sample.exe", StringComparison.OrdinalIgnoreCase);
    }
    // [...]
}
```
Check another one that I spotted recently (from my last diary[2]):

```csharp
using System;
using System.IO;
using System.Threading;
using System.Windows.Forms;

public class Program
{
    public static void Main()
    {
        string friendlyName = AppDomain.CurrentDomain.FriendlyName;   // name the process was started under
        string startupPath = Application.StartupPath;                  // directory the executable runs from
        string pathRoot = Path.GetPathRoot(Environment.SystemDirectory);
        string userName = Environment.UserName;
        string text = "Microsoft";
        // This concatenation was garbled in the decompiler output; reconstructed from the
        // surviving fragments ("Users\" + userName ... "ta\Roaming\" + text), variable name assumed.
        string text3 = pathRoot + "Users\\" + userName + "\\AppData\\Roaming\\" + text;
        string text2 = "_OneDrive.exe";
        string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
        // [...]
        Thread.Sleep(1000);
        try
        {
            // Copy itself to %LOCALAPPDATA%\Microsoft\_OneDrive.exe
            File.Copy(Application.ExecutablePath, string.Concat(new string[] { folderPath, "\\", text, "\\", text2 }), true);
        }
        catch { }
        Thread.Sleep(1500);
        // Only proceed when already running from the expected directory
        if (startupPath == folderPath + "\\" + text)
        {
            // [... Go ahead ...]
        }
    }
}
```
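Both snippets above resolve their environment checks through well-known .NET members (Process.MainModule, AppDomain.FriendlyName, Application.StartupPath, Environment.UserName, Environment.GetFolderPath). Because .NET metadata stores member names as plain UTF-8 in the #Strings heap and string literals as UTF-16LE in the #US heap, a byte search over the sample is enough for a first triage pass that answers "which properties of the original environment does this sample care about?". The following script is an added example, not code from the diary or from the sample it describes; the ENV_CHECKS mapping and the byte blob it runs on are constructed for illustration (the blob is not a real PE), and a sample that builds these names at runtime would not be caught by it.

```python
"""Triage helper: list the environment properties a .NET sample checks (added example)."""
import re
from typing import Dict, List

# Member name as it appears in .NET metadata -> environment attribute the analyst should replicate.
# Property accesses are referenced through their getter, hence the get_ prefix. The mapping is
# this example's own; the members are the ones used in the two snippets above.
ENV_CHECKS: Dict[bytes, str] = {
    b"get_MainModule": "executable name and path (Process.MainModule.FileName)",
    b"get_FriendlyName": "executable name (AppDomain.CurrentDomain.FriendlyName)",
    b"get_StartupPath": "directory the sample runs from (Application.StartupPath)",
    b"get_UserName": "user account name (Environment.UserName)",
    b"GetFolderPath": "per-user special folders such as %LOCALAPPDATA%",
    b"GetProcessMitigationPolicy": "process mitigation state, e.g. ASLR left at its default",
}

# Runs of at least four printable UTF-16LE code units, the encoding of the #US heap.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def find_env_checks(data: bytes) -> Dict[str, str]:
    """Return {member_name: meaning} for every known environment check referenced in data."""
    return {name.decode(): meaning for name, meaning in ENV_CHECKS.items() if name in data}


def exe_names(data: bytes) -> List[str]:
    """Hard-coded *.exe literals (expected or forbidden file names) found as UTF-16LE strings."""
    hits = set()
    for run in _UTF16_RUN.findall(data):
        text = run.decode("utf-16le")
        if text.lower().endswith(".exe"):
            hits.add(text)
    return sorted(hits)


def replication_checklist(data: bytes) -> List[str]:
    """The 'make malware happy' checklist: environment attributes to reproduce before detonation."""
    items = set(find_env_checks(data).values())
    for name in exe_names(data):
        items.add(f"file name literal referenced by the sample: {name}")
    return sorted(items)


# Constructed stand-in for a sample's bytes: a few metadata names and two UTF-16LE literals,
# surrounded by filler. It is not a real assembly.
SAMPLE_BYTES = (
    b"BSJB\x00\x00#Strings\x00get_MainModule\x00GetFileName\x00get_StartupPath\x00"
    b"get_UserName\x00GetFolderPath\x00Sleep\x00Copy\x00#US\x00\x00"
    + b"\x15" + "sample.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x1b" + "_OneDrive.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for item in replication_checklist(SAMPLE_BYTES):
        print("-", item)
```

On a real file, read its bytes and pass them to replication_checklist; the output is the list of things to reproduce in the analysis VM (original name, original directory, the user it ran as) before pressing the detonate button.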
Sometimes, malware analysts will make the malware unhappy because they change its environment to make the analysis easier. A classic is to disable ASLR[3] to debug packed malware. Malware can detect whether ASLR has been disabled (ASLR is on by default):

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Assumes the usual P/Invoke declarations for kernel32!GetProcessMitigationPolicy, the
// PROCESS_MITIGATION_POLICY enum and a PROCESS_MITIGATION_ASLR_POLICY struct exposing the
// four flag bits as properties; they are not part of the excerpt.
public static bool CheckASLR(Process process)
{
    IntPtr hProcess = process.Handle;
    if (GetProcessMitigationPolicy(hProcess, PROCESS_MITIGATION_POLICY.ProcessASLRPolicy,
            out PROCESS_MITIGATION_ASLR_POLICY aslrPolicy, Marshal.SizeOf(typeof(PROCESS_MITIGATION_ASLR_POLICY))))
    {
        // "ASLR disabled" only when every ASLR-related mitigation is off
        bool status = !aslrPolicy.BottomUpRandomization && !aslrPolicy.ForceRelocateImages
                      && !aslrPolicy.HighEntropy && !aslrPolicy.DisallowStrippedImages;
        return status;
    }
    return false;
}
```
If ASLR is disabled, the malware may change its behavior, exit immediately, or do nastier things.
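The C# wrapper above hides the Win32 structure behind properties. PROCESS_MITIGATION_ASLR_POLICY is really a single DWORD (Flags) whose low four bits are EnableBottomUpRandomization, EnableForceRelocateImages, EnableHighEntropy and DisallowStrippedImages, in that order, as defined in winnt.h. The following added example (not code from the diary) decodes that DWORD explicitly and reproduces the sample's decision rule, so an analyst who reads the policy value of a process in the VM can predict whether a change they made would be noticed by the check; the flag values it is exercised with are constructed test inputs.

```python
"""Decode PROCESS_MITIGATION_ASLR_POLICY.Flags and replay the CheckASLR decision (added example)."""
from typing import Dict, List

# Bit layout of the Flags DWORD (winnt.h); everything above bit 3 is ReservedFlags.
ASLR_FLAG_BITS: Dict[str, int] = {
    "BottomUpRandomization": 1 << 0,
    "ForceRelocateImages": 1 << 1,
    "HighEntropy": 1 << 2,
    "DisallowStrippedImages": 1 << 3,
}
_ASLR_MASK = 0xF


def decode_aslr_flags(flags: int) -> Dict[str, bool]:
    """Map the Flags DWORD to the four named booleans the C# properties expose."""
    return {name: bool(flags & bit) for name, bit in ASLR_FLAG_BITS.items()}


def sample_thinks_aslr_disabled(flags: int) -> bool:
    """Decision rule of the CheckASLR snippet: true only when all four flags are clear."""
    return (flags & _ASLR_MASK) == 0


def active_mitigations(flags: int) -> List[str]:
    """Human-readable list of the ASLR-related mitigations that are on."""
    return [name for name, on in decode_aslr_flags(flags).items() if on]


def change_noticed(before: int, after: int) -> bool:
    """Does the sample's check give a different answer after the analyst changed the policy?"""
    return sample_thinks_aslr_disabled(before) != sample_thinks_aslr_disabled(after)


if __name__ == "__main__":
    # Constructed values: a process with bottom-up and high-entropy randomization on,
    # then the same process with only ForceRelocateImages cleared, then everything off.
    for flags in (0b0101, 0b0100, 0b0000):
        print(f"flags={flags:#06b} on={active_mitigations(flags)} "
              f"sample_sees_disabled={sample_thinks_aslr_disabled(flags)}")
```

The practical point for the analyst follows from the snippet's own logic: because it requires all four flags to be clear, turning off just one mitigation (for example only ForceRelocateImages) while another bit stays set does not change the result of this particular check, whereas a VM where every ASLR flag is clear is immediately visible to it.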
In conclusion, when analyzing malware, always treat it with kindness.
[1] https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/
[2] https://isc.sans.edu/diary/SwaetRAT%20Delivery%20Through%20Python/31554
[3] https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.