Malware Reverse Engineering

-

I recently analyzed and submitted some malware to Microsoft Security Intelligence that I found on a YouTube video. 

The video has since been reported so it may not be available. 

https://www.youtube.com/watch?v=uQG6Xwxdb2A

This YouTube video promoted downloading a program that claimed to "generate" keys for copyrighted software. Windows Defender identified it as Trojan:Win32/Wacatac.C!ml

Here below is the Virus Total entry:

https://www.virustotal.com/gui/file/509e1b4447cd7f0c448b31d88a41dbca6ceca5a029caabfa2bd10b7c965bbe51/detection

The first thing I did was analyze for malicious registry changes with a program from Nir Soft called RegistryChangesView v1.26. I did not find malicious registry changes. The few changes to the registry were normal Windows behavior, for example here was one registry change:

==================================================
Registry Key      : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Change Type       : Added Value
Value Name        : P:\Hfref\pnyro\Qrfxgbc\Tnzrf Sbe Jvaqbjf Yvir Xrltra\xrltra TSJY ol nyrkvf221515.rkr
Value Data        : 00 00 00 00 02 00 00 00 02 00 00 00 A8 25 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF F0 01 CE 17 18 AB D6 01 00 00 00 00 
Value Type        : REG_BINARY
Data Length       : 72
Value Data Changed To: 
Value Type Changed To: 
Data Length Changed To: 
Key Modified Time 1: 10/25/2020 2:44:32 PM
Key Modified Time 2: 10/25/2020 2:45:19 PM
==================================================

I read over this forum post and learned a little bit.

Notice the ROT13 encoding in the "Value Name" field. Apparently this is normal Windows behavior and is also easily decoded for example with a web app such as Criptii.

The next thing I did was use a tool called dnSpy in a VM to reverse engineer the exe file. The most interesting code was in an action that was attached to a button in the user interface or "form" in .NET terms. The screenshot illustrates that this "key generator" simply cycled through pre/hard-coded and used Microsoft software keys.


After reverse engineering and analyzing the code within the exe I resubmitted it for analysis to Microsoft Security Intelligence because I couldn't find that it caused damage which in my opinion is closer to what I would expect from Trojan:Win32/Wacatac.C!ml based on the description.



It looks like possibly the definition was updated and the container/archive file is now defined by Windows Defender as Trojan:Win32/Vigorf.A.

HackTool:MSIL/Keygen!MSR search result: https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=HackTool:MSIL/Keygen!MSR

More info from Volume 13 of the Security Intelligence Report.

"The most commonly reported threat family in 1H12 was Win32/Keygen, a detection for tools that generate keys for various software products. Software pirates often bundle a key-generator utility with a well-known application and then distribute the package using a torrent client or by uploading the package to a file distribution site. A user who downloads the package runs the key-generator utility to create a product key that will supposedly allow the software to be used illegally. Its widespread impact—of the 105 countries or regions covered in this report, 98 percent listed Keygen as one of the top 10 families detected in 1H12— and its strong association with unsecure file distribution activity make it a good indicator family to use to examine how attackers exploit such activity to distribute malware."

Comments

Post a Comment

Popular posts from this blog

Should you hide your SSID on your Wi-Fi?

-
Some of us may not realize the kind of control we have over our home wi-fi. There are a pros and cons to all of the features that wi-fi offers. I will do my best to explained some of them below. I won't drag on before saying that to have secure Wi-Fi you should have the settings in bullet points here functioning: Enable Wi-Fi Protected Access 2 ( WPA2 ). Use Advanced Encryption Standard ( AES ). If it does not say AES it is probably using AES. Pre-shared Key (PSK) With this enabled your data is encrypted behind a password using AES which is the most modern and trusted encryption standard in use today. However if you're curious (like me) about some of the other features I will do my best to explain a few of the more interesting ones below. The first question is about hiding the SSID using the settings in your wireless access point (AP) or router. Does that make your wi-fi more secure? The accurate answer is 'no' but the friendlier answer is 'that...
Read more

Open Whisper Systems: Signal Messaging App

-
There are a number of factors that set Signal by Open Whisper Systems apart from any other encrypted messaging platform. The first being that it is open source. https://github.com/signalapp/Signal-Android Signal uses e-to-e encryption or end-to-end. Next, given that it is open source anyone can analyse the code for back-doors and the strength of the encryption. The celebrity whistle blower Edward Snowden  https://twitter.com/Snowden  endorses Signal and so do many IT professionals who report on controversial subjects. Even if the company is subpoenaed Signal retains nearly nothing on the user.  https://www.theverge.com/2016/10/4/13161026/signal-subpoena-court-order-encryption-police-open-whisper Signal is showing up in mainstream more all the time. https://www.wired.com/story/signal-encrypted-messaging-features-mainstream/ Security can even be improved upon the default settings with a few tweaks of the app settings. https://theintercept.com/2016/07/02/s...
Read more