
File System Example

John Holowczak edited this page Jul 16, 2019 · 2 revisions

This example showcases Binee's mock filesystem handling. Binee hooks the Windows API calls for creating and writing files, so a sample is tricked into believing it is writing to an arbitrary path on disk when the data is in fact saved in a temporary directory under the emulator's control.

The sample in this example is a piece of malware belonging to the Parite family. Its SHA256 hash is eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c. Two characteristics of this binary are the focus of this demo: it is obfuscated (it deobfuscates itself at run time), and once deobfuscated it writes a DLL embedded in the binary to disk. It later loads that DLL from disk and attempts to use functionality from it, but that is not the focus here.

Writing file to disk

We use Binee's default API-call trace to see the DLL being written to disk:

root@b5a411b1b3da:~/go/src/binee# ./binee /malware/eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c       
...
[1] 0x20eddb80: F CreateFileA(lpFileName = 'C:\Users\tbrady\eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c', dwDesiredAccess = 0x80000000, dwShareMode = 0x1, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x3, dwFlagsAndAttributes = 0x1, hTemplateFile = 0x0) = 0xa000163e
[1] 0x20edde60: F GetTempPathA(nBufferLength = 0x104, lpBuffer = 0xb7fefd84) = 0x7
[1] 0x20edced0: F GetTickCount() = 0x5d2e2a69
[1] 0x20edde40: F GetTempFileNameA(lpPathName = 'c:\temps\tbrady\eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c', lpPrefixString = 'kee', uUnique = 0x0, lpTempFileName = 0xb7fefeba) = 0x8
[1] 0x20eddb80: F CreateFileA(lpFileName = 'XVlBzgba', dwDesiredAccess = 0xc0000000, dwShareMode = 0x1, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0) = 0xa000164f
[1] 0x20eddfa0: F SetFilePointer(hFile = 0xa000163e, lDistanceToMove = 0x295dc, lpDistanceToMoveHigh = 0x0, dwMoveMethod = 0x0) = 0x295dc
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x2800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x2800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x2800
[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, nNumberOfBytesToRead = 0x800, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc
[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, nNumberOfBytesToWrite = 0x800, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = 0x800
[1] 0x20edd920: F CloseHandle(hObject = 0xa000164f) = 0x1
[1] 0x20edd920: F CloseHandle(hObject = 0xa000163e) = 0x1
...

The sample tries to create a DLL file under C:\temps\<username>\<filename> after generating a temporary file name. It believes the folder exists and that the file has been written to disk, but in fact it has been written to the temp directory in the Binee project root, under the name Binee's GetTempFileNameA hook handed back (XVlBzgba above). This folder is Binee's default search path for reading and writing files: any supporting files a sample needs to run should be placed there, and any files a sample drops will appear there. Adding up the WriteFile calls, the dropped file is 17 × 0x2800 + 0x800 = 0x2b000 bytes, copied out of the sample's own image starting at the offset 0x295dc passed to SetFilePointer (the value Binee logs as ReadFile's return, 0x545dc, is exactly 0x295dc + 0x2b000 and is not the TRUE/FALSE result a real ReadFile returns, so read the trace by its argument values rather than its return codes). We can see it placed here:

root@b5a411b1b3da:~/go/src/binee# ls temp
XVlBzgba
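As an added example (not Binee's own code), here is a small Python parser for the trace above that reconstructs what the sample did per file handle: it ties each handle back to the CreateFileA call that returned it, totals the bytes read and written through it, and reports which names to expect in binee/temp. The trace it runs on is the page's, with the seventeen identical 0x2800-byte ReadFile/WriteFile pairs generated in a loop rather than pasted; the GetTempPathA, GetTickCount and GetTempFileNameA lines are left out because the parser ignores them anyway.

```python
"""Summarise file activity in a Binee API trace (added helper, not Binee's)."""
import re

# Shape of a hooked-call line: "[tid] 0xaddr: F Name(arg = value, ...) = ret"
CALL_RE = re.compile(
    r"^\[\d+\] 0x[0-9a-f]+: F (?P<fn>\w+)\((?P<args>.*)\) = (?P<ret>0x[0-9a-f]+)$")
ARG_RE = re.compile(r"(\w+) = ('[^']*'|0x[0-9a-f]+)")

GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_call(line):
    """Return (function, {arg: value}, return value), or None for non-API lines."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for name, raw in ARG_RE.findall(m.group("args")):
        args[name] = raw[1:-1] if raw.startswith("'") else int(raw, 16)
    return m.group("fn"), args, int(m.group("ret"), 16)


def summarize_file_activity(trace):
    """Map each file name to what the sample did with it through its handle."""
    handles = {}   # handle value -> file name, while the handle is open
    files = {}
    for line in trace.splitlines():
        parsed = parse_call(line)
        if not parsed:
            continue
        fn, a, ret = parsed
        if fn == "CreateFileA":
            access = a["dwDesiredAccess"]
            handles[ret] = a["lpFileName"]
            files[a["lpFileName"]] = {
                "read_access": bool(access & GENERIC_READ),
                "write_access": bool(access & GENERIC_WRITE),
                "disposition": DISPOSITION.get(a["dwCreationDisposition"], "?"),
                "seek": None, "bytes_read": 0, "bytes_written": 0, "closed": False}
            continue
        name = handles.get(a.get("hFile", a.get("hObject")))
        if name is None:          # not a file handle we saw being created
            continue
        if fn == "SetFilePointer":
            files[name]["seek"] = a["lDistanceToMove"]
        elif fn == "ReadFile":
            files[name]["bytes_read"] += a["nNumberOfBytesToRead"]
        elif fn == "WriteFile":
            files[name]["bytes_written"] += a["nNumberOfBytesToWrite"]
        elif fn == "CloseHandle":
            files[handles.pop(a["hObject"])]["closed"] = True
    return files


def dropped_files(files):
    """Names the sample wrote to: what to look for in binee/temp afterwards."""
    return sorted(n for n, f in files.items() if f["bytes_written"])


# --- the page's trace, rebuilt (file-handle calls only) ---------------------
SAMPLE = "C:\\Users\\tbrady\\eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c"


def _rw_pair(n):
    return (f"[1] 0x20eddf10: F ReadFile(hFile = 0xa000163e, lpBuffer = 0xb7fed584, "
            f"nNumberOfBytesToRead = {n:#x}, lpNumberOfBytesRead = 0xb7fefe88, lpOverlapped = 0x0) = 0x545dc\n"
            f"[1] 0x20ede000: F WriteFile(hFile = 0xa000164f, lpBuffer = 0xb7fed584, "
            f"nNumberOfBytesToWrite = {n:#x}, lpNumberOfBytesWritten = 0xb7fefe88, lpOverlapped = 0x0) = {n:#x}\n")


TRACE = (
    f"[1] 0x20eddb80: F CreateFileA(lpFileName = '{SAMPLE}', dwDesiredAccess = 0x80000000, "
    "dwShareMode = 0x1, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x3, "
    "dwFlagsAndAttributes = 0x1, hTemplateFile = 0x0) = 0xa000163e\n"
    "[1] 0x20eddb80: F CreateFileA(lpFileName = 'XVlBzgba', dwDesiredAccess = 0xc0000000, "
    "dwShareMode = 0x1, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, "
    "dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0) = 0xa000164f\n"
    "[1] 0x20eddfa0: F SetFilePointer(hFile = 0xa000163e, lDistanceToMove = 0x295dc, "
    "lpDistanceToMoveHigh = 0x0, dwMoveMethod = 0x0) = 0x295dc\n"
    + _rw_pair(0x2800) * 17 + _rw_pair(0x800)
    + "[1] 0x20edd920: F CloseHandle(hObject = 0xa000164f) = 0x1\n"
    "[1] 0x20edd920: F CloseHandle(hObject = 0xa000163e) = 0x1\n")

if __name__ == "__main__":
    for name, f in summarize_file_activity(TRACE).items():
        print(f"{name}: {f}")
    print("dropped:", dropped_files(TRACE and summarize_file_activity(TRACE)))
```

Running it shows the dropped file XVlBzgba opened with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS and receiving 0x2b000 bytes, while the sample's own image is opened read-only with OPEN_EXISTING, seeked to 0x295dc and read for the same 0x2b000 bytes; that is the arithmetic behind the numbers quoted above.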

Deobfuscation

We can see this sample deobfuscating itself using Binee's verbose output (-v), which prints every instruction the emulator executes. The loop at 0x42a016 XORs each dword of a region based at 0x42a022 (edi) with the 32-bit key 0x19ccbf6 (ecx), walking edx down from 0x598 by four bytes per iteration (dec edx; sub edx, 3) until it reaches zero; the nops are padding between the real instructions:

root@b5a411b1b3da:~/go/src/binee# ./binee /malware/eccfc9c6005f16179edad51e0ddc937e2b5f6be85fa0dbb39cd310a5b31f6e1c -v
[1] 0x0042a000: push 0x19ccbf6
[1] 0x0042a005: pop ecx
[1] 0x0042a006: nop 
[1] 0x0042a007: nop 
[1] 0x0042a008: mov edi, 0x42a022
[1] 0x0042a00d: nop 
[1] 0x0042a00e: nop 
[1] 0x0042a00f: mov edx, 0x598
[1] 0x0042a014: nop 
[1] 0x0042a015: nop 
[1] 0x0042a016: xor dword ptr [edx + edi], ecx
[1] 0x0042a019: nop 
[1] 0x0042a01a: nop 
[1] 0x0042a01b: dec edx
[1] 0x0042a01c: sub edx, 3
[1] 0x0042a01f: nop 
[1] 0x0042a020: nop 
[1] 0x0042a021: jne 0xfffffff5
[1] 0x0042a016: xor dword ptr [edx + edi], ecx
[1] 0x0042a019: nop 
[1] 0x0042a01a: nop 
[1] 0x0042a01b: dec edx
[1] 0x0042a01c: sub edx, 3
[1] 0x0042a01f: nop 
[1] 0x0042a020: nop 
[1] 0x0042a021: jne 0xfffffff5
[1] 0x0042a016: xor dword ptr [edx + edi], ecx
[1] 0x0042a019: nop 
[1] 0x0042a01a: nop 
[1] 0x0042a01b: dec edx
[1] 0x0042a01c: sub edx, 3
[1] 0x0042a01f: nop 
[1] 0x0042a020: nop 
[1] 0x0042a021: jne 0xfffffff5
[1] 0x0042a016: xor dword ptr [edx + edi], ecx
[1] 0x0042a019: nop 
[1] 0x0042a01a: nop 
[1] 0x0042a01b: dec edx
[1] 0x0042a01c: sub edx, 3
[1] 0x0042a01f: nop 
[1] 0x0042a020: nop 
[1] 0x0042a021: jne 0xfffffff5
...
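The loop above is simple enough to replay outside the emulator, which is useful when you want the decoded region without running the sample at all. The following is an added Python re-implementation of exactly that loop, not code from Binee or from the sample; the key, base and span are the values visible in the trace, and the image bytes it runs on are constructed for the test rather than taken from the malware.

```python
"""XOR decoder loop from the Binee -v trace, replayed in Python (added example).

Stub as seen in the trace:
    0x42a000  push 0x19ccbf6 ; pop ecx      -> ecx = 32-bit XOR key
    0x42a008  mov edi, 0x42a022             -> edi = base of the encoded region
    0x42a00f  mov edx, 0x598                -> edx = byte offset, counted down
    0x42a016  xor dword ptr [edx + edi], ecx
    0x42a01b  dec edx ; sub edx, 3          -> edx -= 4
    0x42a021  jne ...                       -> back to 0x42a016 until edx == 0
Because the jump is not taken once edx reaches 0, the dword at edi itself
(offset 0) is never touched: the rewritten range is [edi+4, edi+0x598+4).
"""
import struct

KEY = 0x019CCBF6   # ecx
BASE = 0x42A022    # edi
SPAN = 0x598       # initial edx


def covered_range(edi=BASE, edx=SPAN):
    """Virtual address range [lo, hi) that the loop actually rewrites."""
    return edi + 4, edi + edx + 4


def decode_region(image, image_base, edi=BASE, edx=SPAN, ecx=KEY):
    """Replay the loop on a copy of `image` (whose first byte is mapped at
    `image_base`) and return the decoded copy.  XOR is its own inverse, so the
    same call also encodes."""
    if edx <= 0 or edx % 4:
        # the real loop would step edx past 0, wrap through 0xffffffff and run away
        raise ValueError("edx must be a positive multiple of 4")
    out = bytearray(image)
    while True:
        off = edi + edx - image_base
        (dword,) = struct.unpack_from("<I", out, off)   # little-endian dword
        struct.pack_into("<I", out, off, dword ^ ecx)   # xor [edx+edi], ecx
        edx -= 4                                        # dec edx ; sub edx, 3
        if edx == 0:                                    # jne not taken
            return out


def build_test_image(plaintext, image_base=0x42A000):
    """Constructed stand-in for the mapped sample: `plaintext` placed exactly
    where the loop looks for it, then XOR-encoded with KEY.  Test data only."""
    if len(plaintext) != SPAN:
        raise ValueError(f"plaintext must be {SPAN:#x} bytes")
    lo, hi = covered_range()
    image = bytearray(b"\xcc" * (hi - image_base + 0x10))
    image[lo - image_base:hi - image_base] = plaintext
    return decode_region(image, image_base)   # encode (self-inverse)


if __name__ == "__main__":
    pt = (bytes(range(256)) * 6)[:SPAN]
    enc = build_test_image(pt)
    dec = decode_region(enc, 0x42A000)
    lo, hi = covered_range()
    print(f"region {lo:#x}-{hi:#x} decoded ok: "
          f"{bytes(dec[lo - 0x42A000:hi - 0x42A000]) == pt}")
```

To use it against the real sample, map the binary's sections at their virtual addresses into one buffer (image_base is the image's load address) and call decode_region on that buffer; the result should match the bytes Binee executes after the loop exits at 0x42a023.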