Friday, June 26, 2020

My Notes on using IDA to unpack Redaman following the OALabs / Live Overflow blog step by step

sample source: https://www.malware-traffic-analysis.net/2018/10/02/index.html
VirusTotal: https://www.virustotal.com/gui/file/ceb8efb3a3eb1085c61bba4b0a77d1aca1f7b10511497e1521135f18bf67647c/detection
md5: df725667733410f1a023a76d36fcbd31
video walkthrough: https://www.youtube.com/watch?v=YXnNO3TipvM

redaman

add breakpoint on the "retn 10h" of VirtualAlloc
 must find it: kernel32!VirtualAlloc is only a jump stub, click through the jumps to get to KernelBase and find the return instruction (the retn 10h that pops the four stack arguments is the one you want)

add breakpoint on the first instruction of VirtualProtect
 to see the parameters coming in on the stack (lpAddress, dwSize, flNewProtect, lpflOldProtect)

1st breakpoint on VirtualAlloc "retn 10h" hit
 look at the EAX register, that is the base address of the memory just allocated
  debug044:00320000, so in "Hex View-1" synchronize with EAX ... then "unsynchronize" so the view stays on that address, hit F9 to continue
 at the next breakpoint, go to View -> Open subviews -> Segments ... it should show our debug044 segment, note that it is X (execute) & W (write), i.e. RWX memory
    this appears to be the "loader stub", a small piece of code that will unpack the malware and set up the real payload

2nd breakpoint on VirtualAlloc "retn 10h" hit
 look at EAX, debug047:00350000, sync "Hex View-2" with it, then unsync

3rd breakpoint (VirtualProtect) hit
 NOTICE our "Hex View-2" now starts with an MZ header: there is an executable at debug047:00350000 !!!
 view it in View -> Open subviews -> Segments
 start 0x00350000, end 0x0037B000 ... so size = 0x0037B000 - 0x00350000 = 0x2B000 or 176128 bytes (per hex calculator https://www.calculator.net/hex-calculator.html?number1=0037B000&c2op=-&number2=00350000&calctype=op&x=83&y=15)

To export/save the EXE that is in memory to your C drive, hit SHIFT-F2 to execute a script
 select Python, and type in the following, with address and size taken from the Segments view (here the 0x00350000 segment of size 0x2B000):

# IDA 7.0-7.3 API names; on 7.4+ use ida_kernwin.ask_file() and idc.get_bytes() instead
filename = AskFile(1, "*.bin", "Output file name")
address = 0x00350000   # start of the debug047 segment that now holds the MZ header
size = 0x2B000         # end 0x0037B000 - start 0x00350000, from the Segments view
dbgr = True            # read the live debuggee's memory rather than the IDB copy
with open(filename, "wb") as out:
    data = GetManyBytes(address, size, use_dbg=dbgr)
    out.write(data)

open the dumped file in PE-bear
 review sections (make sure it has .text, .data etc. and looks normal)
 review imports (make sure it has some, like kernel32 and a few others)
 question: is the dump
 mapped (ready to execute, sections start at their virtual address)  <== yes we want this, because we dumped it straight out of memory, where the loader had already laid the sections out at their virtual addresses
 or
 unmapped (format on disk, sections start at their raw address)
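What "mapped vs unmapped" means for the dumped file, as an added example (not code from these notes, the OALabs post, or PE-bear): a dump taken from memory has each section's bytes sitting at its VirtualAddress, but the section headers still carry the on-disk PointerToRawData/SizeOfRawData values, so anything that reads the file by raw pointer (a loader, a parser, IDA) sees the wrong bytes. The fix PE-bear applies by hand is to set raw pointer = virtual address and raw size = virtual size. The minimal two-section PE below is constructed for illustration and its section layout, names and contents are assumptions.

```python
"""Inspect a memory dump's section table and convert a mapped dump to unmapped layout.
Added example; the PE image built by build_mapped_dump() is constructed, not Redaman."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)


def pe_header_offsets(data: bytes):
    """Return (e_lfanew, number_of_sections, section_table_offset); raise if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # SizeOfOptionalHeader
    return e_lfanew, num_sections, coff + 20 + opt_size


def section_table(data: bytes):
    """List (name, virtual_address, virtual_size, raw_pointer, raw_size) per section."""
    _, n, off = pe_header_offsets(data)
    rows = []
    for i in range(n):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(
            SECTION_HDR, data, off + i * SECTION_HDR_SIZE)
        rows.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return rows


def read_section(data: bytes, wanted: str) -> bytes:
    """Read a section the way a loader or parser does: through PointerToRawData."""
    for name, va, vsize, rptr, rsize in section_table(data):
        if name == wanted:
            return data[rptr:rptr + rsize]
    raise KeyError(wanted)


def unmap_dump(data: bytes) -> bytes:
    """Rewrite each section header so PointerToRawData == VirtualAddress and
    SizeOfRawData == VirtualSize (the header fix applied to a mapped dump)."""
    buf = bytearray(data)
    _, n, off = pe_header_offsets(data)
    for i in range(n):
        pos = off + i * SECTION_HDR_SIZE
        name, vsize, va, rsize, rptr, a, b, c, d, chars = struct.unpack_from(SECTION_HDR, buf, pos)
        struct.pack_into(SECTION_HDR, buf, pos, name, vsize, va, vsize, va, a, b, c, d, chars)
    return bytes(buf)


def build_mapped_dump() -> bytes:
    """Constructed stand-in for a memory dump: headers at 0, section bodies at their
    virtual addresses, but section headers still holding on-disk raw pointers."""
    text_body = b"\x55\x8b\xec" + b"\x90" * 0xFD       # push ebp; mov ebp,esp; nops (constructed)
    data_body = b"sample\0" + b"\0" * 0xF9             # constructed data section
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                          # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # COFF header
    struct.pack_into("<H", image, 0x98, 0x10B)                          # PE32 magic
    sect_off = 0x98 + 0xE0
    headers = [(b".text", 0x1000, len(text_body), 0x400, 0x200, 0x60000020),
               (b".data", 0x2000, len(data_body), 0x600, 0x200, 0xC0000040)]
    for i, (name, va, vsize, rptr, rsize, chars) in enumerate(headers):
        struct.pack_into(SECTION_HDR, image, sect_off + i * SECTION_HDR_SIZE,
                         name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    image[0x1000:0x1000 + len(text_body)] = text_body
    image[0x2000:0x2000 + len(data_body)] = data_body
    return bytes(image)


if __name__ == "__main__":
    dump = build_mapped_dump()
    print("before fix:", section_table(dump), read_section(dump, ".text")[:3].hex())
    fixed = unmap_dump(dump)
    print("after fix: ", section_table(fixed), read_section(fixed, ".text")[:3].hex())
```

Before the fix, read_section() returns zeros for .text because offset 0x400 in the dump is just padding; after the fix it returns the real section bytes. The same rule is what you apply in PE-bear's section headers tab on the 0x00350000 dump (and again on the .tmp DLL if you dump that from memory rather than taking it off disk). It only fixes the section table: imports resolved at runtime, relocations and FileAlignment are separate concerns.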

finishing the 3rd breakpoint (VirtualProtect)
 notice the first parameter on the stack (lpAddress, at [esp+4] since [esp] holds the return address) is 0x00400000
  that is the image base of our main executable (redaman.exe) that we loaded into IDA
   when you see this it's possible they are doing a "PE overwrite": making the original image writable so they can overwrite the existing PE in memory with the unpacked one

terminate the process in IDA
open the newly dumped file instead
notice the navigation bar has a small blue code section and a giant yellow section, which appears to be packed data

click in IDA on the beginning of the giant yellow packed section
look for xrefs / data links ... and go to the code where it's used ... might get lucky and find where it's being unpacked

in our case I picked unk_403000, hit 'x' for xrefs, it took me to a lea eax, unk_403000 statement
 below that statement is a loop with xor and rol (rotate left), which may indicate unpacking (decoding)
  parameters to the loop may be
   "key"
   "size"
   "pointer to the blob of encoded data"
 below the loop are static strings plus LoadLibrary and GetProcAddress calls (resolving imports by name at runtime)
  one string is RtlDecompressBuffer (the ntdll decompression routine, think of it as the unzip step after the xor/rol decode)
 followed by GetTempFileName, CreateFile and WriteFile
  the written file is likely a DLL (writing it to disk gives AV a chance to catch it), they use LoadLibrary to load it
  they call an export function called "DllGetClassObject" with arguments "host 000000000"
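Once the key, size and blob pointer of an xor/rol loop like the one above have been read out of the disassembly, the usual next step is to re-implement the loop outside the debugger and check that the output starts with MZ. The script below is an added example, not code from these notes or from Redaman: the exact loop shape (byte-wise, rotate first then xor, key cycled per byte) and the sample key, rotate count and encoded blob are assumptions constructed for illustration; a real loop may rotate dwords or apply the operations in the other order, and the decode() body has to be matched to what the disassembly actually does. It also shows the fallback when the key is not obvious: brute-forcing single-byte keys and all eight rotate counts with the MZ/PE check as the oracle.

```python
"""Re-implement a rol/xor decode loop and verify the result looks like a PE.
Added example with constructed data; the loop shape and sample key are assumptions."""

SAMPLE_KEY = b"\x5a"   # assumed key, chosen for the constructed sample
SAMPLE_ROT = 3         # assumed rotate count, chosen for the constructed sample


def rol8(value: int, count: int) -> int:
    """Rotate an 8-bit value left (x86 'rol al, cl')."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right; inverse of rol8 for the same count."""
    count &= 7
    return ((value >> count) | (value << (8 - count))) & 0xFF


def decode(blob: bytes, key: bytes, rot: int) -> bytes:
    """Assumed loop: out[i] = rol8(in[i], rot) ^ key[i % len(key)]."""
    return bytes(rol8(b, rot) ^ key[i % len(key)] for i, b in enumerate(blob))


def encode(plain: bytes, key: bytes, rot: int) -> bytes:
    """Inverse of decode(); only used here to construct the sample blob."""
    return bytes(ror8(b ^ key[i % len(key)], rot) for i, b in enumerate(plain))


def looks_like_pe(data: bytes) -> bool:
    """The sanity check applied to decoded output: MZ at 0 and PE\\0\\0 at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def brute_force(blob: bytes):
    """Try every single-byte key and rotate count on the first 0x100 bytes,
    using looks_like_pe() as the oracle. Returns (key, rot) or None."""
    head = blob[:0x100]
    for rot in range(8):
        for k in range(256):
            if looks_like_pe(decode(head, bytes([k]), rot)):
                return bytes([k]), rot
    return None


def make_sample_blob():
    """Construct a fake 'unpacked' image (MZ header + PE signature, nothing else)
    and encode it with the assumed loop. Constructed data, not Redaman."""
    plain = bytearray(0x80)
    plain[0:2] = b"MZ"
    plain[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
    plain[0x40:0x44] = b"PE\0\0"
    return bytes(plain), encode(bytes(plain), SAMPLE_KEY, SAMPLE_ROT)


if __name__ == "__main__":
    plain, blob = make_sample_blob()
    print("encoded starts with:", blob[:4].hex(), "PE?", looks_like_pe(blob))
    decoded = decode(blob, SAMPLE_KEY, SAMPLE_ROT)
    print("decoded starts with:", decoded[:2], "PE?", looks_like_pe(decoded))
    print("brute force recovered:", brute_force(blob))
```

For a real sample you would replace make_sample_blob() with the bytes read from unk_403000 (or dumped with the IDA script above) and the key/rotate values seen in the loop; if the output then still does not start with MZ, the order of the rotate and xor, or the operand width, is wrong, and the RtlDecompressBuffer call after the loop means a decompression step still follows the decode.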

set a breakpoint on that final LoadLibrary
 EAX holds the address of the temp file path
  click into it, hold SHIFT and select the entire string, hit ALT-A to turn it into a Unicode string
    c:\users\xxx\appdata\local\temp\967B.tmp
  (note it's hidden in Windows Explorer, but if you open the file in the HxD hex editor it shows up as an MZ)
  or else in cmd.exe use "attrib c:\users\xxx\appdata\local\temp\*.tmp" to see the file, hidden attribute and all

open the newest dumped file (the .tmp) in PE-bear
 I see exports, so it's a DLL; I see "DllGetClassObject", which is the one the malware called
