Multi Stage Malware
How to decrypt or extract the shellcode that a multi-stage malware sample inserts into memory
Tools used: PE-Bear, PE-Studio, x64dbg, Binary Ninja
Download links: x64dbg - https://x64dbg.com/ , Binary Ninja - https://binary.ninja/free/
I have attached the malware file syswow.exe.
Let's first understand the platform and architecture of the file. Import the file into either PE-Studio or PE-Bear.
According to the image, it is a 64-bit binary. Now let's open x64dbg and load syswow.exe into it.
Once the file is loaded, add breakpoints on both the VirtualAlloc and VirtualProtect Windows API calls, as marked in yellow in the command section.
The breakpoints are set as shown:
Now run the program and stop when the breakpoint at VirtualAlloc is hit.
Once the breakpoint hits, we need to understand the parameters passed to VirtualAlloc.
The signature of VirtualAlloc is documented at https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
LPVOID VirtualAlloc( [in, optional] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flAllocationType, [in] DWORD flProtect );
For now let's concentrate on flAllocationType and flProtect. On x64 these are the third and fourth arguments, passed in r8 and r9. Going through the documentation above, flAllocationType is MEM_COMMIT (0x00001000) combined with MEM_RESERVE (0x00002000), whose sum 0x3000 is exactly what the argument view shows: 3: r8 0000000000003000 0000000000003000. Following the same approach for flProtect using https://learn.microsoft.com/en-us/windows/win32/Memory/memory-protection-constants, the fourth argument is 4: r9 0000000000000004 0000000000000004, which is PAGE_READWRITE = 0x04.
Now we need to capture the address returned by VirtualAlloc, since it will be used to store the malicious content in memory. Because this is a function call, the return value is placed in the RAX register, so the easiest approach is to run until the function returns and then read the allocated address from RAX. Select Debug and then Execute till return.
Once you click the button, keep an eye on RAX and on the current instruction in the CPU section.
Now right-click the RAX register and select Dump 1 (Follow in Dump).
Once Dump 1 (or any dump window) is selected, we can see at the bottom that the memory is still all zeros.
Now let's continue: step over the ret instruction and then step into one instruction at a time. At some point we reach a loop, recognisable by the red loop bracket in the CPU instruction pane. A loop right after VirtualAlloc is suspicious: the malware is most likely writing (obfuscated) code into the fresh allocation.
We can confirm this by reading the code: it contains mov instructions and XOR instructions, which indicates deobfuscation is happening in the loop. To validate this, let's run the loop a few times and watch how the Dump 1 values keep changing.
We can see the values FC, 48, 83 (FC indicates shellcode; we will see how to cross-verify this later), which shows the deobfuscation is happening. Instead of stepping one instruction at a time, let's run the whole loop: select the first instruction after the loop and choose "Run until selection", which executes the complete loop and gives the result.
Going through the ASCII column we can find some text: agents and IPs (multiple IOCs).
We found winnet.avi, micsoroft agent and the IP 45.61.136.200. This indicates some connectivity is happening to that IP address.
Now let's verify that the FC byte indicates shellcode (FC is CLD, clear direction flag, a common first instruction in shellcode). Right-click the memory address in Dump 1 and select Follow in Disassembler; we can see the CLD instruction.
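As an added triage helper (not part of the original walkthrough), the script below automates the three manual checks done above: naming the r8/r9 values seen at the VirtualAlloc breakpoint, testing a dumped buffer for the FC 48 83 prologue, and pulling printable strings and IPv4 addresses out of it. The sample bytes are constructed here to mimic the dump, reusing the winnet.avi string and the IP quoted above; the full five-byte stack-alignment prologue after FC is an assumption, not something the page shows.

```python
import re
from typing import Dict, List

# Flag values from the Microsoft pages linked above.
MEM_FLAGS: Dict[int, str] = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT_NAMES: Dict[int, str] = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

def decode_virtualalloc_args(r8: int, r9: int) -> Dict[str, object]:
    """Name the raw r8/r9 values shown at the VirtualAlloc breakpoint.
    x64 calling convention: r8 = flAllocationType, r9 = flProtect."""
    allocation = [name for bit, name in MEM_FLAGS.items() if r8 & bit]
    protect = PROTECT_NAMES.get(r9 & 0xFF, "UNKNOWN(0x%x)" % r9)
    # RWX up front, or RW followed later by VirtualProtect to RX, is the
    # usual "write the stage, then execute it" pattern worth flagging.
    return {"allocation": allocation, "protect": protect,
            "rwx": protect == "PAGE_EXECUTE_READWRITE"}

# Bytes seen at the start of the decoded buffer: FC (CLD) then 48 83
# (a REX.W-prefixed ADD/SUB/AND, typically the stack alignment).
SHELLCODE_PROLOGUE = b"\xfc\x48\x83"

def looks_like_x64_shellcode(dump: bytes) -> bool:
    """True when the buffer begins with the CLD-first prologue."""
    return dump.startswith(SHELLCODE_PROLOGUE)

def extract_strings(dump: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs, i.e. the manual 'read the ASCII column' step."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, dump)]

def extract_ipv4(dump: bytes) -> List[str]:
    """Dotted-quad candidates among the extracted strings."""
    ipv4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
    return sorted({ip for s in extract_strings(dump) for ip in ipv4.findall(s)})

# Constructed sample dump: assumed five-byte stager prologue, NOP padding,
# then the two indicators quoted in the walkthrough. Not the real first.bin.
SAMPLE_DUMP = (b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 11
               + b"winnet.avi\x00" + b"\x00" * 5 + b"45.61.136.200\x00")
```

Run the same functions over the real first.bin (read as bytes) to confirm the prologue and list the embedded indicators before opening it in Binary Ninja.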
So now let's export the shellcode that is embedded inside the multi-stage malware and analyse it separately.
Right-click the memory address of the CLD instruction in the CPU pane and select Follow in Memory Map.
Right-click the region in the Memory Map, choose Dump Memory to File and save it as first.bin.
Now let's open Binary Ninja to see how the binary looks.
Open the file and select the platform (the dump is raw x64 code, not a PE).
Then we can analyse the staged code; select Linear view and High Level IL.
That's it for this session: we have extracted the shellcode from the multi-stage sample and taken a first look at what it is ....