Monday, April 3, 2017

Malware using IndexerVolumeGUID file

So recently I came across a USB based malware spreading like a worm, which is accessing IndexerVolumeGUID file hidden as a system file in the same USB and contains encrypted malware payload. 

The infection vector is mainly removable media, whereby the malware, when it infects the USB, it hides the original files and folder on the USB and creates .LNK files with the same name, tricking user to click on these .lnk files. The command in the .lnk files are to execute rundll32.exe from system directory and passed on the relative path of a hidden dll located in a sub directory followed by a comma and the entry function name in the dll. I got hold of multiple samples of the lnk files and the dlls and found that the hash of the dll is different every time and the name of the entry function also seems to be a randomly generated string of characters. The only thing which remains constant is the malicious dll, seeking IndexerVolumeGUID hidden system file, so that it can read the encrypted payload from it, decrypt it, load it into memory and execute it, resulting in CnC communication. This is done so that the load of suspicious libraries, which could point to malicious static indicators, is done at runtime by the encrypted loader. The first stage paylaod, the dll therefore gives low score on suspicion indicators.

One thing I noticed was that the dll filename was again a weird pattern of multiple dashes and underscores --__-___----....., like Gamarue (See my last Gamarue post). 

We can see here the randomly generated entry function name of the dll

This is where the rundll32.exe calls the function which is the entry point to dll

The entry point:

We can see the malware using XMM registers to store state and other data possibly for decryption mechanism:

We can see some other function names within the dll, being called.

Again we see a lot of manipulation and assignment involving the XMM registers.

We can see here the mutex, "quvsbhprl" a handle to which is opened to check for any other instance of the same malware running

If not then it will create this mutex to ensure that it is the only copy of itself running:

The malware also creates an environment variable called "obj", with the value of the path to the malicious dll and the indexervolumeguid file:

The malware also looks to load a weird module

This is where it starts reading the IndexerVolumeGUID file

This is where the malware checks for powerstatus of the machine. As described in a FireEye blog the behavior of latent bot is similar, whereby it checks the power for the case of the malware running on a laptop to see if the battery is low. If it is low it executes SetThreadExecutionState to prevent the laptop from sleeping:

The malware then creates the Filemapping of the IndexerVolumeGUID

Maps ViewofFile into its address space

Starts decrypting the payload from the IndexerVolumeGUID using the values in the XMM register

Sets the memory location as execute_readwrite

I also noticed a name of a .bmp file..

This is where the execution flow is transferred to the decrypted paylaod in memory:

The execution of main payload starts here

VT For hash 85b77d0c1133a79e63bc7a92179a1367

VT for MD5 80b15bd6427cfec304bba9a3afea59d5

VT for MD5 8c610fa6b239bd71e7bd7b7cb85f3903

VT for MD5 9aa9764f1a7967319b6b9fb9b9377b2d

Thursday, January 19, 2017

Gamarue/Andromeda Comeback

Gamarue/Andromeda botnet was discovered in 2011 and was at its peak in 2013 as a worm propagating in the network using autorun mechanisms. It seems that there has been a recent rise in its infections (Reference: . The attack vector is still widely USB infection, using lnk shortcuts to drop and run malicious dll files from temp folder, which in turns drops a file ms[***].exe (itself) in the hidden programdata folder and create persistence to run this payload in programdata folder. The samples I am analyzing are mainly dll files with format like _-_-__---_{Some CLSID format}, which are dropped into temp folders with a .tmp extension and executed using rundll32.exe. 

The dll is packed with a custom packer, which unpacks multiple times and decrypt multiple times in memory, self-modify its code at runtime and finally creates msiexec.exe process in suspend mode and injects the final payload in this process and then calls ResumeThread to run the suspended msiexec.exe. The code uses a lot of low-level APIs which are normally not used and could be used to bypass detection by AV or sandboxing technologies.

The multiple samples I am working with, range from 70MB to 100MB in terms of size most probably to evade AV or buy enough time to execute itself and the main payload. Contains a lot of junk code, random strings, obfuscated code, unconventional code flows, RETN being used as calls or JMPs to the code sections created in memory. 

there seems ti be a generator available to generate Gamarue binaries:


The sample communicates with malicious domains in Russia like disorderstatus(dot)ru and expirepages-kiae-1(dot)nic(dot)ru.

The expirepages domain resolve to Some OSCTI on the ip and domain:

Linked to Locky ransomware

Identified as Command and Control server for botnet by IBM-Xforce 

Related to Angler EK, Ursnif C2 and Android Malware pulses from AlienVault:

Angler EK traffic

Doing a timeline analysis showed the USB events

We can see that the USB (F: Drive) and the dll under a folder named with a single special character:

One of the sample lying undetected was discovered by Microsoft Safety Scanner as Gamarue Worm:

We can see the dropped file in programdata:

I was also able to find the persistence mechanism from the logs of MSS AV, where the malware has written to:

ntrunkey://HKCU@S-1-5-21-2635117884-509320886-844527511-1004\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD:C:\ProgramData\mszor.exe

From above you can infer which user was logged on when the infection was in progress: 

All 3 samples I am working on had common junk strings and fileinfo, which can help to create YARA rules:

 Two of the samples:

After a bunch of junk calls the last one continues with the malicious flow

We can see here a typical way a JMP takes place in the sample:

A lot of junk code with random strings, which can be used to create YARA ruleS:

RETN is used to JMP to locations

VirtualAlloc called by using RETN:

RWE memory allocation:

Jump to decrypted code in memory:

Another memory location allocated:

Third memory allocation and jump:

We see PEB FS[0x30] being accessed.

Failed attempts to load a lot of weird dlls:

 Fourth VirtualAlloc:

Fifth VirtualAlloc:

A binary getting unpacked:

The sample opening a handle to itself to read 76567808 bytes:

We can see the binary decrypted in the memory allocation:

We can see the reference to RTLDecompressBuffer API, which is used to decompress the decrypted code 

Reference from

We can see that the malicious code in memory is searching for a binary pattern of 0x370xBD0x140xA1 in the decompressed binary created in memory:

It finds it in the following location:

 Also looking for binary pattern 0xB20x300xA30xD5:

 The malicious code then zero out the memory space where the original binary was loaded and then replace it with the decrypted an de-compressed code:

All sections are placed one by one:

The malicious code in memory is zeroed out and memory is freed:

Next we see that in the stack there is a pointer to API functions CreateThread and again RETN is used as an abnormal way to CALL this function and the parameters passed on to the API function can also be seen in the stack. The highlighted address 0x401467 will be the start address of the thread. I dump this location in the Dump area and place a breakpoint there so that when the thread is created the execution breaks at the entry point of the newly decrypted/decompressed malicious code:

We see below the jump to the highlighted location and the code breaks as expected but since Olly is looking at this as data and not code:

Let us right click on this entry point and ask Olly to re-analyze the code, which will result in the assembly code getting visible:

Next we see a call to NtSetInformationProcess. NtSetInformationProcess can change the privilege level of the program or it can be used to bypass Data Execution Protection (DEP). However in this case the processexecutionflag is 0x0c and not 0x22:

The execution crashes at a certain point due to an invalid memory location and required me to study the code and patch it manually so that the code can continue to run:

Once the code continues, it dumps many API names of ntdll, in the stack by going through the function export table and comparing the Crc32 hashes with hardcoded hashes. This is also mentioned in the avast blog, which are to be used by the final payload. again low level API calls used to bypass AV:

Next we can see that the Crc32 hash is being calculated using RtlComputeCrc32 of

Had to patch the Crc32 calculation and comparison. The JNE 00401786 kicks out of program so I started the code after that jumping to the equality branch so the code could continue:

Some more virtual memory allocated using the low-level NtAllocateVirtualMemory instead of VirtualAlloc:

Some more patching required:

We can see that memory is being copied from location 0x402028 to the newly allocated virtual space:

Some more memory allocations with RWE Access

We can see more copying of data from 0x7fea0000 memory location to 0x7fe90000

Some interesting strings:

We can see the strings used to create the JSON object which is supposedly communicated with C2 server. Also we can see the User Agent also:

More strings for JSON communication between bot and C2:

Persistence mechanism?

We can see reference to Zone.Identifier, which could indicate that this can be removed by the malware to bypass the "File downloaded from the internet" warning. We can also see reference to ms%s.exe the format of string used for dropped file in programdata. Also it sets the Hidden and ShowSuperHidden values in registry to prevent displaying hidden files.

We can see reference to cdosys.dll which could be a module of Gamarue to be downloaded from the C2 server.  We can also see another persistence mechanism whereby taskmgr.exe process execution option has the debugger set as the malicious program, so that whenever task manager runs, this program runs in the background as a debugger.

We can see a call to another low level API LdrProcessRelocationBlock to relocate the base to a new address:

 Again we see memcpy copying bytes from decrypted code to now another RWE location 0x7fe80000:

Then I see some strange code whereby the System32 directory is traversed for all dlls

I also see that strangely two bytes are copied from ntdll.RtlWalkHeap to 7FE80000. Maybe for runtime patching or self-modifying code:

I see a jump using CALL EDI to the 0x7fe90000 in-memory malicious code, using its entry point 0x7fe91493:

I observed a really unusual mechanism of code hiding and obfuscation, whereby the code in the 0x7fe90000 RWE memory section calls code in the 0x7fe80000 RWE section and this is remarkable evasion using code flow redirection techniques. The API calls of the final payload are all made from the 0x7fe80000 section, where 0x7fe90000 contains calls to 0x7fe90000. So as a result there are two layers of in-memory flow through code sections to perform action on objectives.

As you can see that the API call being made from the 0x7fe80000 for setting the error mode to suppress any display of errors:

We can see API call to get the %systemroot%:

Getting information about the volumes:

 Then there is a bunch of JMPs in 0x7fe90000, which again jumps to 0x7fe80000 for calling API functions. This is where most of the functionality/logic of the final code is centered:

We see API calls to enumerate running processes to compare against hard-coded hashes of black-listed processes to see if anyone of them is running. If yes then the program would exit. I had to patch the code flow once as one of the blacklisted process vmtoolssd.exe had a match against the processes running on my VM:

 API call to Process32First and Process32Next:

Now it calculates CRC32 for the process name. In the below case it is calculating it for “system” process:

The comparison of CRC32 against blacklisted process names is happening here:

Here the process will detect the blacklisted process of VM “vmtoolsd.exe” and terminate. So we need to patch the code here.

During the course of its execution if the malware detects analysis, it will go into an infinite loop of Sleep: We can see multiple Sleep calls:

Some more comparisons to Crc32 hashes. Below is the comparison with hash of process "sandboxierpcss.exe"

Next we see the CreateFileMapping and MapViewoffile API call, where it is mapping itself and can be used to load code in RAM or execute code without Windows loader:

Next we see 6000 bytes being copied from 0x400000 to 0x40000

We can see the copied binary:


Getting environment variable "4076290568" (UNICODE) and setting it if not found:

Getting the process filename:

Setting the process variable as the path to filename:

We can see using process hacker the environment value set:

 Next we see reference to msiexec.exe

Concatenation to create the full path to msiexec.exe:

Opening file msiexec.exe for reading:

Again the program crashes at this memset, where FFFFFF95 bytes are to be set?! Patching was of not much help at this stage. So I thought of looking ahead in the code and find as many other IOCs as possible and understand the working:

I can see a call to CreateProcess msiexec.exe in Suspend mode:

I could also see offsets to persistence keys

I can see where the malware forces the OS to not to display hidden files. This is again to hide its payload in programdata:

String format for the ms..exe file

This is where Zone information is removed by calling DeleteFile

I can also see the Image file execution persistence mechanism for taskmgr.exe and the name of the module cdosys.dll.