Bamital Analysis using Malpimp and Pymal

VN:F [1.9.8_1114]

A couple of months ago, I released my two new tools Malpimp and PyMal for malware analysis. Malpimp aims at API tracing and PyMal is a general purpose malware analysis tool. In this blog I will discuss how to use both of them in malware analysis. As a case study I am using Bamital botnet sample.


Bamital is a good case study, it is using some innovative methods for code injection. Actually Bamital, carberp and zeroaccess all are interesting malware samples and are using some interesting and new code injection methods apart from their functionalities. Also it is interesting to see that most of the samples these days are using APC actively for code injection.  So the systems that closely monitor CreateRemoteThread , nt/zwCreateThread etc. may not be able to catch these things. Anyways lets discuss a bit about bamital code injection technique. It hooks kernel32!WaitForSingleObject API in a very interesting way.


The procedure used by bamital is a bit similar to process hollowing. It first reads the kernel32.dll from remote process and then it patch the kernel32!WaitForSingleObject API with the hook handler code. Then it suspends the target process (explorer or browser) and unmap the kernel32.dll from the target process address space. It then maps the modified kernel32.dll back into the target process and resumes the process. As in most of the multi-threaded applications like explorer or browsers the call to WaitForSingleObject API is very frequent and hence it can execute its code without any delay.


Now in a traditional way when we want to hook something or we want to inject code into a remote process then either we have to allocate memory into another process or we have to load a dll into the remote process. But some intelligent HIPS and host based firewalls monitor remote process memory allocation and loading of a DLL, it means the older methods are basically already under observation so the method used by bamital is more stealthy. However this technique may crash the application if some thread in that process initiates execution before malware resumes the process. Bamital also hooks couple of other APIs but WaitForSingleObject API hooking is the interesting one.



API Tracing using Malpimp:

Lets use malpimp to trace the API calls of the malware.  We can start malpimp from command line like: Malpimp.exe bamital.exe 0 – the second parameter (zero in this case) is basically the address from where we want to trace api calls, in case of zero, malpimp will trace the API calls from the initial execution point (address of entry point).



Bamital API trace:

Setting breakpoints on the exports of dll: C:\WINDOWS\system32\ntdll.dll
Setting breakpoints on the exports of dll: C:\WINDOWS\system32\kernel32.dll
RETURN ADDRESS: 0x004095af	CALL FUNCTION: KERNEL32!GetSystemDefaultLCID
RETURN ADDRESS: 0x004095bb	CALL FUNCTION: KERNEL32!GlobalAlloc
RETURN ADDRESS: 0x0040954c	CALL FUNCTION: KERNEL32!CreateFileA
				yyyyyyyyy
				401208
				80000000
				1
				0
RETURN ADDRESS: 0x00409556	CALL FUNCTION: KERNEL32!GetProcAddress
RETURN ADDRESS: 0x0040954c	CALL FUNCTION: KERNEL32!CreateFileA
				yyyyyyyyy
				401208
				80000000
				1
				0
RETURN ADDRESS: 0x00409556	CALL FUNCTION: KERNEL32!GetProcAddress
RETURN ADDRESS: 0x004095e5	CALL FUNCTION: KERNEL32!LoadLibraryA
				Spoolss.dll
				40b205
Setting breakpoints on the exports of dll: C:\WINDOWS\system32\ADVAPI32.dll
Setting breakpoints on the exports of dll: C:\WINDOWS\system32\WS2_32.dll
RETURN ADDRESS: 0x004095f0	CALL FUNCTION: KERNEL32!GetProcAddress
RETURN ADDRESS: 0x004095fe	CALL FUNCTION: KERNEL32!GetLastError
RETURN ADDRESS: 0x0040954c	CALL FUNCTION: KERNEL32!CreateFileA
				yyyyyyyyy
				401208
				80000000
				1
				0
RETURN ADDRESS: 0x00409556	CALL FUNCTION: KERNEL32!GetProcAddress
RETURN ADDRESS: 0x00409588	CALL FUNCTION: KERNEL32!VirtualProtect
RETURN ADDRESS: 0x00409120	CALL FUNCTION: NTDLL!LdrLoadDll
RETURN ADDRESS: 0x00409120	CALL FUNCTION: NTDLL!LdrLoadDll
RETURN ADDRESS: 0x004091b5	CALL FUNCTION: KERNEL32!GetSystemDefaultLCID
RETURN ADDRESS: 0x00407acf	CALL FUNCTION: KERNEL32!VirtualAlloc
RETURN ADDRESS: 0x00407d78	CALL FUNCTION: KERNEL32!CreateFileMappingA	VIRTUALALLOC RETURNED POINTER 0x003c0000
RETURN ADDRESS: 0x00407d84	CALL FUNCTION: KERNEL32!GetLastError
RETURN ADDRESS: 0x00407d9b	CALL FUNCTION: KERNEL32!CloseHandle
RETURN ADDRESS: 0x00407acf	CALL FUNCTION: KERNEL32!VirtualAlloc
RETURN ADDRESS: 0x00407acf	CALL FUNCTION: KERNEL32!VirtualAlloc	VIRTUALALLOC RETURNED POINTER 0x003d0000
RETURN ADDRESS: 0x00409251	CALL FUNCTION: KERNEL32!lstrcatA	VIRTUALALLOC RETURNED POINTER 0x003e0000
RETURN ADDRESS: 0x0040925f	CALL FUNCTION: KERNEL32!CreateDirectoryA
				C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server
				3e0000
				0
RETURN ADDRESS: 0x00409271	CALL FUNCTION: KERNEL32!lstrcatA
RETURN ADDRESS: 0x00409282	CALL FUNCTION: KERNEL32!lstrcatA
RETURN ADDRESS: 0x004092a0	CALL FUNCTION: KERNEL32!CreateFileA
				C:\WINDOWS\system32\user32.dll
				3c0000
				80000000
				1
				0
RETURN ADDRESS: 0x004092b9	CALL FUNCTION: KERNEL32!GetFileTime
RETURN ADDRESS: 0x004092c0	CALL FUNCTION: KERNEL32!CloseHandle
RETURN ADDRESS: 0x00408e81	CALL FUNCTION: KERNEL32!lstrcatA
RETURN ADDRESS: 0x00408ea4	CALL FUNCTION: KERNEL32!lstrcatA
RETURN ADDRESS: 0x00408ec2	CALL FUNCTION: KERNEL32!CreateFileA
				C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server\qauink.dll
				3c0000
				c0000000
				3
				0
RETURN ADDRESS: 0x00408ee9	CALL FUNCTION: KERNEL32!WriteFile
RETURN ADDRESS: 0x00408f04	CALL FUNCTION: KERNEL32!SetFileTime
RETURN ADDRESS: 0x00408f0f	CALL FUNCTION: KERNEL32!CloseHandle
RETURN ADDRESS: 0x00408f3d	CALL FUNCTION: ADVAPI32!RegCreateKeyExA
				80000001
				Software\fgmdqauink
				40b175
				0
RETURN ADDRESS: 0x00408f62	CALL FUNCTION: ADVAPI32!RegSetValueExA
RETURN ADDRESS: 0x00408f72	CALL FUNCTION: ADVAPI32!RegCloseKey
RETURN ADDRESS: 0x00408f96	CALL FUNCTION: ADVAPI32!RegCreateKeyExA
				80000002
				SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
				401086
				0
RETURN ADDRESS: 0x00408fbd	CALL FUNCTION: ADVAPI32!RegSetValueExA
RETURN ADDRESS: 0x00408fcd	CALL FUNCTION: ADVAPI32!RegCloseKey
RETURN ADDRESS: 0x00409302	CALL FUNCTION: KERNEL32!GetModuleFileNameA
RETURN ADDRESS: 0x00407acf	CALL FUNCTION: KERNEL32!VirtualAlloc
RETURN ADDRESS: 0x0040931f	CALL FUNCTION: KERNEL32!lstrcatA	VIRTUALALLOC RETURNED POINTER 0x003f0000
RETURN ADDRESS: 0x00409333	CALL FUNCTION: KERNEL32!MoveFileExA
RETURN ADDRESS: 0x00409343	CALL FUNCTION: KERNEL32!MoveFileExA
RETURN ADDRESS: 0x0040937f	CALL FUNCTION: ADVAPI32!RegCreateKeyExA
				80000002
				SYSTEM\CurrentControlSet\Services\sr\Parameters
				401008
				0
RETURN ADDRESS: 0x0040939b	CALL FUNCTION: ADVAPI32!RegSetValueExA
RETURN ADDRESS: 0x004093a7	CALL FUNCTION: ADVAPI32!RegCloseKey
RETURN ADDRESS: 0x004093cb	CALL FUNCTION: ADVAPI32!RegCreateKeyExA
				80000002
				SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
				401038
				0
RETURN ADDRESS: 0x004093dc	CALL FUNCTION: ADVAPI32!RegDeleteValueA
RETURN ADDRESS: 0x004093e8	CALL FUNCTION: ADVAPI32!RegCloseKey
RETURN ADDRESS: 0x004081e2	CALL FUNCTION: KERNEL32!CreateToolhelp32Snapshot
RETURN ADDRESS: 0x00408200	CALL FUNCTION: KERNEL32!Process32First
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408216	CALL FUNCTION: KERNEL32!lstrcmpiA
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x00408250	CALL FUNCTION: KERNEL32!Process32Next
RETURN ADDRESS: 0x004081e2	CALL FUNCTION: KERNEL32!CreateToolhelp32Snapshot
RETURN ADDRESS: 0x00408200	CALL FUNCTION: KERNEL32!Process32First
RETURN ADDRESS: 0x00408020	CALL FUNCTION: KERNEL32!OpenProcess	PID: 1484
RETURN ADDRESS: 0x0040808f	CALL FUNCTION: NTDLL!ZwCreateSection
RETURN ADDRESS: 0x004080c2	CALL FUNCTION: KERNEL32!ReadProcessMemory
RETURN ADDRESS: 0x00408183	CALL FUNCTION: NTDLL!ZwSuspendProcess
RETURN ADDRESS: 0x004081c1	CALL FUNCTION: NTDLL!ZwResumeProcess
RETURN ADDRESS: 0x00407ae6	CALL FUNCTION: KERNEL32!VirtualFree
RETURN ADDRESS: 0x00407ae6	CALL FUNCTION: KERNEL32!VirtualFree
RETURN ADDRESS: 0x00407ae6	CALL FUNCTION: KERNEL32!VirtualFree
RETURN ADDRESS: 0x00407ae6	CALL FUNCTION: KERNEL32!VirtualFree
RETURN ADDRESS: 0x00409616	CALL FUNCTION: KERNEL32!ExitProcess

In the api trace we can see that the malware opened a process and after couple of API calls it just terminates. So here is the indication that the malware may have injected its code into the remote process.

We can now use pymal to start our analysis on the process which was opened by the malware. Pymal offers couple of good functions for malware analysis but hook detection and injected code detection are the powerful ones.


Hook detection using PyMal:

ScanModInPid method can be used to check a loaded module for hooks in a process. PyMal also offers couple of other methods that can scan the entire process and even the entire system for hooks. But we will use ScanModInPid, it takes pid and module name as a parameter as you can see in the below snapshot.


As you can see in the snapshots that couple of APIs from ntdll.dll and kernel32.dll are hooked. Now our job is to identify the modules or code segment where these hooks are pointing. Pymal offers a BelongTo method to detect which module holds the hook’s address. If the address is in any loaded module then it will report the name of the DLL but if it will not report anything then it means that the address is from a newly allocated region.

As you can in the above snapshot that the hook address for CreateProcessInternalW is from a newly allocated region and hook address for WaitForSingleObject is from kernel32.dll itself. It basically indicates that some code is injected into the kernel32.dll address space as well. Using pymal’s DumpModule method we can dump the kernel32.dll from process to disk as shown in the below snapshot. After it we can also upload the file to virustotal or manually inspect the strings and codes.

Now we know that the hook address for CreateProcessInternalW is from a newly allocated region but we don’t know the allocation size and base address. So we can use pymal‘s  GetAllocation method or FindInjectedCode method to find allocation base address and size. For several reasons I prefer FindInjectedCode method over GetAllocation.

As you can see in the above snapshot that our hook address is from marked allocation, after that we can read this allocation from process and can search for strings or can write the data on the disk.

In Internet explorer it will also hook couple of ws2_32.dll APIs.

 

You can download the malpimp and Pymal from the following links:

Malpimp: http://securityxploded.com/malpimp.php

Pymal: http://securityxploded.com/pymal.php

Pymal Demo Video: http://vimeo.com/67400713

 

Also if you are a beginner then you may want to visit our free malware analysis course page: http://securityxploded.com/security-training.php

 

 

 



 

 

 

Related Posts Plugin for WordPress, Blogger...

No Comments Yet

Leave a Reply

Just Launched – MalwareNet

Follow us on Facebook


Join Mailing List

Get direct access to our expert trainers or mingle with like minded security folks in our mailing list