In mid 2017 we
blogged about Hypervisor based Inspection, our technology to deeply analyze malware.
HBI uses hardware assisted virtualization to inspect a program during runtime. HBI also provides very fine grained analysis and captures the following data:
- System calls
- Kernel calls
- User mode calls
- Access to user mode memory areas (e.g. PEB)
- Access to performance counters
- Execution of specific instructions (e.g. CPUID) by kernel and user code
Hypervisor Based Inspection
We continue extending the technology and would like to showcase an interesting analysis where HBI gives some additional insights.
The sample we are analyzing has been uploaded to
Joe Sandbox Cloud Basic the 8th of January 2018:
If we look at the behavior graph we see that two processes named dnschart.exe and certcache.exe are started:
Certcache.exe is posting some data via HTTP POST to IP 69.16.193.12 and 178.32.255.132:
The HTTP post looks like compressed or encrypted data. Wouldn't it be nice to know what data is sent by the malware? Maybe the two IPs belong to the command and control server?
CryptEncrypt
Let us assume the POST data is encrypted. How would the malware encrypt the data? Well, there two possibilities: via
Windows WinCrypt API or by using it's own implementation. Let us assume the malware is lazy and thus intercept the standard APIs with the help of HBI:
All intercepted APIs are collected in a configuration file. Removing or adding new APIs is very simple and can be easily automated.
After we submitted the sample with the new interception configuration we directly see all crypto related activities including the plaintext data:
But the plaintext does not match the POST data, also it still looks like a binary.
Compression
Some of you (with a reversing engineering brain :) might spot in the beginning of data a familiar byte sequence:
What does 7801 mean? It is known as one of the magic headers of a Zlib compressed stream:
- 78 01 - No Compression/low
- 78 9C - Default Compression
- 78 DA - Best Compression
Thus let us decrypt the data from that position with Zlib, and value:
Putting all this together enables to automatically extract Zlib compressed plaintext:
Final Words
Thanks to HBI, Joe Sandbox is able to inspect any API calls. Crypto related API calls which are executed before network related operations are often a good target for hunting. The combination of capturing Crypt API arguments with compression detection, reveals the plaintext send to C&C and allows to identify C&C IOCs.
Interested in trying out
HBI or Joe Sandbox Hypervisor? Register for free at
Joe Sandbox Cloud Basic or
contact us for an in-depth technical demo!
Full Joe Sandbox Analysis Report.