Fly crypter
4/3/2023

One of the goals of malware authors is to keep their creations undetected by antivirus software. One possible solution for this is a crypter. A crypter encrypts a program so that it looks like meaningless data, and it creates an envelope for this encrypted program, also called a stub. This stub looks like an innocent program and may even perform some tasks which are not harmful at all, but its primary task is to decrypt a payload and run it.

The crypter discussed in this blogpost uses a combination of multiple interesting techniques that make it hard to analyze and to detect properly. One of the key techniques this crypter uses is multiple layers of encryption. Because of this we are calling it “OnionCrypter”. It’s important to note that the name reflects the many layers this crypter uses; it is in no way related to the TOR browser or network. This blogpost covers most of the techniques OnionCrypter uses to complicate analysis and breaks down its structure. This can help malware analysts, because samples like these might get confusing and overwhelming at first, not only for humans but also for dynamic analysis sandboxes.

Most interestingly, we have found that OnionCrypter has been used by over 30 different malware families since 2016. This includes some of the best-known and most prevalent families such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. In the last three years we have protected almost 400,000 users around the world from malware protected by this crypter. Its widespread use and length of time in use make it a key malware infrastructure component. We believe that the authors of OnionCrypter likely offer it as an encrypting service. Based on the uniqueness of the first layer, it is also safe to assume that the authors of OnionCrypter offer the option of a unique stub file to ensure that the encrypted malware will be undetectable. A service like this is frequently advertised as a FUD (fully undetectable) crypter.

Even though the first layer usually includes at least a few hundred functions, there is always one long function (let’s call it the main function) with a lot of junk code, but it also includes the following functionalities, which are important parts of OnionCrypter:

The easiest way to find this function is to check cross-references to the CreateEventA API function.

Uniqueness

After finding this main function in multiple samples, there is the first obstacle – uniqueness. Each one of the analyzed samples had a unique main function. Differences vary between big ones, like completely different API function calls in the junk part of the code, and small ones, like the use of different registers and local variables in a loop which otherwise looks the same.

After seeing some samples it is possible to estimate quite easily which function is the main function. As a consequence, creating static rules for detection gets quite complicated if someone wants to cover the majority of samples. The main function is always quite long, because of junk code and often because of loop unrolling. It may happen that memory allocation or decryption happens in a small part of code between unrolled iterations of loops full of junk code.

B85A4D9DF1140D25F11914EC4E429C505BD97551EDE19197D2B795C44770AFE

UPX impostors

One of the most common packers is UPX, which can compress programs and also hide their original code. A few samples have the first layer modified to look like they are UPX packed even when they are not. At first glance it is possible to see that the sample has sections named exactly like UPX, and even when you analyze the sample with tools like “Detect It Easy”, the tool will incorrectly tell you that the sample is UPX packed. This can lead to the confusion of an inexperienced analyst, but what is even worse, it can confuse analysis tools. There are multiple tools for automatic and static unpacking of UPX-packed programs and for extraction of the original code for further analysis. When a tool like this unpacks a UPX impostor sample, the result will be random corrupted data. On data like this, no static detection will be possible, and a corrupted sample won’t run in dynamic analysis sandboxes.

The majority of samples raise exceptions during debugging. In most cases this happens at the beginning of the main function. Dealing with these exceptions can slow down manual analysis and definitely makes dynamic analysis more difficult.
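As an added example (not code from the original post or from the OnionCrypter authors), the following Python script applies a triage check for the UPX impostor layer described above: it parses the PE section table and reports a sample whose sections are merely named like UPX output but which lacks the raw-data layout and the “UPX!” pack header a genuine UPX build leaves behind, so an analyst can route such samples to manual analysis instead of an automatic unpacker. The minimal PE builder and every input it produces are constructed test data, and the genuine-UPX criteria are a heuristic assumption rather than a guarantee.

```python
import struct

UPX_MAGIC = b"UPX!"  # pack-header magic that a genuine UPX build writes into the file


def parse_sections(data):
    """Parse the PE section table; return (name, virtual_size, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows COFF and optional headers
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def classify_upx(data):
    """Return 'not-upx', 'upx' or 'upx-impostor' (heuristic; criteria are an assumption)."""
    sections = parse_sections(data)
    names = [s[0] for s in sections]
    if not names or names[0] != b"UPX0" or b"UPX1" not in names:
        return "not-upx"  # not even named like UPX output
    _name, vsize, rsize = sections[0]
    # Genuine UPX leaves UPX0 with no raw data (it only exists as the in-memory
    # decompression target) and stores a "UPX!" pack header in the file; a sample
    # that merely copies the section names usually fails one of these checks.
    looks_genuine = rsize == 0 and vsize > 0 and UPX_MAGIC in data
    return "upx" if looks_genuine else "upx-impostor"


def build_pe(sections, trailer=b""):
    """Constructed minimal PE image for testing (header and section table only)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        name.ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0xE0000020)
        for name, vsize, rsize in sections
    )
    return dos + b"PE\0\0" + coff + table + trailer
```

A sample classified as upx-impostor should be handed to a debugger or emulator rather than a static UPX unpacker, since the unpacker output will be the corrupted data the post describes.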