Getvolumeinformation Serial Number
5/10/2021
In the example below the malware has been manually unpacked and is running from the desktop.
Download the malware

I haven't spent too much time on the macros/PowerShell used to download the malware, as there are already plenty of resources available that cover that. Using x32dbg I have broken down how the malware creates its seemingly random filenames, enumerates and encrypts the running processes, sets up its C2 connectivity, and how to extract the config.

The URLs are often obfuscated using base64 and are relatively easy to decipher. This shows PowerShell being used to download the malware to the user directory. The original filename is 215.exe; this is then copied to the malware's persistence location and renamed.

Extracting the unpacked binary can be done by setting a breakpoint on VirtualAlloc in a debugger such as x32dbg and inspecting the returned buffer once the unpacking routine has written to it. In this example the unpacked malware was stored in a buffer (edi54 in the debugger) at location 001d0115. The header was prepended with some junk code, so once the unpacked binary has been dumped this needs removing with a hex editor such as HxD to create a clean PE header.

Do not expect the import table of the dump to reveal much: the malware's API calls are hashed, and each library and its associated APIs are loaded dynamically when needed.

ntdll and kernel32

The first two function calls in this sample contain the hashes for ntdll and kernel32. The first function resolves ntdll.dll and its associated API calls. This is done by moving the hash values into global variables and then pushing the parameters shown below onto the stack.

The PEB (Process Environment Block) contains information about the current process, including the list of DLLs that have been loaded or mapped into the process memory. On 32-bit Windows the FS segment register points to the Thread Information Block (TIB, the start of the TEB), and a pointer to the PEB is stored in the TIB at offset 0x30. Based on this, a pointer to the PEB can always be found at FS:[0x30]; from there the module list is reached via PEB->Ldr, and each entry's DLL name can be hashed and compared against the hard-coded value.
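The hash-and-compare walk of the module list and export table described above, as an added example that is not code from the original post or from the sample. The post does not state which hash routine this malware uses, so the common ROR-13 "add" hash (with lowercase normalisation of the name, as the post's module-list loop does) is assumed here and must be replaced with the routine lifted from the debugger; the module list and export list are constructed stand-ins for the PEB's loaded-module list and kernel32's export name table. The reverse lookup table at the end is the analyst's side of the same trick: precompute hashes for known module and API names so the constants seen in EBX can be mapped back to names.

```python
"""
API-hash resolution as performed by the malware, plus the reverse
lookup an analyst builds to decode the hashes.  Added example, not the
post's or the sample's own code.
"""

# ASSUMPTION: ROR-13 "add" hash over the lowercase ASCII name. The real
# sample's routine must be read from the disassembly.
def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name):
    """Lowercase-normalise the name, then h = ror(h, 13) + byte for each byte."""
    h = 0
    for byte in name.lower().encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for the PEB's InLoadOrderModuleList (BaseDllName of
# each LDR_DATA_TABLE_ENTRY). Case varies between Windows versions, which is
# why the malware normalises before hashing.
LOADED_MODULES = ["215.exe", "ntdll.dll", "KERNEL32.DLL", "KERNELBASE.dll", "user32.dll"]

# Constructed stand-in for the export name table of kernel32.dll.
KERNEL32_EXPORTS = [
    "GetVolumeInformationW", "GetWindowsDirectoryW", "CreateMutexW",
    "VirtualAlloc", "LoadLibraryA", "GetProcAddress",
]


def find_module(target_hash, modules=LOADED_MODULES):
    """Walk the module list the way the malware does: hash each name and
    stop at the first match (the EAX == EBX comparison in the debugger)."""
    for name in modules:
        if api_hash(name) == target_hash:
            return name
    return None


def resolve_export(target_hash, exports=KERNEL32_EXPORTS):
    """Same comparison over a module's export names once its base is known."""
    for name in exports:
        if api_hash(name) == target_hash:
            return name
    return None


def build_lookup_table(names):
    """Analyst helper: hash -> name, so hard-coded constants in the binary
    can be labelled without single-stepping every resolution."""
    return {api_hash(n): n for n in names}


if __name__ == "__main__":
    k32 = api_hash("kernel32.dll")
    print(f"kernel32 hash {k32:#010x} -> {find_module(k32)}")
    gvi = api_hash("GetVolumeInformationW")
    print(f"export hash {gvi:#010x} -> {resolve_export(gvi)}")
    table = build_lookup_table(LOADED_MODULES + KERNEL32_EXPORTS)
    for h, n in sorted(table.items()):
        print(f"{h:#010x}  {n}")
```

Because the hash is computed over the lowercase form, the constant the malware carries for kernel32 matches whether the PEB lists it as KERNEL32.DLL or kernel32.dll; if your resolver fails to match a hash you have lifted from the sample, the normalisation step (case, whether the terminating null is included, ASCII versus UTF-16) is the first thing to check.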
The loop walks each module name from the PEB, ensuring each character is lowercase, and runs the hashing routine over it. Once completed the hashed value is held in EAX and compared to EBX. The image below shows the hash generated and stored in EAX being compared to the expected hash in EBX. The values match, so the malware has successfully located kernel32. With the base address of kernel32 known, it can resolve the API calls it wants to use from the export table in the same way, for example GetWindowsDirectoryW.

The next image shows the call to GetVolumeInformationW: the fourth parameter pushed onto the stack is the pointer that will receive the volume serial number. That serial is then passed to _snwprintf, which writes formatted data to a string; in the image below the format is GlobalIX, where X is replaced by the volume serial number. The resulting string is used as the mutex name, and the handle to the newly created mutex (highlighted in green) is returned in the EAX register.
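The volume-serial-to-mutex-name step above, as an added example that is not code from the original post or from the sample. Two assumptions are labelled in the code: the page renders the format string as "GlobalIX", so the backslash and the %X conversion that _snwprintf would need are assumed to have been lost in extraction and the format is taken to be Global\I%X; and the serial is read with a ctypes call to GetVolumeInformationW (so the fourth argument, lpVolumeSerialNumber, is visible in context), which only runs on Windows, while the formatting half runs anywhere. A responder can use the same derivation to predict the exact mutex name a given host would carry.

```python
"""
Derive the mutex name from the volume serial number, mirroring the
GetVolumeInformationW -> _snwprintf -> CreateMutexW sequence.  Added
example, not code from the post or the sample.
"""
import ctypes
import sys

# ASSUMPTION: the post shows "GlobalIX"; "Global\I%X" is taken as the real
# format (Global\ namespace prefix, serial rendered as uppercase hex).
MUTEX_FORMAT = "Global\\I%X"


def mutex_name_for_serial(serial):
    """Reproduce the _snwprintf step for a 32-bit volume serial number."""
    return MUTEX_FORMAT % (serial & 0xFFFFFFFF)


def volume_serial(root="C:\\"):
    """Read the volume serial via GetVolumeInformationW (Windows only).
    The fourth argument, lpVolumeSerialNumber, receives the value the
    malware formats into the mutex name. Returns None off Windows."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    serial = ctypes.c_ulong(0)
    max_component = ctypes.c_ulong(0)
    fs_flags = ctypes.c_ulong(0)
    ok = k32.GetVolumeInformationW(
        ctypes.c_wchar_p(root),      # lpRootPathName
        None, 0,                     # lpVolumeNameBuffer, nVolumeNameSize
        ctypes.byref(serial),        # lpVolumeSerialNumber (4th parameter)
        ctypes.byref(max_component), # lpMaximumComponentLength
        ctypes.byref(fs_flags),      # lpFileSystemFlags
        None, 0,                     # lpFileSystemNameBuffer, nFileSystemNameSize
    )
    if not ok:
        raise ctypes.WinError()
    return serial.value


def expected_mutex_name(root="C:\\", serial=None):
    """Name the malware would create on this host; pass `serial` explicitly
    (e.g. from a forensic image) when not running on the target itself."""
    if serial is None:
        serial = volume_serial(root)
    if serial is None:
        return None
    return mutex_name_for_serial(serial)


if __name__ == "__main__":
    # Constructed serial for an offline demonstration.
    print(expected_mutex_name(serial=0x1234ABCD))
    live = expected_mutex_name()
    print(live if live else "volume serial only readable on Windows")
```

When the analysis is done from a disk image rather than a live host, the serial can be lifted from the volume boot record and fed in through the `serial` argument; either way the result is a host-specific indicator rather than a static string, which is why a hunt for this family should key on the Global\I prefix and the hex pattern rather than one literal name.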