adric.net


I try to take advantage of the malware samples in my inbox every day to practice analysis and learn cool new tools. A previous post covers some of the basics.

This week I got an "eFAX" message with a zip file attachment that was quite suspicious, so I dug right into it. It's definitely a Win32 PE file (exe) inside the zip despite the Adobe-esque PDF icon it's using, and although ClamAV didn't find anything, VirusTotal confirms that most of the planet thinks it is bad news indeed. Here are the VT and Anubis reports for the binary.

From there I tried to apply some of the techniques I am reading about in Practical Malware Analysis [1], an awesome book that walks through the procedures and tools needed to dissect and analyze files. I'm just starting the book and have been reading about the Windows Portable Executable format, so PE header analysis, I chose you!

PE Header analysis, I chose you to battle the mysterious eFAX DIGIT 30!

    $ pescanner.py FAX_id\{DIGIT30\}.exe
    ################################################################################
    Record 0
    ################################################################################

    Meta-data
    ================================================================================
    File:    FAX_id{DIGIT30}.exe
    Size:    137216 bytes
    Type:    PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
    MD5:     8c830cfdd2b5829b9164862e2457780a
    SHA1:    d13e5c55a257831096ea2aced067b85bbf8f4a6a
    ssdeep:  3072:xrTZ+SCHkw/kjp+FiGzp+mFxB6aD5K/IL7EiFb6+ATqE9:lTZngkwcp+BzzkA716+JE
    Date:    0x51002677 Wed Jan 23 18:05:43 2013 UTC
    EP:      0x401202 .text 0/5
    CRC:     Claimed: 0x0, Actual: 0x30c75 SUSPICIOUS

    Resource entries
    ================================================================================
    Name     RVA     Size    Lang         Sublang                 Type
    --------------------------------------------------------------------------------
    RT_ICON  0x70f0  0x4028  LANG_FRENCH  SUBLANG_FRENCH_BELGIAN  data

    Suspicious IAT alerts
    ================================================================================
    CreateProcessAsUserA
    CreateServiceW

    Sections
    ================================================================================
    Name     VirtAddr  VirtSize  RawSize  Entropy
    --------------------------------------------------------------------------------
    .text    0x1000    0x1314    0x1400   4.960164
    .rdata   0x3000    0xa34     0xc00    2.445012
    .data    0x4000    0x2fec    0x200    0.000000
    .rsrc    0x7000    0x1ef00   0x1f000  7.296704 SUSPICIOUS
    .import  0x26000   0x1e4     0x200    0.000000

pescanner.py from the Malware Analyst's Cookbook [2] shows us two suspicious Win32 API imports in the import address table: CreateProcessAsUserA and CreateServiceW (the first runs a program under another user's token, the second registers a Windows service, a common persistence step). A quick strings run confirms that there are dozens of Windows API names in clear text in the binary. The code and the import table, at least, have not been encrypted or obfuscated in any way, which is odd but quite helpful; the one part of the file that does not look plain is the resource section, whose entropy of 7.3 is close to what compressed or encrypted data produces.

pescanner calls out the resource section (.rsrc) as a bit odd because of its entropy, and the only resource it lists there is an RT_ICON of 0x4028 bytes, about 16KB. That seems pretty big for an icon to me, so I want to take a closer look. Note the sizes, though: the .rsrc section is 0x1ef00 bytes (about 124KB, roughly 92% of the 137216-byte file), so the icon accounts for only a small part of it and the high-entropy bulk lies elsewhere in the section. Perhaps the larger executable is cover for some sneakier obfuscated code hidden in this icon resource?
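To make the section-table checks above concrete, here is a small triage script added for this post; it is not part of pescanner or the Malware Analyst's Cookbook. Using only the Python standard library it walks the DOS header, NT headers and section table of a PE32 file, computes each section's Shannon entropy (the same quantity in pescanner's Entropy column) and flags what a first pass would flag. The thresholds (entropy of 7.0 or more, one section holding 75% or more of the file on disk) are assumptions chosen for the example, and the sample PE it runs on is constructed in memory from a low-entropy ".text" and a random-byte ".rsrc"; it is parseable, not loadable.

```python
import math
import random
import struct

# Thresholds for this example's triage (assumptions, not pescanner's own rules).
HIGH_ENTROPY = 7.0        # bits per byte; 8.0 is uniformly random
BULK_FRACTION = 0.75      # one section carrying this share of the file on disk


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns one dict per section with its sizes, raw-data entropy and share of the file.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    sect_tab = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect_tab + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "entropy": shannon_entropy(raw),
            "raw_fraction": len(raw) / len(pe),
        })
    return sections


def triage(pe: bytes):
    """Flag high-entropy sections (packed/encrypted data) and any section that is most of the file."""
    findings = []
    for s in parse_sections(pe):
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} looks packed or encrypted")
        if s["raw_fraction"] >= BULK_FRACTION:
            findings.append(f"{s['name']}: holds {s['raw_fraction']:.0%} of the file on disk")
    return findings


def build_sample_pe(section_blobs):
    """Constructed minimal PE32 image for this example: headers plus the given sections."""
    nsec = len(section_blobs)
    opt_size = 0xE0                     # IMAGE_OPTIONAL_HEADER32 size
    file_align = 0x200
    align = lambda x: (x + file_align - 1) // file_align * file_align
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = align(headers_len)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)       # Magic = PE32, rest zeroed
    table, body, vaddr = b"", b"", 0x1000
    for name, blob in section_blobs:
        rawsize = align(len(blob))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), vaddr,
                             rawsize, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += blob.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += (len(blob) + 0xFFF) // 0x1000 * 0x1000
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(align(headers_len), b"\0")
    return headers + body


_rng = random.Random(1)  # deterministic so the sample is reproducible
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x90" * 128),                          # constructed low-entropy "code"
    (b".rsrc", bytes(_rng.getrandbits(8) for _ in range(8192))),    # constructed random bytes
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} {s['vaddr']:#08x} {s['vsize']:#08x} {s['rawsize']:#08x} {s['entropy']:.6f}")
    for finding in triage(SAMPLE_PE):
        print("SUSPICIOUS", finding)
```

Against the constructed sample the script reports the ".rsrc" section twice (entropy close to 8 and about 89% of the file) and says nothing about ".text", which is the same shape of result pescanner gave for the real eFAX binary.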

On a tip from a friendly malware analyst in Texas I grabbed some tools from MiTec for PE/EXE analysis. Their EXE.exe is a neat executable analysis tool available for download as donationware: http://mitec.cz/exe.html. EXE runs fine in Wine, so I was able to run it without issue on the Kali Linux VM I am doing analysis in. I was able to browse to the Resources and right-click the ICON to save it out, awesome!

So, what is it?

    root@kali:~/april$ du -sh fax_icon.bin
    20K     fax_icon.bin
    root@kali:~/april$ file fax_icon.bin
    fax_icon.bin: MS Windows icon resource - 1 icon
    root@kali:~/april$ eog fax_icon.bin

It's an icon, the fake PDF icon the malware features to try and fool people into thinking it's an eFAX and okay to double-click on. It's in the Windows Icon format, which has a rich history detailed by Wikipedia here.
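The question behind saving the icon out, whether the resource holds anything besides an icon, can be answered from the ICO container's own directory rather than by eyeballing it in an image viewer. The parser below is an added example, not code from this post or from the MiTec tool: it reads the ICONDIR and ICONDIRENTRY structures at the start of an .ico file, checks that every image the directory points to lies inside the file, tells BMP-style from PNG-style images by their leading bytes, and reports how many bytes the directory does not account for. Anything hidden in such a file has to sit in those unaccounted bytes (a gap or trailing data), so a count of zero means the file is exactly the icon it claims to be. The sample icons are constructed in memory for this example.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # idReserved (0), idType (1 = icon), idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colors, reserved, planes, bpp, bytes, offset
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def parse_ico(data: bytes):
    """Return (entries, unaccounted_bytes) for an .ico file.

    entries describes each image in the directory; unaccounted_bytes counts every byte
    that is neither directory nor part of a listed image (gaps and trailing data).
    """
    if len(data) < ICONDIR.size:
        raise ValueError("too short to hold an ICONDIR")
    reserved, res_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an ICO file (bad ICONDIR)")
    dir_end = ICONDIR.size + ICONDIRENTRY.size * count
    if dir_end > len(data):
        raise ValueError("directory claims more entries than the file holds")
    entries = []
    covered = [(0, dir_end)]
    for i in range(count):
        w, h, colors, _res, planes, bpp, size, off = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + ICONDIRENTRY.size * i)
        if off < dir_end or off + size > len(data):
            raise ValueError(f"entry {i} points outside the file")
        kind = "png" if data[off:off + 8] == PNG_MAGIC else "bmp"
        entries.append({
            "width": w or 256, "height": h or 256,   # 0 encodes 256 in the directory
            "bpp": bpp, "size": size, "offset": off, "kind": kind,
        })
        covered.append((off, off + size))
    # Sweep the covered ranges in file order and count the holes between and after them.
    covered.sort()
    unaccounted, pos = 0, 0
    for start, end in covered:
        if start > pos:
            unaccounted += start - pos
        pos = max(pos, end)
    unaccounted += len(data) - pos
    return entries, unaccounted


def build_sample_ico(width=16, height=16, extra=b""):
    """Constructed single-image 32bpp BMP-style icon for this example, plus optional trailing bytes."""
    xor_mask = bytes([0xE0, 0x40, 0x40, 0xFF]) * (width * height)   # BGRA pixels, one flat colour
    and_row = ((width + 31) // 32) * 4                               # 1-bit rows padded to 32 bits
    and_mask = b"\0" * (and_row * height)
    # BITMAPINFOHEADER with biHeight doubled, as the ICO format requires for XOR+AND masks
    bih = struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, 32, 0,
                      len(xor_mask) + len(and_mask), 0, 0, 0, 0)
    image = bih + xor_mask + and_mask
    offset = ICONDIR.size + ICONDIRENTRY.size
    return (ICONDIR.pack(0, 1, 1)
            + ICONDIRENTRY.pack(width, height, 0, 0, 1, 32, len(image), offset)
            + image + extra)


if __name__ == "__main__":
    for label, ico in [("clean", build_sample_ico()),
                       ("padded", build_sample_ico(extra=b"\x90" * 100))]:   # constructed trailing bytes
        entries, slack = parse_ico(ico)
        print(label, len(ico), "bytes,", len(entries), "icon(s),", slack, "bytes unaccounted for")
        for e in entries:
            print("  ", f"{e['width']}x{e['height']} {e['bpp']}bpp {e['kind']} at {e['offset']} ({e['size']} bytes)")
```

Run over a real saved resource the same way (read the file into `data` and call `parse_ico`); a 20KB file whose single 16KB entry plus directory accounts for everything is just an icon, while a large unaccounted remainder is the first thing to carve out and look at.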

[Image: fax_icon.bin, the extracted fake PDF icon]

So perhaps the icon was a red herring after all. If I find out more about this binary I'll follow up with another post.

Refs:

1: http://practicalmalwareanalysis.com/
2: http://www.malwarecookbook.com/