adric ([personal profile] adric) wrote2013-04-30 10:19 am

Static analysis: Sometimes an icon is just an icon?

I try to take advantage of the malware samples in my inbox every day to practice analysis and learn cool new tools. A previous post covers some of the basics.

This week I got an "eFAX" message with a zip file attachment that was quite suspicious, so I dug right into it. It's definitely a Win32 PE file (an .exe) inside the zip despite the Adobe-esque PDF icon it's using, and although ClamAV didn't find anything, VirusTotal confirms that most of the planet thinks it is bad news indeed. Here are the VT and Anubis reports for the binary.

From there I tried to apply some of the techniques I am reading about in Practical Malware Analysis [1], an awesome book that walks through the procedures and tools needed to dissect and analyze files. I'm just starting the book and have been reading about the Windows Portable Executable format, so PE header analysis, I chose you!

$ pescanner.py FAX_id{DIGIT[30]}.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    FAX_id{DIGIT[30]}.exe
Size:    137216 bytes
Type:    PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:     8c830cfdd2b5829b9164862e2457780a
SHA1:    d13e5c55a257831096ea2aced067b85bbf8f4a6a
ssdeep:  3072:xrTZ+SCHkw/kjp+FiGzp+mFxB6aD5K/IL7EiFb6+ATqE9:lTZngkwcp+BzzkA716+JE
Date:    0x51002677 [Wed Jan 23 18:05:43 2013 UTC]
EP:      0x401202 .text 0/5
CRC:     Claimed: 0x0, Actual: 0x30c75 [SUSPICIOUS]

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x70f0   0x4028   LANG_FRENCH  SUBLANG_FRENCH_BELGIAN   data

Suspicious IAT alerts
================================================================================
CreateProcessAsUserA
CreateServiceW

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x1314       0x1400       4.960164    
.rdata     0x3000       0xa34        0xc00        2.445012    
.data      0x4000       0x2fec       0x200        0.000000    
.rsrc      0x7000       0x1ef00      0x1f000      7.296704    [SUSPICIOUS]
.import    0x26000      0x1e4        0x200        0.000000    

pescanner.py from the Malware Analyst's Cookbook [2] shows us some suspicious imported Windows API functions: CreateProcessAsUserA and CreateServiceW. A quick strings run confirms that there are dozens of cleartext Windows API names in the binary. This is a plain Windows program that doesn't seem to have been encrypted or obfuscated in any way! That's odd but quite helpful.

pescanner calls out the resource section (.rsrc) as a bit odd and shows us that the bulk of it is an ICON of about 16KB. That seems pretty big for an icon to me, so I want to take a closer look. Perhaps the larger executable is cover for some sneakier obfuscated code hidden in this icon resource?
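To show what pescanner is actually doing when it prints the Sections table and the CRC line, here is a small added example of my own (not code from the post, pescanner or the Cookbook) that walks the PE header the way the book describes: it builds a constructed minimal PE32 image in memory with one low-entropy section and one pseudo-random section, parses the section table, computes per-section Shannon entropy, and recomputes the PE checksum to compare against the claimed value. The 7.0 entropy cut-off, the constructed sample and the function names are all my own assumptions.

```python
import math
import random
import struct

OPT_CHECKSUM_OFF = 64   # CheckSum sits 64 bytes into the optional header
OPT_ENTRY_OFF = 16      # AddressOfEntryPoint


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the FAX binary from the post)."""
    opt_size, pe_off = 0xE0, 0x40                   # PE32 optional header size, e_lfanew
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # COFF header: Machine=i386, 2 sections, TimeDateStamp, no symbols, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x51002677, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_OFF, 0x1202)
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFF, 0)  # claimed checksum 0, like the sample

    def section(name, vaddr, raw_off, raw_size):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber fields (unused), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size,
                           raw_off, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += section(b".text", 0x1000, 0x200, 0x200)
    headers += section(b".rsrc", 0x2000, 0x400, 0x200)
    headers = headers.ljust(0x200, b"\0")
    low = b"ABCD" * 128                                       # entropy exactly 2.0
    rng = random.Random(1234)                                 # fixed seed, reproducible
    high = bytes(rng.getrandbits(8) for _ in range(0x200))    # looks packed/encrypted
    return headers + low + high


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _pe_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_off


def parse_sections(data: bytes, threshold: float = 7.0) -> list:
    """Section table plus entropy of each section's raw bytes (threshold assumed)."""
    pe_off = _pe_offset(data)
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                    "entropy": round(ent, 6), "suspicious": ent > threshold})
    return out


def pe_checksum(data: bytes) -> int:
    """ImageHlp-style checksum: fold 32-bit words with end-around carry, skip
    the CheckSum field itself, then add the file length (4-byte aligned headers assumed)."""
    cs_off = _pe_offset(data) + 24 + OPT_CHECKSUM_OFF
    body = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(body), 4):
        if i == cs_off:
            continue
        total += struct.unpack_from("<I", body, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def check_checksum(data: bytes) -> dict:
    claimed = struct.unpack_from("<I", data, _pe_offset(data) + 24 + OPT_CHECKSUM_OFF)[0]
    actual = pe_checksum(data)
    return {"claimed": claimed, "actual": actual, "suspicious": claimed != actual}


def set_checksum(data: bytes, value: int) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, _pe_offset(data) + 24 + OPT_CHECKSUM_OFF, value)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in parse_sections(sample):
        print(s)
    print(check_checksum(sample))
```

Run on the constructed image, the `.text` section reports entropy 2.0 and the `.rsrc` section lands well above 7, which is the same shape as the table above: a near-8.0 section is either compressed media or packed code, and you cannot tell which from entropy alone. The checksum check is weaker evidence than it looks, because Windows only enforces the CheckSum for drivers and a few system DLLs, so plenty of ordinary executables ship with it set to zero.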

On a tip from a friendly malware analyst in Texas I grabbed some tools from MiTec for PE/EXE analysis. Their EXE.exe is a neat executable analysis tool available for download as donationware: http://mitec.cz/exe.html. EXE runs fine in Wine, so I was able to run it without issue on the Kali Linux VM I am doing analysis on. I was able to browse to the Resources and right-click the ICON to save it out, awesome!

So, what is it?

root@kali:~/april$ du -sh fax_icon.bin
20K fax_icon.bin
root@kali:~/april$ file fax_icon.bin
fax_icon.bin: MS Windows icon resource - 1 icon
root@kali:~/april$ eog fax_icon.bin

It's an icon: the fake PDF icon the malware features to try and fool people into thinking it's an eFAX and okay to double-click on. It's in the Windows Icon format, which has a rich history detailed by Wikipedia here.
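The question "is this icon just an icon?" can be answered from the format itself rather than by eyeballing it in eog. An RT_ICON resource inside a PE is the bare image data; a tool that saves it as a .ico prepends the 6-byte ICONDIR and one 16-byte ICONDIRENTRY, which is what `file` recognised above. Each entry declares how many bytes the image occupies, and the BITMAPINFOHEADER at the start of the image says how many bytes its geometry actually needs (header, palette, XOR bitmap, 1-bit AND mask). If the two disagree, something is riding along in the resource. Here is an added example of my own (not code from the post or from MiTec) that builds a constructed .ico and runs that consistency check; the sample icons, the `trailing` parameter and the function names are my assumptions.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_ico(width: int = 64, height: int = 64, bpp: int = 32,
                     trailing: bytes = b"") -> bytes:
    """Constructed single-image .ico (not the icon from the post). `trailing`
    appends bytes that no header field accounts for, to exercise the check."""
    row_xor = ((width * bpp + 31) // 32) * 4          # DIB rows are padded to 4 bytes
    row_and = ((width + 31) // 32) * 4                # 1-bit AND mask rows, same rule
    palette = bytes(4 * (1 << bpp)) if bpp <= 8 else b""
    xor = bytes(row_xor * height)
    and_mask = bytes(row_and * height)
    # BITMAPINFOHEADER; biHeight is doubled because it counts XOR and AND rows
    bih = struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, bpp, 0,
                      len(xor) + len(and_mask), 0, 0, 0, 0)
    image = bih + palette + xor + and_mask + trailing
    # ICONDIRENTRY: width/height bytes wrap to 0 for 256 px, colour count, reserved,
    # planes, bpp, dwBytesInRes, dwImageOffset (ICONDIR is 6 bytes, one entry 16)
    entry = struct.pack("<BBBBHHII", width % 256, height % 256, 0, 0, 1, bpp,
                        len(image), 6 + 16)
    return struct.pack("<HHH", 0, 1, 1) + entry + image      # reserved=0, type=1 (icon), count=1


def inspect_ico(data: bytes) -> list:
    """For each image in the ICONDIR, compare dwBytesInRes with the size the
    bitmap header's own geometry needs; whatever is left over is unexplained."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO (bad ICONDIR)")
    results = []
    for i in range(count):
        (_w, _h, _nc, _res, _planes, _bpp,
         size, off) = struct.unpack_from("<BBBBHHII", data, 6 + 16 * i)
        img = data[off:off + size]
        if img.startswith(PNG_MAGIC):                 # newer icons may embed PNG instead
            results.append({"index": i, "kind": "png", "declared": size,
                            "expected": None, "unexplained": 0, "suspicious": False})
            continue
        if len(img) < 40:
            raise ValueError(f"image {i}: truncated bitmap header")
        (bi_size, bi_w, bi_h, _pl, bi_bpp, _comp, _simg, _xp, _yp,
         clr_used, _ci) = struct.unpack_from("<IiiHHIIiiII", img, 0)
        height = bi_h // 2
        palette = 4 * (clr_used or (1 << bi_bpp)) if bi_bpp <= 8 else 0
        row_xor = ((bi_w * bi_bpp + 31) // 32) * 4
        row_and = ((bi_w + 31) // 32) * 4
        expected = bi_size + palette + (row_xor + row_and) * height
        unexplained = size - expected
        results.append({"index": i, "kind": "bmp", "width": bi_w, "height": height,
                        "bpp": bi_bpp, "declared": size, "expected": expected,
                        "unexplained": unexplained,
                        # either direction is odd: extra bytes, or a missing AND mask
                        "suspicious": unexplained != 0})
    return results


if __name__ == "__main__":
    for r in inspect_ico(build_sample_ico()):
        print(r)
    for r in inspect_ico(build_sample_ico(trailing=b"X" * 300)):
        print(r)
```

The size arithmetic also explains why a 16KB icon is not unusual: a single 64x64 image at 32 bits per pixel needs 64*64*4 = 16384 bytes of pixel data before the header and mask are counted, so a large, high-entropy .rsrc section is exactly what a lone true-colour icon looks like. A negative `unexplained` value is worth a second look too, since it usually means the AND mask was omitted rather than that anything is hidden.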

[image: fax_icon.bin_037.png, the extracted icon]

So perhaps the icon was a red herring after all. If I find out more about this binary I'll follow up with another post.

Refs:

[1] http://practicalmalwareanalysis.com/
[2] http://www.malwarecookbook.com/