Malware “Function-based encryption” technique and analysis

Sachiel
5 min read · Jan 3, 2021

Overview

In the spring of 2020, I obtained and analyzed a sample of the malware called “Emotet”. Emotet was one of the most prevalent malware families in Japan in 2020, and it uses several techniques that make analysts' work harder.

Most malware seen recently hides its main payload behind a program called a “packer”, and the sample I analyzed used several packer techniques. In this article I explain one of them, which I call “function-based encryption”, and introduce a method for analyzing it.

Target malware hash values:
MD5: 545BFDC9B1976AE0003443FF4F90EB7E
SHA1: 92E8CE006BB3C4A1DDB8D8BA8DE3A90C0BBB6326

What is the “Function-based encryption” technique?

This section describes the “function-based encryption” technique. Malware packers usually encrypt the payload, and a typical packer decrypts the whole payload into memory with its decryption routine, so analysts dump the decrypted code from memory and analyze it. This packer, however, used an unusual technique. It copies the payload from the resource section into memory, but the payload stays encrypted there. A relay function decrypts each function immediately before it is called, and the same relay encrypts the calling function while the callee runs.

Why do attackers use this technique? Because it is hard to analyze. If analysts could capture the decrypted code, they could analyze it statically. With this technique, however, the code is still encrypted even if the analyst captures the payload after it has been unpacked, so static analysis is difficult. Antivirus engines and memory forensics tools also have difficulty detecting the malicious code in memory, because at any moment only the function that is currently running is in plaintext.

This technique can be analyzed by the following methods.

  • Debugger analysis
  • Dynamic analysis

This article is about debugger analysis.

Mechanism of “Function-based encryption”

This section describes how “function-based encryption” works. When the technique is used, everything in the payload is encrypted in memory except the initial code and the encryption / decryption routine. The routine I found uses XOR, so the same routine performs both encryption and decryption.
The process is shown in the figures below.

Figure 1. General unpack
Figure 2. Function-based encryption

The initial code calls the encryption / decryption method in order to invoke an encrypted function; in this specimen the function to call is specified by an index value. The method not only decrypts the called function but also encrypts the calling function, and it reverses both when the called function returns. As a result, the only code an analyst can read while the malware is running is the initial code, the encryption / decryption method, and the function that is currently executing.
This technique made static analysis very annoying for me, but behavioral analysis worked well. The next section introduces a method using a debugger.
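The following Python simulation is an added example, not code from the Emotet sample or from the author: it models the mechanism in the two paragraphs above. Functions live in a table as XOR-encrypted byte strings and are selected by index; the relay decrypts the callee, encrypts the caller while the callee runs, and reverses both on return. Python source strings executed with `exec()` stand in for machine code, and the key, the function table and the indices are constructed for the example.

```python
"""Simulation of "function-based encryption" (added example, not the sample's code)."""
from __future__ import annotations

KEY = bytes.fromhex("3a7f11c9d2")  # constructed key, not the sample's


def xor_crypt(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is its own inverse, so one routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


class FunctionTable:
    """Encrypted function table plus the relay that services calls by index."""

    def __init__(self, sources: dict, key: bytes = KEY):
        self.key = key
        # Everything starts encrypted, as after the packer copies the payload into memory.
        self.slot = {idx: xor_crypt(src.encode(), key) for idx, src in sources.items()}
        self.plain = set()      # indices that are plaintext in "memory" right now
        self.snapshots = []     # (running index, readable indices) at each call

    def _toggle(self, idx: int) -> None:
        """Flip one slot between plaintext and ciphertext (XOR is an involution)."""
        self.slot[idx] = xor_crypt(self.slot[idx], self.key)
        self.plain ^= {idx}

    def readable(self) -> list:
        """What an analyst dumping memory at this instant could read."""
        return sorted(self.plain)

    def relay(self, idx: int, caller: int | None, *args):
        """The encryption / decryption method: hide caller, decrypt callee, run, undo."""
        if caller is not None:
            self._toggle(caller)          # caller disappears from readable memory
        self._toggle(idx)                 # callee becomes readable
        self.snapshots.append((idx, self.readable()))
        ns = {}
        exec(self.slot[idx].decode(), ns)  # "jump" into the decrypted function
        try:
            return ns["fn"](self, *args)
        finally:
            self._toggle(idx)             # callee re-encrypted on return
            if caller is not None:
                self._toggle(caller)      # caller restored to plaintext


# Constructed payload: index 2 calls index 1 through the relay, the way the
# sample's functions call each other through sub_4571920.
SOURCES = {
    1: "def fn(t, data):\n    return data.upper()\n",
    2: "def fn(t, data):\n    return t.relay(1, 2, data) + '!'\n",
}


def run(idx: int, *args, sources: dict = SOURCES):
    """Initial code: the only plaintext besides the relay; it kicks off the first call."""
    table = FunctionTable(sources)
    result = table.relay(idx, None, *args)
    return result, table


def looks_like_code(blob: bytes) -> bool:
    """Crude static check a memory dump would face: is a readable 'def fn' present?"""
    return b"def fn" in blob


if __name__ == "__main__":
    result, table = run(2, "hi")
    print(result, table.snapshots, table.readable())
```

Running `run(2, "hi")` returns `"HI!"`; the snapshots show that while function 2 is running only slot 2 is readable, while function 1 is running only slot 1 is readable, and after the top-level call returns every slot is ciphertext again, which is exactly the state an analyst finds in a dump taken while no function is executing.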

Analysis method of “Function-based encryption” by the debugger

I use IDA as the debugger in this article, but you can use your favorite debugger; what matters is that the tool can execute the sample, since this technique is hard to handle with tools that cannot. The figure below shows an example of this specimen calling the encryption / decryption method.

Figure 3. Calling encryption / decryption method

In this case, “sub_4571920” is the encryption / decryption method (Figure 3). The value pushed immediately before the call is the index of the function to run. The function itself sits in the payload that was copied from the resource section of the executable into memory, and it is decrypted only when it is called.

Figure 4. Inside of encryption / decryption method

This is the core of the encryption / decryption method (Figure 4). It encrypts / decrypts the caller and the called function and then executes the called function. To analyze this technique you need to be able to read this code.

Figure 5. Encryption / decryption subroutine by XOR

This is the subroutine invoked by “call dword ptr [ebp + 8]” (Figure 5). It is a very simple XOR loop: the key is in the area pointed to by “esi”, and in this case the size is 0x3C.

Let's observe the result of an actual encryption and decryption. The code at “0x045711A0” before encryption (Figure 6) and the same bytes after encryption (Figure 7) are shown below.

Figure 6. The code before encrypt
Figure 7. The code after encrypt

Conversely, the encrypted bytes at “0x045726E0” (Figure 8) and the decrypted code (Figure 9) are shown below.

Figure 8. The code before decrypt
Figure 9. The code after decrypt

Could you analyze the code by looking only at Figure 7 and Figure 8? No. Yet whenever a function is not executing, it sits in memory in exactly the state shown in Figure 7 and Figure 8. This is what makes the technique so troublesome for analysts.

How did I analyze this technique? I monitored “sub_4571920” in the debugger: every call to an encrypted function passes through it, so a breakpoint there reveals each index and the function it decrypts. This made dynamic analysis of the malware much easier.

If you analyze malware that uses the same technique, keep three points in mind.

  • Knowing this technique in advance is a great advantage.
  • If you can find the key routine of the technique, the “encryption / decryption method”, dynamic analysis becomes much easier.
  • It is useful to classify the functions by their index value.
    e.g. 0x01 = memset, 0x02 = memcpy, …
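The script below is an added example for the debugger-side method described in this section; it is not the author's script and not the sample's code. It records every hit on the encryption / decryption method keyed by the index pushed right before the call, and builds the index-to-function table the last bullet recommends. The plain-Python part runs offline on constructed log lines; the `install_in_ida` part assumes IDA 7.x IDAPython names (`ida_dbg.DBG_Hooks`, `idc.get_reg_value`, `idc.get_wide_dword`, `idc.add_bpt`), that the method is at the article's sub_4571920, and that at its entry the return address is at [ESP] and the index is the first stack argument at [ESP+4]. The log format `idx=... ret=...` and the analyst labels are constructed.

```python
"""Trace the relay function by index (added example, not the author's script)."""
from collections import defaultdict

DISPATCHER_EA = 0x04571920   # sub_4571920 in the article's sample


class RelayTracer:
    """Collects (index, caller return address) pairs seen at the relay's entry."""

    def __init__(self):
        self.hits = []                      # execution order
        self.callers = defaultdict(set)     # index -> set of return addresses

    def record(self, index: int, ret_ea: int) -> None:
        self.hits.append((index, ret_ea))
        self.callers[index].add(ret_ea)

    def table(self, labels: dict = None) -> dict:
        """index -> {count, callers, label}; indices without a label get '?'."""
        labels = labels or {}
        out = {}
        for idx, ret in self.hits:
            entry = out.setdefault(idx, {"count": 0, "callers": set(),
                                         "label": labels.get(idx, "?")})
            entry["count"] += 1
            entry["callers"].add(ret)
        return out

    def unlabeled(self, labels: dict) -> list:
        """Indices observed at runtime that the analyst has not classified yet."""
        return sorted(i for i in self.callers if i not in labels)


def parse_log(lines) -> RelayTracer:
    """Parse lines like 'idx=0x01 ret=0x045711C2' exported from the debugger (constructed format)."""
    tracer = RelayTracer()
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        tracer.record(int(fields["idx"], 16), int(fields["ret"], 16))
    return tracer


# Constructed sample of breakpoint hits; the addresses and indices are illustrative.
SAMPLE_LOG = [
    "idx=0x01 ret=0x045711C2",
    "idx=0x02 ret=0x045711D8",
    "idx=0x01 ret=0x04572701",
    "idx=0x07 ret=0x04572735",
]

# Classification an analyst builds up while stepping, as the last bullet suggests.
LABELS = {0x01: "memset", 0x02: "memcpy"}


def install_in_ida(tracer: RelayTracer, dispatcher_ea: int = DISPATCHER_EA):
    """Run inside IDA's debugger: break at the relay, log index and caller, continue.

    Assumes a 32-bit target where, at function entry, [ESP] holds the return
    address and [ESP+4] the index that was pushed immediately before the call.
    """
    import ida_dbg, idc   # only importable inside IDA

    class RelayHook(ida_dbg.DBG_Hooks):
        def dbg_bpt(self, tid, ea):
            if ea == dispatcher_ea:
                esp = idc.get_reg_value("ESP")
                tracer.record(idc.get_wide_dword(esp + 4), idc.get_wide_dword(esp))
                ida_dbg.request_continue_process()   # do not stop on every hit
                ida_dbg.run_requests()
            return 0   # 0 = never show the breakpoint warning dialog

    idc.add_bpt(dispatcher_ea)
    hook = RelayHook()
    hook.hook()
    return hook   # keep a reference, or the hook is garbage-collected


if __name__ == "__main__":
    tracer = parse_log(SAMPLE_LOG)
    for idx, entry in sorted(tracer.table(LABELS).items()):
        print(hex(idx), entry["label"], entry["count"], [hex(r) for r in sorted(entry["callers"])])
    print("unclassified:", [hex(i) for i in tracer.unlabeled(LABELS)])
```

The table answers the questions that matter once the relay is found: which indices are used at all, how often, from where, and which ones still need a name. A new index showing up in `unlabeled` is a function the analyst has not yet seen decrypted and should step into next.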

Consideration

Attackers develop various techniques to evade security products, and analysts must devise analysis methods that fit the techniques the malware uses. The “function-based encryption” technique makes it difficult to detect malware by static analysis of a memory dump. Dynamic analysis of behavior, on the other hand, is unaffected. Static analysis is not impossible either: the code can be captured while the application is executing, one function at a time. Understanding how this technique works and knowing its weaknesses lets us improve cybersecurity.

I hope this article helps someone analyze malware and improve the performance of security products.


Sachiel

Security Analyst in Japan. GIAC GREM (Gold) #165237