Thursday, July 23, 2015

Real malware analysis (Safedrv) [Part 1]

Hi
In this article, I'll explain how I proceeded to analyse a piece of malware known as "SafeDRV".
If you find any error or have any suggestion, please leave a comment.
I'll try to follow the approach of "Practical Malware Analysis" (a great book!) in my work.

So, I found this malware on my USB key after using an old computer running Windows XP in an Internet café.
I was very happy, and decided to analyse it in order to understand the purpose behind its development and .

The first step is to find out what type of file I'm dealing with. The "file" command doesn't give much useful information:
$ file SafeDrv.exe
SafeDrv.exe: MS-DOS executable

Among the strings found, only these are meaningful for the analysis:
$strings SafeDrv.exe
...
Borland
KERNEL32.dll
LoadLibraryA
...
GetProcAddress
...

"Borland" perhaps means that this binary was compiled with a Borland compiler, but I'm not sure.
KERNEL32.dll is a shared library, and LoadLibraryA and GetProcAddress are two functions it exports that the binary will use.
Such a tiny import table (one library, two functions) is a strong sign that this malware is obfuscated or packed: LoadLibraryA and GetProcAddress are exactly what an unpacking stub needs in order to resolve the real program's imports at runtime, once it has decompressed the original code in memory.

To confirm that, I looked for a Linux tool to analyse the PE header, and I found this great software: https://github.com/guelfoweb/peframe
It looks for known signatures to check whether a known packer was used.


$peframe SafeDrv.exe
Short information
------------------------------------------------------------
File Name          SafeDrv.exe
File Size          59285 byte
Compile Time       1987-09-11 02:35:02
DLL                False
Sections           2
Hash MD5           08ab82cf528d89fe8daf3550e890ddeb
Hash SHA-1         c25c798455137f71f471989d7f0791cdcadd579d
Imphash            87bed5a7cba00c7e1f4015f1bdae2183
Detected           Packer
Directory          Import, Resource, TLS
Packer matched [1]
------------------------------------------------------------
Packer             FSG v2.0
Suspicious API discovered [2]
------------------------------------------------------------
Function           GetProcAddress
Function           LoadLibraryA
Suspicious Sections discovered [2]
------------------------------------------------------------
Section          
Hash MD5           d41d8cd98f00b204e9800998ecf8427e
Hash SHA-1         da39a3ee5e6b4b0d3255bfef95601890afd80709
Section          
Hash MD5           c855e389142114a6950d817243f0acf0
Hash SHA-1         d21a733bf909ccdded25d33960703440752aa452
File name discovered [1]
------------------------------------------------------------
Library            KERNEL32.dll


As you see, it confirms what I said about the DLL and the functions, and identifies the packer as FSG v2.0. A few more details in the output point the same way: the first section's MD5 and SHA-1 (d41d8cd9... and da39a3ee...) are the hashes of empty input, so that section has no data on disk and only exists to be filled at runtime; both section names are blank; and a compile time of 1987 cannot be genuine, since the PE format did not exist before Windows NT in 1993, so the timestamp has been overwritten.

I found that the compression algorithm is documented at http://www.openrce.org/reference_library/packer_database_view/23

But instead of writing a program to unpack the malware, I decided to apply dynamic analysis with "Cuckoo Sandbox", which will be detailed in the next article.
If you want to discuss, please use the following link: