Disclaimer

Thursday, May 14, 2020

Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]

Today I just want to share some interesting obfuscation and anti memory forensic techniques I've learned from Netwalker Ransomware that makes its code more time consuming and hard to analyze. This also include the first part which is a obfuscated powershell that will serve as the loader of the malware.

Stage 1: Obfuscated Powershell:

This netwalker ransomware variant start with 3 stages as follows:

1st Layer : base 64 encoded powershell

2nd Layer: (after decoding the base64) is an encrypted array of bytes using xor command with decryption key of 0xc4, that will be run in scriptblock command.

3rd Layer : (after the decrypted 2nd layer) is a 2 sets of hex bytes array which is the x86 and 64 version of Netwalker binary files that will be injected in a process by a C# code that will be loaded and compile using powershell.


figure 1: the 3 layered powershell script

figure 2: the C# loader written in powershell using Add-Type

Stage 2: No MZ Header Binaries

as far as we saw in the last stage of the powershell, it will inject the ransomware (x86 or x64 binaries) to the explorer.exe process. The interesting part is after I decode those hex byte array, I notice that there are no MZ header to the binary file that are one technique to evade memory forensic tools or some quick check for injected executable to a process.


figure 3: NO MZ Header Files

Stage 3: Obfuscated API Call Using Structure

This Netwalker Ransomware has no import table. It will dynamically harvest its needed API using some hashing algorithm search to all export table of all needed DLL modules to executes its malicious code then save it to a structure object. Below is the screenshot how the raw Hexray view of the import harvesting before and after resolving the API hash and the structure Array using Idapython.

figure 4: API harvesting Function

The Hashing Algorithm is really looks complicated base on its graph but actually it is just a loop of xor and rotate bit operation with specific keys.

figure 5: Hashing algorithm

But the Obfuscation does not ends here. As we remember that it place the resolved API address into a structure object. Then this structure was initialized to a another variable by a function then do the access the member of the structure out of that which make the analysis more confusing.

figure 6: Declare multiple Structure as a obfuscation

Thanks for IDA Python for helping me in creating a structure out of harvested API it needs to make the static analysis more easily.

figure 7: Add Structure

Lesson Learn:

I learned that the there are so many way to obfuscate code from analysis and even the data structure can be used to make the analysis little bit confusing during analysis like what I experience. :)

IOC:

https://app.any.run/tasks/6bb00be0-cd0a-4d9a-a1ea-72cd275ded0e/

Powershell:

filename: powershell.ps1
md5: 5bec43ea21e95a68abafa8c7f99d1e6c
sha1: 22df933f2b33f3f4ffee22b51b4f8fa0268bb327
sha256: b7c7fa9b74aacf331871a9e5438678bce46002618fa106429225161d94e22e44

x64  Netwalker Ransomware:

filename: x64.bin
md5: bc96c744bd66ddfaa79d467b757b8628
sha1: a379f9e04708d773a2dec897166780b026f4c4ea
sha256: 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d

x86  Netwalker Ransomware:

filename: x86_raw.bin
md5: de61b852cadac6afe307652b187ca5df
sha1: fa02c1d394bc150d8a62d3f991d0fdc042ee9724
sha256: e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d






 



There Is More Than Meets The Eye - Analyzing Obfuscated WSHRAT Script

Nowadays it is really a common thing for a malware to have a crypter packer, obfuscation and encryption to hide its code from analyst, evade...