Shulou(Shulou.com)05/31 Report--

How to understand the customizable PE loading malware Gacrux based on C language? in order to solve this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find an easier way.

Recently, I analyzed a sample of malware called Gacrux. Considering the source of these two sample files, I cannot directly share the hash of the file with you or disclose the sample file directly, but according to the information provided in this article, you can easily identify this malware. This malware loader is developed in C language and compiled using Visual Studio 2017. The malware, which has been on sale on some forums since August 2020, seems to have been greatly inspired by Smoke Loader.

Back analysis technology

Gacrux applies a lot of anti-debugging and anti-virtual machine technologies. The first technique involves the following code jumps, which will cause IDA to fail to parse the code instructions correctly.

Here, we can directly use the nop opcode to fix this problem. After doing a pattern scan and fixing the problem, we can use IDA to decompile the code.

The second technique involves forged return values and destroys the functional analysis process of IDA. As before, we can also use nop opcodes to solve this problem.

The final code obfuscation involves encrypting functions on two disks, decrypting the function before calling it, and then re-encrypting the function shortly afterwards.

Decryption / encryption works by finding two modes in the function that represent the beginning and end of the encrypted region, and then XOR the code with the key passed to the function.

The code checks the free space and RAM size on the target disk as part of its anti-virtual machine detection mechanism. Here, we can set breakpoints to modify the return value, or directly use the nop command to skip detection.

String encryption

The string is stored in a function that decrypts the string based on the ID passed in.

Click [here] to get the string list of the external module.

Overall execution flow

Anti-debugging and anti-VM technology

The malware code also adds some anti-debugging techniques that are embedded in many important functions and crash the process when a debugger or virtual machine is detected. The first technique, located in the malloc function, checks the BeingDebugged member in the PEB, and if the appropriate setting is detected, the function returns the size of the requested buffer instead of allocating it. In addition, it checks the modules on the blacklist and, if present, exits execution.

In the second technique, if the target system runs out of RAM or disk space, the process PID of the Explorer resource browser is added, which is usually a sign of virtualization. At this point, the code will crash NtOpenProcess and prevent it from running further.

Here, the injected initialization ShellCode/ custom PE loader also checks the BeingDebugged and NtGlobalFlag members of the PEB.

Syscall

The Syscall module of this malware is almost entirely copied from open source encryption programs.

The hash algorithm here is modified to djb2, and the output uses a constant value for XOR.

Persistence

The persistence of malware is achieved through a Windows process, which is constantly called by malicious code in the context of explorer.exe, which detects the installation file and creates .lnk files in the startup menu.

Code injection

For code injection, Gacrux uses NtCreateSection/NtMapViewOfSection as the write primitive in a 32-bit environment and NtAllocateVirtualMemory/NtWriteVirtualMemory in a 64-bit environment, both of which are done through direct system calls. For the execution primitive, it takes advantage of SetPropA, as Adam detailed in his article "PROPagate- a new code injection technique." This is copied from the open source implementation, as evidenced by the way the function pointer is set.

The code injection technology here is mainly used to call a small custom PE loader. Please read on.

Customize the PE loader and data format

This is the most interesting feature of Gacrux. The code injected into Explorer is not a normal PE file, but a PE loader with custom PE Header and custom loader.

The loader will first do some anti-debug detection:

Next, it parses three API and uses them to process the imported table and fix the relocation:

The PE loader uses a custom PE format, and according to the Kaitai descriptor, we can easily restore the original PE file:

Network Communications

The network communication of this malware uses WinInet and is implemented in the Explorer context scenario:

As we can see, Gacrux is actually not very special. It borrows a lot of public code and is put into use with a little modification. Most importantly, Gacrux has a lot of vulnerabilities!

This is the answer to the question about how to understand the customizable PE loading malware Gacrux based on C language. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.