2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows "how to use API calls to analyze malware". The content is simple and clear, and I hope it helps resolve your doubts. Let me walk you through "how to use API calls to analyze malware".
We find that more and more malware uses protection techniques such as encryption, packing and obfuscation to hide its malicious code, so that systems and security programs cannot identify it. These techniques also make static analysis by researchers much harder. Although more and more malware developers use such protectors, this has also directly led to another method of malware analysis.
One such method is to analyze the API calls and control flow in the malicious code, which tell the operating system how to carry out a particular operation. With this method we do not need to reverse-engineer the packed file: we only need to dynamically observe the API calls the malicious code executes to learn what a particular file does. By analyzing API calls we can decide whether a file is malicious, and some API calls are characteristic of particular kinds of malware. For example, URLDownloadToFile is the API commonly used to download a malicious payload, while GetWindowDC (used for screen capture) is commonly used by tools such as spyware or keyloggers.
Next, we will analyze a malware sample and introduce you to the implementation of this technology.
Trojan horse sample
The malware sample we are going to analyze is a well-known Trojan horse named 1.exe. Its SHA256 is as follows: 0213b36ee85a301b88c26e180f821104d5371410ab4390803eaa39fac1553c4c
This file is packed with VMProtect, so it is difficult to analyze with decompilation tools. Since I am personally not good at reverse engineering, I intend to understand the file's behavior by analyzing the API calls it makes while running in a Sandboxie environment.
The following (a screenshot in the original article) is the list of API calls we obtained by observing the sample running in the Sandboxie environment.
First of all, let's look at what these functions do. The descriptions of these functions can be found on Microsoft's website:
GetModuleHandle function
Retrieves a module handle for the specified module, which must have been loaded by the calling process. GetModuleHandleA (ANSI)
GetProcAddress function
Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
_wtoi function
Converts a wide-character string to an integer.
CreateStreamOnHGlobal function
Creates a stream object that uses an HGLOBAL memory handle to store the stream contents.
StrStr function
Finds the first occurrence of a substring within a string; the comparison is case-sensitive. StrStrA (ANSI)
wsprintf function
Writes formatted data to the specified buffer; any arguments are converted and copied to the output buffer according to the corresponding format specification in the format string. wsprintfA (ANSI)
WinHttpOpen function
Initializes, for an application, the use of WinHTTP functions and returns a WinHTTP session handle.
GetModuleFileName function
Retrieves the fully qualified path of the file that contains the specified module, which must have been loaded by the current process. GetModuleFileNameW (Unicode)
LoadLibrary function
Loads the specified module into the address space of the calling process; the specified module may cause other modules to be loaded. LoadLibraryA (ANSI)
LocalAlloc function
Allocates the specified number of bytes from the heap.
LocalFree function
Frees the specified local memory object and invalidates its handle.
GetModuleFileName function
Retrieves the fully qualified path of the file that contains the specified module, which must have been loaded by the current process. GetModuleFileNameA (ANSI)
ExitProcess function
Ends the calling process and all its threads.
Key malicious identification indicators
It is important to note that not all of the functions listed above reveal the true purpose of an executable. But the call to WinHttpOpen tells us that the application has a specific purpose.
So we can start from this function. We use URL Revealer (by Kahu Security) to detect the destination of the traffic, and find two URLs that the malicious application keeps trying to connect to:
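The triage idea described above (some API calls are weak signals on their own, but WinHttpOpen, GetModuleFileName and the dynamic-import calls together point at a specific purpose) can be automated over a sandbox trace. The following is an added example, not code from the original article or from Sandboxie: it parses a constructed trace in a made-up "process Api(args)" format (an assumption; real Sandboxie output looks different), folds the A/W variants onto their base names, groups the calls into behavioral categories, and reports combinations that deserve attention. The category table uses real Win32 API names, but the grouping and the combination rules are this example's own.

```python
import re
from collections import defaultdict

# Behavioural categories for Win32 APIs worth flagging in a call trace.
# The API names are real; the grouping is this example's own choice.
API_CATEGORIES = {
    "network":        {"WinHttpOpen", "WinHttpConnect", "WinHttpSendRequest",
                       "InternetOpen", "InternetOpenUrl", "HttpSendRequest"},
    "download":       {"URLDownloadToFile"},
    "screen_capture": {"GetWindowDC", "GetDC", "BitBlt"},
    "keylogging":     {"SetWindowsHookEx", "GetAsyncKeyState"},
    # Weak on their own (every program calls these), but together they show
    # imports being resolved at run time, which packed binaries typically do.
    "dynamic_import": {"GetModuleHandle", "GetProcAddress", "LoadLibrary"},
    "self_locate":    {"GetModuleFileName"},
}
# Reverse index: API name -> category
API_TO_CATEGORY = {api: cat for cat, apis in API_CATEGORIES.items() for api in apis}

# Combinations of categories that together suggest a behaviour.
COMBO_RULES = [
    ({"self_locate", "network"},
     "locates its own executable and opens an HTTP session: possible self-upload"),
    ({"dynamic_import"},
     "resolves imports at run time: common in packed/protected binaries"),
    ({"screen_capture", "network"},
     "captures the screen and talks to the network: spyware-like"),
    ({"download"},
     "downloads a file from a URL: typical payload-download behaviour"),
]

# One call per line: "<process> <Api>(<args>)". Constructed format (assumption).
LINE_RE = re.compile(r"^(\S+)\s+([A-Za-z_]\w*)\(")

# Constructed trace modelled on the call list in the article; not real output.
SAMPLE_TRACE = """\
1.exe GetModuleHandleA("kernel32.dll")
1.exe GetProcAddress(0x76e10000, "LoadLibraryA")
1.exe _wtoi("1")
1.exe CreateStreamOnHGlobal(0x0, 1)
1.exe StrStrA("...", "...")
1.exe wsprintfA(...)
1.exe WinHttpOpen(L"Mozilla/5.0", 0, 0, 0, 0)
1.exe GetModuleFileNameW(0x0, ..., 260)
1.exe LoadLibraryA("winhttp.dll")
1.exe LocalAlloc(0x40, 4096)
1.exe LocalFree(0x...)
1.exe GetModuleFileNameA(0x0, ..., 260)
1.exe ExitProcess(0)
-- end of trace --
"""


def normalize(api):
    """Fold ANSI/Unicode variants (LoadLibraryA / LoadLibraryW) onto the base name."""
    if len(api) > 1 and api[-1] in "AW" and api[:-1] in API_TO_CATEGORY:
        return api[:-1]
    return api


def parse_trace(text):
    """Return [(process, api)] for every line matching LINE_RE; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((m.group(1), normalize(m.group(2))))
    return calls


def triage(text):
    """Group observed calls by category and evaluate the combination rules."""
    calls = parse_trace(text)
    hits = defaultdict(set)
    for _, api in calls:
        cat = API_TO_CATEGORY.get(api)
        if cat:
            hits[cat].add(api)
    indicators = [msg for needed, msg in COMBO_RULES if needed.issubset(hits)]
    return {
        "total_calls": len(calls),
        "categories": {cat: sorted(apis) for cat, apis in sorted(hits.items())},
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_TRACE)
    print(report["total_calls"], "calls parsed")
    for cat, apis in report["categories"].items():
        print(f"  {cat:15s} {', '.join(apis)}")
    for msg in report["indicators"]:
        print("  !", msg)
```

For the constructed trace the report flags the network/self-locate combination and the run-time import resolution, while the memory and string helpers (LocalAlloc, StrStr, wsprintf) contribute nothing, which matches the article's point that only some calls carry meaning.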
GET http://twitter.com/pidoras6
POST http://www.virustotal.com/vtapi/v2/file/scan
Note: when a file is submitted to the VirusTotal API for scanning, it is sent as a POST request of this form.
The link above points to a Twitter address that is no longer valid; when I used Twitter's advanced search to look for it, I found that the tweet had already been deleted.
After Base64-decoding, we get the original content of the tweet: https://w0rm.in/join/join.php. Unfortunately, the site can no longer be resolved, but it was originally an underground site dedicated to website intrusion services. Note, however, that this Twitter account is still active.
From this point of view, there is no way to determine what this malware is trying to do with the GET request. But there are other ways to find out what it wants to scan with VirusTotal. Here is the packet we captured with Wireshark (a screenshot in the original article):
In this packet you can see the API key and file name that the malware uses to scan files on the VirusTotal website. So, by reconstructing the API calls and the packets, we find that this malware submits a copy of itself to VirusTotal, which is typical behavior of the Vflooder Trojan family. Vflooder is a special type of Flooder Trojan, and a Flooder Trojan sends large amounts of data to a target to disrupt its normal operation. But I think VirusTotal may not be able to detect this malware threat.
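The packet analysis above (reading the API key and file name out of the /file/scan POST, and Base64-decoding the tweet body) can be reproduced on a capture with only the Python standard library. The following is an added example, not code from the original article: the HTTP request is a constructed, shortened imitation of the VirusTotal v2 multipart upload, with a placeholder API key and a placeholder file body, and the Base64 string passed to decode_tweet is constructed here from the decoded URL the article reports, since the tweet text itself is not in the article. The check for "self-submission" (the uploaded file name equals the sample's own name) is this example's own rule for the Vflooder behaviour the article describes.

```python
import base64
import email

# Constructed capture shaped like the VirusTotal v2 /file/scan request described
# in the article. The boundary, API key and file bytes are placeholders.
CAPTURED_REQUEST = (
    b"POST /vtapi/v2/file/scan HTTP/1.1\r\n"
    b"Host: www.virustotal.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----EXAMPLEBOUNDARY\r\n"
    b"\r\n"
    b"------EXAMPLEBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="apikey"\r\n'
    b"\r\n"
    b"PLACEHOLDER_API_KEY_0000\r\n"
    b"------EXAMPLEBOUNDARY\r\n"
    b'Content-Disposition: form-data; name="file"; filename="1.exe"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00...placeholder PE bytes...\r\n"
    b"------EXAMPLEBOUNDARY--\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart_form(content_type, body):
    """Parse multipart/form-data with the stdlib email parser.

    Returns {field name: {"filename": str | None, "data": bytes}}.
    """
    msg = email.message_from_bytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    )
    fields = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # the container itself, not a field
        name = part.get_param("name", header="content-disposition")
        fields[name] = {
            "filename": part.get_filename(),
            "data": part.get_payload(decode=True) or b"",
        }
    return fields


def analyze_vt_submission(raw, sample_name):
    """Extract the API key and upload from a VirusTotal scan request and flag self-submission."""
    method, path, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    if not (method == "POST" and path.endswith("/file/scan")
            and content_type.startswith("multipart/form-data")):
        return {"is_vt_scan": False}
    fields = parse_multipart_form(content_type, body)
    apikey = fields.get("apikey", {}).get("data", b"").decode("latin-1").strip()
    upload = fields.get("file", {})
    filename = upload.get("filename")
    data = upload.get("data", b"")
    return {
        "is_vt_scan": True,
        "host": headers.get("host"),
        "apikey": apikey,
        "uploaded_filename": filename,
        "is_pe": data.startswith(b"MZ"),  # DOS/PE header magic
        "submits_self": filename is not None and filename.lower() == sample_name.lower(),
    }


def decode_tweet(text):
    """Base64-decode a tweet body the malware fetched, as the article does by hand."""
    return base64.b64decode(text).decode("utf-8")


if __name__ == "__main__":
    print(analyze_vt_submission(CAPTURED_REQUEST, "1.exe"))
    print(decode_tweet("aHR0cHM6Ly93MHJtLmluL2pvaW4vam9pbi5waHA="))
```

Run against a real capture, the same two steps would recover the key and file name the article read off the Wireshark screenshot; the GET to twitter.com is ignored by analyze_vt_submission because it is neither a POST nor a /file/scan path.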
The above is the whole content of the article "how to use API calls to analyze malware". Thank you for reading! I believe you now have a certain understanding of it; I hope the content shared here helps you, and if you want to learn more, you are welcome to follow the industry information channel!