When does BCD0236E965582D56DD365E44BD764FA5DFD6CBF312BB124AA2563B5C2 mean “:: Bradesco Pessoa Fosica ::”? Only when CD30ABC0221E5486A23D0F619DB27FC50110504DB9D3DC357893D269E177CB2D1BD1758CCC77AA93ED3DBA190A7BD914B80F5254919C2DC0D471B02CC20260CC4CB2C73A5B really means “HSBC Bank Brasil S.A. — Banco Muliplo — No Brasil e no mundo, HSBC”, of course.
A couple of previous posts provided insight into what clues strings provide when performing malware analysis, and a concise description of how to decrypt obfuscated strings in a static file using advanced IDA Pro functionality.
Here, we’ll use a debugger to step through a malicious file in the lab and observe data as it is decoded by the malware itself. Sometimes, when speed is a priority and not all that many strings are involved, stepping through the decryption loop prior to writing an IDA script is another good approach to have in the toolkit.
We’ve started the executable within OllyDbg. No human-readable strings are visible to the analyst here, but a quick look at the text section after some unpacking reveals multiple arrays of garbled text. Also suspicious is that each string of unreadable, probably encrypted, data is passed by pointer to the same function. Most likely, this procedure contains the decryption loop we are looking for. Each call to this procedure with such a pointer is highlighted in red below:
We can review this loop by setting a breakpoint on the procedure that receives these strings as a parameter. Somewhere along the way, the decrypted data is most likely written out to memory or as a hash. As we single-step through the code (hitting F7), we’ll watch for pushes, pops, and repeated mov instructions, and look for pointers to strings and data copies from esi to edi. We find an interesting loop after the garbled text is pushed onto the stack. Notice that string data is being copied from esi to edi:
Following edi in the data dump displays the memory contents as they are written out and decrypted by multiple layers and loops. Setting a breakpoint here and running through the loop reveals the decrypted data. We can single step through this loop to evaluate the decryption algorithm.
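Before committing to a long single-stepping session, it is worth spending a minute on the cheapest checks. The script below is an added example, not code from the original post or from the analyzed sample: it takes the first hex blob quoted at the top of the post, checks whether its length even allows a per-byte stream transform against the decoded title the debugger later reveals, and brute-forces single-byte XOR as a generic first pass. The sample's real decryption scheme is not described in the post, so the XOR search is only a heuristic; when it comes back empty, as it does for a length mismatch, that is the signal to let the malware decrypt the data itself and read it off the dump window.

```python
# Added example (not code from the original post or the analyzed sample): cheap
# first-pass checks on a hex blob quoted in the post, before stepping through the
# sample's own decryption loop in the debugger. The sample's real algorithm is
# not given in the post, so the single-byte XOR search is a generic heuristic.
import string

# Hex string and decoded title exactly as quoted in the post.
BRADESCO_HEX = "BCD0236E965582D56DD365E44BD764FA5DFD6CBF312BB124AA2563B5C2"
BRADESCO_PLAIN = b":: Bradesco Pessoa Fosica ::"

# Bytes we accept as "text" when scoring a candidate decoding (no VT/FF).
TEXT_BYTES = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def hex_to_bytes(hex_blob: str) -> bytes:
    """Turn a hex string copied from a disassembly or memory dump into bytes."""
    return bytes.fromhex(hex_blob)


def text_ratio(buf: bytes) -> float:
    """Fraction of bytes that look like printable ASCII (0.0 for empty input)."""
    if not buf:
        return 0.0
    return sum(b in TEXT_BYTES for b in buf) / len(buf)


def xor_single_byte_candidates(cipher: bytes, threshold: float = 0.95):
    """Brute-force all 256 single-byte XOR keys; keep outputs that look like text."""
    hits = []
    for key in range(256):
        plain = bytes(b ^ key for b in cipher)
        if text_ratio(plain) >= threshold:
            hits.append((key, plain))
    return hits


def derive_xor_keystream(cipher: bytes, plain: bytes):
    """Known-plaintext check for a per-byte stream cipher.

    If a string observed decoded in the debugger has the same length as the
    blob it came from, XORing the two yields the keystream; a short repeating
    unit in that keystream points to a simple rolling XOR. Different lengths
    mean the scheme is not a plain per-byte transform, so None is returned.
    """
    if len(cipher) != len(plain):
        return None
    return bytes(c ^ p for c, p in zip(cipher, plain))


def shortest_period(stream: bytes) -> int:
    """Length of the shortest repeating unit in the stream (len(stream) if none)."""
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return period
    return len(stream)


if __name__ == "__main__":
    blob = hex_to_bytes(BRADESCO_HEX)
    print(f"{len(blob)} cipher bytes vs {len(BRADESCO_PLAIN)} plaintext bytes")
    print("per-byte keystream:", derive_xor_keystream(blob, BRADESCO_PLAIN))
    for key, plain in xor_single_byte_candidates(blob):
        print(f"xor 0x{key:02x}: {plain!r}")
```

For the Bradesco blob the cipher text is 29 bytes while the decoded title is 28 characters, so `derive_xor_keystream` returns None and no per-byte key can be recovered from this pair; that mismatch is exactly the kind of result that justifies the debugger approach the post takes. The keystream and period helpers pay off on samples where a pair does line up, because a period of one or a few bytes identifies the scheme immediately.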
Eventually this decrypted data is passed to another function via pointers on the thread stack. Now that we’ve run through the loops, we can identify a list of banks and websites that our Portuguese-speaking friends in Brazil may recognize:
Having identified these strings within the malware, we craft a few custom-written empty web pages with these strings as title bar content. We then open the HTML pages with Internet Explorer. We witness images stored within the malware being presented in the foreground of the browser, waiting for our login IDs and passwords. Here are a few related screenshots:
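The decoy pages described above are quick to produce by hand, but a small generator keeps them consistent across samples and makes sure a decoded string that happens to contain markup cannot change the page. The script below is an added example, not the post's own code; the titles are the two decoded strings quoted at the top of the post, and the output directory is a parameter chosen by the analyst.

```python
# Added example (not the post's own code): build the empty decoy pages described
# in the post, one per decoded title, so the sample's window-title matching can
# be observed in the lab. Titles are HTML-escaped so a decoded string containing
# markup cannot alter the page; the output directory is supplied by the caller.
import html
from pathlib import Path

# Decoded strings quoted in the post.
DECODED_TITLES = [
    ":: Bradesco Pessoa Fosica ::",
    "HSBC Bank Brasil S.A. — Banco Muliplo — No Brasil e no mundo, HSBC",
]


def decoy_page_html(title: str) -> str:
    """Minimal page whose only content is the title bar text."""
    return (
        "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n"
        f"<title>{html.escape(title)}</title>\n</head><body></body></html>\n"
    )


def write_decoy_pages(titles, out_dir) -> list:
    """Write one decoy page per title into out_dir; return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for index, title in enumerate(titles, 1):
        path = out / f"decoy_{index:02d}.html"
        path.write_text(decoy_page_html(title), encoding="utf-8")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for written in write_decoy_pages(DECODED_TITLES, "decoy_pages"):
        print("wrote", written)
```

Open each generated file in the browser inside the isolated lab machine, as the post does with Internet Explorer, and watch for the overlay; the file number in the name maps back to the position of the string in the decoded list, which makes it easy to record which titles triggered the sample.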
These strings helped lead us to identify another all too popular Brazilian banking password stealer. Done with these strings, off for a little samba and sun on the coast of Buzios!