
Ghidra SRE: The AZORult Field Test
04/02/2019
Introduction
One of the most anticipated moments in the infosec community during the last few months was, without doubt, the public release of Ghidra. On the 5th of March, at the RSA conference, Ghidra was presented to the public, revealing the inner details of the Software Reverse Engineering (SRE) framework that the National Security Agency had used for more than a decade.
Its release was a sort of “main event” for security researchers all around the globe, who immediately started exploring its functionalities to find out its place within the reversing tool panorama. The Cybaze-Yoroi ZLAB team also decided to play around with it, but this time using a real case study, AZORult: one of the most active threats spreading nowadays, which constantly adopts new methodologies to avoid detection. For this reason a recent AZORult sample was chosen to field-test the NSA reverse engineering tool.
Technical Analysis
Hash | 12a7b79430bf3b788396009eadb6cbc4da97cba55c6653048d2dd294fa90dc3a |
Threat | Azorult |
Size | 809 KB |
SSDEEP | 12288:KKi7ifyf5/TIEAcp2o/DZDlvs6SskijhnHW3/qgQrjSh4rNxPXJE:K6m5UYZRUokohnH4QrjCCP5E |
The sample is a PE32 file apparently coded in Visual C++, whose metadata fields contain references to major IT companies like Google and Amazon.
Executing the malware dynamically, we were able to isolate only a few of its actions, because its C2 server was not active at the time of analysis, probably due to a configuration error.
So, after contacting the server, the sample has no possibility to download other components and configurations; the malware therefore kills itself and terminates its execution. For this reason, we focused the investigation on static analysis and debugging.
Digging into the Sample
The first details about the malware's inner workings were retrieved through API call tracing, where some interesting APIs emerged: the malware checks the active processes, looking for typical malware analysis tools like Wireshark, Process Explorer and Process Monitor.

Among the API calls there is a quite interesting one: an OpenProcess call on the process itself, related to a portable executable embedded inside the original file: the payload.
Reversing the Payload with Ghidra
Hash | 70d038d221f79baf9114bf37815fe593965c28218fd70e72827a94984f52d968 |
Threat | Azorult - Payload |
Size | 128 KB |
SSDEEP | 3072:YxRaX6raoCoCyz6/mqv1JR+yBtGOeheWgieGq:caZ1tme+1wie5 |
The extracted payload is written in Delphi, as confirmed by a first preliminary analysis. Thus, we decided to test Ghidra in order to statically analyze the malware.
Using the Ghidra string search function we found the hardcoded C2 address in plain text, meaning the malware writers did not bother to protect the payload, only the container. This IP address is the same one seen during the dynamic analysis, as shown in Figure 2. The malware also uses a custom User-Agent.
Then, we gathered the characteristic strings of the payload, finding many interesting ones, extensively reported in the section “Configuration Strings”. Thanks to this, we also isolated the AZORult routine used to gather and store the Mozilla cookies (Figure 8).
Digging further, we identified the “shell routine”, which allows the command and control operator to execute arbitrary commands on the victim machine. The code snippet shown in Figure 9 shows how the malware uses this capability to delete its execution traces from the victim machine.
We also leveraged the Ghidra built-in script engine to test Yara rules against the inspected code. This flexibility is one of the main characteristics that make Ghidra a valuable tool for a reverse engineer.
Using the “YaraGhidraGUIScript”, available off the shelf in the tool, we managed to write an ad hoc rule to spot the in-memory payload.
The usage of this extension is quite intuitive: the analyst has to select the piece of disassembled code he/she considers representative of the malicious behaviour.
For instance, the piece of code selected in Figure 12 is the routine used by AZORult to contact the C2 with the specific User-Agent. Selecting it in the “YaraGhidraGUIScript”, a new popup form shows the analyst a powerful Yara generation helper.
The Yara GUI shows a smart rule proposal and allows the analyst to freely edit it: in this case the hex values of the PUSH and MOV operands may depend on the virtual addressing of the specific machine, so by clicking on these values the script replaces the operand bytes with the wildcard “?”, preserving the assembly instruction opcodes.
The resulting Yara rule is reported in the section “Yara rules” below.
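To make the wildcarding concrete, here is an added example (not code from the original post or from the Ghidra script): a minimal matcher for Yara hex strings with “??” byte wildcards, run against constructed instruction streams shaped like the page's $STR1 and $a3 patterns. The immediate values and the helper names are assumptions for the demonstration; it shows why the wildcarded $STR1 still matches when the operand addresses change while the fixed address in $a3 does not.

```python
import re

# Hex strings taken from the page's Azorult_payload rule: $STR1 (operands
# wildcarded by the Ghidra script) and $a3 (contains a fixed absolute address).
STR1 = ("68 ?? ?? ?? ?? ff 55 f0 8b d8 c7 47 10 ?? ?? ?? ?? 90 "
        "c7 45 b0 ?? ?? ?? ?? 6a 04 8d 45 b0 50")
A3 = "50 6A FF 68 74 28 41 00 8B 45 F4 50"


def yara_hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a Yara hex string into a bytes regex. Only the whole-byte
    '??' wildcard is handled, which is all the page's rule uses."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(pattern: str, data: bytes) -> list:
    """Offsets at which the pattern matches, like Yara string hits."""
    return [m.start() for m in yara_hex_to_regex(pattern).finditer(data)]


def wildcard_immediates(raw: bytes, spans) -> str:
    """Emit a Yara hex string with the byte ranges [start, end) replaced by
    '??': opcode/ModRM bytes stay, relocatable immediates become wildcards."""
    masked = {i for start, end in spans for i in range(start, end)}
    return " ".join("??" if i in masked else f"{b:02x}" for i, b in enumerate(raw))


def build_str1_sample(imm1: int, imm2: int, imm3: int) -> bytes:
    """Constructed 31-byte instruction stream shaped like the $STR1 sequence,
    with three hypothetical dword immediates filled in (little-endian)."""
    le = lambda v: v.to_bytes(4, "little")
    return (b"\x68" + le(imm1)                    # push imm32
            + b"\xff\x55\xf0" + b"\x8b\xd8"       # call [ebp-0x10]; mov ebx, eax
            + b"\xc7\x47\x10" + le(imm2)          # mov dword [edi+0x10], imm32
            + b"\x90"                             # nop
            + b"\xc7\x45\xb0" + le(imm3)          # mov dword [ebp-0x50], imm32
            + b"\x6a\x04\x8d\x45\xb0\x50")        # push 4; lea eax,[ebp-0x50]; push eax


def build_a3_sample(addr: int) -> bytes:
    """Constructed bytes shaped like $a3: push eax; push -1; push addr; mov eax,[ebp-0xc]; push eax."""
    return b"\x50\x6a\xff\x68" + addr.to_bytes(4, "little") + b"\x8b\x45\xf4\x50"


if __name__ == "__main__":
    build_a = build_str1_sample(0x00412874, 0x0041AA10, 1)
    build_b = build_str1_sample(0x00401000, 0x00402000, 0)   # same code, other addresses
    print("$STR1 hits:", scan(STR1, build_a), scan(STR1, build_b))               # [0] [0]
    print("$a3 hits:", scan(A3, build_a3_sample(0x412874)), scan(A3, build_a3_sample(0x402874)))  # [0] []
    print(wildcard_immediates(build_a, [(1, 5), (13, 17), (21, 25)]) == STR1)  # True
```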
Conclusion
Ghidra is a valuable tool in the arsenal of a reverse engineer. It freely provides advanced features like code decompilation, which were typically available only in high-end commercial products accessible to well-budgeted professionals. The NSA's choice to give back to the security community is admirable, especially because the tool itself is solid and has advanced peculiarities that make it suitable for professional usage.
Anyway, directly comparing it to commercial products, or wondering whether it may replace any of them, is conceptually erroneous; after this field test we can confirm that Ghidra is a valuable tool that should be included in every reverse engineer's arsenal.
Indicator of Compromise
- Hash:
- 12a7b79430bf3b788396009eadb6cbc4da97cba55c6653048d2dd294fa90dc3a
- 70d038d221f79baf9114bf37815fe593965c28218fd70e72827a94984f52d968
Yara Rules
rule Azorult_payload {
    meta:
        description = "Yara Rule for Azorult payload"
        author = "Cybaze Zlab_Yoroi"
        last_updated = "2019_03_19"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 8B D8 EB 0E 53 E8 03 EA FF FF 8B D0 }
        $a2 = { 33 C0 89 45 F0 85 DB 74 0B 83 EB 04 }
        $a3 = { 50 6A FF 68 74 28 41 00 8B 45 F4 50 }
        // Rule generated through the usage of Ghidra Script
        $STR1 = { 68 ?? ?? ?? ?? ff 55 f0 8b d8 c7 47 10 ?? ?? ?? ?? 90 c7 45 b0 ?? ?? ?? ?? 6a 04 8d 45 b0 50 }
    condition:
        all of ($a*) or $STR1
}
Strings
PVAULT_CRED8
EdgePwds
outlookDecrU
Outlook
SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
Browsers\Cookies
Browsers\History
'DisplayName'
'kernel32.dll'
'DisplayVersion'
'Process32FirstW'
'Process32NextW'
'ProcessorNameString'
'CreateToolhelp32Snapshot'
'HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0'
'Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall'
'Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\'
CPU Count:
GetRAM:
Video Info
uProgAndProc
MachineID :
EXE_PATH :
Windows :
Computer(Username) :
Screen:
Layouts:
LocalTime:
Zone:
GDIScreenShot
User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
PasswordsList.txt
scr.jpg
System.txt
%comspec%
/c %WINDIR%\system32\timeout.exe 3 & del "
PasswordsList.txt
Coins
Skype
Telegram
D877F783D5*,map*
%appdata%\Telegram Desktop\tdata\
Steam
image/jpeg
scr.jpg
%APPDATA%\
\autoscan\
\Monero\
.address.txt
.keys
Software\
strDataDir
%APPDATA%\Skype
main.db
\main.db
SteamPath
Software\Valve\Steam
\ssfn*
\Config\*.vdf
\Config\
\places.sqlite
%TEMP%\curbuf.dat
%APPDATA%\.purple\accounts.xml
This blog post was authored by Luigi Martire and Luca Mella of Cybaze-Yoroi Z-LAB