Sunday, February 12, 2017

Analysis of the Rovnix Dropper 1/5 - Information Gathering

This post is the first of a 5-post series on how I analysed the Rovnix dropper.

Analysis of the Rovnix Dropper 1/5 - Information Gathering

Analysis of Rovnix Dropper 2/5 - Unpacking

I always begin with static analysis of the binary sample. I would acquire information such as the MD5 and SHA1 hashes of the sample. I would also need to know what sort of binary I am dealing with, for example PE, ELF, .NET, or Office documents. For this I would use CFF Explorer.
Usually at this point, if possible, I would do a Google search using the hash values to check whether the sample had already been analysed. As this sample is pretty old (2015), there was a lot of information related to it. From CFF Explorer, I knew I was likely dealing with a PE binary written in C++.

Knowing that I am dealing with a PE binary, I would use PE Studio to determine what the sample does, for example, does it connect to the internet, download/upload files or collect information from the victim machine. I would also like to know if the binary is packed.
From PE Studio, I could not tell much about the sample. Only a few DLLs are imported by the sample. There was a large number of strings, but I could not see any URLs.
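As an added example (not code from the original post), here is a small Python triage script for the information gathering step described above: it records the MD5/SHA1 hashes, identifies the file type from magic bytes (PE, ELF, Office), refines a PE to native vs .NET by checking the CLR data directory, and gives a byte entropy figure as a first packing hint. The PE header it builds is constructed test data, not the Rovnix sample.

```python
import hashlib
import math
import struct
from collections import Counter

def hashes(data):
    """MD5 and SHA1 of the sample: the first values to record and search on."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def entropy(data):
    """Shannon entropy in bits per byte; values close to 8 hint at packed or encrypted content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def file_type(data):
    """Classify by magic bytes (PE, ELF, Office) and refine PE to native vs .NET via the CLR directory."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "Office (OLE2)"
    if data[:2] == b"PK":
        return "Office (OOXML) or other zip"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ (DOS executable, no PE header)"
    opt = e_lfanew + 24                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    clr = opt + (96 if magic == 0x10B else 112) + 14 * 8     # data directory entry 14 = CLR runtime header
    if clr + 8 > len(data):
        return "PE (truncated header)"
    rva, size = struct.unpack_from("<II", data, clr)
    return "PE (.NET)" if rva and size else "PE (native)"

def triage(data):
    """One-shot static summary of a sample, gathered before any dynamic analysis."""
    return {**hashes(data), "type": file_type(data), "entropy": round(entropy(data), 2)}

def build_sample_pe(dotnet=False):
    """Constructed, non-runnable PE32 header used as test input (not the Rovnix sample)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew -> 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, no sections, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)     # pretend a CLR header is present
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `triage(open(path, "rb").read())` on a real sample; a high entropy value together with very few imports is the same picture PE Studio gave here.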

Next is the dynamic analysis phase. I tried executing the sample in a VM with Sysmon and FakeNet running in the background. I could see some URLs being accessed by the binary via FakeNet. However, before I could take a closer look at the URLs, the infamous BSOD happened.
The BSOD happened every time I ran the sample; I also tried running it in a different VM and in VirtualBox.

FakeNet showed a URL being accessed after the binary was executed. Some information related to the victim machine was also being uploaded to the URL.
At this point, I am certain the sample will upload information gathered from the victim machine to a fixed URL. However, from the strings dumped using PE Studio, there was nothing related to the URL. In addition, PE Studio also did not show any APIs that could be used to access the internet.
I guessed the sample was packed. I opened the sample in IDA Pro and was greeted with this long WinMain() that seemed to be drawing dialog boxes.

I scrolled through WinMain() and it ended with this interesting dynamic call instruction.

In the next post, I will document how I unpacked the sample using OllyDbg. :)
