 #32918  by ekt0
 Wed May 08, 2019 5:55 pm

First of all, I don't know whether this topic should belong to "Malware" or "RE and Debugging" boards, so please let me know if I'm wrong.

File summary:
Name: svhost._bad_exe
Type: 64 bit Windows Portable Executable
Size: 2694144 bytes
SHA256: da40e0a9fb8ca951aedfc7057497fea9a4be5f628b9a1905ceeae016dddcc8af
Malware sample is attached, password is infected.
N.B.: Originally, the sample had the Dynamic flag enabled but I removed it.

I have collected a Windows PE executable during incident response, which does malicious actions on the analysed workstation.
From forensic evidence, I concluded that:
- it creates NetUdpPortSharing service to run itself with persistence,
- does an RDP brute-force attack,
- communicates with hxxp://www[.]wrestfight[.]com:23480

I tried to analyse and reverse engineer the malware in order to unveil its capabilities and find why and how it communicates with its C2. However, I found out it is packed with Enigma Protector v5.5. The last release is 6.5 and its manual can be found here: https://enigmaprotector.com/en/help.html.

There are heavy anti-debug and anti-VM mechanisms. Consequently, the dynamic analysis reveals parts of its behaviour but it probably detects that it is run in a VM because it stops before creating the NetUdpPortSharing service. I just monitored the process with Procmon, and also tried to run it with PIN in order to trace external calls.

Static analysis requires skills that I do not have, unfortunately. The malware's functions are virtualized by EP and, even though I have reversed lighter VMs from crackmes, this one is quite tough. I don't know how to analyse it and I fail to separate anti-debug and obfuscation code from actual valuable code. The first step of unpacking is quite straightforward and only consists of mapping the VM code, resolving its IAT, and jumping to it.

To be honest, I don't need the results in order to close my case. However, as a wannabe reverser, I would be really interested in how you would succeed in reversing it, or at least how you would proceed (dynamic analysis included). Also, it is the first time I have seen malware using this packer. I am curious to know if you have ever encountered actual malware packed with Enigma Protector.
