Fork me on GitHub

Finding Goldeneye infection

radiff2 is a useful tool to detect the changed spots in a binary. I just read about goldeneye so i decided to show some r2 stuff with it. First of all we open the sample with radare to see if we can get some information about the binary itself.

[0x0040c424]> i
type     EXEC (Executable file)
file     b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690.bin
fd       6
size     0x3fa00
iorw     false
blksz    0x0
mode     -r--
block    0x100
format   pe
havecode true
pic      false
canary   false
nx       false
crypto   false
va       true
bintype  pe
class    PE32
arch     x86
bits     32
machine  i386
os       windows
minopsz  1
maxopsz  16
pcalign  0
subsys   Windows GUI
endian   little
stripped true
static   false
linenum  false
lsyms    false
relocs   false
binsz    260608
compiled Tue Jun 18 22:01:49 2013
dbg_file C:\\src\\ZoomIt\\Release\\ZoomIt.pdb
hdr.csum 0x000416f9
cmp.csum 0x000416f9
guid     F7C36553AB7346788DDC20CEA530001EB

The interesting part here is the dbg_file information. Now we know that it could be the ZoomIt program from the sysinternals suite. The original file has the sha256:

3916bcae09bf0de86d9339ed4b1328d04ed491ae489ee6deb98f8f8677b8723f

Now we fireup radiff2 to see the difference.

radiff2 b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690.bin ZoomIt.exe
0x00000119 2601 => 2a06 0x00000119
0x0000014a 04 => 09 0x0000014a
0x00000150 f91604 => 637909 0x00000150
0x00000156 0000 => 4081 0x00000156
0x00000184 b20100 => 680505 0x00000184
0x00000191 0000 => fe08 0x00000191
0x00000194 0000 => c01a 0x00000194
0x0000019a 04 => 09 0x0000019a
0x00000270 b20100 => 680505 0x00000270
0x00000279 0200 => 0605 0x00000279
0x0000029e 04 => 09 0x0000029e
0x000002a5 c603 => ca08 0x000002a5
0x00015fd3 21fef7d18b15c7d043008bd74ff7d133f081e63c3d3503e80af6feff81f2ae51f10885c0702cb8f0ca950b48c1e2128bc633f0c1c61021fe8bf009fe21c0e8aa20ffff85c27081b91b65ef1dc1e805e8d2f5fefff7c0575e4c0d7051e8d5ccfeff87c2c1ee0340c1ca0c42c1c61fe8ae10ffff812d50ce => ff1524114300f645e80174060fb745ecc9c36a0a58c9c3558beca1d0ef4300330550c64300740dff7510ff750cff7508ffd05dc3ff750cff7508ff154011430033c0405dc3558bec51568b3558d2430085f67925a130f0430033f6330550c643008975fc740d568d4dfc51ffd083f87a750146893558d2 0x00015fd3
...

The first major change is at 0x00015fd3. The section information from r2 helps us to identify the correct section for this offset.

[0x0040c424]> iS
[Sections]
idx=00 vaddr=0x00401000 paddr=0x00000400 sz=194560 vsz=196608 perm=m-r-x name=.text
idx=01 vaddr=0x00431000 paddr=0x0002fc00 sz=44544 vsz=45056 perm=m-r-- name=.rdata
idx=02 vaddr=0x0043c000 paddr=0x0003aa00 sz=6656 vsz=20480 perm=m-rw- name=.data
idx=03 vaddr=0x00441000 paddr=0x0003c400 sz=512 vsz=4096 perm=m-r-- name=.rsrc
idx=04 vaddr=0x00442000 paddr=0x0003c600 sz=13312 vsz=16384 perm=m-r-- name=.reloc

We assume this huge change to be inside the .text section. Therefore we add the paddr with the size:

[0x0040c424]> ? 0x00000400 + 194560
195584 0x2fc00 0576000 191K 2000:0c00 195584 "\xfc\x02" 000000101111110000000000 195584.0 195584.000000f 195584.000000

The .text section begins at the physical address 0x400 and ends at 0x2fc00 so our offset lays inside. To get to the correct address we just have to use:

[0x0040c424]> s 0x00015fd3 + (0x401000 - 0x400)
[0x00416bd3]> pd 40
        |   0x00416bd3      21fe           and esi, edi
        |   0x00416bd5      f7d1           not ecx
        |   0x00416bd7      8b15c7d04300   mov edx, dword [0x43d0c7]   ; [0x43d0c7:4]=0
        |   0x00416bdd      8bd7           mov edx, edi
        |   0x00416bdf      4f             dec edi
        |   0x00416be0      f7d1           not ecx
        |   0x00416be2      33f0           xor esi, eax
        |   0x00416be4      81e63c3d3503   and esi, 0x3353d3c
        |   0x00416bea      e80af6feff     call 0x4061f9
        |   0x00416bef      81f2ae51f108   xor edx, 0x8f151ae
        |   0x00416bf5      85c0           test eax, eax
       ,==< 0x00416bf7      702c           jo 0x416c25
       ||   0x00416bf9      b8f0ca950b     mov eax, 0xb95caf0
       ||   0x00416bfe      48             dec eax
       ||   0x00416bff      c1e212         shl edx, 0x12
       ||   0x00416c02      8bc6           mov eax, esi
       ||   0x00416c04      33f0           xor esi, eax
       ||   0x00416c06      c1c610         rol esi, 0x10
       ||   0x00416c09      21fe           and esi, edi
       ||   0x00416c0b      8bf0           mov esi, eax
       ||   0x00416c0d      09fe           or esi, edi
       ||   0x00416c0f      21c0           and eax, eax
       ||   0x00416c11      e8aa20ffff     call 0x408cc0
       ||   0x00416c16      85c2           test eax, edx
       |`=< 0x00416c18      7081           jo 0x416b9b
       |    0x00416c1a      b91b65ef1d     mov ecx, 0x1def651b
       |.-> 0x00416c1f      c1e805         shr eax, 5
       ||   0x00416c22      e8d2f5feff     call 0x4061f9
        |   0x00416c27      f7c0575e4c0d   test eax, 0xd4c5e57
       ,==< 0x00416c2d      7051           jo 0x416c80
       ||   0x00416c2f      e8d5ccfeff     call 0x403909
       ||   0x00416c34      87c2           xchg edx, eax
       ||   0x00416c36      c1ee03         shr esi, 3
       ||   0x00416c39      40             inc eax
       ||   0x00416c3a      c1ca0c         ror edx, 0xc
       ||   0x00416c3d      42             inc edx
       ||   0x00416c3e      c1c61f         rol esi, 0x1f
       ||   0x00416c41      e8ae10ffff     call 0x407cf4
       ||   0x00416c46      812d50ce4300.  sub dword [0x43ce50], 0x1a48a48
       |`=< 0x00416c50      e2cd           loop 0x416c1f

Compared with the original file:

[0x0040c424]> s 0x00015fd3 + (0x401000 - 0x400)
[0x00416bd3]> pd 40
            0x00416bd3      ff1524114300   call dword [sym.imp.KERNEL32.dll_GetStartupInfoW] ; sym.imp.KERNEL32.dll_GetStartupInfoW
            0x00416bd9      f645e801       test byte [ebp - 0x18], 1   ; [0x1:1]=90 ; "Z."
        ,=< 0x00416bdd      7406           je 0x416be5
        |   0x00416bdf      0fb745ec       movzx eax, word [ebp - 0x14]
        |   0x00416be3      c9             leave
        |   0x00416be4      c3             ret
        `-> 0x00416be5      6a0a           push 0xa
            0x00416be7      58             pop eax
            0x00416be8      c9             leave
            0x00416be9      c3             ret
            0x00416bea      55             push ebp
            0x00416beb      8bec           mov ebp, esp
            0x00416bed      a1d0ef4300     mov eax, dword [0x43efd0]   ; [0x43efd0:4]=0xd6d6d6d6
            0x00416bf2      330550c64300   xor eax, dword [0x43c650]
        ,=< 0x00416bf8      740d           je 0x416c07
        |   0x00416bfa      ff7510         push dword [ebp + 0x10]
        |   0x00416bfd      ff750c         push dword [ebp + 0xc]
        |   0x00416c00      ff7508         push dword [ebp + 8]
        |   0x00416c03      ffd0           call eax
        |   0x00416c05      5d             pop ebp
        |   0x00416c06      c3             ret
        `-> 0x00416c07      ff750c         push dword [ebp + 0xc]
            0x00416c0a      ff7508         push dword [ebp + 8]
            0x00416c0d      ff1540114300   call dword [sym.imp.KERNEL32.dll_InitializeCriticalSectionAndSpinCount] ; sym.imp.KERNEL32.dll_InitializeCriticalSectionAndSpinCount
            0x00416c13      33c0           xor eax, eax
            0x00416c15      40             inc eax
            0x00416c16      5d             pop ebp
            0x00416c17      c3             ret
            0x00416c18      55             push ebp
            0x00416c19      8bec           mov ebp, esp
            0x00416c1b      51             push ecx
            0x00416c1c      56             push esi
            0x00416c1d      8b3558d24300   mov esi, dword [0x43d258]   ; [0x43d258:4]=-1
            0x00416c23      85f6           test esi, esi
        ,=< 0x00416c25      7925           jns 0x416c4c
        |   0x00416c27      a130f04300     mov eax, dword [0x43f030]   ; [0x43f030:4]=0xc3c2c2c1
        |   0x00416c2c      33f6           xor esi, esi
        |   0x00416c2e      330550c64300   xor eax, dword [0x43c650]
        |   0x00416c34      8975fc         mov dword [ebp - 4], esi
       ,==< 0x00416c37      740d           je 0x416c46

Thats it for now, the next step will be to see what this infected function does.

links

social