Wednesday, February 7, 2018

Decrypting C&C traffic with Hypervisor based Inspection


In mid-2017 we blogged about Hypervisor based Inspection (HBI), our technology to deeply analyze malware.




HBI uses hardware-assisted virtualization to inspect a program at runtime. HBI also provides very fine-grained analysis and captures the following data:


  • System calls
  • Kernel calls
  • User mode calls
  • Access to user mode memory areas (e.g. PEB)
  • Access to performance counters
  • Execution of specific instructions (e.g. CPUID) by kernel and user code


Hypervisor Based Inspection


We continue extending the technology and would like to showcase an interesting analysis where HBI gives some additional insights.

The sample we are analyzing was uploaded to Joe Sandbox Cloud Basic on the 8th of January 2018:




If we look at the behavior graph we see that two processes named dnschart.exe and certcache.exe are started:



Certcache.exe posts some data via HTTP POST to the IPs 69.16.193.12 and 178.32.255.132:



The HTTP POST body looks like compressed or encrypted data. Wouldn't it be nice to know what data is sent by the malware? Maybe the two IPs belong to the command and control server?

CryptEncrypt


Let us assume the POST data is encrypted. How would the malware encrypt the data? Well, there are two possibilities: via the Windows WinCrypt API or by using its own implementation. Let us assume the malware is lazy and thus intercept the standard APIs with the help of HBI:


All intercepted APIs are collected in a configuration file. Removing or adding new APIs is very simple and can be easily automated.

After we submitted the sample with the new interception configuration we directly see all crypto related activities including the plaintext data:


But the plaintext does not match the POST data, and it still looks like binary.

Compression


Some of you (with a reverse engineering brain :) might spot a familiar byte sequence at the beginning of the data:



What does 78 01 mean? It is one of the magic headers of a Zlib compressed stream:
  • 78 01 - No Compression/low
  • 78 9C - Default Compression
  • 78 DA - Best Compression

Thus let us decompress the data from that position with Zlib:


Putting all this together enables us to automatically extract the Zlib compressed plaintext:
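As an added example (not part of the original post and not Joe Sandbox's own code), the following Python script performs the two steps described above over a constructed API trace: it pairs each network send with the preceding CryptEncrypt call of the same process, then scans that call's input buffer for a Zlib header and inflates the stream from that offset. The pipe-separated trace format, the process IDs, the beacon contents and the list of network APIs are assumptions; the real HBI report format is not shown on this page. The header check goes slightly beyond the three headers listed above by validating any RFC 1950 header with the FCHECK rule (CMF*256+FLG must be a multiple of 31), so a 78 5E header from a mid-level compressor is also found.

```python
import zlib

# RFC 1950 zlib headers as the post lists them: CMF 0x78 (deflate, 32 KiB
# window) followed by a FLG byte whose FLEVEL bits encode the compression level.
ZLIB_LEVELS = {b"\x78\x01": "no/low", b"\x78\x9c": "default", b"\x78\xda": "best"}


def is_zlib_header(two: bytes) -> bool:
    """RFC 1950 check: CM must be 8 (deflate) and CMF*256+FLG a multiple of 31."""
    if len(two) < 2:
        return False
    cmf, flg = two[0], two[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def find_zlib_streams(buf: bytes):
    """Return (offset, level, inflated) for every complete zlib stream in buf.

    The stream need not start at offset 0: the sample in the post carries a
    few bytes of its own framing before the 78 01 header.
    """
    found = []
    for off in range(len(buf) - 1):
        magic = buf[off:off + 2]
        if not is_zlib_header(magic):
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(buf[off:])
        except zlib.error:          # header-looking bytes, not a real stream
            continue
        if d.eof:                   # Adler-32 trailer verified: stream is complete
            found.append((off, ZLIB_LEVELS.get(magic, "other"), out))
    return found


# Constructed trace in a simplified line format (NOT the HBI report format):
# ts|pid|api|hex-encoded data-buffer argument (empty when not relevant).
BEACON = b'{"id":"CONSTRUCTED-BOT-ID","os":"win7","cmd":"ping"}'
# Four hypothetical framing bytes, then a level-1 zlib stream (header 78 01).
PLAINTEXT = b"\x02\x00\x00\x00" + zlib.compress(BEACON, 1)
SAMPLE_TRACE = "\n".join([
    "1|2244|CryptAcquireContextA|",
    "2|2244|CryptEncrypt|" + PLAINTEXT.hex(),
    "3|2244|HttpSendRequestA|" + b"\xde\xad\xbe\xef".hex(),  # ciphertext stand-in
    "4|1180|HttpSendRequestA|" + b"\x00".hex(),              # other pid, no crypto
])

# Assumed set of APIs that hand a buffer to the network.
NETWORK_APIS = {"HttpSendRequestA", "HttpSendRequestW", "send", "WSASend"}


def parse_trace(text: str):
    rows = []
    for line in text.splitlines():
        ts, pid, api, hexdata = line.split("|", 3)
        rows.append({"ts": int(ts), "pid": int(pid), "api": api,
                     "data": bytes.fromhex(hexdata)})
    return rows


def recover_plaintexts(trace, window: int = 5):
    """For each network send, take the last CryptEncrypt of the same process
    within `window` preceding calls and inflate any zlib stream in its buffer."""
    results = []
    for i, call in enumerate(trace):
        if call["api"] not in NETWORK_APIS:
            continue
        enc = next((c for c in reversed(trace[max(0, i - window):i])
                    if c["pid"] == call["pid"] and c["api"] == "CryptEncrypt"), None)
        streams = find_zlib_streams(enc["data"]) if enc else []
        results.append({"pid": call["pid"], "send_ts": call["ts"], "streams": streams})
    return results


if __name__ == "__main__":
    for r in recover_plaintexts(parse_trace(SAMPLE_TRACE)):
        for off, level, data in r["streams"]:
            print(f"pid {r['pid']} send@{r['send_ts']}: zlib({level}) at +{off}: {data!r}")
```

Requiring `d.eof` before accepting a hit is the important detail: a two-byte pair that happens to pass the FCHECK rule occurs roughly once in every 500 offsets of random data, but a stream that inflates cleanly through to a matching Adler-32 trailer is, in practice, always a real one.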


Final Words


Thanks to HBI, Joe Sandbox is able to inspect any API call. Crypto related API calls which are executed before network related operations are often a good target for hunting. Combining the capture of Crypt API arguments with compression detection reveals the plaintext sent to the C&C server and allows us to identify C&C IOCs.


Interested in trying out HBI or Joe Sandbox Hypervisor? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.