During the malware demo we uploaded the malware to virustotal.com and briefly looked at the file detail information. Revisit the file details on virustotal.com and spend more time inspecting the PE imports, which are much harder to spoof than the version information shown under file details. Inspect the imports and research the Windows APIs called here.
- [Instructor] Let's start analyzing this malware by revisiting the virustotal.com file details we saw earlier. Let's choose File, then select the file that we want to look at, and then click on Scan It. While VirusTotal is scanning the file, it is checking the databases for every anti-virus and anti-malware program. Once the file is done being scanned, we will see the detection ratio. We can see only five anti-virus programs were able to detect this malware.
And here's the list of the ones that were able to pick it up and all of the ones that were not. Clicking on the file details reveals more information about the file we uploaded. This is a very handy view when looking at a file you suspect of being malware. It tells us that this is a Win32 executable file with the original name saying it's svchost and the internal name saying it's svchost. Sometimes these two names will not match up.
If they don't, be very suspicious. The file details can be easily spoofed by the malware author, like it was here. This is done by adding a version resource to your Visual Studio project, and in that version resource, you can spoof the file details. So if I wanted to change the internal name, I could change it to hello.exe or I could spoof it to be svchost. I could also spoof the copyright details from Microsoft. Now what's harder to spoof are the PE imports used by the application.
If we scroll down and we go to the PE imports section we can see a list of the libraries this application used. The functions we see here are also used by normal Windows applications. These functions are used for screen-sharing, video chat, phone calls, and typing in Microsoft Word. But in this case, the malware is using these Windows APIs to record us. If we expand opencv_world300.dll, we can see functions being called like VideoCapture, VideoWriter, cvWriteFrame.
These all look to be recording functions that are used to either capture the computer screen or our webcam. If we move up to WINMM, which is the Windows multimedia library, and expand that, we can see the function mciSendCommand. Now, doing some research on this function mciSendCommand brings us this MSDN page, which tells us that we can record a waveform-audio device using this command. This is how the malware records your microphone.
Moving up to WININET.dll, we can see this InternetCheckConnection API being called. Doing research on this reveals that this can be used by any application to do a simple internet connection test. Here the malware uses it to first check if Gmail is reachable before starting PowerShell to send the email. Speaking of PowerShell, if we go to this SHELL32.dll and expand that, we can see the function that the malware calls to start the PowerShell process that automatically sends emails.
If we do research on ShellExecute, we can see that normally it's used to just perform an operation on a specified file. Applications normally use this to start another normal process, but here the malware uses it to send emails. Remember, these functions are normally harmless, and they're used by every Windows application to make your life better, but here the malware is using them to record us.
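To make the point about imports concrete, here is an added example (not code from the course, and not the malware's own code): a small Python script that walks a PE file's import directory by hand and maps the imported APIs onto the capabilities discussed above. Real samples would normally be examined with a library such as pefile, but the parser below is self-contained so it runs offline. The PE it parses is constructed inside the script, with the DLLs and function names VirusTotal listed for this sample wrapped in a synthetic image; the real opencv_world300.dll exports C++-mangled names, which is why the capability matching is by substring, and the capability labels are assumptions of mine.

```python
import struct

# Constructed import table for the exercise. The DLL and function names are
# the ones VirusTotal showed for the sample in the video; the PE image built
# around them below is synthetic and is not the real malware.
SAMPLE_IMPORTS = {
    "opencv_world300.dll": ["VideoCapture", "VideoWriter", "cvWriteFrame"],
    "WINMM.dll": ["mciSendCommand"],
    "WININET.dll": ["InternetCheckConnection"],
    "SHELL32.dll": ["ShellExecuteA"],
}

# Substring -> capability (labels are my own). Substrings so that A/W suffixes
# and C++-mangled exports such as ?open@VideoCapture@cv@@... still match.
CAPABILITY_HINTS = {
    "VideoCapture": "video/webcam capture",
    "VideoWriter": "video/webcam capture",
    "cvWriteFrame": "video/webcam capture",
    "mciSendCommand": "microphone recording (MCI waveform-audio device)",
    "InternetCheckConnection": "connectivity check before sending data out",
    "ShellExecute": "launching another process (e.g. PowerShell)",
}

SEC_RVA, SEC_OFF = 0x1000, 0x200  # one .idata section: RVA 0x1000 at file offset 0x200


def build_sample_pe(imports):
    """Build a minimal PE32 image whose only content is an import directory."""
    blob = bytearray(20 * (len(imports) + 1))  # descriptors + null terminator, patched below
    descs = []
    for dll, funcs in imports.items():
        hint_name_rvas = []
        for func in funcs:
            if len(blob) % 2:                # IMAGE_IMPORT_BY_NAME entries are word-aligned
                blob += b"\0"
            hint_name_rvas.append(SEC_RVA + len(blob))
            blob += struct.pack("<H", 0) + func.encode() + b"\0"   # hint, name, NUL
        name_rva = SEC_RVA + len(blob)
        blob += dll.encode() + b"\0"
        while len(blob) % 4:
            blob += b"\0"
        thunks = b"".join(struct.pack("<I", r) for r in hint_name_rvas) + b"\0" * 4
        int_rva = SEC_RVA + len(blob)        # Import Name Table
        blob += thunks
        iat_rva = SEC_RVA + len(blob)        # Import Address Table (identical on disk)
        blob += thunks
        descs.append((int_rva, name_rva, iat_rva))
    for i, (int_rva, name_rva, iat_rva) in enumerate(descs):
        struct.pack_into("<IIIII", blob, i * 20, int_rva, 0, 0, name_rva, iat_rva)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SEC_RVA, 20 * (len(descs) + 1))  # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SEC_RVA,
                       len(blob), SEC_OFF, 0, 0, 0, 0, 0xC0000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(SEC_OFF, b"\0") + blob)


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ image: {dll: [function, ...]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    if imp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rsize), roff))

    def rva2off(rva):  # RVAs are virtual; translate them through the section table
        for vaddr, size, roff in sections:
            if vaddr <= rva < vaddr + size:
                return roff + rva - vaddr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    imports, off = {}, rva2off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:          # null descriptor ends the table
            break
        funcs, toff = [], rva2off(oft or ft)   # prefer the INT; bound images may zero it
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, toff)[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:
                funcs.append(f"#{thunk & 0xFFFF}")                     # import by ordinal
            else:
                funcs.append(cstr(rva2off(thunk & 0x7FFFFFFF) + 2))    # skip 2-byte hint
            toff += thunk_size
        imports[cstr(rva2off(name_rva))] = funcs
        off += 20
    return imports


def assess(imports):
    """Map imported APIs onto the recording/exfiltration capabilities they enable."""
    findings = {}
    for dll, funcs in imports.items():
        for func in funcs:
            for token, capability in CAPABILITY_HINTS.items():
                if token.lower() in func.lower():
                    findings.setdefault(capability, []).append(f"{dll}!{func}")
    return findings


if __name__ == "__main__":
    found = parse_imports(build_sample_pe(SAMPLE_IMPORTS))
    for dll, funcs in found.items():
        print(dll, funcs)
    for capability, apis in assess(found).items():
        print(f"{capability}: {', '.join(apis)}")
```

For a real sample, pass `open(path, "rb").read()` to `parse_imports` instead of the constructed image. The point of the exercise is that the version resource is free-form text the author controls, whereas the import table has to name the DLLs and functions the loader must actually resolve, so an executable that imports video, MCI audio, WinINet and ShellExecute APIs cannot hide that combination behind an svchost name.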