The Human Connection Blog

Reverse Engineering SmokeLoader: An In-Depth Analysis (Part 3)

BenMcCarthy
4 days ago

The previous blog entry covered how SmokeLoader uses various obfuscation techniques to slow reverse engineers down. We also identified yet another shellcode being allocated to a memory region, which we then dumped and analysed.

In this blog entry, we’ll try to identify some of the key API functions the malware employs through dynamic API resolution to allocate memory, store shellcode, and deceive analysts.

This third stage uses a technique similar to the one seen before – dynamic API resolution – but this time the API names are built on the stack as plain strings and are not passed through API hashing.

A number of APIs are resolved at runtime with GetProcAddress so that the malware can locate the functionality it needs dynamically. These APIs are:

  • LoadLibraryA(“Kerne32.dll”)
  • GetProcAddress(“VirtualAlloc”)
  • GetProcAddress(“VirtualProtect”)
  • GetProcAddress(“VirtualFree”)
  • GetProcAddress(“GetVersionExA”)
  • GetProcAddress(“TerminateProcess”)
  • GetProcAddress(“ExitProcess”)
  • GetProcAddress(“SetErrorMode”)
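As an added illustration (not code from this post or from SmokeLoader), the following Python scan recovers API-name stack strings of this kind from a dumped buffer. It assumes the stores use the common `mov [ebp+disp8], imm` encodings written in ascending stack order, and runs on a constructed sample rather than real SmokeLoader bytes.

```python
import re

# API names the post says the third stage builds on the stack and hands to
# GetProcAddress; the scan below recovers such strings from a memory dump.
TARGET_NAMES = {"VirtualAlloc", "VirtualProtect", "VirtualFree", "GetVersionExA",
                "TerminateProcess", "ExitProcess", "SetErrorMode"}

# Assumption: the string is written with immediate stores to [ebp+disp8] in
# ascending order: C7 45 d imm32 (dword), 66 C7 45 d imm16 (word), C6 45 d imm8 (byte).
_STORE = re.compile(rb"\x66\xc7\x45(?P<dw>.)(?P<iw>.{2})|\xc7\x45(?P<dd>.)(?P<id>.{4})"
                    rb"|\xc6\x45(?P<db>.)(?P<ib>.)", re.DOTALL)


def reconstruct_stack_strings(buf, min_len=4):
    """Return [(offset, text)] for printable strings assembled by [ebp+disp8] stores."""
    runs = []                                  # [start offset, next disp, bytearray]
    for m in _STORE.finditer(buf):
        for d, i in (("dw", "iw"), ("dd", "id"), ("db", "ib")):
            if m.group(d) is not None:
                disp, imm = m.group(d)[0], m.group(i)
                break
        disp = disp - 256 if disp >= 0x80 else disp   # sign-extend disp8
        if runs and runs[-1][1] == disp:           # continues the previous run
            runs[-1][1] += len(imm)
            runs[-1][2] += imm
        else:
            runs.append([m.start(), disp + len(imm), bytearray(imm)])
    out = []
    for off, _, data in runs:
        text = bytes(data).split(b"\x00", 1)[0]  # stop at the NUL terminator
        if len(text) >= min_len and all(0x20 <= c < 0x7F for c in text):
            out.append((off, text.decode("ascii")))
    return out


def resolved_api_names(buf):
    """Names from the post's GetProcAddress list recovered as stack strings."""
    return [s for _, s in reconstruct_stack_strings(buf) if s in TARGET_NAMES]


# Constructed sample (not real SmokeLoader bytes): builds "VirtualAlloc" and
# "ExitProcess" on the stack the way a compiler-emitted stack string looks.
SAMPLE = bytes.fromhex(
    "55 8b ec 83 ec 20 "                            # push ebp; mov ebp,esp; sub esp,0x20
    "c7 45 f0 56 69 72 74 c7 45 f4 75 61 6c 41 "    # 'Virt' 'ualA' -> [ebp-0x10..]
    "c7 45 f8 6c 6c 6f 63 c6 45 fc 00 "             # 'lloc' and NUL terminator
    "8d 45 f0 50 ff 55 dc "                         # lea eax,[ebp-0x10]; push eax; call [ebp-0x24]
    "c7 45 e0 45 78 69 74 c7 45 e4 50 72 6f 63 "    # 'Exit' 'Proc' -> [ebp-0x20..]
    "66 c7 45 e8 65 73 c6 45 ea 73 c6 45 eb 00 "    # 'es' 's' NUL
)

if __name__ == "__main__":
    for off, text in reconstruct_stack_strings(SAMPLE):
        print(f"{off:#06x}: {text}")
```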

Then we came up against an issue. The malware only wants to run on a specific version of Windows – we think it was built for Server editions.

The return values of the Windows API GetVersionExW are compared against a very specific version, so running the program on our machine raised an exception because we weren't on the expected Windows version. To get around this for now, we set the ZF flag in x32dbg so that the jump skips the code that raised the exception. This is necessary, or the memory address in EAX will cause an exception two lines later.

Taking another look at the function, we found another jmp eax!

We then performed the same process of setting a breakpoint, executing until that point, and then dumping the memory. 

Conclusion

The third part of our SmokeLoader analysis explored dynamic API resolution, and we found another layer of shellcode in memory to dump.

By this point, it was clear that SmokeLoader had multiple layers of shellcode inside it, with layers of obfuscation to slow down reverse engineers.

During our analysis, we came across a number of these control-flow obfuscation issues. Trying to jump to certain instructions to identify shellcode gave us the EXCEPTION_ACCESS_VIOLATION error.

The final blog post of this series will discuss this exception more closely, describe how to defeat it and look at some indicators of compromise you can identify in the later stages of reverse engineering.
