Hello fellow engineers, I recently downloaded a file from the Microsoft blog post "Event ID 1085 from “Internet Explorer Zonemapping” Part 2 – ZoneMap Troubleshoot tool" and tried to execute it, but the program did not show up in my system processes nor in Programs.
So I uploaded this executable to VirusTotal, and 2 engines show it is a Trojan. I took this as my opportunity and started reverse engineering it using IDA Pro. I am looking at the functions, but as I am new to reverse engineering, I am not sure which processes to look into.
So far, all I know is that it is a 32-bit executable and the code is in assembly language.
Any thoughts or suggestions would help.

In2an3_PpG

In your case, go to the Exports tab and double-click on the entry there named "start". Afterwards, check where the value returned by that routine comes from (it will be retrieved from a call to another routine), then double-click on that, and that will be the entry point defined by the author of the program. The compiler inserted its own entry-point routine and wrapped the entry point defined by the author, by calling it from the compiler's inserted entry-point routine and returning the value returned from it.

Anyway, I advise you take a look at this to learn more on using IDA in general:
The Interactive Disassembler Help Index

You can find some good books on reverse-engineering with IDA as well, a quick Amazon search and you'll find them.

In2an3_PpG

@Brain Sectest

The stack tracing feature in IDA has failed.

What you need to do is go to the top menu bar in IDA and choose Options -> General and enable the feature for viewing the Stack Pointer (SP). This will let you see the current SP in the disassembly so you can try to diagnose where the problem is (sometimes there can be multiple stack trace failures in many different areas, which would be pretty unlucky).

You can find the official documentation about stack tracing failure here:
Problem: Failed to trace the value of the stack pointer
Change Stack Pointer

I've taken a look at the PE in the archive download (Site2ZoneMap.exe; the hash checksum matches the one from the VirusTotal report you provided) and there are no stack trace failures for me, and IDA actually identifies the _wmain routine (the author's defined entry-point routine) instead of requiring me to check the start routine (presumably via a signature).

Now, with all of that being said, I really recommend you find a good book on IDA/IDA Pro so you can start learning about it exclusively, and I'd make sure to go through the documentation.

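Both of In2an3_PpG's posts above hinge on the same fact: the `start` routine IDA shows is the PE's AddressOfEntryPoint, a CRT stub that calls the author's `_wmain`. The script below is an added example, not code from this thread and not part of Microsoft's tool: it parses the PE headers the way you would before (or instead of) loading a file into IDA, reads the optional-header magic (PE32 vs PE32+, which is what confirms the "32-bit" claim), pulls AddressOfEntryPoint (the RVA IDA labels `start`), and maps it to the section and file offset where that stub lives. The bytes it runs on by default come from `build_sample_pe32`, a constructed, non-executable stub, not Site2ZoneMap.exe; pass a path on the command line to inspect a real file.

```python
import struct

# Constants and field offsets below follow the Microsoft PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_entry_point(data: bytes) -> dict:
    """Return bitness, machine, AddressOfEntryPoint (RVA) and where it lands on disk."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        bits = 64
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = opt + opt_size
    for i in range(nsections):
        hdr = sections + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return {
                "bits": bits,
                "machine": machine,
                "entry_rva": entry_rva,
                "section": name,
                "file_offset": rawptr + (entry_rva - vaddr),
            }
    raise ValueError("entry point RVA is not covered by any section")


def build_sample_pe32(entry_rva: int = 0x1000 + 0x2C) -> bytes:
    """Constructed stand-in for a 32-bit PE (headers plus one .text section of int3 filler).
    Not runnable and not Site2ZoneMap.exe; it only exercises the parser offline."""
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    opt_size = 96  # PE32 optional header with the data directories omitted
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x00400000)  # ImageBase
    text_raw = 0x200  # .text raw data starts at file offset 0x200, mapped at RVA 0x1000
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, text_raw,
                      0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sec
    image = bytearray(header).ljust(text_raw, b"\0")
    image += b"\xCC" * 0x200
    return bytes(image)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32()
    info = parse_entry_point(blob)
    print(f"{info['bits']}-bit, machine {info['machine']:#06x}, "
          f"start RVA {info['entry_rva']:#x} in {info['section']} "
          f"at file offset {info['file_offset']:#x}")
```

The file offset it prints is where the CRT stub (`start`, which calls `_tmainCRTStartup`) begins in the raw file; `_wmain` is not in any header and still has to be found by following that call chain in IDA, as described above.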
@In2an3_PpG Sure, I just bought a course on reverse engineering using IDA on Pluralsight. Thank you for your insight though.
By the way, did you find anything malicious when you pulled the executable into IDA?


In2an3_PpG

I am considering the VirusTotal detections as nothing but false positive detections, and based on what I saw, it matched the expected behavior that is documented in the blog post you linked us to.

I think that Baidu is far from being a reliable source of malware detection, and Cylance has an AI/ML implementation which is bound to run into false positives for lesser-known/uncommon-looking PEs, but that doesn't mean that they are automatically malicious.

I do not know of Pluralsight, but I've just looked them up and they appear to be decent; I would still recommend getting a book (or several) on reverse engineering in general (and preferably one dedicated to IDA Pro) to help you explore more. At the end of the day, it wouldn't hurt to have access to books for reference purposes.