Malicious functions to look for while reverse engineering an executable.

Analysis tools used (dynamic analysis): IDA Pro

Brain Sectest (thread author)
Hello Fellow Engineers, I recently downloaded a file from the Microsoft blog post "Event ID 1085 from “Internet Explorer Zonemapping” Part 2 – ZoneMap Troubleshoot tool" and tried to execute it, but the program did not show up in my system processes nor in programs.
So, I uploaded this executable to VirusTotal and 2 engines show it is a Trojan. I took this as my opportunity and started reverse engineering using the IDA Pro tool, and I am looking at the functions, but as I am new to reverse engineering, I am not sure which processes to look into.
So far, all I know is that it is a 32-bit executable and the code is assembly language.
Any thoughts or suggestions would help.
 

Attachment: IDA reverse engineer.JPG (IDA screenshot)

In2an3_PpG

In your case, go to the Exports tab and double-click on the entry there named "start". Afterwards, check where the value being returned by that routine is coming from (it'll be retrieved from a call to another routine) and then double-click on it, and that'll be the entry point defined by the author of the program. The compiler inserted its own entry-point routine and then wrapped the entry point defined by the author, by calling it in the compiler's inserted entry-point routine and returning the value returned from it.

Anyway, I advise you take a look at this to learn more on using IDA in general:
The Interactive Disassembler Help Index

You can find some good books on reverse-engineering with IDA as well, a quick Amazon search and you'll find them.
 

In2an3_PpG

@Brain Sectest

The stack tracing feature in IDA has failed.

What you need to do is go to the top menu-bar in IDA and choose Options -> General and enable the feature for viewing the Stack Pointer (SP). What this will do is allow you to see the current SP in the disassembly so you can try and diagnose where there's a problem (sometimes there can be multiple stack trace failures in many different areas which would be pretty unlucky).

You can find the official documentation about stack tracing failure here:
Problem: Failed to trace the value of the stack pointer
Change Stack Pointer

I've taken a look at the PE in the archive download (Site2ZoneMap.exe and the hash checksum matches to the one from the VirusTotal report you provided) and there are no stack trace failures for me, and IDA actually identifies the _wmain routine (the author's defined entry-point routine) instead of requiring me to check the start routine (presumably with a signature).

However, I also checked the start routine for my copy, and it returns the value returned from the _tmainCRTStartup routine, which was inserted by the compiler; the _tmainCRTStartup routine is for the C Run-Time (CRT) and will return the value returned by the author's own defined entry-point routine.

Now, with all of that being said, I really recommend you find a good book on IDA/IDA Pro so you can start learning about it exclusively, and I'd make sure to go through the documentation.
 

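As an added illustration of the two posts above (the "start" export being the compiler's entry point, and checking the sample's hash against the VirusTotal report), here is a small stdlib-only Python triage script; it is not code from the thread or from the Site2ZoneMap tool. It reads the PE headers to report bitness, AddressOfEntryPoint (the address IDA labels "start") and the section that holds it, plus the SHA-256 of the file. The function names are my own, and the sample PE it falls back on is a constructed minimal image, not the executable discussed in the thread.

```python
import hashlib
import struct
import sys


def parse_pe_entry(data: bytes) -> dict:
    """Read the PE headers: bitness, AddressOfEntryPoint (IDA's 'start') and its section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    bits = {0x10B: 32, 0x20B: 64}.get(magic)  # PE32 vs PE32+
    if bits is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _ = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))
    entry_section = next((n for n, va, sz in sections if va <= entry_rva < va + sz), None)
    return {"bits": bits, "entry_rva": entry_rva, "entry_section": entry_section,
            "sections": [n for n, _, _ in sections], "sha256": hashlib.sha256(data).hexdigest()}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): one .text section, entry at RVA 0x1000."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)            # i386, 1 section
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000).ljust(0xE0, b"\0")
    text = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    return dos + b"PE\0\0" + coff + opt + text


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe_entry(blob)
    print("sha256:", info["sha256"])  # compare with the VirusTotal report before trusting the sample
    print("%d-bit, entry point (start) at RVA 0x%x in section %s"
          % (info["bits"], info["entry_rva"], info["entry_section"]))
```

Run it with a path argument to inspect a real file; the RVA it prints is the one IDA opens at as "start", from which the CRT startup routine and then the author's own main can be followed as described above.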

Brain Sectest

@In2an3_PpG Sure, just bought a course for reverse engineering using IDA on Pluralsight. Thank you for your insight though.
By the way, did you find anything malicious when you pulled the executable into IDA?
 

In2an3_PpG

@In2an3_PpG Sure, just bought a course for reverse engineering using IDA on Pluralsight. Thank you for your insight though.
By the way, did you find anything malicious when you pulled the executable into IDA?

I am considering the VirusTotal detections as nothing but false positive detections, and based on what I saw, it matched the expected behavior which is documented on the blog post you linked us to.

I think that Baidu is far from being a reliable source of malware detection, and Cylance has an AI/ML implementation which is bound to run into false positives for lesser-known/uncommon-appearing PEs, but that doesn't mean that they are automatically malicious.

I do not know of Pluralsight but I've just looked them up and they appear to be decent, but I would still recommend getting a book/several on reverse-engineering in general (and preferably one dedicated to IDA Pro) to help you explore more. At the end of the day, it wouldn't hurt to have access to books for reference-purposes.
 
