Decompiling Malware Without Previous Experience [1 of 2]

Disassembling (Looking at code in machine language, usually "assembly") and decompiling (converting machine code into human-readable code such as C) malware is an art form that for many can be a huge technical undertaking.  

Like looking at a prized canvas from several hundred years ago, watching a true malware reverse engineer and looking at their final product is nothing short of amazing.  Some of my favorites are:

However, we're not all van Gogh. Heck, some of us aren't much better than stick figure artists, but thanks to the wonderful folks at Avast Threat Labs, we might be able to get some help adding color to our canvas. 

While the experts I noted above use products like IDAPro, OllyDbg, Redare2 for disassembling and HexRays and Snowman for decompiling - the barrier to entry is high from a financial and technical skillset perspective.  

I should mention, that the folks behind IDAPro recently released an all-new FREE version of their code that will disassemble both 64 and 32-bit binaries.  

Avast has helped lower that bar somewhat; as a matter of fact, if you can understand python or C (read/write), you can likely analyze many 32bit binaries using a tool they recently open sourced, https://github.com/avast-tl/retdec

While the project only supports 32bit binaries (for now), it does give everyone an opportunity to infer their own conclusions when working with malware that may impact family, friends or work organizations.  

Take for example this code for the "Wanna Crypt" ransomware that made global headlines in 2017: 

GetImage (1).png

We can clearly see the "kill switch" domain that was sink holed to stop the ransomware from executing. 

This is mostly because the author did not take any steps to obfuscate it, Even a simple strings search will reveal the domain (without any context).  Even the ransom wallet ID's are visible: 

GetImage (2).png

However, the assembly version may not be easy for some individuals to read and includes lots of bits that may be confusing.  To help reduce this confusion, we can pass the binary through Retargetable Decompiler from Avast and generate a python representation of the assembly code: 

GetImage.png

Okay, still not perfect, but maybe it's a little easier to read.  

The Installation instructions on Github are complete, and it's relatively simple to build, but Blacktop, a security researcher in California has made this much easier for us. Blacktop does some pretty great work around Docker containers for Security purposes - including an up and coming Malware identification tool called Malice.   

To get started, simply grab a copy of Docker for your specific platform.  

Then acquire the Blacktop Docker image of Avast's RetDec with: docker pull blacktop/retdec 

The image will be just over 5GB; but still much smaller than a standard virtual machine.  

Run your sample with:   docker run --rm [currentdirectory]:/samples blacktop/retdec -k -l py --cleanup [filename] 

Or, on Linux/OSX:  docker run -rm `pwd`:/samples blacktop/retdec -k -l py --cleanup malware.exe 

The output is controlled with the -l (L) option, omit this option if you'd like to "C" output.  

While you're at it, take a look around at the other packages provided by Blacktop! 

If you're interested in diving deeper into Malware analysis and reverse engineering, please consider Amanda's online training videos.

Decompiling Malware: InfoSec Docker [2 of 2]

Security isn't Compliance and Compliance isn't Security