CSP-CERT® Malware Research:
Patching Malware to Help with Analysis

by CSP-CERT® Research Science
posted July 2, 2017

Patching Malware to Help with Analysis


There has been a lot of buzz recently for Petya/NotPetya malware, and a lot of analysis has already come out.


Some quick information about the files it drops:

  • a copy of itself in Windows directory
  • dllhost.dat - confirmed to be PSEXEC
  • a temp file – modified Mimikatz used for extracting passwords.


In the process of confirming the information above, we used Regshot to record the files that were dropped as well as other system modifications. Note: We only ran the malware for a few minutes so not all behaviours would have been caught




As you see above:

  • C:\windows\a – copy of the malware
  • C:\windows\dllhost.dat – PSEXEC
  • A windows task – the scheduled task added to automatically reboot the machine


Notice that there are two prefetch files recorded:

  1. Rundll32.exe – this is the prefetch for when we executed the malware via rundll32.exe a.dll
  2. 9BF1.TMP – temp file that is supposed to be Mimikatz.


You can see the prefetch but the temp file is gone. This is a usual method with malware wherein they drop their components, run and then delete them after use.


We wanted to confirm that the temp file is Mimikatz, usually Capture-Bat is enough to get a copy of the deleted files, but this malware does something extra to protect the temp file from being copied and analysed.


Before deleting the temp file, it replaces the contents of the temp file with 0x00 hex. So, when you analyse it with Capture-Bat, you get the temporary file, but all you will see is a bunch of 0x00 hex bytes like the screenshot below.




This leads us to check the malware code to see what it actually does with the temp file.




The screenshot above shows that the function for creating the temp file is used two times.


One is when it is creating the Mimikatz temp file and the next is when it is overwriting the Mimikatz temp file with a file that only contains 0x00 hex bytes.


As we wanted a quick way to get the temp file and confirm that it is actually Mimikatz, we decided to just patch over the 2nd create file function call and the file deletion part with 0x90 hex (NOP).


The red box shows where we patched over the commands that protects the Mimikatz temp file.


Before:




After:




Running the patched malware, we can now get the actual temporary file that was used as a component. It is now an executable and not just 0x00 hex bytes.




Sending the file to virustotal confirms that the file really is Mimikatz.


https://www.virustotal.com/en/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/1498939521/


Snippet from the virustotal link above:




This was just one occasion where patching a malware helped with the analysis and got me a quick confirmation of the behaviour. There are other ways where this method can help like removing anti-debugging techniques to make analysis flow smoother or removing the call to a dangerous function. APT types make it a lot easier to patch because most of them are not packed to avoid heuristic detections that check for packers.