The FireEye Labs Obfuscated String Solver (FLOSS) automatically extracts obfuscated strings from Windows executables and shellcode. The tool integrates with various reverse engineering tools including IDA Pro, radare2, and x64dbg. In this post, I will show how to leverage strings that FLOSS decoded when reverse engineering malware using IDA Pro and debugging it using x64dbg.
For this analysis, I use a backdoor linked to APT28 and commonly referred to as Gamefish, Sednit, Seduploader, Jhuhugit, and Sofacy. The hash values of the file are:
- See https://virustotal.com/en/file/3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8/analysis/
I performed my analysis on a Windows 7 64-bit system setup with FLARE VM. If you haven’t heard about the project yet, you should really check out this malware analysis distribution at https://github.com/fireeye/flare-vm. Peter also describes the project in a blog post at https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html. FLARE VM already includes a wide variety of tools, including FLOSS and x64dbg.
First, we run FLOSS on the sample to see the provided string deobfuscation results. As we are not interested in regular strings here, we disable showing them using the
--no-static-strings command-line option. Listing 1 shows that FLOSS could deobfuscate 36 encoded strings and 14 stackstrings. The warning at the top of the output is related to vivisect’s vtrace module. It does not affect FLOSS’ analysis and can be ignored. Note, that updated FLOSS versions do no longer display the warning.
C:\Users\user\Desktop>floss --no-static-strings 211b7100fd799e9eaabeb13cfa446231.exe WARNING:vtrace.platforms.win32:LoadLibrary c:\program files\python27\lib\site-packages\vtrace\platforms\windll\amd64\symsrv.dll: [Error 126] The specified module could not be found WARNING:vtrace.platforms.win32:LoadLibrary c:\program files\python27\lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll: [Error 126] The specified module could not be found FLOSS decoded 36 strings [file] Execute Delete [/file] www.google.com 188.8.131.52 184.108.40.206 w2f434g5Dt .xml rundll32.exe FileName PathToSave Rundll POST Content-Type: application/x-www-form-urlencoded 0`AP www.google.com SYSTEM\CurrentControlSet\Services\Disk\Enum POST Content-Type: application/x-www-form-urlencoded disk= build= POST Content-Type: application/x-www-form-urlencoded POST Content-Type: application/x-www-form-urlencoded CreateToolhelp32Snapshot GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap GetProcessHeap FLOSS extracted 14 stackstrings \profiles.ini wininet.dll InternetReadFile network.proxy.http Profile0 Basic http=http://%s:%s InternetCloseHandle Path network.proxy.http_port WeelScrInit Control Panel\Desktop \Mozilla\Firefox prefs.js Finished execution after 15.682000 secondsListing 1: FLOSS analysis results
Let’s pull the analysis results into x64dbg. We can create a x64dbg database file using the
--x64db command-line option. This will create a JSON file containing the decoded strings and their offsets. Figure 1 shows a screenshot of running the following command:
C:\Users\user\Desktop>floss --no-static-strings --x64dbg=211b7100fd799e9eaabeb13cfa446231_floss.json 211b7100fd799e9eaabeb13cfa446231.exe
Now we can open the sample in x64dbg and load the FLOSS analysis results.
In x64dbg’s main menu use File – Import database to load the created database file (see Figure 3).
x64dbg will indicate that the file has been loaded in its status bar at the bottom of the window (see Figure 4).
In this example decoded strings are added as comments to the decoding function calls, e.g. the function at offset
0x10003FD4 (see Figure 5). If FLOSS detects obfuscated data at a global memory location, the decoded strings are added at the respective global offset. FLOSS does currently not support stackstring annotations for x64dbg.
IDA Pro integration
--ida command-line option to FLOSS to create an IDAPython script that annotates IDA Pro’s disassembly. Here is an example command:
C:\Users\user\Desktop>floss --no-static-strings --ida=211b7100fd799e9eaabeb13cfa446231_floss.py 211b7100fd799e9eaabeb13cfa446231.exe
The tool indicates that the file has been written successfully:
[...] Wrote IDAPython script file to C:\Users\user\Desktop\211b7100fd799e9eaabeb13cfa446231_floss.py [...]
After opening the sample in IDA Pro, we can execute the created IDAPython script to annotate the disassembly. Select File – Script File (Shortcut Alt+F7) and load the script (see Figure 6).
Figure 7 shows the script’s execution status information displayed in IDA Pro’s output window.
Figure 8 shows calls to the decoding routine at offset
0x10003FD4 that have been annotated with the decoded strings.
Figure 9 shows the FLOSS annotations from deobfuscated stackstrings. Each decoded stackstring is added as repeatable comment to the respective local variable. Hence, IDA Pro displays them whenever the local variable is referenced (see Figure 10).
This post discussed how the analysis of FLOSS can augment the analysis of malware in IDA Pro and x64dbg. Hopefully, I could show the benefit of pulling FLOSS results into both tools. While the process is straight-forward in either case, I am sure this step-by-step tutorial can be helpful – especially when you are doing it for the first time.