Threat Research

Deeper and deeper

Michal Krejdl, 11 May 2012

Deeper and deeper

Don't worry, we're not gonna watch movies marked with an asterisk :P. However, from the malware analyst's point of view, following lines might be somehow "spicy". We'll take a look at a suspected false positive promoted as a regular GameMaster setup. The file appeared in our FP submission system with an usual comment "it's clean" or something like that, thus we can only guess that the file has not been obtained from official source.

The submitted binary was detected as Win32:MalOb-II, but the particular infected file was not the setup itself (the topmost layer), but an included file FlashPlayer.exe (under InnoSetup {app} subfolder). So, if we want to analyse it, we must unpack the setup. FlashPlayer.exe has an icon stolen from WinRar archiver - that's the first suspicious sign. It contains a lot of high-entropic data - another suspicious sign. This data block gets my attention - I'm curious what's inside. And here we go: after a little bit of tracing, a dynamically allocated block of memory appears and guess what - it contains another executable binary (which is not dumped to the disc but directly executed). Great, another layer :-). Let's dump this binary and take a detailed look at it. It contains high-entropic (encrypted) data as well, so let's emulate it and see what's inside. Bingo! It's another executable binary, this time it is dumped to disc under a randomly generated name (it's a dll). We can compare it to a typical matryoshka, as we go deeper and deeper through the layers. For those, who didn't catch the flow of informations: is it better with the image below?

Still nothing? Ok, sorry ;-). For those, who are still on the track: the initial setup file has a detection coverage lower than 35%, which is frankly a bad overall result. Go deeper! The fake FlashPlayer.exe gets much better score going close to 83%. Go deeper! The binary executed directly from memory gets again a lower detection ratio (an on-demand scan of the dump). Go deeper! And the detection ratio finally raises up to 75% for the last dropped binary. More details from the particular VT scans can be found here:

As you can see, all layers of this matryoschka "smell" like Vundo, which is definitely nothing what someone wants to install along with GameMaster. Leaving the binary as it is could raise a false feeling of safety - it's a normally looking setup from outside, but if you can look inside and aggregate the suspicious signs with detection ratios, you can definitely say: "not a FP, next please". :-)

Pls, let me know - are such insights to our daily work interesting for you?

Check 8 comments or write your comment

Discussion (8)