MBR Malware Analysis

So I have read a few articles lately on the return of MBR malware so I figured I would take a look at a sample.

The malware sample we will be looking at is this one D5C12FCFEEBBE63F74026601CD7F39B2

Let's see if this piece of malware is packed. We will be using Bintext and PEiD to test this. I've overlapped the two tool windows to save space. You can see here that it appears PECompact was used. Let's see if we can unpack it.

Silvrback blog image

Upon opening the program in Ollydbg we are dropped into the OEP of PECompact. It's moving a value into EAX. One of the characteristics of PECompact is the JMP EAX, which is typically located close to the value being moved into EAX at the OEP. So what we will do here go to the expression, 00453030. You can do this by hitting the Ctrl+G key while inside OllyDbg. Then type 00453030 into the box.

Silvrback blog image

After we go to expression 00453030 it will look like this: Note the address location in red.

Silvrback blog image

Now once you are here, scroll down and look for a bunch of POPs for EDX, ESI, etc. Right after all of those POPs you will have the JMP EAX that we talked about above.

Silvrback blog image

Once here, left click JMP EAX, and hit Ctrl+E, which will bring up a edit window like this. You will want to change JMP EAX to JMP EIP, which will create an infinite loop in the program. Refresher. EIP is the instruction pointer that points to the next instruction to be executed.

Silvrback blog image

It should now look like this after you make the modification.

Silvrback blog image

You will want to right click the "red" code and select, "Copy to executable", and the select, "selection".

A window will pop-up that looks like this. Right click the window and select, "Save file".

Silvrback blog image

Save it as "loop.exe" or whatever you want.

Silvrback blog image

Now we have our edited exe file. Go ahead and close out of OllyDbg for now. Execute the loop.exe now. After you execute it, open up OllyDbg. Once Olly is open select, File, and then select Attach. This will take you back into OllyDbg's "main screen".

Silvrback blog image

It will take you to a RETN, which is a return to 77C0F189, which is ntdll.

Silvrback blog image

Hit F9, and then hit F12, which is a run and pause. It will drop you here. Look familiar? This is where we edited JMP EAX (FF E0) to JMP EIP (EB FE). We will want to change this back to FF E0, so hit Ctrl+E and make the change.

Silvrback blog image

Once this has been edited, you will want to left click FF E0, and then hit F7 two times.

Silvrback blog image

After you hit F7 twice you should be here: You can now dump the process using Olly Dump Process plugin, or use LordPE.

Silvrback blog image

It should now be unpacked. Let's see what it looks like compared to the previous one. Here is a quick view of the original .exe, and the dumped.exe that we dumped via OllyDbg. Using Hexacorn's hdive.exe program really shows the differences.

Silvrback blog image

Master Boot Record

As most of you already know DOS partitions contain a MBR in the fist 512 -byte sector. So to get things started here I went ahead and ran the following command to give us a clean baseline that we can later compare with an infected MBR.

  • dd.exe if=\.\PhysicalDrive0 of=C:\Users\Desktop\mbr.bin bs=512 count=1 --localwrt

Silvrback blog image

Here is the assembly code for this particular MBR sample I extracted via dd.

Silvrback blog image

Here is what the MBR looks like after I execute the malware. As you can see we have similar patterns here, but it's nothing like the original one. The malware appears to replace the MBR with its own version of it.

Silvrback blog image

Here is the assembly code of the second snapshot. I snipped quite a bit of it out to conserve space. If you want all of it let me know, and I can send it to you. You will see that it's quite a bit more than the original mbr.

Silvrback blog image

So I also decided to use the methods talked about here: Digital Standard - MBR Analysis, but they didn't seem to spot any malicious activity. If I read into it correctly it appears to use placement of partition tables to identify if malware might be hiding, but I don't believe it can determine if the MBR was completely re-written?

In either case, it seems like this script is better positioned to spot this kind of infection - MBR Parser.

Moving on....

If you open up the disk image in a hex editor you will see some interesting stuff. If you look at the memory location offset you will see that the MBR starts at 00000000. If you notice in the assembly code above, you see, 7C00. That is the memory address where it's loaded into memory; however, if you keep looking towards the end of the disk you will see some more artifacts.

Starting at offset 8BFFF0400 you get the following:

It goes from 8BFFF0400 - 8BFFF059B.

Silvrback blog image

Here you have it again from 8BFFF0800 - 8BFFF9BCB

Silvrback blog image

There are also more hits at the following locations:

  • 8BFFF9E00
  • 8BFFFB800
  • 8BFFFC929
  • 8BFFFE93A
  • 8BFFFF5F5

They all appear to start with 41524348, which translates to ARCH so this could possibly be an identity check. In either case, ensure you also check the end of your disk, and not just the beginning where you think the MBR should reside.

There also appears to be a clean (original) copy of the MBR located at 8BFFFFC00.