Hi! I am morimolymoly!
I analyze malware daily, for a job, for a research.
I picked simda up from the internet and am going to introduce how to analyze this one easily!
How and where from do I pick sample up?
Sources are a lot!
You can find more on the interenet!
If you paid for VirusTotal, you can download sample from it also!
But, it costs a lot!
I recommend MalwareBazzar and ANY.RUN!
Simda sample are here!
You can search samples from search box.
And samples are tagged as image showed.
Detonation result is here!
ANY.RUN have free Windows7 32bit sandbox.
In near future, Linux one will come!
You can get IOC and ATT&CK map and process trees and modified files and registries and … many things!
From detionation, you can see the behaviour of this malware.
It steals information, AV/Virtualization evasion, C2 communication…
From seeing main process, it has interesting modfied file!
File inside frame seems .zip file, you can download and extract it.
They are stolen information from Simda!
Detonation with ANY.RUN is really good starting point of malware analysis!
With Detect it Easy, it seems packed!
Open with Binary Ninja, it has less functions. It indicates it is packed! It need to be unpacked to static analysis!
As you know, this sample communicate with C2 server so you need to set up FakeNet-NG!
With x32dbg, this sample sometimes immediately crashes! For that case, you can set breakpoint on NtTerminateProcess function!
As you can see process hit breakpoint at NtTerminateProcess function!
Process tree is like this.
Simda creates C:\Windows\apppatch\svchosts.exe and launch it.
This binary is Simda itself!
With OllyDumpEx, you can dump whole memory region of this sample.
With Scylla, you can rebuld IAT!
You can use CAPA to determine what this sample do!
And also, config is decrypted!
This sample is Simda and it persists as C:\Windows\apppatch\svchosts.exe.
It persists with some registries.
- software\microsoft\windows nt\currentversion\winlogon
- software\microsoft\windows\currentversion\run
After unpacking, you can easily analyze it by static.
Big thanks to Abuse.ch and ANY.RUN!!!!!!!!!!!!!!!
- sha256: e1376b3c7237ef685ffe4185857ca13dd03f579fb009740b1d70225a04900734
- C2: www[.]purylev[.]com and so many