Reversing my first malware

This blog post was authored by Kamila Babayeva (@_kamifai_)

I am Kamila, a first-year student of Computer Science and Electrical Engineering in CTU (Czech Technical University in Prague). I recently joined the Сivilsphere team as a Malware Reverser. So, this blog will be about my first small project in analyzing a particular  malware, its actions, and understanding what it does.

The malware is written in Python, and works on 32-bit/64-bit Windows computers. Generally speaking, the malware makes changes to Windows processes and directories and steals users’ personal information.

I will show the process of understanding the malware through one of its functions. Below you can see the function before (Figure 1) and after (Figure 2) my analysis. It took me 5 steps to understand the function and present it in a readable way as it is right now.

Figure 1 - Original malware code obfuscated.

Figure 2 - Malware code de-obfuscated after analysis.

Step 1. Clean the code from meaningless statements.

The malware code is obfuscated, and filled with ‘If 0’ statements. These are totally useless when it comes to understanding its behavior, because the code after ‘If 0’ is not executed.

Figure 3 - Malware code after removing meaningless statements

Step 2.  Rename obfuscated code with generic variables.

Personally, it is preferably to rename all these ‘iIi1iIii1’ and ’oOoo0o0’ variables with generic ones. This will help to quickly distinguish between variables and get a clear view what is happening to the variable through the code.

Figure 4 - Malware code after first renaming of variables

Step 3. Analyzing the behavior of the malware.

The interesting part of this step is a possibility to monitor how the malware operates in the computer system. In this case, the challenge was that the malware uses methods for Windows operating system. I had to get at least some basic knowledge of Windows management.

Figure 5 - Malware code after the first round of analysis

Step 4. Rename the variables in respect to its function/action.

After analyzing every line of the code, it is important to change variables with valid names.

Figure 6 - Malware code after the second round of variable renaming

Step 5. Summarize the behavior of malware.

A small documentation in the function perfectly introduces its general steps .

Figure 7 -Final code of the malware with the behavior summarized

Conclusion

To conclude, I showed the steps I took to analyze and understand my first malware. The malware was written in Python, it was obfuscated, and it was designed for Windows OS. There are 5 simple steps that I took to accomplish my goal: 1) Clean the code, 2) Rename variables, 3) Analyze the behavior, 4) Rename variables again, 5) Summarize what the malware does.
TL;DR: clean-rename-analyze-rename-summarize.