Crypters are tools used by attackers to change the binary signature of a malware while keeping its original functionality intact. The main reason for using them is to evade detection. Last week Joe Giron, a security researcher, released a new crypter (joecrypter).
Joe chose the crypter theme to be the 90’s classic – Mighty Morphin’ Power Rangers:
This is how the author described his work: "The crypter I made modifies exes, packs them, and adds AV / VM / Sandbox / debugging evasions inside of a wrapper. I’m employing a basic process hollowing technique for the payload that is only run after all evasions are satisfied. The anti-debug modules include anti-single stepping as well as anti-tracing. I can even detect procmon without checking the process list".
We decided to check it out, but when we tried to pack a plain calc.exe – window with multiple errors popped up:
Fixing The Cypter
This output indicated compilation errors, so we started to analyze the build process. This was not too difficult as Joe was kind enough to attach most of the source and the compiler used.
We found out that for each build a C source file named dont_touch_me.joe is modified as an intermediate part of the build process. This modified source is saved as joe_crypter.c, and is the cause for all the compile-time errors we experienced.
We took a closer look in the original dont_touch_me and noticed that its author prepared multiple blank lines in one of the functions for some reason:
We also observed that the compilation errors begin in this function declaration – so we took a closer look in the modified joe_crypter.c in the exact same place:
LotsOfWindows() is a function declared later in this file, implementing anti-analysis technique – it is quite clear that it should not be called in the middle of other function’s declaration...
Now we used ILSpy and took a closer look in the part of the .NET application in charge of morphing don’t_touch_me to joe_crypter:
We suspected that the fs.seek offset calculation was wrong, and this was indeed the problem! The offset was supposed to send us straight to the blank lines prepared in advance but instead was about 80 bytes short.
We chose to modify don’t_touch_me so that the 1422L offset will match the blank lines in the function. Alternatively, we could have patched the compiled .NET with the right offset.Voila!
Now, we were able to pack binaries and asses the tool’s abilities.
To have a sense of its power we compared the detection ratio of an extremely familiar piece of malware – packed and unpacked. The well-known Xtreme RAT was chosen for this mission, and in his undisguised form it was detected by 48/54 AV vendors:
When we packed the same binary with Joecrypter it was detected only by 4/54 vendors:
Minerva Anti-Evasion Platform prevents infection by any kind of malware packed by this crypter. This is for example the packed Xtreme RAT, terminated on an workstation protected by Minerva before it made any harm:
We would like to express our appreciation to Joe for sharing his original work publicly, it gives the community a chance to face challenges very similar to off-the-shelf crypters sold in underground hacking forums.
Want to see Minerva in action? Request a demo!
Minerva - don't chase, PREVENT!