A year ago this fall, we introduced the VMRay Analyzer IDA plugin for IDA Pro disassembler and decompiler. With Version 1.0 of the plugin (nicknamed IDARay), malware analysts and DFIR teams could use the output of VMRay Analyzer to enrich IDA Pro static analysis with behavior-based data. The plugin sped up in-depth analysis of malware threats by adding comments to dynamically resolved API calls within IDA, showing the resolved function, its parameters, return value and timestamp.
The value of the plugin was boosted this past May, when we rolled out VMRay Analyzer 3.0, with smart memory dumping. This feature triggers more frequent and contextually relevant memory dumps, capturing a more complete, accurate record of malware behavior, down to the exact function calls and corresponding memory addresses.
Now Version 1.1 of the plugin, released in August, allows analysts to work immediately and directly with smart memory dumps, which reveal far more information about malware behavior than static analysis alone can provide. From a workflow perspective, the new plugin version also streamlines tedious aspects of deep-dive analysis such as unpacking, de-obfuscating, and organizing malware files and runtime artifacts such as memory dumps.
The plugin also allows analysts to investigate other processes monitored and logged inside the VMRay analysis archive – so files that were downloaded or dropped, then executed afterward can also be investigated without further effort.
To highlight these latest capabilities, we’ll look at Sodinokibi malware−called the Crown Prince of Ransomware−through the eyes of an analyst.
Our starting point is an analysis report on the sample (Figure 1), which has been observed in VMRay Analyzer. We can see the malware is classified as a Trojan, a Downloader and Ransomware. Although not shown here, the Overview tab reveals that two-thirds of its many threat indicators have a high severity rating.
Clicking on the Behavior tab (A) displays a process tree (B), showing the sequence of malware behavior. The malware is embedded in a Word document (C), which drops and runs an executable payload. The behavior includes two processes−#2 and #4 (D)−that are injecting code into other subsequent processes. We also see a series of links (E) to detailed information on the most “interesting” processes identified by VMRay Analyzer. These processes could turn out to be legitimate behavior, or they may be contributing to the threat.
Figure 1: VMRay Analyzer report on Sodinokibi malware sample.
Drilling down a level (Figure 2) reveals a list of memory dumps related to Process #4.
Figure 2: Smart memory dumps related to Process #4
In Figures 3 and 4, the analyst selects the Analysis Archive for the Sodinokibi malware and—enabled by the IDA plugin—downloads smart memory dumps from VMRay Analyzer into IDA Pro for further investigation. A list of these memory dumps is displayed in Figure 5; the specific dumps for Process #4 are shown in Figure 6.
Figure 3 – Selecting the Analysis Archive for the Sodinokibi malware to download
Figure 4: Loading the Analysis Archive into IDA
Figure 5: Selecting memory dumps for Process #4
Figure 6: Display of memory dumps to be further analyzed
Due to frequent changes that are potentially related to malware behavior, some memory regions are dumped multiple times, as shown in Figure 6. In such cases, the plugin will load the latest dumps, which typically contain most of the information that’s useful for analysis.
In Figure 7, we see the memory dumps have been loaded into the IDA database (IDB), and the VMRay plugin has annotated the database, identifying locations in memory that have corresponding function calls in the function log. All these annotations are searchable.
Figure 7: IDA shows dynamically allocated memory regions (952 and 1015), where code was written, decrypted and executed
The most notable items listed in Figure 7 are region_952 and region_1015. These are dynamically allocated memory regions, where the malware has written code to the buffer, then decrypted and executed the code in runtime. As we’ll see, these memory dumps provide far more information about malware behavior than is visible with static analysis alone.
As the analyst begins investigating the malware sample at a deeper level, the entry point (which was identified by the plugin) highlighted in Figure 8 provides a good place to get started.
Figure 8: The highlighted entry point for region_952 shows an exact address where code was executed.
Figure 9: The search term “VMRay” reveals many locations in region_952 that API calls were made from
Figure 10: This confirms the injection into Process #5 was carried out by Process #4
Figure 11: The function log shows the injection was made via a call to WriteProcessMemory
Figure 12: Here’s the exact location where the injection occurred.
This brief exploration suggests one of the workflow benefits of the IDARay plugin. It enables analysts to more easily identify strings of code they may want to write signatures for. Previously that identification had to be done manually. Now the information can be accessed with just a few clicks.
VMRay customers can download the IDARay Plugin Version 1.1 from the customer portal.
Figure 13: VMRay Integrations Page