RE Series #10: LockBit ELF

After doing a substantial amount of RE challenges, I decided to analyze real Malware to see if what I’ve learnt is actually useful, and I have to say, I think it really helped!

In this post, I’ll be dissecting the initial portions of the Linux variant of LockBit.

Basic Information

The binary on its own is a stripped file, and is dynamically linked. We can view the shared objects it uses by running “ldd”.

We run “strings” on it, and unsurprisingly we don’t get much. We do, however, see calls to the Blake2b hashing function.

Static Analysis with Ghidra/Dynamic Analysis with IDA

When we go to the entry point of the program, we see a bunch of XOR operations from lines 23 to 43.

Immediately after, the code checks whether it is being debugged by calling ptrace. We learnt how to overcome this by simply changing the return value in EAX to something other than -1.

The function FUN_00403fc0 that runs after the check is yet another de-obfuscation routine made up of many XOR operations.

Firing up IDA, we set a breakpoint after these instructions and let the de-obfuscation run. We get IDA to extract the available strings again, and we start to see strings that were obfuscated before:

This text includes instructions on how to use the binary, the parameters it accepts, and certain IOCs as well, such as the address to which the ransom payment is to be made.

We extract this string data to see exactly what the binary accepts, and how to run it with the correct parameters.

Further down the code, the binary creates two files:

  • /tmp/locklog
  • /tmp/lock.pid

The binary also checks whether certain files exist on the system. Specifically, these files (listed with the address of each string in the binary):

  • 0063c3b0 = /bin/vm-support
  • 0063c3c0 = /sbin/vm-support
  • 0063c3ed = /bin/vim-cmd
  • 0063c3de = /sbin/vmdumper

The logic of this function is:

  • If neither “/bin/vm-support” nor “/sbin/vm-support” exists, return “FALSE”
  • Else, if “/bin/vm-support” exists, copy “/bin” to 0x0063d440; else if “/sbin/vm-support” exists, copy “/sbin” to 0x0063d440
  • If “/sbin/vmdumper” does not exist, return “FALSE”
  • If “/bin/vim-cmd” exists, return 0, else return -1

Therefore:

  • “/bin/vm-support” or “/sbin/vm-support” must exist
  • “/sbin/vmdumper” must exist
  • “/bin/vim-cmd” must exist
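To check my reading of this pre-check, here is an analyst’s model of the four steps as a pure function (added example, not code from the LockBit sample). The file-existence test is injected as a callable so the model can be run offline against constructed sets of paths; the return convention (0 on success, -1 otherwise, plus the directory copied into the buffer) is my assumption for the “FALSE” cases, which the post does not pin down.

```python
"""Analyst's model of the ESXi-tooling pre-check described in the post.

Reconstruction for reasoning about the logic, not code from the sample.
The four paths are the strings recovered from the binary; 'exists' is
injected so the model runs against constructed file sets, not the real
filesystem.
"""
from typing import Callable, Optional, Tuple

VM_SUPPORT_BIN = "/bin/vm-support"
VM_SUPPORT_SBIN = "/sbin/vm-support"
VIM_CMD = "/bin/vim-cmd"        # only the /bin location is tested
VMDUMPER = "/sbin/vmdumper"     # only the /sbin location is tested


def esxi_precheck(exists: Callable[[str], bool]) -> Tuple[int, Optional[str]]:
    """Return (status, prefix) following the four steps in the post.

    status is 0 when every prerequisite is present, -1 otherwise (assumed
    encoding of the post's "FALSE"). prefix is the directory the binary
    copies into its buffer ("/bin" or "/sbin"), or None if the check
    failed before reaching that step.
    """
    # Steps 1-2: one vm-support location must exist; /bin takes priority.
    if exists(VM_SUPPORT_BIN):
        prefix = "/bin"
    elif exists(VM_SUPPORT_SBIN):
        prefix = "/sbin"
    else:
        return -1, None
    # Step 3: vmdumper is only looked for under /sbin, whatever the prefix.
    if not exists(VMDUMPER):
        return -1, prefix
    # Step 4: vim-cmd is only looked for under /bin, whatever the prefix.
    return (0, prefix) if exists(VIM_CMD) else (-1, prefix)


def precheck_for(present: set) -> Tuple[int, Optional[str]]:
    """Run the model against a constructed set of present paths."""
    return esxi_precheck(lambda path: path in present)


if __name__ == "__main__":
    # Constructed host profiles: full tooling under /bin, tooling only
    # under /sbin (vim-cmd missing from /bin), and a generic Linux box.
    for label, files in {
        "esxi-like": {VM_SUPPORT_BIN, VMDUMPER, VIM_CMD},
        "sbin-only": {VM_SUPPORT_SBIN, VMDUMPER, "/sbin/vim-cmd"},
        "plain-linux": set(),
    }.items():
        print(label, precheck_for(files))
```

Running the three constructed profiles shows that a host with the tooling only under /sbin never passes, because the vim-cmd test is hardcoded to /bin.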

If the above function returns 0, meaning all the pre-requisite files are present, the binary calls this block of code to prepare a system command to be executed.

Inspecting the decoded strings, we can piece together the command to be:

ps -ef | grep '%s' | grep -v grep | awk '{print $2}' | xargs -r kill -9

The binary is trying to find a running process and kill it. However, stepping through the binary with IDA always leads to a malformed string in the format-string variable. I’m not sure whether it’s because the binaries were not present on the system, or because of an error in the XOR de-obfuscation.

Because of this issue, I could not proceed any further (technically I could have, if I jumped through a few technical hoops like getting the binaries onto the system), but I decided that this was enough of an analysis for my first attempt at malware analysis.

Skills were definitely transferable from the various HTB challenges, such as anti-debugging techniques and XOR obfuscation, and it’s great to see them in a live sample, which means these are “real-world” lessons.
