How to research malware for free — Simda case!

morimolymoly, published in InfoSec Write-ups, Dec 29, 2023

Hi! I am morimolymoly!

I analyze malware daily, both for my job and for research.

I picked up a Simda sample from the internet, and in this post I'll show how to analyze it easily!

Pick Simda up from MalwareBazaar!

The Simda sample is here!

You can search for samples using the search box.

Samples are tagged, as the image shows.

Detonation with ANY.RUN

The detonation result is here!

ANY.RUN has a free Windows 7 32-bit sandbox.

In the near future, a Linux one will come!

Information you get from ANY.RUN

You can get IOCs, an ATT&CK map, process trees, modified files and registry keys, and … many other things!

(Screenshots: IOC and ATT&CK)

From the detonation, you can see the behaviour of this malware.

It steals information, evades AV and virtualization, communicates with a C2…

Looking at the main process, it has an interesting modified file!

The file inside the frame seems to be a .zip file; you can download and extract it.

Its contents are the information stolen by Simda!

Detonation with ANY.RUN is a really good starting point for malware analysis!

Surface & Static analysis

With Detect It Easy, it seems packed!

Opened in Binary Ninja, it has very few functions. That indicates it is packed! It needs to be unpacked before static analysis!

Unpack

As you know, this sample communicates with a C2 server, so you need to set up FakeNet-NG!

With x32dbg, this sample sometimes crashes immediately! For that case, you can set a breakpoint on the NtTerminateProcess function!

As you can see, the process hit the breakpoint at NtTerminateProcess!

The process tree looks like this.

Simda creates C:\Windows\apppatch\svchosts.exe and launches it.

This binary is Simda itself!

With OllyDumpEx, you can dump the whole memory region of this sample.

With Scylla, you can rebuild the IAT!

(Screenshot: Fixed)

(Screenshot: After unpack)

You can use CAPA to determine what this sample does!

And the config is decrypted, too!

Conclusion

This sample is Simda, and it persists as C:\Windows\apppatch\svchosts.exe.

It persists with some registry keys:

  • software\microsoft\windows nt\currentversion\winlogon
  • software\microsoft\windows\currentversion\run
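As an added defender-side example (not part of the original post): a small Python triage script that parses a .reg text export and flags any value under the two keys above whose data references the svchosts.exe path, plus a check of a file hash against the sha256 from the IoC list below. The .reg text and the value names in it are constructed sample data; the post only names the keys, not which values Simda writes.

```python
import re

# Persistence path and registry keys named in the post (hive-less, lower-case).
SIMDA_PATH = r"c:\windows\apppatch\svchosts.exe"
WATCHED_KEYS = (
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"software\microsoft\windows\currentversion\run",
)
# sha256 of the analysed sample, from the post's IoC list.
KNOWN_SHA256 = {"e1376b3c7237ef685ffe4185857ca13dd03f579fb009740b1d70225a04900734"}

# Constructed .reg-style export (not a real capture). Value names are chosen
# for illustration only; the post names the keys, not the values Simda writes.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\apppatch\\svchosts.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"Updater"="C:\\WINDOWS\\AppPatch\\SVCHOSTS.EXE /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated]
"Path"="C:\\Windows\\apppatch\\svchosts.exe"
"""

def parse_reg(text):
    """Yield (key, name, data) for every REG_SZ line in a .reg text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # undo the .reg escaping of backslashes and quotes
                yield key, m.group(1), re.sub(r'\\(["\\])', r'\1', m.group(2))

def _strip_hive(key):
    """Drop the HKEY_* prefix so keys compare against the post's hive-less paths."""
    return key.split("\\", 1)[-1].lower()

def find_simda_persistence(entries):
    """Return entries under the watched autorun keys whose data names the Simda path."""
    return [(k, n, d) for k, n, d in entries
            if _strip_hive(k) in WATCHED_KEYS and SIMDA_PATH in d.lower()]

def is_known_sample(sha256_hex):
    """True if a file hash matches the sample analysed in the post."""
    return sha256_hex.strip().lower() in KNOWN_SHA256
```

Run `find_simda_persistence(parse_reg(REG_EXPORT))` on the constructed export: the Winlogon and Run entries are reported, while the identical path under an unrelated key is ignored.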

After unpacking, you can easily analyze it statically.

Big thanks to Abuse.ch and ANY.RUN!!!!!!!!!!!!!!!

IoCs

  • sha256: e1376b3c7237ef685ffe4185857ca13dd03f579fb009740b1d70225a04900734
  • C2: www[.]purylev[.]com and many more
