I have been using VirtualBox (guest OS Windows, host OS is OSX) to analyze malware samples and started to notice exes on its hard drive being modified. I suspected this because whenever I tried to run certain exes, it would cause an "appcrash". I originally assumed this was just an infected snapshot that had malware crawling the tools on my disk and trying to modify them, so I switched to a clean snapshot. I started noticing it again on my exes in this snapshot. So I decided to make a completely new VM today, and now I just noticed the same behavior start happening to my newly installed tools on the new VM! My files are fine at the start, but after using the VM for a bit they will begin to crash on startup and never work again (regardless of reboot), and I must revert the snapshot. I analyzed the exes that stop working and they seem to have their binary modified.
They are always modified in the same way:
1. It will have a random 4-letter section name added to it.
2. The EP is modified to start at this section.
3. Then an XOR at the entry point causes a memory access violation and results in an app crash.
Here is a sample of an exe that was modified:
Entry point code
Anyone have ANY idea what's going on???? :|
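As an added example (not code from the original poster), a small PE header parser that flags the pattern described in the post: an entry point that lies in a non-standard, appended section. It reads only the DOS/COFF/optional headers and the section table with `struct`, so it needs no third-party library; `build_pe` constructs synthetic header-only images for testing and is not a real binary.

```python
import struct

# Section names that common linkers use for entry-point code (assumed list); an EP
# landing anywhere else, e.g. in an appended 4-letter section, matches the pattern.
KNOWN_CODE_SECTIONS = {".text", "CODE", ".textbss", "INIT", ".itext"}

def parse_pe(data):
    """Return (entry_rva, [(name, virtual_addr, virtual_size), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20                                            # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                          # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va = struct.unpack_from("<II", data, off + 8)  # VirtualSize, VirtualAddress
        sections.append((name, va, vsize))
    return entry_rva, sections

def check_entry_point(data):
    """Return (name of the section holding the EP or None, is_suspicious)."""
    entry_rva, sections = parse_pe(data)
    for name, va, size in sections:
        if va <= entry_rva < va + size:
            return name, name not in KNOWN_CODE_SECTIONS
    return None, True  # EP maps to no section at all: header is certainly damaged

def build_pe(entry_rva, sections):
    """Constructed PE32 header-only image (not loadable) used as test input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), s, va, s, 0, 0, 0, 0, 0,
                                0x60000020) for n, va, s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

if __name__ == "__main__":
    base = [(".text", 0x1000, 0x2000), (".data", 0x3000, 0x1000)]
    clean = build_pe(0x1000, base)                            # EP inside .text
    tampered = build_pe(0x5000, base + [("qzxa", 0x5000, 0x400)])  # EP in appended section
    print("clean:", check_entry_point(clean), "tampered:", check_entry_point(tampered))
```

Run it over a directory of tool binaries before and after a session and diff the results; a tool whose EP moved into a new last section is exactly the symptom described above.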