Cool technical report: http://www.sentinel-labs.com/wp-content/uploads/2014/07/Sentinel-Labs-Intelligence-Report_0714.pdf
The interesting stuff:
1) Cool original way of hooking:
The malware opens explorer.exe with NtOpenProcess and locates ntdll.dll by walking the PEB (FS:[0x30]). It first copies explorer.exe's ntdll.dll into its own memory, then patches the end of the second section of that copy with its own code and redirects the ZwClose function into it with a CALL instruction. Finally it unmaps explorer.exe's original ntdll with ntdll!NtUnmapViewOfSection, maps the patched copy at the same address with ntdll!NtMapViewOfSection, and terminates itself with ntdll!NtTerminateProcess. Mapping at the same address matters: ntdll.dll is loaded at one base address shared by every process for the lifetime of a boot session, so existing pointers into it stay valid after the swap.
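As an added example (not code from the SentinelLabs report or from the Gyges sample), the C below models the patch step on a constructed two-section image: it drops a payload into the unused tail of the second section, writes the CALL that redirects the ZwClose stub into it, and then runs the check a defender would run against this trick, a byte diff of the live image against a clean copy (for real ntdll.dll, the clean copy is the file re-read from disk and mapped the same way). Section layout, section alignment, the ZwClose RVA and the payload bytes are all constructed for the demonstration.

```c
/* Added example, not code from the SentinelLabs report or the Gyges sample.
 * Models "write code into the tail of the second section and hook ZwClose
 * with a CALL" on a constructed image, then diffs the live image against a
 * clean copy, which is how such in-memory ntdll patches are detected.
 * Section layout, RVAs and payload bytes are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_ALIGN 0x1000u   /* assumed SectionAlignment of the image */
#define IMG_LEN       0x4000u
#define ZWCLOSE_RVA   0x1200u   /* assumed RVA of the ZwClose stub */

/* Just the IMAGE_SECTION_HEADER fields the technique depends on. */
typedef struct { const char *name; uint32_t rva, vsize; } section_t;
typedef struct { uint32_t start, len; } range_t;

/* Constructed two-section layout: the patch targets the second section. */
static const section_t g_secs[2] = {
    { ".text",  0x1000, 0x1800 },   /* holds the ZwClose stub */
    { ".rdata", 0x3000, 0x0F80 },   /* 0x80 bytes of slack before 0x4000 */
};
static uint8_t g_clean[IMG_LEN], g_live[IMG_LEN];

static uint32_t aligned_end(const section_t *s) {
    return (s->rva + s->vsize + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1);
}

/* Slack between the bytes a section uses and its aligned end: code placed
 * there changes no header field, so size checks alone will not notice it. */
static uint32_t section_slack(const section_t *s, uint32_t *slack_rva) {
    *slack_rva = s->rva + s->vsize;
    return aligned_end(s) - *slack_rva;
}

/* E8 <rel32>: the displacement is taken from the end of the 5-byte CALL. */
static int32_t encode_call_rel32(uint32_t from_rva, uint32_t to_rva, uint8_t *out) {
    int32_t rel = (int32_t)(to_rva - (from_rva + 5));
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
    return rel;
}

/* Gyges-style patch: payload into the tail of section[1], hooked export
 * redirected into it. Returns the payload RVA, or 0 if it does not fit. */
static uint32_t patch_image(uint8_t *img, const section_t *secs,
                            const uint8_t *payload, uint32_t payload_len,
                            uint32_t hook_rva) {
    uint32_t slack_rva, slack = section_slack(&secs[1], &slack_rva);
    if (payload_len > slack) return 0;
    memcpy(img + slack_rva, payload, payload_len);
    encode_call_rel32(hook_rva, slack_rva, img + hook_rva);
    return slack_rva;
}

/* Hook scanner: compare a clean mapping (e.g. ntdll.dll re-read from disk)
 * with the live image and report each contiguous run of changed bytes. */
static int diff_images(const uint8_t *clean, const uint8_t *live, uint32_t len,
                       range_t *out, int max) {
    int n = 0;
    for (uint32_t i = 0; i < len;) {
        if (clean[i] == live[i]) { i++; continue; }
        uint32_t start = i;
        while (i < len && clean[i] != live[i]) i++;
        if (n < max) { out[n].start = start; out[n].len = i - start; }
        n++;
    }
    return n;
}

static const char *section_of(const section_t *secs, int nsec, uint32_t rva) {
    for (int i = 0; i < nsec; i++)
        if (rva >= secs[i].rva && rva < aligned_end(&secs[i])) return secs[i].name;
    return "?";
}

/* Build clean and patched images, run the scanner; returns the range count. */
int run_demo(range_t *out, int max, int32_t *rel32) {
    static const uint8_t payload[] = { 0x48, 0x31, 0xC0, 0xC3 }; /* constructed */
    memset(g_clean, 0, IMG_LEN);
    memset(g_clean + 0x1000, 0x90, 0x1800);  /* .text: placeholder code bytes */
    memset(g_clean + 0x3000, 0xAA, 0x0F80);  /* .rdata: placeholder data */
    memcpy(g_live, g_clean, IMG_LEN);         /* live copy, then patch it */
    uint32_t dst = patch_image(g_live, g_secs, payload, sizeof payload, ZWCLOSE_RVA);
    if (!dst) return -1;
    *rel32 = (int32_t)(dst - (ZWCLOSE_RVA + 5));
    return diff_images(g_clean, g_live, IMG_LEN, out, max);
}

int main(void) {
    range_t r[8]; int32_t rel;
    int n = run_demo(r, 8, &rel);
    printf("CALL rel32 = 0x%08X, %d modified range(s)\n", (uint32_t)rel, n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  rva 0x%05X len %u in %s\n", r[i].start, r[i].len,
               section_of(g_secs, 2, r[i].start));
    return 0;
}
```

The scanner reports two runs: the 5-byte CALL inside the ZwClose stub in the first section and the payload sitting past the used bytes of the second section. A scanner that only checks export entry points or section sizes would see the first but never the second, which is why the comparison has to cover the whole mapped range up to each section's aligned end.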
2) The malware is a 32-bit executable that carries a 64-bit payload. The 32-bit loader is heavily packed and encrypted with a mutated Yoda packer. The payload calls the 64-bit native Windows API directly to bypass user-mode hooks. The bypass is simple: user-mode hooks are injected into the 32-bit side of the Windows-on-Windows (WoW64) subsystem, so a transition from 32-bit to 64-bit code that skips that layer is never seen by them. A FAR CALL into the 64-bit code segment (selector 0x33, the trick commonly called "Heaven's Gate") switches the malware's operations to native 64-bit code, hiding the malicious activity from those hooks.
3) The malware checks that Windows booted normally and is not in safe mode by calling GetSystemMetrics(SM_CLEANBOOT), which returns 0 for a normal boot, 1 for safe mode and 2 for safe mode with networking. If the check fails, it reboots the machine with ExitWindowsEx(EWX_REBOOT, 0).
4) Gyges uses API redirection to prevent import table rebuilding: its API call sites are redirected into an allocated memory region rather than going through the import address table, so a dumped image does not expose the imports an unpacker would reconstruct.
5) The import address table (IAT) is rebuilt once the decryptor has finished its work.
6) Anti-debugging: NtSetInformationThread is called with ThreadInformationClass = 0x11 (ThreadHideFromDebugger), after which the thread no longer delivers debug events to an attached debugger (a breakpoint hit in such a thread kills the process instead of breaking in).
7) Anti-debugging: the NtQueryInformationProcess native API is queried with the ProcessDebugPort information class (value 7); a nonzero debug port means a debugger is attached.