Lab: Analysing Reverse Shell Malware

This lab is very similar to the last one; however, it focuses on analysing a reverse shell malware sample.

As usual, I begin with a static strings analysis using FLOSS.

I tried searching for several keywords, but only one of them produced a result: a call to `cmd.exe` to execute a command passed to it.

With strings providing little insight, I fired up PEStudio to get some leads, but it didn't give me anything solid either, aside from a few vague indications of the techniques used and how they resemble a RAT.

So I moved on to detonating the malware while monitoring with Wireshark and INetSim.

Since I had no specific information on which host the malware would contact, I filtered for DNS queries in Wireshark, which proved very fruitful: I caught the domain the malware was trying to reach.

Since the strings analysis showed no trace of a URI, I assume the domain is built by the malware concatenating strings at run time.

So that was something, but there was nothing after that initial DNS query: no HTTP, no TCP, nothing. I was a bit confused as to why the binary wasn't doing anything, even though INetSim should have been simulating a realistic environment for it.

I decided to check TCPView to see whether I could find more details on the connection from the Windows side, and it turned out the binary had established a TCP connection to port 443 (HTTPS) on the remote server (REMnux).

This gave me something to work with, so I started listening on port 443 on the REMnux machine.

At first the connection failed, so I had to kill the process on Windows, then set up a listener on port 443 with `nc`, and then start INetSim for DNS resolution.

That worked: I got a connection this way, so I tried typing in some commands to see how it responded.

They executed as I had expected, which confirms the binary's reverse shell capability.

To understand how the binary works a bit better, I grabbed its PID (6200) from the process tree in Procmon.

I then added a Procmon filter on Parent PID with that value to watch its behaviour, since malware often spawns commands as child processes.

The binary behaved much as I expected: it queried the path for the command and then spawned it as a child process via `cmd.exe`, using the command `cmd.exe /c whoami`. This matches the string I found in the FLOSS output.

With the information I gathered, I can conclude that this sample is a reverse shell binary that lets the attacker execute commands on the target system over an HTTPS channel.
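The two observations above (an outbound connection on port 443 in TCPView, and `cmd.exe /c ...` children under the sample's PID in Procmon) are exactly the pair a detection should correlate. As an added example that is not part of the original lab, the Python below does that correlation over constructed TCPView/Procmon-style events; the PID 6200 and port 443 come from the write-up, while `sample.exe`, the addresses and the benign noise events are assumptions.

```python
"""Flag the reverse-shell pattern seen in the lab: one process holds an
outbound TCP connection (here port 443) while spawning cmd.exe /c children."""
from collections import defaultdict

# Constructed sample events in the style of TCPView/Procmon output
# (not a real capture). PID 6200 is the sample's PID from the lab; the
# address 10.0.0.5 stands in for the REMnux listener.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 6200, "image": "sample.exe",
     "proto": "tcp", "dst": "10.0.0.5", "dport": 443},
    {"type": "process", "pid": 6312, "ppid": 6200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "pid": 6320, "ppid": 6200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
    # Benign noise: a process with a connection but no shell children,
    # and a cmd.exe whose parent has no network activity.
    {"type": "network", "pid": 4100, "image": "browser.exe",
     "proto": "tcp", "dst": "10.0.0.9", "dport": 443},
    {"type": "process", "pid": 7000, "ppid": 5000, "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


def find_reverse_shell_candidates(events, min_children=1):
    """Return [(pid, image, dst, dport, [cmdlines])] for every process that
    both owns an outbound TCP connection and spawned >= min_children
    interpreter children carrying a '/c' style one-shot command."""
    net_by_pid = {}
    shell_children = defaultdict(list)
    for ev in events:
        if ev["type"] == "network" and ev["proto"] == "tcp":
            net_by_pid[ev["pid"]] = ev
        elif ev["type"] == "process" and ev["image"].lower() in SHELL_IMAGES:
            if " /c " in ev["cmdline"].lower():
                shell_children[ev["ppid"]].append(ev["cmdline"])
    hits = []
    for ppid, cmds in shell_children.items():
        net = net_by_pid.get(ppid)
        if net is not None and len(cmds) >= min_children:
            hits.append((ppid, net["image"], net["dst"], net["dport"], cmds))
    return hits


if __name__ == "__main__":
    for pid, image, dst, dport, cmds in find_reverse_shell_candidates(SAMPLE_EVENTS):
        print(f"[!] {image} (PID {pid}) -> {dst}:{dport} spawned: {cmds}")
```

Raising `min_children` trades a little sensitivity for fewer false positives from legitimate tools that occasionally shell out once.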
