Lab: Malware Basic Analysis

I start by opening the lab and am made aware that the hashes for the malware weren't provided.

So I unpack the malware, deciding not to arm it yet, and get the file hashes.

I decide to run it through VirusTotal to get a gist of what I'm dealing with, and it looks like a Windows trojan.

Now I go back to the binary to check for any stray strings I can find using `floss`.

Most of it wasn't very interesting; however, I did find some noteworthy details.

With that I had a few leads to look for while exploring the binary.

I open the binary in a tool called PEView (I'm assuming it means Portable Executable View).

Anyway, I noticed the magic bytes (0x4D5A, "MZ"), which signify that it is a DOS or Windows executable. Another cool fact I found was that "MZ" stands for Mark Zbikowski, the designer of MS-DOS.

I checked the 'IMAGE_SECTION_HEADER .text' to see whether the binary was packed.

Seeing that the virtual size (the size the section occupies in memory during execution) is close to the size of the raw data on disk, we can assume the binary is not hiding any uninitialised data (i.e. is not packed).
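The MZ check and the VirtualSize-versus-SizeOfRawData comparison above can be done programmatically rather than by eye in PEView. The script below is an added example, not code from the original writeup: it hashes a file, walks the DOS header to the PE section table, and flags executable sections whose in-memory size greatly exceeds their on-disk size, the classic sign of a packer stub that unpacks into an empty section at run time. The two PE images it inspects are built in memory as constructed fixtures (the section names and sizes are my own choices, not those of the lab sample), so it runs offline.

```python
"""Static triage of a PE file: MZ magic, file hashes and a section-header packing heuristic.
Added example, not part of the original writeup; the sample images are built in memory and
are constructed fixtures, not the lab's malware."""
import hashlib
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
CODE_SECTION = 0x60000020   # CODE | EXECUTE | READ
DATA_SECTION = 0xC0000040   # INITIALIZED_DATA | READ | WRITE
BSS_SECTION = 0xC0000080    # UNINITIALIZED_DATA | READ | WRITE
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}


@dataclass
class Section:
    name: str
    virtual_size: int     # bytes the section occupies once mapped into memory
    raw_size: int         # bytes actually stored in the file
    characteristics: int


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the file: the identifiers you would submit to VirusTotal."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":                                  # 0x4D5A, the magic from the writeup
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; keep only the fields the heuristic needs
        name, vsize, _va, raw, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw, chars))
    return sections


def looks_packed(sections, ratio: float = 3.0) -> list:
    """Flag executable sections whose in-memory size far exceeds their on-disk size, i.e. an
    empty container the unpacker stub fills at run time, plus well-known packer section names.
    Data sections are skipped on purpose: .bss-style sections legitimately have raw size 0."""
    flagged = []
    for s in sections:
        if s.name in KNOWN_PACKER_SECTIONS:
            flagged.append(s.name)
        elif s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.virtual_size > ratio * max(s.raw_size, 1):
            flagged.append(s.name)
    return flagged


def build_minimal_pe(sections) -> bytes:
    """Construct a minimal PE32 image (DOS header, PE signature, headers, section table,
    NOP-filled section bodies). Test fixture only; it is not a runnable program."""
    opt_size, e_lfanew, file_align, sect_align = 224, 0x40, 0x200, 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)             # PE32 magic
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_end + file_align - 1) & ~(file_align - 1)
    raw_ptr, vaddr, table, bodies = first_raw, sect_align, b"", b""
    for name, vsize, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, raw,
                             raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        bodies += b"\x90" * raw
        raw_ptr += raw
        vaddr += (vsize + sect_align - 1) & ~(sect_align - 1)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table
    return image.ljust(first_raw, b"\0") + bodies


# Constructed fixtures: sizes mimic the two cases, they are not taken from the lab sample
UNPACKED = build_minimal_pe([(".text", 0x4F2A, 0x5000, CODE_SECTION),
                             (".data", 0x1000, 0x800, DATA_SECTION),
                             (".bss", 0x3000, 0, BSS_SECTION)])
PACKED = build_minimal_pe([("UPX0", 0x20000, 0, CODE_SECTION),
                           ("UPX1", 0x8000, 0x7E00, CODE_SECTION),
                           (".rsrc", 0x400, 0x400, DATA_SECTION)])

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        print(label, "sha256:", file_hashes(image)["sha256"])
        for s in parse_sections(image):
            print(f"  {s.name:<8} VirtualSize=0x{s.virtual_size:X} SizeOfRawData=0x{s.raw_size:X}")
        print("  suspicious sections:", looks_packed(parse_sections(image)) or "none")
```

Only executable sections are scored on the size ratio because data sections such as .bss legitimately have a raw size of zero; the 3:1 threshold is a heuristic of mine, so treat a hit as a reason to look further (section entropy, import table, which section holds the entry point), not as proof of packing.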

I move on to dynamic analysis of the malware. I set up INetSim on my REMnux VM, which is in an isolated network with the FLARE VM, and have Wireshark listening on the (only) interface.

Additionally, I put in a filter to watch for HTTP requests asking for favicon.ico, as one of the interesting outputs from my static analysis using floss showed an HTTP request.

Having everything set up, I arm the malware and execute it. Quite as expected, the favicon.ico request shows up.

To check that I hadn't missed anything, I went through the traffic once more with the filter removed, and stumbled upon another related DNS query.

This website, 'huskyhacks.dev', was also present in the floss output, which makes it another network-based indicator.

To see the impact of the malware on the host, I revert the VM to the pre-detonation snapshot and fire up Procmon, filtering on the process name 'Malware.Unknown.exe'.

This resulted in a lot of information: mostly modifying/accessing registry keys, loading DLLs (likely the imported libraries) and creating files.

I then added another filter on the path, looking for 'CR433101', again a string from the static analysis.

So with the leads from static analysis established, I can see the relation: the malware requests 'favicon.ico' from a sketchy site to get its second-stage payload. Of course the response was faked by INetSim, so the executable downloaded into the Documents folder is just the INetSim GUI library.

There was another command in the floss output that had my attention, as it was a cmd command to delete something:

`cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"`

I put this in as a Detail filter and executed the malware again from a clean state, this time without INetSim running, as this command seems to be pinging for something.

As expected, the malware deleted itself when it was not able to access the internet; another host-based indicator noted.

So from the information gathered so far, I can conclude it is a dropper which downloads its payload from an external URL and has the following control flow:

  • If URL exists
    • Request favicon.ico ([http:]//ssl-6582datamanager[.]helpdeskbros[.]local)
    • Write to disk (CR433101.dat.exe)
    • Execute the malware downloaded as favicon.ico (CR433101.dat.exe)
  • If URL does not exist
    • Delete self from disk
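To turn the network and host-based indicators above, and the control-flow summary, into something repeatable, here is an added example (not part of the original post) that scans a Procmon CSV export and a list of network log lines for those indicators and reports which branch of the dropper was observed. The log lines are constructed to mirror the writeup; they are not captured data. The Procmon column names are the defaults of its CSV export, and the regular expression for the self-deletion one-liner is my own.

```python
"""Triage the dynamic-analysis artefacts from the lab: match Procmon events and network log
lines against the indicators recorded in the writeup and decide which branch of the dropper's
control flow was observed. Added example, not part of the original post; the log lines below
are constructed, not captured from the sample."""
import csv
import io
import re

# Indicators from the writeup
SAMPLE_PROCESS = "Malware.Unknown.exe"
DROPPED_FILE = "CR433101.dat.exe"
NETWORK_IOCS = ("ssl-6582datamanager.helpdeskbros.local", "huskyhacks.dev")
# The self-deletion one-liner: ping as a short sleep, then Del /f /q <own path> (my own regex)
SELF_DELETE_RE = re.compile(
    r'cmd\.exe\s+/C\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*Nul\s*&\s*Del\s+/f\s+/q\s+"([^"]+)"',
    re.IGNORECASE,
)

# Constructed Procmon CSV export (default Procmon columns): the run with INetSim answering
ONLINE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Malware.Unknown.exe","4120","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.5","Malware.Unknown.exe","4120","CreateFile","C:\Users\analyst\Documents\CR433101.dat.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.7","Malware.Unknown.exe","4120","WriteFile","C:\Users\analyst\Documents\CR433101.dat.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0","Malware.Unknown.exe","4120","Process Create","C:\Users\analyst\Documents\CR433101.dat.exe","SUCCESS","PID: 4188, Command line: ""C:\Users\analyst\Documents\CR433101.dat.exe"""
'''

# Constructed Procmon CSV export: the run with no INetSim (URL unreachable)
OFFLINE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:00.3","Malware.Unknown.exe","4300","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","SUCCESS","Desired Access: Read"
"10:05:01.9","Malware.Unknown.exe","4300","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4316, Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q ""C:\Users\analyst\Desktop\Malware.Unknown.exe"""
'''

# Constructed one-line summaries of the kind Wireshark's Info column shows
ONLINE_NET = [
    "DNS Standard query A ssl-6582datamanager.helpdeskbros.local",
    "HTTP GET /favicon.ico HTTP/1.1  Host: ssl-6582datamanager.helpdeskbros.local",
    "DNS Standard query A huskyhacks.dev",
    "DNS Standard query A time.windows.com",
]


def scan_procmon(csv_text: str) -> list:
    """Return (indicator, evidence) pairs for the sample process: dropped file written,
    dropped file executed, or the self-deletion command spawned."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"] != SAMPLE_PROCESS:
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        dropped = path.lower().endswith(DROPPED_FILE.lower())
        if op == "CreateFile" and dropped and "Generic Write" in detail:
            findings.append(("dropped_file_written", path))
        elif op == "Process Create" and dropped:
            findings.append(("dropped_file_executed", path))
        elif op == "Process Create":
            m = SELF_DELETE_RE.search(detail)
            if m:
                findings.append(("self_delete", m.group(1)))   # the file being removed
    return findings


def scan_network(lines) -> list:
    """Tag any line touching a known domain; the favicon.ico fetch is the stage-2 request."""
    findings = []
    for line in lines:
        low = line.lower()
        for ioc in NETWORK_IOCS:
            if ioc in low:
                findings.append(("stage2_request" if "favicon.ico" in low else "ioc_domain", ioc))
    return findings


def observed_branch(findings) -> str:
    """Map host findings onto the control flow from the writeup."""
    kinds = {k for k, _ in findings}
    if {"dropped_file_written", "dropped_file_executed"} <= kinds:
        return "download-and-execute"
    if "self_delete" in kinds:
        return "self-delete"
    return "unknown"


if __name__ == "__main__":
    for label, text in (("online run", ONLINE_CSV), ("offline run", OFFLINE_CSV)):
        host = scan_procmon(text)
        print(label, "->", observed_branch(host), host)
    print("network ->", scan_network(ONLINE_NET))
```

Because INetSim answered the favicon.ico request with its stand-in file, the "dropped_file_executed" finding in the online run says only that the dropper ran whatever it received; the real second stage was never on the box, which is exactly why the writeup keeps the network indicators separate from the host ones.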