For this first Malware Analysis Blog, I present you the malware sample from HuskyHacks. For this entry, I will be using FLARE VM, where I will be detonating the malware, and Remnux, which handles DNS and runs Wireshark for packet capturing.
NOTE: Please make sure you run safety checks on your VMs before running malware. Make sure they can’t communicate with your physical host; they’re only supposed to communicate with each other (FLARE and Remnux).
ALSO, do not forget to take a clean snapshot of your VM. Why do we do this? So we can always revert to the clean state of our VM, from the moment before we detonated the malware, like really really fresh out of the box type of VM, no sus and all 💁
LET’S START! :) (I suggest having a playlist companion while doing this Analysis, of course my playlist is Taylor Swift. See reference from my previous blog)
Here we are faced with this unknown binary.
First we will dive into the Static Analysis part of Malware Analysis.
(What is Static Analysis? Static Analysis is the process of analyzing the malware without actually running it using tools like PEstudio)
PEStudio (Winitor): here are the features of PEStudio (these are also found on their website):
Features:
- transform RAW data into information
- spot anomalies
- detect embedded files
- collect imports, exports, strings, resources
- provide hints, indicators, groups, thresholds
- provide @MITREattack indicators
- retrieve scores from @Virustotal
- consume configurations files
- create XML report
First things first, let’s get the hashes of this binary. (So how do we do that?)
Open up FLARE VM, open cmder, and navigate to the folder where you placed the malware:
For example, it is on my Desktop
The commands I ran were:
> cd Desktop
> md5sum.exe <File Name>
> sha256sum.exe <File Name>
and it gave me the following results:
MD5: 689ff2c6f94e31abba1ddebf68be810e
SHA256: 248d491f89a10ec3289ec4ca448b19384464329c442bac395f680c4f3a345c8c
I mentioned earlier about PEstudio, so let’s start using that.
PEStudio is easy to use: you just have to drag and drop the file you want to analyse.
PEStudio gave us information about the indicators, libraries, functions, and strings. (Later we will dive into why Strings are important.) But just by looking at this information, we only have the tip of the iceberg; we haven’t really tackled what it does. We will be running the malware later on.
Maybe, just maybe you’re wondering if other people have also seen this in the wild. There’s one way to know that (or you can just directly ask them) but I think I wanna check out VirusTotal
(What is VirusTotal? VT is a malware repository, or for longer description you can check their site: How it works — VirusTotal)
Since we already have the hashes we can search it on VT (you can also upload BUT uhh I don’t think I can recommend uploading because Enterprise users can see the files you upload, what if the file contains sensitive information or assets? We don’t want that.)
Let’s get into it:
26 security vendors have found this file malicious. VT is very helpful because it gives us information like the PE Info, History, Basic Details, etc. I also like looking at the Community Comments because people like to share their analysis of the specific file I am looking at:
Okay let’s get back to our FLARE VM:
I mentioned earlier regarding STRINGS. Strings can contain useful information about the file. In FLARE VM, we can use Strings and Floss.exe
Let’s run the file against Floss.exe, open up your Cmder and type the following: (I renamed the file)
floss.exe RAT.exe.malz > result.txt
Let’s open the result.txt file to see what’s inside. Don’t be scared! We haven’t run the malware yet, so relax, take a deep breath, and drink your water!
I wanted to check if PEStudio and Floss.exe return the same thing:
Great, they do!
Alright alright, looking at the result… What are those?!?!?! Same thoughts, my friend. Same thoughts. They look like gibberish to me, but not really. If you scroll down, there is valuable stuff we can find there, like the following:
What are those?! Fret not, my friend. We have this tool called MalAPI.io to check what each Windows API does.
ALSO I want to add another resource that I actually like looking at when I feel a bit lost: head over to Hunt Evil | SANS Poster ! :) The poster shows us which processes are normal on Windows and which are not.
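To make the strings pass concrete, here is an added example (not part of the original post and not FLOSS itself) that pulls ASCII and wide strings out of a byte blob and sorts them into the kinds of finds this analysis leans on: URLs, file paths, API names, and base64 text that decodes cleanly. The sample bytes, the API watchlist and the function names are all assumptions made for the illustration.

```python
import base64
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")         # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # UTF-16LE ("wide") runs
URL_RE = re.compile(r"https?://\S+", re.I)
PATH_RE = re.compile(r"(?:[A-Za-z]:)?\\(?:[^\\]+\\)+[^\\]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Illustrative watchlist of Win32 API names (an assumption, not taken from the post).
API_WATCHLIST = {"InternetOpenW", "InternetOpenUrlW", "URLDownloadToFileW", "ShellExecuteW"}

# Constructed bytes standing in for a binary; none of these values come from the real sample.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"InternetOpenUrlW\x00" + b"\xff\xfe"
    + "http://example.invalid/update.exe".encode("utf-16le") + b"\x00\x00\x07"
    + rb"\AppData\Roaming\constructed\dropped.exe" + b"\x00"
    + base64.b64encode(b"[constructed] banner text") + b"\x00\x13\x37"
)

def extract_strings(data):
    """Return ASCII strings followed by UTF-16LE strings found in data."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return out

def decode_b64(s):
    """Return the decoded text if s is valid base64 for printable ASCII, else None."""
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return None
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None

def triage(data):
    """Sort extracted strings into the buckets worth a second look."""
    hits = {"url": [], "path": [], "api": [], "base64": []}
    for s in extract_strings(data):
        if (m := URL_RE.search(s)):
            hits["url"].append(m.group())
        elif PATH_RE.search(s):
            hits["path"].append(s)
        elif s in API_WATCHLIST:
            hits["api"].append(s)
        elif (decoded := decode_b64(s)) is not None:
            hits["base64"].append((s, decoded))
    return hits
```

Base64 hits are only reported when they decode to printable text, which keeps random alphanumeric runs out of the results.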
OKAY LET’S GET TO THE REAL THING — DETONATING THE MALWARE!
This is called Dynamic Analysis.
(What is Dynamic Analysis? Dynamic analysis detonates or runs the suspicious file in a sandbox)
Please just please, DO NOT run Malware on your PHYSICAL HOST.
Does Denice ever feel nervous when running unknown PE on her sandbox? Don’t worry, I still feel scared running malware on my sandboxes. I guess the feeling just never goes away!
Are you ready? Are you ready? Are you ready kids?
AGAIN: Please perform SAFETY checks first before running it. I double check everything EVERY SINGLE TIME I run malware on my sandbox.
K, last thing BEFORE we proceed: the standard practice when it comes to sharing malicious files is to put them in a password-protected file, and the password is always infected
OK, now you’re wondering what .malz is? It’s adding another extension to the file so that when you accidentally click it (yes, mistakes happen, but we gotta be really careful because we don’t know what we’re dealing with) the malware doesn’t run. :-) Another thing in the industry: if you ever find IOCs, you can defang them, for example like this: google[.]com / 127[.]0[.]0[.]1
Make sure Wireshark is running on your Remnux VM so we can capture whatever this file is communicating with. (I configured the network settings for the Remnux VM and FLARE VM; if you want to know more about this, I can make another blog post on how to configure the settings.)
Alright, let’s run the malware now (remove the extension)
Running the file results in the image above. I wonder what I did to NOT have soup for me?! Is it because I clicked the malicious file? Yes. Maybe yes.
Now let’s proceed to Remnux VM to check what it captured:
Okay, very very very interesting stuff. What are those? What is this request?
Another interesting thing is this:
Again what are these? Let’s dive into what it exactly does. Are you still with me?
Let’s follow the HTTP Stream of the /mscorelib.exe
Since it has a GET request, did this download something? Did this download a file? I am so curious, let’s check out the Downloads folder if it really did download anything:
None. (I downloaded those files :D)
Alright, alright, think. In the earlier part of this blog, I mentioned that Strings contain USEFUL information about the binary, so let’s go back and check if there are some we can use to continue our analysis.
Ok, so I searched the msdcorelib.exe just for starters and voila! there’s something next to it!! IS THAT A FILE PATH?!
Omg omg omg. ALERT THE MEDIA.
Ok relax! Let’s use this tool called Procmon or Process Monitor.
(What is Procmon? Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. Process Monitor — Windows Sysinternals | Microsoft Docs)
Have you downloaded it yet? Hope you did!
Open Procmon and don’t get too overwhelmed because of the processes you see as you open it! We will filter the noise and only retain what we need.
For that, let’s use the Process Monitor Filter.
Thankfully you can use different filters in ProcMon: there’s Process Name, Category, User, and other things that can cater to your needs. In this Analysis, we will be using the Process Name filter.
Choose from the dropdown > Process Name > contains > ProcessName
I also added the File Path that we saw earlier in the Filter criteria, so if you haven’t done that, please add it. Here’s my filter: #SharingisCaring
If you apply that to ProcMon it will return a very very clean ProcMon:
We want to see something based on the criteria we selected. How do we have them spawn again?
Yes, we will detonate the malware once again. (I know, I’m sorry!)
Wooop!!! Interesting results shown by ProcMon:
Let’s click on the result to see more properties:
As shown above, it looks like this process is all about creating a file, based on the Operation property. What file was created? and where is it located? Looking at the screenshot, there’s a File Path right in front of our eyes, is it the file we are looking for?
We’re going to go to the startup folder:
GOTCHU! GOTCHU! It downloaded a file called mscordll.exe ! (We can use this to filter things later on via ProcMon)
We are using another tool called TCP View.
(What is TCP View? TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. TCPView for Windows — Windows Sysinternals | Microsoft Docs)
It shows us very rich information but we only need a specific thing, the RAT.exe, so let’s find it on TCP View:
Right, TCP View provides information about RAT.exe: Process ID, Protocol, Connection State, Creation Time, etc.
According to this information, RAT.exe is listening on 0.0.0.0, Local Port 5555.
We’ll be introducing a tool called Netcat.
(What is Netcat? This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. Netcat — SecTools Top Network Security Tools)
It is just fitting that we will be using this tool to interact with this binary.
Let’s go over to our Remnux box and use Netcat.
In netcat, here are the commands we can use to cater to our needs:
But for this specific task, we will be using the following command:
nc -nv <IP of our VM> <port which it listens to>
nc -nv 10.0.0.8 5555
HELL YEAH. Connection succeeded everyone!! give yourselves a round of applause :-)
But what is the text below? That is base64, OR if you have no idea, we can use the CyberChef tool to find that out.
Wait wait wait, I saw those texts in the Strings when we ran the floss.exe against it, right? Did you see it too?
Let’s try another command in our Remnux box.
This returns the following:
I tried out other commands to check if I can gather more information about the Windows where I ran the malware.
Oof and it did give me details.
Since we have more details on this Analysis, we can use another filter on ProcMon! Operation IS TCP, to see if the Process is receiving and sending information.
Head over to your Remnux once again and type out a command, for example whoami
and now head over to your FLARE VM to see if Process Monitor is displaying details:
TCP RECEIVE AND TCP SEND! Exchanging info
Okay, to summarize this Analysis: it contains command injecting capabilities. This binary can easily inject any command, and it’ll return the information it requested to whoever is connected on port 5555.
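The ProcMon filters used in this analysis (process name, the Startup folder path, TCP operations) can also be applied offline to a CSV saved from ProcMon, which is handy for notes and reports. This is an added example, not part of the original analysis; it assumes ProcMon's default CSV columns, and the rows, PID, user name and host names below are constructed.

```python
import csv
import io

# Per-user and all-users Startup folders both end with this suffix.
STARTUP = r"\start menu\programs\startup"

# Constructed rows in ProcMon's default column layout (times, PIDs, hosts are made up).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","RAT.exe","4242","CreateFile","C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscordll.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:02.2","RAT.exe","4242","WriteFile","C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscordll.exe","SUCCESS","Offset: 0, Length: 4096"
"10:01:03.0","explorer.exe","1200","CreateFile","C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:04.0","RAT.exe","4242","CreateFile","C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","SUCCESS","Desired Access: Read Attributes"
"10:05:10.0","RAT.exe","4242","TCP Receive","flare-vm:5555 -> remnux:40112","SUCCESS","Length: 7"
"10:05:10.1","RAT.exe","4242","TCP Send","flare-vm:5555 -> remnux:40112","SUCCESS","Length: 44"
'''

def triage_procmon(csv_text, process_names):
    """Report Startup-folder writes and TCP operation counts for the given processes."""
    wanted = {p.lower() for p in process_names}
    findings = {"startup_writes": [], "tcp": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in wanted:
            continue  # same effect as the Process Name filter
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        in_startup = STARTUP in path.lower()
        # CreateFile is also logged for plain opens, so require write access.
        writes = op == "WriteFile" or (op == "CreateFile" and "write" in detail.lower())
        if in_startup and writes and row["Result"] == "SUCCESS":
            if path not in findings["startup_writes"]:
                findings["startup_writes"].append(path)
        elif op.startswith("TCP "):
            findings["tcp"][op] = findings["tcp"].get(op, 0) + 1
    return findings

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" in case it starts with a BOM.
    print(triage_procmon(SAMPLE_CSV, ["RAT.exe"]))
```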
Now we found out what this Malware does…
I HOPE YOU LEARNED SOMETHING FROM THIS ANALYSIS. :-)
Tool Recap:
FLARE VM (mandiant/flare-vm (github.com))
REMNUX (REMnux: A Linux Toolkit for Malware Analysis — REMnux Documentation)
PEStudio (Winitor)
Wireshark
Floss.Exe
Netcat
CyberChef
Thank you for reading!!! Here’s a picture of my cat sleeping as a THANK YOU