# Malware Analysis

> [name=cyberc0re]

## 1. Malware.Unknown.exe

### File hash & VT Analysis

* (VT - VirusTotal)

```
command: sha256sum.exe Malware.Unknown.exe.malz
```
92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a <Malware.Unknown.exe.malz>

```
command: md5sum.exe Malware.Unknown.exe.malz
```
1d8562c0adcaee734d63f7baaca02f7c <Malware.Unknown.exe.malz>

---

### Basic Static Analysis

* Strings and FLOSS output

```
#Floss Malware.Unknown.exe.malz
FLOSS static Unicode strings
jjjj
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
C:\Users\Public\Documents\CR433101.dat.exe
Mozilla/5.0
http://huskyhacks.dev
ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
open
```

> Note: Most of the important strings were found at the end.

---

### IAT & PEView

**Windows API calls:**

* DownloadFromURL
* InternetOpenURLA
* ShellExec

---

### Basic Dynamic Analysis

* Host and Network Indicators

| Host | Network |
| -------- | -------- |
| 1. Deletes files. | 1. Calls out to a domain. |
| 2. Installs persistence. | 2. Downloads a file. |

---

### Network Signature

* Wireshark was used to find the network signatures

> ![](https://i.imgur.com/Vquog6O.png)

### Host Indicator

* If inetsim is not running, the malware is designed to self-delete once it is detonated, as it wouldn't be able to fetch the request from DNS. So, once I terminated inetsim in my REMnux terminal, the malware deleted itself when I tried to detonate it again.

![](https://i.imgur.com/ITUhN2D.png)

```
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe"
```

* Program execution flow

```
If URL exists -> Download favicon.ico -> Run favicon.ico
If URL doesn't exist -> Delete from disk -> Do not run
```

Name: Dropper.DownloadFromURL.exe

---

## 2. RAT.Unknown.exe.malz (Dynamic Analysis)

### String/FLOSS Output:

```
@SSL support is not available. Cannot connect over SSL.
Compile with -d:ssl to enable.
@https
@No uri scheme supplied.
InternetOpenW
InternetOpenUrlW
@wininet
@wininet
MultiByteToWideChar
@kernel32
@kernel32
MessageBoxW
@user32
@user32
@[+] what command can I run for you
@[+] online
@NO SOUP FOR YOU
@\mscordll.exe
@Nim httpclient/1.0.6
@/msdcorelib.exe
@AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
@intrt explr
@http://serv1.ec2-102-95-13-2-ubuntu.local
```

### Initial Detonation

> ![](https://i.imgur.com/HcpHYC2.png)

---

### Wireshark observation after detonation

![](https://i.imgur.com/jAKsqp0.png)

> Dechaining/decoupling: the data can be transmitted first and then written to disk under some other name.

* `#Potential File Download -> msdcorelib.exe`

### Host-Based Indicators

![](https://i.imgur.com/EHTH3e7.png)

* **Persistence Binary File:**

![](https://i.imgur.com/BCZcQhs.png)

* **TCP Socket in Listening State:**

![](https://i.imgur.com/3D2dVVv.png)

* **Command Injection Capabilities:**

![](https://i.imgur.com/PYb98e5.png)

> Note: This is a "bind shell" script, a Trojan that can be remotely connected to.

```
#Re-evaluated Name: "RAT.commandshell.exe"
```
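As an added example that is not part of this write-up, the following Python triage helper turns the string indicators found in both samples into checks: the dropper's `ping -w 3000 ... & Del /f /q` self-delete idiom, download URL and `C:\Users\Public\Documents` drop path, and the RAT's Startup-folder persistence path and C2 URL. The sample lines are copied from the FLOSS output above; the regexes, the `Triage` class and the verdict labels are my own assumptions, not the author's tooling.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns recovered from the FLOSS output above: the "ping -w <ms> & Del /f /q"
# self-delete idiom, plain-HTTP URLs, a C:\Users\Public\Documents drop path, Startup folder.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+-n\s+\d+\s+-w\s+(\d+)\s*>\s*Nul\s*&\s*Del\s+/f\s+/q\s+"([^"]+)"', re.I)
URL_RE = re.compile(r'https?://[\w.\-]+(?::\d+)?(?:/[^\s"]*)?', re.I)
DROP_RE = re.compile(r'C:\\Users\\Public\\Documents\\[^\s"]+\.exe', re.I)
STARTUP_RE = re.compile(r'Start Menu\\Programs\\Startup', re.I)
NET_APIS = {"internetopenurla", "internetopenurlw", "internetopenw"}  # WinINet imports

# Constructed sample input: a few lines copied from the two FLOSS dumps above.
DROPPER_STRINGS = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico",
    r"C:\Users\Public\Documents\CR433101.dat.exe", "InternetOpenURLA"]
RAT_STRINGS = [
    "InternetOpenUrlW", "@[+] what command can I run for you",
    r"@AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "@http://serv1.ec2-102-95-13-2-ubuntu.local"]

@dataclass
class Triage:
    urls: list = field(default_factory=list)
    drop_paths: list = field(default_factory=list)
    net_apis: list = field(default_factory=list)
    self_delete_target: str = ""   # path deleted ("%s" is the format slot in the string)
    self_delete_delay_ms: int = 0  # the ping -w timeout the sample uses as a sleep
    startup_persistence: bool = False

    def verdict(self) -> str:
        if self.self_delete_target and self.urls:
            return "dropper: download-or-self-delete"
        if self.startup_persistence and self.urls:
            return "rat: C2 URL plus Startup-folder persistence"
        return "network capability only" if self.urls or self.net_apis else "no indicators"

def triage_strings(strings):
    """Walk strings/FLOSS output line by line and collect the indicators."""
    t = Triage()
    for s in (line.strip() for line in strings):
        if m := SELF_DELETE_RE.search(s):
            t.self_delete_delay_ms, t.self_delete_target = int(m.group(1)), m.group(2)
        t.urls += [u for u in URL_RE.findall(s) if u not in t.urls]
        t.drop_paths += [p for p in DROP_RE.findall(s) if p not in t.drop_paths]
        t.startup_persistence |= bool(STARTUP_RE.search(s))
        if s.lstrip("@").lower() in NET_APIS:  # Nim stores literals with a leading "@"
            t.net_apis.append(s)
    return t
```

Run `triage_strings(DROPPER_STRINGS).verdict()` and `triage_strings(RAT_STRINGS).verdict()` to see the two classifications; feeding the full FLOSS dump of a new sample through the same function gives a first-pass verdict before detonation.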