Malware Analysis

cyberc0re

1. Malware.Unknown.exe

File hash & VT Analysis

• (VT - Virustotal)

command:
sha256sum.exe Malware.Unknown.exe.malz

92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a <Malware.Unknown.exe.malz>

command:
md5sum.exe Malware.Unknown.exe.malz

1d8562c0adcaee734d63f7baaca02f7c
<Malware.Unknown.exe.malz>

Basics Static Analysis

• String and Floss Output

#Floss Malware.Unknown.exe.malz

FLOSS static Unicode strings
jjjj
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
C:\Users\Public\Documents\CR433101.dat.exe
Mozilla/5.0
http://huskyhacks.dev
ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
open

Note: Most of the important Strings were found at the end.

IAT & PEView

Windows API calls:

• DowloadFromURL
• InternetOpenURLA
• ShellExec

Basic Dynamic Analysis

• Host and Network Indicators

Network Signature

• Wireshark has been used to find the Network Signatures

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Host Indicator

• If inetsim was not running, the Malware is designed to self delete once it is detonated as it wouldn't be able to fetch request from the DNS. So, once I terminated inetsim in my Remnux terminal the Malware deleted itself, when I tried to detonate again.

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe"

• Program execution flow
  If URL exists
  -> Download favicon.ico
  -> Run favicon.ico
  If URL doesn't exists
  -> Delete from disk
  -> Do not run

Name: Dropper.DownloadFromURL.exe

2. RAT.Unknown.exe.malz (Dynamic Analysis)

• String/Floss Output:

@SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.
@https
@No uri scheme supplied.
InternetOpenW
InternetOpenUrlW
@wininet
@wininet
MultiByteToWideChar
@kernel32
@kernel32
MessageBoxW
@user32
@user32
@[+] what command can I run for you
@[+] online
@NO SOUP FOR YOU
@\mscordll.exe
@Nim httpclient/1.0.6
@/msdcorelib.exe
@AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
@intrt explr
@http://serv1.ec2-102-95-13-2-ubuntu.local

Initial Detonation

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Wireshark observation after detonation.

Dechaining/ Decoupling: The data can be transmitted first and can be written into the disk with some other name.

• #Potential File Download -> msdcorelib.exe

Host Base Indicators

• Persistence Binary File:
  

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

• TCP Socket in Listening State:
  

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

• Command Injecting Capabilities:
  

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

Note: This is a "Bind shell script", a Trojan that can be remotely connected.

#Re-evaluated Name: "RAT.commandshell.exe"