Saturday, August 17, 2013

Elitism: A rant by Secluded Memory

After several blog posts, it occurred to me that not everyone understands the purpose of this blog, my intent for writing, or why I don't believe in being an elitist, so I wanted to take some time to try to clear that up. There will definitely be some ranting involved here - you've been warned.

For starters, I've been extremely flattered by all of the positive feedback I've been given surrounding my various blog posts, as well as the work I've been doing as part of the MalwareMustDie community. So, to all of you who have supported me in my personal life, my professional life, and my time as a "malware crusader" - thank you.

When I write a post, there's only one place I ever post the link - Twitter. Inevitably the link seems to be passed around to various other places on the internet, which is fine. The side effect is that it reaches a much wider audience than I originally anticipated. This isn't necessarily a bad thing, but a larger viewer base means there are going to be people who simply don't like what I have to say.

If you happen to be such a reader who doesn't like what I have to say, let me be clear - I didn't create this blog for you, and I'm certainly not forcing you to read it. I created this blog to contribute something positive the community which has been so incredibly helpful in my never-ending quest to learn. I did not create a blog for people like this:

"I'm tired of things like "Look, I'm malware analyst I can post VirusTotal links to my twitter". There is only one tool for malware analysis - IDA PRO, other tools are for malware analysis cargo cult. If you are uploading file to VT then you don't do any malware analysis - you just get results from many AV vendors. I just don't get people who calls output from tools like ProcMon, or some sandboxes "malware analysis", why not a research?" - <name redacted>

Which brings me to my next point...

What does it mean to be a malware analyst?

Malware analysis involves so many different things. One of the biggest components to that involves research. We aren't here to reinvent the wheel, we're here to accomplish a task. Sometimes all we want to do is answer the question of, "what type of malware is this?" or, "what does this malware do?" and don't necessarily need to fully reverse engineer the sample. Maybe we just don't have time to do that.

Being a malware analyst means being an observer, a researcher, a hacker - an analyst. We take a piece of malware and figure out something about it that the average user doesn't know. The tools we choose to use are not what determines who we are, and the choice of tool certainly does not make one of us better than the other. I use VirusTotal because it helps point me in the right direction to start my research. If someone else has already fully reversed the sample I'm working on, why would I do it again if all I really want to do is give people an overview of my thought process for dynamic (read: behavioral) analysis? I wouldn't.

I have never claimed to be an expert at anything other than drinking and sarcasm. Just because I have a blog doesn't make me any better than anyone else. Just because I can look up something in VirusTotal doesn't mean I think I'm an expert at reverse engineering. Just because I don't think IDAPro is the only tool people should be using for malware analysis doesn't mean I'm not a malware analyst.

At the end of the day, I think we can do without the elitist attitude that certain individuals have who are also a valuable part of this very same community. Trying to keep up with the spread of malware is hard enough, we don't need to be putting each other down or trying to pretend like we're better than the next guy. We are all on the same team, so let's start acting like it. With that, I'll leave you with one question:

If we can't help each other become better at whatever it is that we're doing, then why are we here?


Sunday, August 11, 2013

The Mind of a Malware Analyst: Blogging While Doing 64-bit Malware Analysis

It certainly has been a while, hasn't it? Between playing with malware pretty much non-stop for a few months straight, followed by an unfortunate death in my family, going on vacation, and then getting sick - the combination of burnout and life getting in the way caused me to not make time to write up a post sooner.

The good news is, I'm here now, and I'm going to try something new(ish). This time around, I'm going to do an analysis on a 64-bit malware sample sent to me by @DarrelRendell. The difference here is that I don't know anything about what I'm getting into, other than the fact that it's 64-bit, before starting work on the blog post about it. That is to say, I'm writing this post as I do my analysis of it. My goal here is to give you a little glimpse into my thought process and understand the way I like to do things. This might also lead to a post that's a little more sporadic than my previous posts. With any luck, I won't hit a dead end.

The tl;dr version:

Here's the basic overview of my (dynamic) analysis process.. this gets covered in depth throughout the post
  • Gather basic info about the malware
    • md5, VirusTotal info, sigcheck, exiftool, strings
    • Make an educated guess about which malware family it belongs to
  • Use procmon and process explorer to gather behavioral information
    • Use filters in procmon to make life easier
    • Correlate behavioral information to try to more accurately identify the malware
  • Look at network traffic generated by malware (if applicable)
    • Analyze any secondary paylods

The game begins...

Basic Information Collection

Okay, let's get started. I've got my sample, so let's gather some basic info on it. Hash, header info, check for packers, strings output, etc.

First, let's run it through sigcheck:

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals -

        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    464F4C6477613AAAF1F8195B5E77CAB0
        SHA1:   59D83AD05C6FB4EF1D17636692FA8CD9C60FFFC1
        PESHA1: A14BB471C1949E05C462EAB4143C494570C90944
        SHA256: DC36D538B7A1EE404DFD6E104B9A1EDD7046526E55B3F911BEEA2B422A0EB625

Followed by checking the md5 in VirusTotal... Not bad, initially it had a 19/46 detection rate. The analysis is 3 months old in VT, so let's re-upload the sample and see if we get a better detection rate and possibly some help with classification:

Okay, so we have a few more detections than the initial search I ran, up to 23/45 now. Most of the AV vendors classify this as a generic trojan. There are a few references to Kryptik, Simda, and Rodricter (which is part of the Simda family, it seems). Some quick google searching for these malware names leads to a few decent pages to research:



Note:  Later in the post I discovered that there is actually a 32-bit component in the form of Win32/Claretore, which is a member of the Simda family. More on that later.

Now that we have some reference material for when we do behavioral analysis later, lets finish collecting basic information about the file. Next, a quick auto scan via peframe:

C:\Users\admin\Desktop\Tools\PE Tools\peframe> -a C:\Users\admin\Desktop\unknown.exe
File Name:      unknown.exe
File Size:      177664 byte
Compile Time:   2010-02-26 00:43:11
DLL:            False
Sections:       5
MD5   hash:     464f4c6477613aaaf1f8195b5e77cab0
SHA-1 hash:     59d83ad05c6fb4ef1d17636692fa8cd9c60fffc1
Packer:         None
Anti Debug:     None
Anti VM:        None

File and URL:
FILE:           KERNEL32.dll
URL:            None

Suspicious API Functions:
Func. Name:     GetCommandLineA
Func. Name:     VirtualAlloc

Suspicious API Anti-Debug:

Suspicious Sections:
Sect. Name:     DATA
MD5   hash:     739c32c979bb45cad8563bfbbc15439d
SHA-1 hash:     10ba28ceb02a7479c7bc8aaaf8840ab751c71cd7
Sect. Name:     BSS
MD5   hash:     a3c0e191bd4eb60320d1e3781667397c
SHA-1 hash:     e5ed43c0c1e21bb881d3828ee7c875851a1ea5cd
Sect. Name:     .edata
MD5   hash:     90e0281621601ef5b4988bd0b9814939
SHA-1 hash:     cfaa206cc179211489c71ceb51d1e8393fbc73d9
Sect. Name:     .reloc
MD5   hash:     2c38765194d27b75f56d0565088a53ee
SHA-1 hash:     217125fcb30e489e2ecc55be03157344f4a06db8

No packer detected, so let's take a look at strings output to see if there's anything that stands out...


Those are pretty much the only readable strings in the file. "ExitVDM" in particular is something I haven't seen before. Running a quick google search for "ExitVDM" leads to a multitude of pages all related to malware, but nothing in particular stands out that allows us to identify the malware yet. These strings may be useful later, so let's keep going. Next up is exiftool output:

ExifTool Version Number         : 9.30
File Name                       : unknown.exe
Directory                       : C:/Users/admin/Desktop
File Size                       : 174 kB
File Modification Date/Time     : 2013:07:09 11:44:24-06:00
File Access Date/Time           : 2013:08:11 02:39:16-06:00
File Creation Date/Time         : 2013:08:11 02:39:16-06:00
File Permissions                : rw-rw-rw-
File Type                       : Win64 EXE
MIME Type                       : application/octet-stream
Machine Type                    : AMD AMD64
Time Stamp                      : 2010:02:26 00:43:11-07:00
PE Type                         : PE32+
Linker Version                  : 5.0
Code Size                       : 12288
Initialized Data Size           : 397312
Uninitialized Data Size         : 0
Entry Point                     : 0x1068
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows GUI

The compile time here shows that either this was compiled in 2010, or the compile time was changed. With the fairly high detection rate, it's a safe bet to say that this is a pretty old piece of malware.

Behavioral Analysis

Next up, let's run this thing and see what it does. My standard tools for behavioral analysis are Procmon and Process Explorer, both of which can be found in Microsoft's Sysinternals Suite (you can get it here: This pretty much involves little more than setting up both programs, then executing the malware.

Upon executing the malware, nothing visibly happens, aside from the mouse cursor changing to the "busy" circle briefly. However, watching process explorer revealed a few child processes being spawned, only to be killed moments later. A few moments after that, the original exe had deleted itself. I want to get a screenshot of this happening, but it happened so fast the first time that I missed it, so I'll probably run it again later just to get a process explorer screenshot for you.

Edit: Here's a shot of the processes being spawned (or rather, being killed shortly after spawning) in process explorer:

First, it's time to analyze our Procmon logs. The first thing I like to do to get a basic idea of the meaningful things that happened is use a filter in Procmon that shows only actions that involved writing data to disk (this also includes deletions). Set Procmon filter like this:

Category is Write -- you'll have to use the dropdown to select 'category' and then enter 'write' in the text box yourself. Here's the filtered output:

Here we can see a few interesting things happening:

  • Unknown.exe creates a file: 1438bh51ova3si-0.exe
  • Unknown.exe modifies the startup entries in the registry under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Server
  • taskhost.exe deletes internat.exe from the startup entry from the registry
  • 1438bh51ova3si-0.exe creates a file: 1bh96u1i5ix6l-0.tmp
  • 1438bh51ova3si-0.exe creates a file: v9l6rc1k3k14t-0.tmp
  • Unknown.exe attempts to delete itself (it's not successful in this screenshot, but it is successful later)
There are some other interesting behavioral things going on in this screenshot, particularly with modification of UserAssist registry keys, but I'm going to ignore that for the moment and focus on the files that were created.

The two .tmp files were deleted by the malware, but the created exe (1438bh51ova3si-0.exe) is there. Here's the sigcheck info for it:

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals -

        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    464F4C6477613AAAF1F8195B5E77CAB0
        SHA1:   59D83AD05C6FB4EF1D17636692FA8CD9C60FFFC1
        PESHA1: A14BB471C1949E05C462EAB4143C494570C90944
        SHA256: DC36D538B7A1EE404DFD6E104B9A1EDD7046526E55B3F911BEEA2B422A0EB625

You'll probably notice that the hashes match the original unknown.exe file. This is simply the original exe copying itself to C:\Users\admin\AppData\Local\Temp\ under a different filename. Now that we got that part figured out, what about the other exe files? Going to have to set the lab VM up again and try to grab the .tmp files before they delete themselves.

Edit: When I did the network analysis later in this post, I was able to grab copies of the .tmp files that the main exe creates. Here's the sigcheck info on them (note the filenames are somewhat randomized):

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals -

        Verified:       Unsigned
        Link date:      12:34 PM 3/26/2008
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    C36254EBF4819085CC714442E331B6F2
        SHA1:   85E6B52A28589FC8AFD100DFAC934F4F42C0447F
        PESHA1: DFA3ABDCC9EBA9AF88D0AF08F0E15D8E30763232
        SHA256: 90C17A1DD07536E7E23A8B0B4C2FFA681741142FEAE817DEFA973C34D4F29D01

VT info(34/45):

        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    91C95A72D439F93939A7B0BE8C995A36
        SHA1:   BAF6A9D6E61D9F5AB391E6D241B9C96AD8B8A187
        PESHA1: C3AC273E93C6FB4A38EABEA114281667EF841074

        SHA256: 9772E4BED9AAD3A2918176D6C218FBF5B0EA65F78D107FC5A2CF5FB27938C896

VT info(9/45):

While looking through VT results I noticed references to Win32/Claretore, which is part of the Simda family. A little research lead me to this article from Microsoft. I suggest looking at that before you continue reading to see just how closely it matches up with the behavior, etc., of this sample. :)

And the strange startup entry for "Windows Update Server"? 

This is a pretty common attempt by the malware writer to throw off an average user into thinking their new startup entry is legitimate. The malware has added itself to the Run key under HKCU/Software, which will cause the malware to execute any time a user logs in (Edit: Thanks to Harlan Carvey for pointing out that I originally stated (incorrectly) that the malware would execute when the machine boots up). 

Now that we know a few things the malware does, including its persistence method, let's go back and remove the filter we set above. We're going to use a new filter: 

Process Name is unknown.exe

This shows us some more useful info, seen here:

Now things are getting more interesting.

  • Unknown.exe attempting to connect to:
  • Unknown.exe creating three new threads with the following PIDs: 1640, 1572, 504
At this point, we know now that the malware is trying to connect to something. I suspect that the process killed itself when it couldn't connect to the internet, and simply sets persistence so it will try to connect every time a user logs on. Being that this is likely some kind of backdoor trojan (based on the research we did earlier and the results from VT), the malware is probably trying to connect to something to await commands from the malware writer. This behavior also seems to match up with our research on Simda from earlier as well. Here's a brief snippet from the article on it:

Trojan:Win32/Simda connects to a remote host and provides information regarding the newly infected computer.

It then receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include additional malware.

My guess is the .tmp files from earlier were created by the malware when it attempted to connect to the internet, but ended up deleting them when the connection to the internet failed. We'll come back to the network traffic later when we run the malware with wireshark running. Maybe I'll get a wild hair and let my analysis VM out to the net to see if it's just a backdoor, or if it's a downloader (or both!).

Let's figure out what those PIDs are. Again we can use a filter in Procmon to filter by PID. You may notice that the threads exit not long after they are created, so it's possible that it's spawning a process that doesn't do much. Only one way to find out!

Creating 3 separate filters in Procmon to display activity from PIDs 1640, 1572, and 504 didn't display anything. This indicates that the threads were created to do something, but then ended before the threads themselves performed any actions. However, creating a filter for "Parent PID is 1376" (the PID of unknown.exe from our last screenshot) shows us actions performed by 1438bh51ova3si-0.exe which has the PID of 976, seen here:

I've pointed out the interesting parts of this that seem match up with the previous research on Simda. This appears to be the malware collecting information about the operating system and various settings, presumably to send back to the malware writer when it connects to the internet. Speaking of connecting to the internet...

Network Traffic Analysis

We already know the malware tries to get out to the net, so let's reset the lab and then capture all the traffic generated by the malware using Wireshark. In this case, I've pointed my malware analysis VM to my Remnux VM (set default gateway and DNS IP address on the analysis vm to the IP of the Remnux vm) in order to capture the traffic. Depending on what type of queries the malware makes, netcat, honeyd, ircd, or a combination of the three may be needed.

Without using anything but wireshark, we can see the malware trying to query an oddly named domain (

It also attempts to connect to the same IP address mentioned earlier: on port 80, and we need to know what it's trying to do.

How do we tackle this? honeyd to the rescue! Remnux VM has honeyd already installed, so starting it up is a manner of entering honeyd start at the terminal. Honeyd is a lightweight honeypot client that can intercept IP based traffic. In this case, I have honeyd configured to spoof a web server (using the script that's already written on Remnux). The malware wants to connect to a web server on port 80, so I'm giving it what it wants. Here's another snippet of the packet capture while honeyd is running:

We can see it issuing some GET requests for something, so following the TCP stream gets us some more intel:

The "404 Not Found" response is honeyd responding just like a real web server would. :) Notice the host: The full GET request it's issuing is: hxxp://

I attempted to wget the URL above but did not find anything. It's not surprising, but due to the age of the malware, it's likely that the web server that's hosting the malicious content is no longer live. Doing some research into the IP provides even more evidence that we are, in fact, dealing with a variant of Win32/Claretore (which is, again, part of the Win32/Simda family). The article can be found here:

Conclusion and Summary

My goal here was to accomplish a few things:

  1. Analyze the behavior of the malware, including network activity
  2. Identify with reasonable certainty the specific type of malware I was analyzing
There is certainly a lot more I could analyze here (such as the .tmp files), but I think I've accomplished my original goal quite well of giving readers some insight into malware analysis and my particular thought process, as well as my analysis process. Hope you enjoyed it! Comments are most welcome, and you can always find me via Twitter if you'd like to keep an eye on what I'm working on (or ranting about!).


Tools Used: