Sunday, August 11, 2013

The Mind of a Malware Analyst: Blogging While Doing 64-bit Malware Analysis

It certainly has been a while, hasn't it? Between playing with malware pretty much non-stop for a few months straight, followed by an unfortunate death in my family, going on vacation, and then getting sick - the combination of burnout and life getting in the way caused me to not make time to write up a post sooner.

The good news is, I'm here now, and I'm going to try something new(ish). This time around, I'm going to do an analysis on a 64-bit malware sample sent to me by @DarrelRendell. The difference here is that I don't know anything about what I'm getting into, other than the fact that it's 64-bit, before starting work on the blog post about it. That is to say, I'm writing this post as I do my analysis of it. My goal here is to give you a little glimpse into my thought process and understand the way I like to do things. This might also lead to a post that's a little more sporadic than my previous posts. With any luck, I won't hit a dead end.

The tl;dr version:


Here's the basic overview of my (dynamic) analysis process.. this gets covered in depth throughout the post
  • Gather basic info about the malware
    • md5, VirusTotal info, sigcheck, exiftool, strings
    • Make an educated guess about which malware family it belongs to
  • Use procmon and process explorer to gather behavioral information
    • Use filters in procmon to make life easier
    • Correlate behavioral information to try to more accurately identify the malware
  • Look at network traffic generated by malware (if applicable)
    • Analyze any secondary paylods

The game begins...

Basic Information Collection


Okay, let's get started. I've got my sample, so let's gather some basic info on it. Hash, header info, check for packers, strings output, etc.

First, let's run it through sigcheck:

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\admin\Desktop\unknown.exe:
        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    464F4C6477613AAAF1F8195B5E77CAB0
        SHA1:   59D83AD05C6FB4EF1D17636692FA8CD9C60FFFC1
        PESHA1: A14BB471C1949E05C462EAB4143C494570C90944
        SHA256: DC36D538B7A1EE404DFD6E104B9A1EDD7046526E55B3F911BEEA2B422A0EB625

Followed by checking the md5 in VirusTotal... Not bad, initially it had a 19/46 detection rate. The analysis is 3 months old in VT, so let's re-upload the sample and see if we get a better detection rate and possibly some help with classification: https://www.virustotal.com/en/file/dc36d538b7a1ee404dfd6e104b9a1edd7046526e55b3f911beea2b422a0eb625/analysis/1376211352/

Okay, so we have a few more detections than the initial search I ran, up to 23/45 now. Most of the AV vendors classify this as a generic trojan. There are a few references to Kryptik, Simda, and Rodricter (which is part of the Simda family, it seems). Some quick google searching for these malware names leads to a few decent pages to research:

Simda: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FSimda#tab=2

Kryptik: http://blog.fortinet.com/W32-Kryptik-AX-tr---A-Masterful-FTP-Trojan/

Note:  Later in the post I discovered that there is actually a 32-bit component in the form of Win32/Claretore, which is a member of the Simda family. More on that later.

Now that we have some reference material for when we do behavioral analysis later, lets finish collecting basic information about the file. Next, a quick auto scan via peframe:

C:\Users\admin\Desktop\Tools\PE Tools\peframe>peframe.py -a C:\Users\admin\Desktop\unknown.exe
File Name:      unknown.exe
File Size:      177664 byte
Compile Time:   2010-02-26 00:43:11
DLL:            False
Sections:       5
MD5   hash:     464f4c6477613aaaf1f8195b5e77cab0
SHA-1 hash:     59d83ad05c6fb4ef1d17636692fa8cd9c60fffc1
Packer:         None
Anti Debug:     None
Anti VM:        None

File and URL:
FILE:           KERNEL32.dll
URL:            None

Suspicious API Functions:
Func. Name:     GetCommandLineA
Func. Name:     VirtualAlloc

Suspicious API Anti-Debug:

Suspicious Sections:
Sect. Name:     DATA
MD5   hash:     739c32c979bb45cad8563bfbbc15439d
SHA-1 hash:     10ba28ceb02a7479c7bc8aaaf8840ab751c71cd7
Sect. Name:     BSS
MD5   hash:     a3c0e191bd4eb60320d1e3781667397c
SHA-1 hash:     e5ed43c0c1e21bb881d3828ee7c875851a1ea5cd
Sect. Name:     .edata
MD5   hash:     90e0281621601ef5b4988bd0b9814939
SHA-1 hash:     cfaa206cc179211489c71ceb51d1e8393fbc73d9
Sect. Name:     .reloc
MD5   hash:     2c38765194d27b75f56d0565088a53ee
SHA-1 hash:     217125fcb30e489e2ecc55be03157344f4a06db8

No packer detected, so let's take a look at strings output to see if there's anything that stands out...

GetCommandLineA
ExitVDM
Module32NextW
OpenMutexW
Module32FirstW
VirtualAlloc
KERNEL32.dll

Those are pretty much the only readable strings in the file. "ExitVDM" in particular is something I haven't seen before. Running a quick google search for "ExitVDM" leads to a multitude of pages all related to malware, but nothing in particular stands out that allows us to identify the malware yet. These strings may be useful later, so let's keep going. Next up is exiftool output:

ExifTool Version Number         : 9.30
File Name                       : unknown.exe
Directory                       : C:/Users/admin/Desktop
File Size                       : 174 kB
File Modification Date/Time     : 2013:07:09 11:44:24-06:00
File Access Date/Time           : 2013:08:11 02:39:16-06:00
File Creation Date/Time         : 2013:08:11 02:39:16-06:00
File Permissions                : rw-rw-rw-
File Type                       : Win64 EXE
MIME Type                       : application/octet-stream
Machine Type                    : AMD AMD64
Time Stamp                      : 2010:02:26 00:43:11-07:00
PE Type                         : PE32+
Linker Version                  : 5.0
Code Size                       : 12288
Initialized Data Size           : 397312
Uninitialized Data Size         : 0
Entry Point                     : 0x1068
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
Subsystem                       : Windows GUI

The compile time here shows that either this was compiled in 2010, or the compile time was changed. With the fairly high detection rate, it's a safe bet to say that this is a pretty old piece of malware.

Behavioral Analysis



Next up, let's run this thing and see what it does. My standard tools for behavioral analysis are Procmon and Process Explorer, both of which can be found in Microsoft's Sysinternals Suite (you can get it here: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx). This pretty much involves little more than setting up both programs, then executing the malware.

Upon executing the malware, nothing visibly happens, aside from the mouse cursor changing to the "busy" circle briefly. However, watching process explorer revealed a few child processes being spawned, only to be killed moments later. A few moments after that, the original exe had deleted itself. I want to get a screenshot of this happening, but it happened so fast the first time that I missed it, so I'll probably run it again later just to get a process explorer screenshot for you.

Edit: Here's a shot of the processes being spawned (or rather, being killed shortly after spawning) in process explorer:



First, it's time to analyze our Procmon logs. The first thing I like to do to get a basic idea of the meaningful things that happened is use a filter in Procmon that shows only actions that involved writing data to disk (this also includes deletions). Set Procmon filter like this:

Category is Write -- you'll have to use the dropdown to select 'category' and then enter 'write' in the text box yourself. Here's the filtered output:


Here we can see a few interesting things happening:

  • Unknown.exe creates a file: 1438bh51ova3si-0.exe
  • Unknown.exe modifies the startup entries in the registry under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Server
  • taskhost.exe deletes internat.exe from the startup entry from the registry
  • 1438bh51ova3si-0.exe creates a file: 1bh96u1i5ix6l-0.tmp
  • 1438bh51ova3si-0.exe creates a file: v9l6rc1k3k14t-0.tmp
  • Unknown.exe attempts to delete itself (it's not successful in this screenshot, but it is successful later)
There are some other interesting behavioral things going on in this screenshot, particularly with modification of UserAssist registry keys, but I'm going to ignore that for the moment and focus on the files that were created.

The two .tmp files were deleted by the malware, but the created exe (1438bh51ova3si-0.exe) is there. Here's the sigcheck info for it:

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\admin\Desktop\1438bh51ova3si-0.exe:
        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    464F4C6477613AAAF1F8195B5E77CAB0
        SHA1:   59D83AD05C6FB4EF1D17636692FA8CD9C60FFFC1
        PESHA1: A14BB471C1949E05C462EAB4143C494570C90944
        SHA256: DC36D538B7A1EE404DFD6E104B9A1EDD7046526E55B3F911BEEA2B422A0EB625


You'll probably notice that the hashes match the original unknown.exe file. This is simply the original exe copying itself to C:\Users\admin\AppData\Local\Temp\ under a different filename. Now that we got that part figured out, what about the other exe files? Going to have to set the lab VM up again and try to grab the .tmp files before they delete themselves.

Edit: When I did the network analysis later in this post, I was able to grab copies of the .tmp files that the main exe creates. Here's the sigcheck info on them (note the filenames are somewhat randomized):

Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Users\admin\Desktop\ht5x0212c7hjs-0.tmp:
        Verified:       Unsigned
        Link date:      12:34 PM 3/26/2008
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    C36254EBF4819085CC714442E331B6F2
        SHA1:   85E6B52A28589FC8AFD100DFAC934F4F42C0447F
        PESHA1: DFA3ABDCC9EBA9AF88D0AF08F0E15D8E30763232
        SHA256: 90C17A1DD07536E7E23A8B0B4C2FFA681741142FEAE817DEFA973C34D4F29D01

VT info(34/45): https://www.virustotal.com/en/file/90c17a1dd07536e7e23a8b0b4c2ffa681741142feae817defa973c34d4f29d01/analysis/1376220409/

C:\Users\admin\Desktop\v9l6rc1k3k14t-0.tmp:
        Verified:       Unsigned
        Link date:      1:43 AM 2/26/2010
        Publisher:      n/a
        Description:    n/a
        Product:        n/a
        Version:        n/a
        File version:   n/a
        MD5:    91C95A72D439F93939A7B0BE8C995A36
        SHA1:   BAF6A9D6E61D9F5AB391E6D241B9C96AD8B8A187
        PESHA1: C3AC273E93C6FB4A38EABEA114281667EF841074

        SHA256: 9772E4BED9AAD3A2918176D6C218FBF5B0EA65F78D107FC5A2CF5FB27938C896

VT info(9/45): https://www.virustotal.com/en/file/9772e4bed9aad3a2918176d6c218fbf5b0ea65f78d107fc5a2cf5fb27938c896/analysis/1376220422/

While looking through VT results I noticed references to Win32/Claretore, which is part of the Simda family. A little research lead me to this article from Microsoft. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Claretore#tab=2. I suggest looking at that before you continue reading to see just how closely it matches up with the behavior, etc., of this sample. :)


And the strange startup entry for "Windows Update Server"? 


This is a pretty common attempt by the malware writer to throw off an average user into thinking their new startup entry is legitimate. The malware has added itself to the Run key under HKCU/Software, which will cause the malware to execute any time a user logs in (Edit: Thanks to Harlan Carvey for pointing out that I originally stated (incorrectly) that the malware would execute when the machine boots up). 

Now that we know a few things the malware does, including its persistence method, let's go back and remove the filter we set above. We're going to use a new filter: 

Process Name is unknown.exe

This shows us some more useful info, seen here:


Now things are getting more interesting.

  • Unknown.exe attempting to connect to: 46.105.131.121
  • Unknown.exe creating three new threads with the following PIDs: 1640, 1572, 504
At this point, we know now that the malware is trying to connect to something. I suspect that the process killed itself when it couldn't connect to the internet, and simply sets persistence so it will try to connect every time a user logs on. Being that this is likely some kind of backdoor trojan (based on the research we did earlier and the results from VT), the malware is probably trying to connect to something to await commands from the malware writer. This behavior also seems to match up with our research on Simda from earlier as well. Here's a brief snippet from the article on it:


Trojan:Win32/Simda connects to a remote host and provides information regarding the newly infected computer.

It then receives the configuration information on where to download additional files, and other locations from which to download additional configuration files. Downloaded files are written to the %TEMP% folder, for example C:\Users\<user name>\AppData\Local\Temp. These files may include additional malware.


My guess is the .tmp files from earlier were created by the malware when it attempted to connect to the internet, but ended up deleting them when the connection to the internet failed. We'll come back to the network traffic later when we run the malware with wireshark running. Maybe I'll get a wild hair and let my analysis VM out to the net to see if it's just a backdoor, or if it's a downloader (or both!).

Let's figure out what those PIDs are. Again we can use a filter in Procmon to filter by PID. You may notice that the threads exit not long after they are created, so it's possible that it's spawning a process that doesn't do much. Only one way to find out!


Creating 3 separate filters in Procmon to display activity from PIDs 1640, 1572, and 504 didn't display anything. This indicates that the threads were created to do something, but then ended before the threads themselves performed any actions. However, creating a filter for "Parent PID is 1376" (the PID of unknown.exe from our last screenshot) shows us actions performed by 1438bh51ova3si-0.exe which has the PID of 976, seen here:


I've pointed out the interesting parts of this that seem match up with the previous research on Simda. This appears to be the malware collecting information about the operating system and various settings, presumably to send back to the malware writer when it connects to the internet. Speaking of connecting to the internet...

Network Traffic Analysis



We already know the malware tries to get out to the net, so let's reset the lab and then capture all the traffic generated by the malware using Wireshark. In this case, I've pointed my malware analysis VM to my Remnux VM (set default gateway and DNS IP address on the analysis vm to the IP of the Remnux vm) in order to capture the traffic. Depending on what type of queries the malware makes, netcat, honeyd, ircd, or a combination of the three may be needed.

Without using anything but wireshark, we can see the malware trying to query an oddly named domain (dryqvazjcobtr.com/.net):


It also attempts to connect to the same IP address mentioned earlier: 46.105.131.121 on port 80, and we need to know what it's trying to do.

How do we tackle this? honeyd to the rescue! Remnux VM has honeyd already installed, so starting it up is a manner of entering honeyd start at the terminal. Honeyd is a lightweight honeypot client that can intercept IP based traffic. In this case, I have honeyd configured to spoof a web server (using the web.sh script that's already written on Remnux). The malware wants to connect to a web server on port 80, so I'm giving it what it wants. Here's another snippet of the packet capture while honeyd is running:


We can see it issuing some GET requests for something, so following the TCP stream gets us some more intel:


The "404 Not Found" response is honeyd responding just like a real web server would. :) Notice the host: report.w713ue157.com. The full GET request it's issuing is: hxxp://report.w713ue157.com/?qa5y7i9=%96%98%A8%B0%B5%A5c%ACyth%B8%9Cr%7Bjs%A4%A5%A5%A7%96v%B1g%AEl%A9%A7%A5%A3%B4%A6T%EE%ADn%AA%EB%9CW%AA%A0%92%A0%9F%93%DD%CF%9C%B6%9C%D7f%C7%B8%96%DC%DB%D8k%AAorv%A6%9Afwzc%A6%A6%AE%B7%94z%BAm%A1o%A7%A6%A8%9F%B7%A7e%B9leu%A7%8B%A3%9A%AAk%93%9F%9D%A1%91j%ABg%99i%A2%96%A0%9F%A2%A4%5E%A7gaY%EB%A2aeg%5E%93%A1%A6%B2%85

I attempted to wget the URL above but did not find anything. It's not surprising, but due to the age of the malware, it's likely that the web server that's hosting the malicious content is no longer live. Doing some research into the IP 46.105.131.121 provides even more evidence that we are, in fact, dealing with a variant of Win32/Claretore (which is, again, part of the Win32/Simda family). The article can be found here: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FClaretore.J#tab=2


Conclusion and Summary



My goal here was to accomplish a few things:

  1. Analyze the behavior of the malware, including network activity
  2. Identify with reasonable certainty the specific type of malware I was analyzing
There is certainly a lot more I could analyze here (such as the .tmp files), but I think I've accomplished my original goal quite well of giving readers some insight into malware analysis and my particular thought process, as well as my analysis process. Hope you enjoyed it! Comments are most welcome, and you can always find me via Twitter if you'd like to keep an eye on what I'm working on (or ranting about!).

Intel:
Research:

Tools Used:

7 comments:

  1. Thanks for providing this write-up...it's very interesting to see this information being shared.

    I would suggest one update, though...in the write-up, you say:

    "The malware has added itself to the startup so it will execute every time the system boots."

    The ProcMon tool showed the "Windows Update Server" value being added to the Run key within the HKCU hive; as such, the malware would start up not when the system is booted, but when that user logs in. Reboot the system, and the malware won't run; the same is true if you log in as a different user.

    Again, thanks for sharing the information.

    ReplyDelete
    Replies
    1. Harlan,

      Thanks so much for your comment! I'm quite flattered to find you here. I've learned a lot from your work, especially with registry analysis.

      Thank you as well for pointing out my error; I have made the correction to the post. :)

      Glad you enjoyed the info even with the mistake! Take care.

      -SM

      Delete
  2. Well, I think that what this really illustrates is, much like many of Corey Harrell's posts, is that it's not difficult and it doesn't take a great deal of effort to perform a modicum of malware analysis. Too many times, I think that analysts tend to simply go with assumption, rather than perform any analysis, because they think, "I don't have/know how to use IDAPro, so I can't do malware analysis...", and that simply isn't the case. After all, you've laid out a pretty simple and easy-to-follow process for getting _some_ information about a sample, even in just the early stages of analysis...none of which required any knowledge of PE file formats, etc.

    I do think that it's important to point a couple of things out, as well:

    1. You'll find that some of the artifacts are self-inflicted, due to how the malware was launched. For example, the sample's SubSystem is listed as "GUI", and your ProcMon output shows modifications to the UserAssist subkeys. This is likely a result of how the sample was launched, which may not be the same way that the sample was launched on the infected system, on which the sample was originally found. You'll find the same sort of thing with respect to AV vendor write-ups. For example, here's a blog post that's almost 8 yrs old that illustrates an example of self-inflicted artifacts:
    http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html

    2. Host-based analysis of the infected system can provide significant information about the threat itself, beyond just what you're getting from analyzing the sample. There's a lot of malware that infects a system as a result of a multi-stage delivery mechanism; analysis of the infected system may provide intelligence WRT the different stages, which you're not getting from analyzing the sample in isolation. So, be wary of AV vendor write-ups that state how the malware is delivered...if you pulled a sample off of an infected system, don't rely on the vendor to tell you how the sample was delivered; instead, analyze the system itself.

    ReplyDelete
    Replies
    1. Great tips! I'm still relatively new to malware analysis and certainly have only one direction to go, and that's "up". I do agree that many people who are interested in malware analysis don't even bother getting started with it because of the "stigma" surrounding obtaining and learning to use IDAPro.

      Regarding self-inflicted artifacts, this is something that has never crossed my mind. Definitely something to keep in mind in the future. When I'm doing malware analysis at work, performing host forensics is often included in the process, and that does tend to provide a lot of extra information that isn't necessarily available when analyzing the sample in isolation. This particular sample was sent to me by a friend, so it was just a random sample I chose to analyze without knowing anything about it or the victim's machine. :)

      Thanks again for the valuable feedback!

      Delete
    2. I think that's a good point regarding the sometimes daunting 'learning curve' to IDA and disassembly tools in general and second the creative ideas put forth here. I've found malware research to be much like a puzzle without the picture. Sometimes you have to be creative and inventive.

      Great article and thanks!

      Delete
    3. Jon,

      Nice analogy! Thanks for stopping by - I'm glad you liked the post!

      SM

      Delete
  3. Online Slots in Oklahoma - Where to Play Slots in Oklahoma
    Play online slots in Oklahoma for real money in 2021 with top casino and 원주립카페 slot machines 먹튀 신고 in Oklahoma. Choose from 슬롯 게임 over 70 free 실시간 배팅 사이트 slots and 피망 슬롯 머신

    ReplyDelete