Below is a malware analysis report for sample "MISA685" that demonstrates a basic approach to static and dynamic malware analysis.
Verified Malware Sample Integrity
I validated the integrity of the malware sample misa685 by computing its MD5 hash and comparing it against the hash supplied with the sample, 11dd7da7faa0130dac2560930e90c8b1 (MD5 is adequate for matching a sample to a supplied hash, but because it is collision-prone a SHA-256 should be recorded alongside it for sharing and later lookups):
I then checked the sample on VirusTotal (https://www.virustotal.com/#/home/upload), which runs submissions through multiple antivirus engines to see whether a sample has already been identified; searching by hash first avoids uploading a sample that may be sensitive. 55 out of 64 engines detected this file, confirming that it is malicious:
According to VirusTotal, the file was compiled 2012-03-15 20:23:10 (the PE header timestamp, which an author can forge) and first seen in the wild 2014-01-03 23:03:46. It is a small Win32 EXE that follows the Portable Executable (PE) format used for Windows executables and libraries, it targets Intel 386 or later and compatible processors, and it is known by many aliases across the engines. VirusTotal's 'peexe' tag is simply its short label for the file type, not a verdict on what the file does.
I conducted additional research and developed the hypothesis that this sample could be categorized as a trojan downloader or dropper. Downloaders and droppers are helper programs for various types of malware such as trojans and rootkits; a downloader fetches its payload over the network, while a dropper carries the payload embedded and writes it to disk. Usually they are implemented as scripts (VB, batch) or small applications. They carry out little malicious activity themselves, but open the way for an attack by downloading or decompressing and installing the core malicious modules. To avoid detection, a dropper may also create noise around the malicious module by downloading or decompressing some harmless files:
Using PEview I confirmed the file was a PE file with four sections .text, .data, .rsrc, and .reloc:
In the .rsrc section I find a resource named CONFIG, which further supported my hypothesis:
Next, I used the strings command to identify strings that hint at the program's functionality. I found many readable strings, which suggests the file is not packed or obfuscated and further supports my hypothesis. Among them is the string 'brbbot', which further research identified as the name of a well-known malware sample; what I found about brbbot further supports my hypothesis. The most interesting strings and their possible meaning or function are listed below:
| String | Possible meaning/function |
|---|---|
| Software\Microsoft\Windows\CurrentVersion\Run | Run key; a classic malware persistence location. |
| Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) | Hard-coded HTTP User-Agent; a good candidate for a network-based signature. |
| Sleep | Suspends the calling thread for the specified interval; used for sleep and time-trigger evasion. |
| HTTP/1.1 | Hypertext Transfer Protocol version string. |
| POST | HTTP method that submits data to be processed to a specified resource. |
| RegOpenKeyExA | Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host; the registry also holds a great deal of operating system and application configuration. |
| CryptEncrypt | Encrypts data (CryptoAPI). |
| CryptDecrypt | Decrypts data previously encrypted with CryptEncrypt. |
| GetComputerNameA | Retrieves the NetBIOS name of the local computer. |
| CreateProcessA | Creates a new process and its primary thread. |
| CreateFileA | Creates or opens a file or I/O device. |
| GetDC | Retrieves a handle to a device context (DC) for the client area of a specified window or for the entire screen. Spyware that takes screen captures often uses this function. |
| InternetOpenA | Initializes the high-level WinINet Internet access functions such as InternetOpenUrl and InternetReadFile. Searching for InternetOpen is a good way to find the start of Internet access functionality; one of its parameters is the User-Agent, which can make a good network-based signature. |
| InternetConnectA | Opens a File Transfer Protocol (FTP) or HTTP session for a given site. |
| InternetReadFile | Reads data from a previously opened URL. |
| msvcrt.dll | The Microsoft Visual C Run-Time Library; its presence indicates the program was built with a Visual C/C++ toolchain. |
Strings also revealed the names of several dynamic-link libraries (DLLs) and imported functions, which say a great deal about the program's functionality; I enumerated them with Dependency Walker. These imports further support my hypothesis.
Linked Libraries and Functions
Dependency Walker lists the functions an executable imports dynamically. First, I find and explore ADVAPI32.DLL, which provides access to advanced core Windows components such as the Service Manager and the registry. Here I find the CryptEncrypt and CryptDecrypt functions: CryptEncrypt encrypts data, and CryptDecrypt decrypts data previously encrypted with CryptEncrypt. From this I hypothesize that the malware encrypts and decrypts part of its data to keep it secret:
Second, I find and explore KERNEL32.DLL, a ubiquitous DLL that contains core functionality such as access to and manipulation of memory, files, and hardware. I find the CreateFileA, CreateProcessA, and GetComputerNameA functions: CreateFileA creates or opens a file or I/O device, CreateProcessA creates a new process and its primary thread, and GetComputerNameA retrieves the NetBIOS name of the local computer. From this I hypothesize that the malware gathers information about the local computer and can write files and launch processes:
Third, I find and explore USER32.DLL, which contains the user-interface components such as buttons, scroll bars, and the components for controlling and responding to user actions. I find the GetDC function, which retrieves a handle to a device context (DC) for the client area of a specified window or for the entire screen. Spyware that takes screen captures often uses this function, although many benign programs import it too, so on its own it is a weak indicator. From this I hypothesize that the malware may function as spyware:
Fourth, I find and explore MSVCRT.DLL, the Microsoft Visual C Run-Time Library, which indicates the program was built with a Visual C/C++ toolchain:
Fifth, I find WS2_32.DLL, the Winsock library. A program that imports it most likely connects to a network or performs network-related tasks. I see the connect function, which connects to a remote socket; malware often uses this low-level functionality to reach a command-and-control server. From this I hypothesize that the malware performs network-related tasks:
Finally, I find and explore WININET.DLL, which contains higher-level networking functions that implement protocols such as FTP and HTTP. I find the InternetOpenA and InternetReadFile functions. InternetOpenA initializes the high-level WinINet functions such as InternetOpenUrl and InternetReadFile; searching for InternetOpen is a good way to find the start of Internet access functionality, and one of its parameters is the User-Agent, which can make a good network-based signature. InternetReadFile reads data from a previously opened URL. From this and the strings above I hypothesize that the malware uses HTTP to reach a web server acting as its command-and-control server:
I used PEiD to detect whether the file was packed to thwart detection. As I suspected, it was not (PEiD is signature-based and misses custom packers, so a per-section entropy check is a useful complement: packed or encrypted sections typically score close to 8 bits per byte):
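The checks above (verifying the hash, walking the PE section table as PEview does, the strings pass, and the packing check) combined into one script. This is an added example, not the report's own tooling or the tooling of any project; it runs on a constructed, non-executable PE image whose third section is filled with high-entropy bytes to stand in for a packed section, and the indicator patterns are my own small subset of the strings listed earlier. Point triage() at bytes read from disk to use it on a real sample.

```python
"""Added triage helper (example code, not the report's tooling): hashes, PE section
table, per-section entropy as a packing check, and indicator strings."""
import hashlib
import math
import re
import struct

# Indicator patterns: an assumed subset of the strings the report calls out.
INDICATORS = [
    (re.compile(r"CurrentVersion\\Run$"), "persistence: Run key"),
    (re.compile(r"^Mozilla/\d\.\d \(compatible;"), "hard-coded User-Agent (network signature)"),
    (re.compile(r"^Crypt(En|De)crypt$"), "CryptoAPI: encrypted config or traffic"),
    (re.compile(r"^Internet(Open|Connect|ReadFile)A?$"), "WinINet: HTTP client"),
    (re.compile(r"^HTTP/1\.[01]$"), "HTTP version string"),
    (re.compile(r"^CONFIG$"), "resource name: embedded configuration"),
    (re.compile(r"^brbbot$"), "known family name"),
]


def file_hashes(data):
    """MD5 (to compare with the hash supplied with the sample) plus SHA-256."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def shannon_entropy(buf):
    """Bits per byte, 0.0..8.0; packed or encrypted data sits near 7 or above."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk the IMAGE_SECTION_HEADER table; raises ValueError if this is not a PE."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for _ in range(nsec):
        name, _vsize, vaddr, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", image, off)
        blob = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vaddr": vaddr, "raw_size": rsize, "raw_ptr": rptr,
                         "entropy": round(shannon_entropy(blob), 2)})
        off += 40
    return sections


def looks_packed(sections, threshold=7.0):
    """Names of sections whose entropy suggests packing or encryption."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def extract_strings(buf, min_len=6):
    """Printable-ASCII runs, like `strings -n 6`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def tag_strings(strings):
    """Attach a label to every string that matches an indicator pattern."""
    tagged = []
    for s in strings:
        for pattern, label in INDICATORS:
            if pattern.search(s):
                tagged.append((s, label))
                break
    return tagged


def build_sample_image():
    """Constructed minimal PE32 image (DOS stub, headers, three sections); not the real sample."""
    text = b"\x00".join([
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
        b"CryptEncrypt", b"CryptDecrypt", b"InternetOpenA", b"InternetReadFile",
        b"HTTP/1.1", b"POST", b"brbbot",
    ]).ljust(1024, b"\x00")
    rsrc = b"CONFIG\x00".ljust(512, b"\x00")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # pseudo-random
    sections = [(b".text", text), (b".rsrc", rsrc), (b"packed", packed)]
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386 EXE
    optional = struct.pack("<H", 0x10B).ljust(224, b"\x00")                  # PE32 magic only
    headers, body, raw_ptr = b"", b"", 512
    for i, (name, blob) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000 * (i + 1),
                               len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += blob
        raw_ptr += len(blob)
    return (dos + b"PE\x00\x00" + coff + optional + headers).ljust(512, b"\x00") + body


def triage(image):
    sections = parse_sections(image)
    return {"hashes": file_hashes(image), "sections": sections,
            "packed_sections": looks_packed(sections),
            "indicators": tag_strings(extract_strings(image))}


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(key, value)
```

The entropy threshold of 7.0 is a rule of thumb: compiled code lands around 5 to 6.5, and a section above 7 is worth opening in a disassembler to see whether it is an unpacking stub's payload rather than code.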
Digitally signed malware used to be rare, but over the past couple of years the number of such programs has increased as operating systems make it harder to run unsigned files. For example, Windows displays a User Account Control (UAC) warning for unsigned executables that try to gain administrator privileges. Today malware authors use certificates with differing algorithms in the hope of thwarting detection:
aSleep and aTickcount
Using IDA, I find aSleep_0 and aTickcount (IDA's auto-generated names for string literals containing 'Sleep' and 'TickCount'), which may be used to sleep and wake the program to hide its activity. A Sleep call bracketed by tick-count reads is also a common sandbox check: if the elapsed tick count is shorter than the requested delay, the sleep was fast-forwarded by an analysis environment:
I also find a call to SetUnhandledExceptionFilter, which replaces the top-level exception handler of each thread in the process. After this call, if an exception occurs in a process that is not being debugged and reaches the unhandled exception filter, that filter calls the function specified by the lpTopLevelExceptionFilter parameter. Because the filter is not invoked when a debugger is attached (the debugger receives the exception instead), malware uses it as an anti-debugging check: it registers its own filter, deliberately raises an exception, and continues only if that filter ran. This is most likely a means to detect and avoid a user-mode debugger:
Using IDA, I also find the gethostbyname and gethostname imports. gethostbyname performs a DNS lookup on a hostname before making an IP connection to a remote host; hostnames that serve as command-and-control servers often make good network-based signatures. gethostname retrieves the hostname of the local computer; backdoors sometimes use it as part of a survey of the victim machine:
Based on the above static analysis, I used INetSim and ApateDNS to draw network traffic out of the malicious specimen, and monitored its behavior with RegShot, Procmon (with custom filters for malware analysis and forensics), Process Hacker, Autoruns, and Wireshark in order to determine its behavior and the network services it was seeking. I also leveraged an online malware sandbox to run and evaluate the sample.
Modifies the Registry
I find 5 keys deleted and 85 keys added [snippet]:
When run as administrator, the malware creates brbbot in c:\windows\syswow64\ to remain persistent (it also creates c:\misa685.exe, not shown here):
I prove this by rebooting the computer. Once rebooted, I was greeted by the Windows User Account Control (UAC) warning for an unsigned executable that tries to gain administrator privileges:
Creates an Encrypted File
When the sample is run as administrator, the malware creates a small file (probably a configuration file) in the directory from which it was launched:
The file is encrypted:
OllyDbg view of the configuration file being read and of the encryption routines:
Accesses the Network
Capture File Information
Initiates network connections. Instances: 18.104.22.168, 255.2.0.0, 255.255.255.255, 22.214.171.124. Accepts network connections. Instances: 10.149.15.74:
DNS Query for brb.3dtuts.by
The sample uses DNS to resolve brb.3dtuts.by, its command-and-control server:
NBNS Query for WPAD and BRB.3DTUTS.BY
The NetBIOS Name Service (NBNS), often called WINS on Windows systems, is part of the NetBIOS-over-TCP/IP protocol suite. NBNS serves much the same purpose as DNS: it translates human-readable names to IP addresses (e.g., www.wireshark.org to 126.96.36.199). Because NetBIOS can run on top of several network protocols (IP, IPX, and others), other implementations of the NetBIOS services have their own mechanisms for translating NetBIOS names to addresses. NBNS is more limited than DNS in that NetBIOS names live in a flat namespace rather than a hierarchical one (multiple flat namespaces can exist through NetBIOS scopes, but those are rarely used), and NBNS can only supply IPv4 addresses; it does not support IPv6. The NBNS query for BRB.3DTUTS.BY is the NetBIOS fallback that Windows name resolution attempts when DNS does not answer for that name; it comes from the resolver, not from separate logic in the sample, and corroborates the DNS lookup above.
The Web Proxy Auto-Discovery Protocol (WPAD) is a method clients use to locate the URL of a proxy configuration file through DHCP and DNS discovery. Once the configuration file has been found and downloaded, it is executed to determine the proxy for a given URL. WPAD lookups are also generated by ordinary Windows proxy auto-detection, so on their own they are not an indicator of the sample:
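As an added example (not part of the original report), this is how the DNS and NBNS queries described in the two sections above look on the wire and how to decode them: both protocols share the same 12-byte header, a DNS name is a chain of length-prefixed labels, and NBNS first-level-encodes the 16-byte NetBIOS name (15 characters padded with spaces plus a suffix byte) as 32 characters in the range 'A'..'P'. The packets are constructed to mirror the capture rather than taken from it, and the watch-list entry brb.3dtuts.by is the C2 name from the dynamic analysis.

```python
"""Added example: decode question names from raw DNS and NBNS payloads and flag
a watch-listed C2 name. Packets are constructed, not captured."""
import struct

C2_WATCHLIST = {"brb.3dtuts.by"}                        # from the dynamic analysis
QTYPES = {1: "A", 12: "PTR", 28: "AAAA", 0x20: "NB"}    # 0x20 = NBNS name query


def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(payload, offset):
    """Read a label sequence (following compression pointers); returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", payload, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_questions(payload):
    """DNS and NBNS share the header (id, flags, qdcount, ...); returns [(name, qtype)]."""
    _txid, _flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    questions, off = [], 12
    for _ in range(qdcount):
        name, off = decode_name(payload, off)
        qtype, _qclass = struct.unpack_from("!HH", payload, off)
        off += 4
        questions.append((name, qtype))
    return questions


def encode_nbns_name(name, suffix=0x00):
    """First-level encoding: each nibble of the 16-byte NetBIOS name becomes 'A' + nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_nbns_name(encoded):
    """Reverse of encode_nbns_name; returns (name, suffix byte)."""
    e = encoded.encode("ascii")
    raw = bytes(((e[i] - 0x41) << 4) | (e[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_dns_query(txid, name, qtype=1):
    # flags 0x0100: standard query, recursion desired; one question, class IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_nbns_query(txid, name, suffix=0x00):
    # flags 0x0110: name query, recursion desired, broadcast; qtype NB, class IN
    return (struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
            + encode_name(encode_nbns_name(name, suffix)) + struct.pack("!HH", 0x20, 1))


def scan(packets):
    """packets: [(proto, payload)]; returns [(proto, name, qtype, flagged)]."""
    rows = []
    for proto, payload in packets:
        for name, qtype in parse_questions(payload):
            if proto == "nbns":                          # first label is the encoded name
                name, _suffix = decode_nbns_name(name.split(".")[0])
            flagged = name.lower().rstrip(".") in C2_WATCHLIST
            rows.append((proto, name, QTYPES.get(qtype, str(qtype)), flagged))
    return rows


# Constructed packets mirroring the capture: the DNS A lookup for the C2 name, the
# NBNS fallback for the same name, and the WPAD lookups Windows issues on its own.
SAMPLE_PACKETS = [
    ("dns", build_dns_query(0x1234, "brb.3dtuts.by")),
    ("dns", build_dns_query(0x1235, "wpad")),
    ("nbns", build_nbns_query(0x8001, "WPAD")),
    ("nbns", build_nbns_query(0x8002, "BRB.3DTUTS.BY")),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_PACKETS):
        print(row)
```

To run this over a real capture, feed scan() the UDP payloads of packets to port 53 (tagged "dns") and port 137 (tagged "nbns"); the watch-list comparison is case-insensitive because NBNS upper-cases names while DNS preserves the case the client sent.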
DHCP Inform and ACK JohnJohnson-PC
DHCPINFORM, defined in RFC 2131, is sent by a client that already has an IP address (here JohnJohnson-PC) to request additional configuration parameters from the DHCP server, which replies with a DHCPACK. It is one of the discovery methods WPAD uses, since the proxy configuration URL can be delivered in DHCP option 252:
YARA Rule to Detect brbbot.exe
I create a YARA rule to look for malware that encrypts communications to its own command-and-control server, using the indicators found in misa685 and research from other malware samples:
Snort Rule to Identify DNS Traffic
I create a Snort rule to log DNS queries from the ABC Corporation network so that lookups of spyware domains such as brb.3dtuts.by can be reviewed, whether they go to ABC's internal DNS servers or to external ones. Snort matches on the raw DNS wire format: the query name is a sequence of length-prefixed labels (brb.3dtuts.by appears as |03|brb|06|3dtuts|02|by|00|) and the record type is a two-byte code (A = |00 01|, PTR = |00 0C|), so ASCII matches on "A" or "PTR" would never fire. The rule below instead keys on the header of a standard query (one question, no answers) and logs every such query to port 53:
log udp $HOME_NET any -> any 53 (msg:"DNS query"; content:"|00 01 00 00 00 00|"; offset:4; depth:6; logto:"dnsqueries.log"; sid:10501; rev:1;)
Based on the research outlined above, I believe the file is a well-known trojan (brbbot) that modifies the registry to gain persistence, drops a program onto the system (i.e., spyware), and then periodically collects information, including the hostname of the infected machine (the lab host JohnJohnson-PC in this analysis), and opens an HTTP connection to a command-and-control server to receive instructions and upload or download additional commands and data (i.e., it accepts commands through HTTP requests). The authors did little to hide the program's malicious intent.
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master's degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado; Regis University's School of Computer & Information Sciences is designated a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA.