GREY TEAM JRNL

Tools Write-Ups R.E. | Malware MISC ABOUT CONTACT

“ x3asic Static Analysis”

Written on October 28th, 2019 by |3ASS3XE

“x3ASIC Static Malware Analysis”

My first Analysis “LAB01-01.exe”

Sample from Practical Malware Analysis Lab Chapter 1| Lab1-1

KEY POINTS

  • Using a host of high-level tools and analysis tactics,a lot of info can be gained on potentially malicious binaries *
  • Malware generally rely on living off the land principles. *
  • Limitations of high-level static analysis.

SECURITY RECOMMENDATIONS

* Only run trusted applications

TABLE OF CONTENTS

INTRO

ANALYSIS

  • LAB01-01.exe
  • LAB01-01.dll

CONCLUSION

MITRE ATT&CK

IoC

  • A:1: DLL Lab01-01.dll matches 35/72 Engines.

  • MD5 HASH: 290934c61de9176ad682ffdd65f0a669

  • A:1: EXE Lab01-01.exe matches 40/70 Engines.
  • MD5 HASH: bb7425b82141a1c0f7d60e5106676bb1

LAB01-1.DLL / LAB01-01.exe are samples from the Practical Malware Analysis series as saying. Despite the malicious characteristics it harbors, the executable and binary duo are not actually malicious. The learning objective from both samples was the value that can be obtained with initial basic static analysis of malicious files.*

VIRUS_TOTAL | Doing the heavy lifting.

Uploading both executable and dll to virus total not only reveals successful signature matches, but also a treasure trove of information on both binaries. LAB01-01.DLL reveals a total of 35/72 signature matches for malicious samples, with an origin date of December 12th, 2010(16:16:38)

While LAB01-01.exe matches a total of 40 engines and an origin time of December 12th, 2010 (16:16:38).

D.O.B.

The near-identical origin dates for both DLL and EXE are good indicators that both programs were created simultaneously and more than likely designed to be work together to complete the same objective.

IMPORT/EXPORT TABLE

With some background information, we can dive a little deeper into our static analysis by trying to piece together malware functionality. Both files designed for win32 architecture, we can look at the Import Tables to derive what functions the Malware is calling.

LAB01-01.dll LAB01-01.exe
KERNEL32.DLL KERNEL32.DLL
MSVRCT.DLL MSVRC T.DLL
WS2_32.DLL —————————-

KERNEL32.DLL MSVRCT.DLL

Why is looking at the Import/ Export tables important? Although malware may have malicious intentions, they are designed like any other program which is to effectively communicate with host computers. While diving into thousands of lines of assembly code may sound exciting, a much more effective method is to see how the binary is communicating and then referencing this information with the assembly code dump.

At a very basic level, we can surmise that LAB01-01.exe being the executable, assumes the role of the dropper. The dropper installs the LAB01-01.dll which has more functionality than the executable. Inspecting the imports that of the DLL, we see kernel32.dll is calling upon the following:

HANDLE OpenMutexW(
                DWORD   dwDesiredAccess,
                BOOL    bInheritHandle,
                LPCWSTR lpName
);

So we can see that DLL at the very minimum this malware is expected to be opening objects within the environment, potentially enumerating what is on the host system.

STRINGS

Using strings is a quick and minimalistic way to pull critical information from suspicious binaries, to extract more information, and ultimately create host bad signatures on the fly. Running strings against the DLL we can make out an IP Address (127.26.152.13). More than likely if this were a real malware this would be the callback address for the Command and Control server. If we run with this theory this can further validate that the payload itself is the DLL; the executable installing the DLL to enable a backdoor for an attacker listening for an incoming connection.

What other indicators can we establish from a deeper static analysis? Well going back to our imports we see several functions being imported by our DLL. The functions inett, addr, connect, and sleep imported for use within our binary. While not malicious in nature, we can create rules to monitor for this behavior to validate if the behavior is indeed not an indicator of compromise.

MITRE / ATT&CK

While this malware is only for training purposes for static analysis technique development, we have still derived enough information to map functionality to the MITRE / ATT&CK framework. Our Executable and DLL seem to have been purposed for both enumerating files on the network using window’s search functions and implement command and control activity on host systems.

The purpose of this file is to both enumerate files on the network using window search functions and implement command and control activity on the objective. The main payload utilizing built-in features of windows creates “PERSISTENCE”(Accessibility Features) within the host environment to enable further threat actor activities.

OpenProcess Function
HANDLE OpenProcess(
  DWORD dwDesiredAccess,
  BOOL  bInheritHandle,
  DWORD dwProcessId
);

Reference:

OpenProcess Function

https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

AnyRun

  • A:1: DLL Lab01-01.dll matches 35/72 Engines.
  • MD5 HASH: 290934c61de9176ad682ffdd65f0a669

  • https://any.run/report/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/b3048910-6bc0-47c3-b490-3b19ca5f1092

  • A:1: EXE Lab01-01.exe matches 40/70 Engines.
  • MD5 HASH: bb7425b82141a1c0f7d60e5106676bb1
  • https://any.run/report/58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47/28331926-01a1-4c2e-8119-5093cf491091

Accessibility Features | MITRE |ATT&CK

https://attack.mitre.org/techniques/T1015/

Feel free to share!

You may also enjoy...