Exposing the Modern-day Trojan Horse: A Journey through Binary Forensics on PE (Portable Executable) Files

Prince Denedo
9 min read · Jul 30, 2023


The modern-day Trojan Horse

In the realm of modern-day cyber threats, Trojans have evolved to adopt insidious disguises, often masquerading as desirable or “wanted” files such as PDFs or portable executables (PEs). These digital predators exploit the allure of legitimate documents or applications, luring unsuspecting users into downloading and opening them. Unbeknownst to the victim, these seemingly innocuous files harbor malicious code that grants unauthorized access to their system, leading to potential data theft, espionage, or even complete compromise of the targeted device. This deceptive packaging exemplifies the ingenuity of cybercriminals, urging users to exercise utmost caution and implement robust security measures to safeguard against these cunning cyber-espionage tactics.

Binary Forensics on portable executable files is a critical area of research in the field of cybersecurity. Portable Document Format (PDF) files have long been known as a common vector for cyber threats due to their widespread use and ease of distribution. However, in recent times, a significant rise in cyber threats has been observed through Portable Executable (PE) files, necessitating a comprehensive understanding of these files to combat the escalating risks.

This blog post delves into the analysis of portable executable files, employing a range of powerful tools and techniques to identify potential risks and vulnerabilities. Throughout this investigation, several cutting-edge tools will be explored, with each one playing a crucial role in unraveling the intricate layers of these executable files.

We will begin by briefly introducing some of the industry-standard tools, utilities and platforms in the domain of digital forensics that will be used in this demonstration. They include:

· REMnux

REMnux is a specialized Linux distribution designed for malware analysis and reverse engineering. It comes pre-configured with a comprehensive set of tools for dissecting malicious software, making it an indispensable asset in examining and understanding various types of malware.

· FLOSS

FLOSS (the FireEye Labs Obfuscated String Solver) is a powerful tool used for analyzing Portable Executable (PE) files. It aids in the automatic deobfuscation and extraction of strings from malware samples, helping analysts unveil hidden information within the code.

· Capa

Capa is a static analysis tool used in the identification of behavioral patterns and capabilities within executable files. It assists in categorizing and determining whether a given file behaves similarly to known malware or exhibits malicious traits, aiding in threat intelligence and detection.

· PEFrame

PEFrame is a utility focused on the detection of anomalies and suspicious attributes within Portable Executable (PE) files. By examining headers, sections, imports, exports, and other properties, PEFrame helps in identifying potentially malicious files for further investigation.

· DIE (Detect It Easy)

DIE is a cross-platform application used for identifying file types and determining the nature of executables. It employs signature-based detection to recognize common file formats and assists in understanding the inner workings of unknown files.

· VirusTotal

VirusTotal is a collaborative online platform that allows users to submit files and URLs for scanning by multiple antivirus engines. It provides a quick and comprehensive overview of potential threats associated with the submitted samples, leveraging the power of community-driven threat intelligence.

· Any.Run

Any.Run is a cloud-based malware analysis platform that facilitates the dynamic execution and observation of suspicious files and URLs in a controlled environment. It allows security analysts to observe real-time behavior and interactions, aiding in the identification and understanding of malware actions.

OBJECTIVE:

To familiarize readers with the steps involved in analyzing PE (Portable Executable) files using various industry-standard tools available within the REMnux Linux distribution, as well as online platforms like VirusTotal and Any.Run.

TOOLS USED:

  • REMnux
  • FLOSS
  • Capa
  • PEFrame
  • DIE (Detect It Easy)
  • VirusTotal
  • Any.Run

Note: To run REMnux, any virtualization software such as VirtualBox or VMWare can be used on any host with Virtualization capabilities. For this demonstration, VirtualBox is used.

PROCEDURE

  1. Lab Environment Setup
  • Launch the REMnux Linux distribution using VirtualBox.
VirtualBox interface with REMnux VM set up and running
REMnux workspace
  • Download the sample malicious PE file from TekDefense (https://www.tekdefense.com/downloads/malware-samples/) and extract it.
TekDefense sample malware files
Extracting the archived sample PE file

2. PEFrame Analysis

  • Use the PEFrame tool (peframe command) to perform static analysis on the sample executable.
Static analysis of sample PE file using PEFrame — file sections
  • Observe the presence of a wildcard section in the file, which may indicate potential obfuscation or malicious intent.

From the output above, some key observations can be made. Firstly, in the file section, we observe the presence of a wildcard (*) used in addition to all the other standard file sections such as text, data and rsrc. This could be completely harmless and merely an additional custom section added by the software developer for specific purposes, since custom sections are sometimes used for unique functionalities or specialized data storage. However, in certain cases, malware authors use packers or obfuscation techniques to modify the section names, potentially using wildcards to disguise their presence. Packing is used to compress or encrypt the executable, while obfuscation aims to make analysis and detection more difficult.

In the context of cybersecurity, the presence of a wildcard section could be indicative of malware or other malicious intent. Some sophisticated malware may employ custom sections with non-standard names to evade detection by security software.

On rare occasions, the wildcard section might be the result of artifacts left behind by compilers or linkers during the software development process. These artifacts are usually harmless and can be considered as remnants of the build process.

As a result, it is essential to proceed with caution and conduct further analysis to understand its purpose and potential implications. Additional steps to investigate the content and behavior of the section would be required to ascertain if it poses any security risks or if it’s merely a benign artifact.

  • Analyze the imported functions to gain insights into the executable’s behavior and capabilities.
Static analysis of sample PE file using PEFrame — function import

It can also be observed that the PE file imports 43 functions. This is crucial for several reasons, including the possibility of gaining insights into the behavior and capabilities of the executable. Some imported functions might be associated with networking, file manipulation, or interactions with the system, indicating potential malicious activities or specific functionality of interest.

3. DIE (Detect It Easy) Preview

  • Utilize the DIE utility to preview the file type, header, hash, and strings.
  • Look for unfamiliar file paths or URLs that might indicate malicious activity.
Using the DIE (Detect It Easy) utility to preview the file type and other information such as hash and strings for the sample portable executable — file type.
Using the DIE (Detect It Easy) utility to preview the file type and other information such as hash and strings for the sample portable executable — file info.
Using the DIE (Detect It Easy) utility to preview the file type and other information such as hash and strings for the sample portable executable — file header and hash value.
Using the DIE (Detect It Easy) utility to preview the file type and other information such as hash and strings for the sample portable executable — strings.

4. Capa Behavioural Analysis

  • Employ Capa to identify and assess the capabilities of the portable executable.
  • Categorize and determine if the file exhibits traits similar to known malware.
Using Capa to identify and assess the capabilities of the portable executable

From the preview above, it can be observed that the PE file potentially incorporates the capacity to run native code. The ability to run native code, which executes directly on a system’s CPU, can introduce significant cybersecurity risks. Attackers can exploit code execution vulnerabilities and buffer overflows to inject and execute malicious code, leading to unauthorized access and data breaches. Additionally, native code provides access to hardware, making it susceptible to hardware-based attacks like Meltdown and Spectre. Attackers can also develop stealthy rootkits and malware that evade detection, compromising the system’s integrity. Furthermore, analyzing native code can be challenging, hindering the identification of potential threats. To mitigate these risks, organizations must implement robust security measures, regularly update software, and adopt defense-in-depth strategies to protect against diverse attack vectors and safeguard their systems and data.

5. FLOSS String Extraction

  • Use Floss to extract obfuscated strings in the executable.
  • Analyze the extracted strings for potential indicators of compromise.
Attempting to use Floss to extract obfuscated strings in the executable

In this instance, the output of FLOSS, as seen above, does not reveal any obfuscated strings. This alone, however, does not establish that the PE file is non-malicious. Instead, it presents a valid basis to carry out further forensic analysis on the file, especially using advanced and mature platforms like VirusTotal or Any.Run, both of which maintain comprehensive databases of hashes and signatures that are typically associated with malicious activity or that have previously been flagged.

6. VirusTotal Analysis

  • Upload the sample executable to VirusTotal for additional analysis.
Using VirusTotal to run additional analysis on the portable executable
  • Check the results to see if the file is flagged as malicious by multiple antivirus engines.
Using VirusTotal to run additional analysis on the portable executable (file flagged as malicious)

7. Any.Run Dynamic Analysis

  • Leverage Any.Run for dynamic execution and observation of the sample file in a controlled environment. Extract the MD5 hash of the executable to run a search against the public submissions database on Any.Run.
Extracting the MD5 hash of the sample portable executable file
Using the Any.Run public submissions database to scan the MD5 hash of the portable executable — results clearly mark suspicious activity on the file.
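The section-table triage from step 2 and the hash extraction from step 7 can be reproduced without PEFrame or DIE by walking the PE headers directly. The script below is an added example, not code from the original post or from any of the tools named above: it parses the DOS header, PE signature, COFF header and section table with `struct`, flags non-standard section names, writable-and-executable sections and sections with no raw data, and computes the MD5 and SHA-256 hashes used for VirusTotal and Any.Run lookups. The input is a constructed, minimal PE-shaped byte string (not a real program) with a `*` section; the STANDARD_SECTIONS list is an assumption and should be refined for the toolchain in question. Import-table parsing (the 43 imports PEFrame reported) is left to PEFrame or pefile.

```python
import hashlib
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",  # assumed baseline,
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}             # not exhaustive
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _, rawsize, _, _, _, _, _, chars = SECTION_HDR.unpack_from(data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return sections

def triage(data: bytes) -> dict:
    """Hashes for VirusTotal/Any.Run lookups plus section-level anomalies worth a second look."""
    findings = []
    for s in parse_sections(data):
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is both writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']!r} has no raw data but {s['vsize']:#x} virtual bytes (packer stub?)")
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}

def build_sample() -> bytes:
    """Constructed, minimal PE-shaped fixture (not a runnable program): .text/.data/.rsrc plus a '*' section."""
    def sec(name, vsize, rawsize, chars):
        return SECTION_HDR.pack(name.encode(), vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, chars)
    table = (sec(".text", 0x1000, 0x1000, 0x60000020) + sec(".data", 0x200, 0x200, 0xC0000040)
             + sec(".rsrc", 0x100, 0x100, 0x40000040) + sec("*", 0x8000, 0, 0xE0000020))
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 224, 0x102)  # i386, 4 sections, 224-byte optional header
    optional = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic, remainder zeroed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew points at offset 0x40
    return dos + b"PE\0\0" + coff + optional + table
```

Running `triage(build_sample())` reports three findings, all on the `*` section; on a real sample, pass the file's bytes instead and submit the returned MD5 or SHA-256 to VirusTotal or Any.Run.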

CONCLUSION

In the world of cybersecurity, portable executable files (PE files) have become a hotbed of cyber threats. Just like PDF files, they can hide cunning dangers that wreak havoc on our digital lives. But fear not! We’ve embarked on a thrilling adventure to understand these mysterious files and combat the rising tide of cyber threats.

Our quest took us through the exciting realm of binary forensics, where we wielded powerful tools like Floss, PE Frame, Capa, and DIE. These trusty companions helped us peel back the layers of PE files, revealing their hidden secrets and potential risks.

Unraveling the Clues: Our Investigative Journey

As we delved deeper into our sample .exe file, we stumbled upon fascinating discoveries! Obfuscated strings, non-standard headers, and peculiar file sections sent our excitement soaring. Each finding provided valuable insights, like puzzle pieces waiting to be assembled.

The Plot Thickens: Unmasking the Malware

With our preliminary insights in hand, we knew it was time to dig even deeper. So we turned to VirusTotal and Any.Run, two powerful allies in the fight against malware. Their collaborative intelligence and dynamic analysis revealed the undeniable truth — our sample file was indeed malicious!

The Dynamic Duo: Lab Analysis and Cloud Power

Our journey wasn’t just limited to the confines of our lab. With REMnux as our trusty Linux companion, we harnessed the power of cloud-based services to enhance our understanding. The combination of controlled lab analysis and cloud might proved to be a formidable force in the world of binary forensics.

From Geek to Sleuth: Embracing the Importance of Collaboration

Throughout this exhilarating expedition, we came to appreciate the importance of continuous research and collaboration. As cyber threats evolve, so must our strategies. Together, we stand strong against emerging malware techniques, securing the digital ecosystem for all.

The Final Verdict: A Call to Action

In conclusion, binary forensics on PE files is an essential weapon in our cybersecurity arsenal. Armed with the knowledge gained from this thrilling journey, we’re better prepared to face the challenges ahead. The results of our analysis serve as a launching pad for further research and a reminder of the ever-present need for vigilance in safeguarding our digital world.

Join the Adventure: Safeguarding the Digital Frontier

As technology evolves, so do the threats. But fear not! With the right tools, collaboration, and unwavering determination, we can create a safer and more secure digital frontier for everyone. So, let’s unite in our quest to unmask cyber threats and ensure a brighter and protected digital future.

REFERENCES

David Westcott. (n.d.). PEframe: Portable Executable (PE) Forensic Framework. Retrieved from https://github.com/guelfoweb/peframe

FireEye. (n.d.). FLOSS: The FireEye Labs Obfuscated String Solver. Retrieved from https://github.com/fireeye/flare-floss

VirusTotal. (n.d.). VirusTotal — Free Online Virus, Malware and URL Scanner. Retrieved from https://www.virustotal.com/

Any.Run. (n.d.). Any.Run — Interactive Malware Analysis. Retrieved from https://app.any.run/
