Malware Forensics
Peering Inside .exe files with Static and Dynamic Analysis
INTRODUCTION:
In a world where digital threats are evolving and cybercriminals continuously refine their techniques, understanding and combatting malware is a critical aspect of cybersecurity. Malicious software, or malware, takes on various forms, but executable files (.exe) are often the carriers of choice for cybercriminals seeking to infiltrate computer systems.
In this post we’ll take a deep dive into malware analysis using both static and dynamic approaches. Before that, let’s understand the PE structure of the malware we’re going to analyze.
Hash values of the malware file
SHA256: af63001bfd4ed850fb3bf50862ef7265a6822ffc20f6b24ed741975918c56f2c
SHA1: 08efa1e45c564077b2a6d0871cb56f77a5c41418
MD5: 3d5435c4f051e447cfe96c0815876d66
You can download the sample from the MalwareBazaar database using the hash values above.
Disclaimer: Understanding the Risks of Malware Analysis
This blog post aims to provide information about the analysis of malware for educational and cybersecurity awareness purposes. While we encourage readers to learn about malware analysis, it’s essential to understand the potential risks and responsibilities that come with these activities. I recommend that you first set up a virtual machine and then analyze the sample inside it.
Let’s start…
TOOLS USED
⦁ HYPERVISOR: Hyper-V
⦁ OPERATING SYSTEM: Windows 10
⦁ PE STRUCTURE ANALYSIS: Hex Editor, CFF explorer
⦁ STATIC ANALYSIS: Resource Hacker, Detect It Easy, CFF explorer, PE studio, BinText
⦁ DYNAMIC ANALYSIS: Regshot, Network Monitor, Autoruns, 7-Zip
The tools used here require some prior familiarity with them.
PE STRUCTURE ANALYSIS
1) DOS Header:
The DOS header occupies the first 64 bytes of the file, i.e. the first four rows of the hex editor as seen in the image below.
⦁ e_magic: at the beginning of the file you will see the ASCII string “MZ”. It occupies the first two bytes of the DOS header (hexadecimal 4D 5A on disk, or 0x5A4D as a value; Type: WORD), which is read as 5A 4D.
⦁ e_lfanew: the final field in the DOS header, a 4-byte offset (00 00 00 f0; Type: DWORD) that tells where the PE header is located.
How to find the PE header with the help of e_lfanew:
e_lfanew = f0 00 00 00
We have to read the e_lfanew bytes from right to left because of the little-endian scheme to get the offset value. In the little-endian scheme the low-order byte is stored at the starting address (A) and the high-order byte is stored at the next address (A + 1).
Offset = 00 00 00 f0
2) DOS Stub:
The stub is a tiny program, or piece of code, that runs by default when the executable of an application starts. It prints the message “This program cannot be run in DOS mode” when the executable is started in an environment (such as DOS) that cannot run Windows programs.
3) Rich Header:
It contains metadata such as the build environment of the PE file.
4) NT Headers:
They consist of the following three components.
a) Signature: a 4-byte DWORD signature. In this case the offset of the PE header is 000000F0 and the PE signature starts there as 50 45 00 00 (the letters “PE” followed by two terminating zeroes).
PE.. = 00004550
b) Image File Header: It provides basic information about the structure and characteristics of the PE file.
Here are the key elements typically found in the Image File Header:
⦁ Machine: 014C, which means Intel 386; the ‘L’ (0x4C) seen in the hex editor confirms that the file is 32-bit.
⦁ NumberOfSections: 0003
⦁ TimeDateStamp: the PE format stores this value in little-endian hexadecimal, so we have to convert it to big-endian to make it human readable and usable for calculations.
62998c5e hex = 1654230110 dec
Epoch converter website result
⦁ PointerToSymbolTable: 00000000
⦁ NumberOfSymbols: 00000000
⦁ SizeOfOptionalHeader: 00e0 = 224 bytes
⦁ Characteristics: 0103; the flags decoded from this value follow.
c) Image Optional Header: This header contains critical information beyond the basics in the IMAGE_FILE_HEADER structure: fields that tell whether the file is 32-bit or 64-bit, the AddressOfEntryPoint where execution of the image begins, the ImageBase where the file will be memory-mapped, and many more.
5) Sections:
There are three sections.
We can see them in the Detect It Easy or CFF Explorer tool.
6) Overlays:
An overlay is data appended to the end of a PE file that is not mapped into memory.
Calculate overlay:
Size of image = 3,887,104 bytes (convert the hex value to decimal)
Size of image > file size. Hence, an overlay is not present.
There is also another method to check for an overlay.
The last section is .rsrc; by adding its raw data size (SizeOfRawData) to its raw data address (PointerToRawData) we reach the end of the section.
End of the section offset = 2D200
Since this reaches the end of the file, an overlay is not present.
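To make the header walk above concrete, here is a small Python parser (an added example, not code from the original post) that follows e_magic and e_lfanew, checks the PE signature, decodes the IMAGE_FILE_HEADER fields and walks the section table to apply the same PointerToRawData + SizeOfRawData overlay check. It runs on a constructed PE-shaped byte string carrying the values quoted above (e_lfanew 0xF0, Machine 0x014C, three sections, TimeDateStamp 0x62998C5E, Characteristics 0x0103, .rsrc ending at 0x2D200); the section names other than .rsrc and all raw offsets are assumptions, not values read from the real sample.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (names from the PE specification)
CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> section table -> overlay."""
    e_magic, = struct.unpack_from("<H", data, 0)          # "MZ" on disk is WORD 0x5A4D
    if e_magic != 0x5A4D:
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)      # last DWORD of the 64-byte DOS header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":           # DWORD 0x00004550 in little-endian
        raise ValueError("PE signature not at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the 4-byte signature
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 4 + 20 + opt_size     # section table follows the optional header
    for _ in range(nsec):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size))
        off += 40                                          # each IMAGE_SECTION_HEADER is 40 bytes
    end_of_last = max((p + s for _, p, s in sections), default=0)
    return {
        "e_lfanew": e_lfanew, "machine": machine, "is_32bit": machine == 0x014C,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "characteristics": [n for b, n in CHARACTERISTICS.items() if chars & b],
        "sections": sections, "end_of_last_section": end_of_last,
        "overlay_size": max(0, len(data) - end_of_last),   # bytes past the last section
    }

def build_sample(total_size: int = 0x2D200) -> bytes:
    """Constructed PE-shaped bytes carrying the header values quoted in the post (not the real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0xF0)    # e_lfanew = 0x000000F0
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0x62998C5E, 0, 0, 0xE0, 0x0103)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, s, 0x1000, s, p, 0, 0, 0, 0, 0)
                    for n, p, s in [(b".text", 0x400, 0x1C000), (b".rdata", 0x1C400, 0xFC00),
                                    (b".rsrc", 0x2C000, 0x1200)])  # assumed layout; .rsrc ends at 0x2D200
    hdr = dos + b"\0" * (0xF0 - 64) + b"PE\0\0" + file_hdr + b"\0" * 0xE0 + secs
    return hdr + b"\0" * (total_size - len(hdr))

if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info)
    print("overlay present" if info["overlay_size"] else "overlay not present")
```

Passing a file padded beyond 0x2D200 (build_sample(0x2D200 + 16)) reports a 16-byte overlay, which is the case the SizeOfImage comparison alone would not flag.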
STATIC ANALYSIS
It is a method of examining code, design, or other artifacts without executing the program.
1) Resemblance:
Below is the icon of the file, which is present in the resources; we can see the resource contents in “CFF Explorer” as well as in the “Resource Hacker” tool.
Malware authors often use deceptive tactics to hide or disguise their malicious files; one common tactic is to make the malware file appear to be a system file or some other legitimate-looking file.
2) Architecture:
The file is a 32-bit EXE with the following compiler information. This can be confirmed in the “Detect It Easy” tool.
3) Packed:
We can check whether the file is packed in various tools; mainly I have used “Detect It Easy”. If the file is packed with a known packer such as UPX, we can unpack the whole file using the UPX tool available on the internet and then analyze it.
The file is reported as 89% packed, but only the .text section is packed, and its entropy is 7.43.
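The entropy figure quoted above is what packer checks are built on, so here is the computation in Python (an added example, not code from the original post or from Detect It Easy): Shannon entropy per section plus a rough “share of the file in high-entropy sections” number. The 7.0-bit threshold, the formula for that share (DIE’s own formula is not on the page) and the section contents are all assumptions constructed for the demo.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    n = len(data)
    if n == 0:
        return 0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())

def section_report(sections, threshold: float = 7.0):
    """Per-section (name, entropy rounded to 2 places, looks_packed) tuples.
    7.0 is a common rule of thumb, not a DIE constant; compressed resources such as
    PNG icons in .rsrc also score high, so treat a hit as a lead, not a verdict."""
    return [(name, round(shannon_entropy(raw), 2), shannon_entropy(raw) > threshold)
            for name, raw in sections]

def packed_fraction(sections, threshold: float = 7.0) -> float:
    """Share of raw bytes sitting in sections above the threshold. Assumed here as a
    rough stand-in for the 'percent packed' figure DIE shows; DIE's own formula is not on the page."""
    total = sum(len(raw) for _, raw in sections)
    high = sum(len(raw) for _, raw in sections if shannon_entropy(raw) > threshold)
    return high / total if total else 0.0

# Constructed section contents (not dumped from the sample): a uniform byte spread
# stands in for packed code in .text; repetitive data stands in for plain sections.
SAMPLE = [
    (".text", bytes(range(256)) * 256),      # 64 KiB, entropy exactly 8.0
    (".rdata", b"Hello, world!\0" * 1000),   # repetitive text, well below the threshold
    (".rsrc", b"\0" * 4096),                 # a single byte value, entropy 0.0
]

if __name__ == "__main__":
    for name, ent, packed in section_report(SAMPLE):
        print(f"{name:8s} entropy={ent:.2f} {'PACKED?' if packed else ''}")
    print(f"{packed_fraction(SAMPLE):.0%} of file bytes in high-entropy sections")
```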
4) Libraries:
In PE Studio and CFF Explorer we can see the libraries used by the file.
WINHTTP.dll: WinHTTP is designed for use in system services and HTTP-based client applications.
Malware can use WINHTTP.dll to establish communication with remote command-and-control servers: sending and receiving commands, transmitting stolen data, or receiving updates or instructions from a remote server.
5)Imports:
Following are some of the imports used by the file that PE Studio flagged.
⦁ SetVolumeLabelW: Malware can use this function to rename volumes to mimic legitimate system or software names, potentially tricking users into opening or interacting with the malware.
⦁ SetComputerNameA: Malware could use this function to change the computer’s NetBIOS name, potentially hiding itself from, or confusing, network administrators trying to identify the infected machine on the network.
⦁ GetCurrentProcessId
⦁ WinHttpWriteData: This function is typically used when an application needs to send data, such as a POST request with a payload, to a web server as part of an HTTP request. Malware can use it to send sensitive or stolen data to a remote server, a common technique for data theft and exfiltration.
⦁ MapUserPhysicalPages: Malware could misuse MapUserPhysicalPages to manipulate or access physical memory directly, which is extremely dangerous and poses a significant security risk. This is a powerful, low-level Windows API whose use is generally restricted to trusted system software and drivers.
⦁ VirtualProtect: a Windows API function used to modify the protection attributes of a range of pages in the virtual address space of a process. Malware can use VirtualProtect to make a memory region executable, enabling injected malicious code to be executed (process injection).
⦁ FindFirstFileW
⦁ ReplaceFileW
⦁ RemoveDirectoryA
⦁ DeleteFileA
⦁ WriteFile
⦁ GlobalAddAtomA, AddAtomA: These functions are used for data exchange.
⦁ ReadConsoleInputW: It could potentially be used by malicious software for various purposes, such as capturing keyboard input, monitoring user activities, or attempting to interfere with user interactions.
6)String Analysis:
Following are some suspicious strings.
These two exe files are versions of our main file.
WUSE32.dll: This library contains various functions and resources related to the user interface and window management. It is part of the User32 library, which plays a crucial role in managing the graphical user interface (GUI) in Windows applications.
Malware could misuse functions in WUSER32.dll to manipulate windows or user interfaces, intercept user input, or carry out other malicious activities.
This file should be located in the “C:\Windows\System32\” folder; otherwise it could be a Trojan.
After analyzing the file in Resource Hacker, the following content was found inside the string table, marked as the “SINDHI” language.
This could be a suspicious indicator regarding the language of translation.
If the version of the file resembles an IP-address-like structure, that could be a malicious indicator.
7) Dumping the sections:
In the Detect It Easy tool we can dump the sections present in the file and analyze them separately.
After dumping and analyzing the .text section, the following multilingual content was found.
Malware authors might obfuscate their code by converting it to MSIL, making it more challenging to reverse engineer or analyze. Obfuscation techniques can hide the malware’s intent and functionality.
A translation of some of the content present in .text:
From the above text it cannot be confirmed that the text is malicious, but it is multilingual encoded text.
DYNAMIC ANALYSIS
It refers to the examination and evaluation of a program’s behavior while it is actively running in a controlled environment.
Before executing the file there are some things that should be taken into consideration.
Dynamic analysis flow:
i. Set up the environment: use a virtual environment; in our case we are using Hyper-V.
ii. Download the required tools: Sysinternals Suite, NetMon, Wireshark, Regshot.
iii. Disable Windows Defender/antivirus: if it is not disabled, Windows Defender will remove the malware from the system automatically.
iv. Download the malware: download the malware as a zip and extract it using the 7-Zip tool. We can download the malware from the MalwareBazaar website.
v. Disable the internet: we can perform the analysis while connected, but it adds extra entries and makes the analysis a bit more difficult, and there is a risk of the network being misused by the malware.
vi. Execute the malware: execute the malware after launching the analysis tools.
Let’s start the analysis…
Step 1) Launch ProcExp, ProcMon, Wireshark and NetMon to monitor the behavior of the file.
Step 2) Take the first shot using Regshot before executing the file.
Step 3) Execute the file.
Step 4) Analyze the behavior of the file and, after a few seconds, take the second Regshot shot.
Step 5) Now analyze the text file created by Regshot.
In our case, after executing the file, the ProcExp, ProcMon and Wireshark tools crashed and would not open again.
They were giving an error that “you don’t have enough access to perform this task”.
1) Regshot Analysis:
In Regshot, the flags of ProcExp, ProcMon and Wireshark were changed.
Keys added:
This specific key is getting added to the registry under HKLM (HKEY_LOCAL_MACHINE).
Values added:
The exact same value is also getting added to the registry under Tasks, Schedule.
These registry entries could mean that the file is performing privilege escalation.
Files added:
In the above file, the following name was found.
piratekingonline, which seems to be part of some network activity, as there was a lot of network activity present in the file.
On navigating to the bsvvddh file location it was not visible even after setting the view to show hidden items, but by pasting the file path directly it opened within tools.
The hashes of the original file and bsvvddh are the same.
After running the file again, the following files were added.
Apart from bsvvddh there was yet another file, named Firefox Default Browser Agent 71A0AC91F4F8EBF3, with the following content inside.
The file is performing execution and has some special rights; I checked this by right-clicking the file and looking at the Security tab.
This means the dropped file bsvvddh is being executed by the above file and has some special access beyond read, write and execute.
On this basis we can say that the “Firefox Default Browser Agent 71A0AC91F4F8EBF3” file has performed privilege escalation.
Files deleted:
The above file names seem suspicious (they include money, reward, currency, market).
The original file got deleted at the end.
This means the file deletes itself after dropping the files.
2) Autoruns:
The same file, Firefox Default Browser Agent 71A0AC91F4F8EBF3, is present in the Autoruns tool, and it does not have a verified publisher.
This indicates persistence. The original file deletes itself after copying itself to another location, and the copy is run by Firefox Default Browser Agent 71A0AC91F4F8EBF3, which is itself a dropped file.
3) NetMon:
Following are the suspicious network activities found in Network Monitor.
DNS query for piratia.pw
192.168.112.7
204.79.197.203
DNS query for go-piratia.ru
msedge is performing TCP connections with a lot of IPs.
Above are the IPs with which the malware is interacting.
Now, finally, we can check the file against threat intelligence.
4) VirusTotal:
39 vendors out of 72 have marked the file as malicious.
Following are the tactics and techniques that VirusTotal reports the malware as performing.
We have already found that the file is performing the techniques above.
The three domains we found are reported and detected as malicious by many vendors.
192.168.112.7, the IP we found, is a private address, and various malicious files communicate with it.
204.79.197.203 has the communicating files shown above, which are detected as malicious by the majority of vendors.
Understanding the process flow of the malware
As shown in the diagram above, the main file creates a remote thread and injects into explorer.exe to add the keys and values to the registry and perform privilege escalation. After that it drops some files, among which the one named Firefox Default Browser Agent 71A0AC91F4F8EBF3 is added as a task in Task Scheduler to achieve persistence and execute the dropped file bsvvddh.
CONCLUSION:
On the basis of the above analysis, we can conclude that:
⦁ The file crashes ProcExp, ProcMon and Wireshark, hence it is performing privilege escalation, modifying access rights and performing process injection.
⦁ It performs HTTP requests to malicious domains.
⦁ The file contains multilingual/encoded content in its .text and .rsrc sections.
⦁ It makes a copy of itself renamed “bsvvddh”. After spreading itself it self-deletes.
⦁ The file bsvvddh is executed by Firefox Default Browser Agent 71A0AC91F4F8EBF3, which is created by adding keys and values to the registry.
Finally, we can describe the file’s behavior as dropper, injector, spreader and self-deleting; an alternate name would be TROJAN.