5-Minute Analysis of a Remote Access Trojan
Here is a brief analysis of a Remote Access Trojan (RAT).
File Details
SHA-256: f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81
MD5: 2983b3a85ed23a6eaaedfde08be513b8
File Name: Finance Approval.doc
Static & Behavioral Analysis
Let’s start by reviewing the file type and metadata using TrID and exiftool.
Despite the .doc extension, the document follows the zipped, XML-based Office Open XML format, so we can simply unzip the contents of Finance Approval.doc.
oledump.py identifies content embedded in the document, but not your typical macros: we can see an embedded PE in the document.
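As an added example (not part of the original analysis, and not oledump.py), the following Python script does the same discovery from the zip side: it walks every member of an OOXML container and reports any PE image whose DOS header (e_lfanew at offset 0x3C) actually points at a PE signature, which is what separates a real embedded executable from the bare "MZ" byte pairs that turn up in ordinary text. The document it scans is constructed in memory and stands in for Finance Approval.doc: a minimal OOXML zip with a fake PE stub behind an OLE header in word/embeddings/oleObject1.bin. Real embedded objects are OLE compound files, so the scan works on raw bytes rather than parsing the CFB structure.

```python
import hashlib
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header


def iter_pe_offsets(data):
    """Yield offsets of MZ headers whose e_lfanew (DOS header + 0x3C) points at 'PE\\0\\0'.

    Checking e_lfanew weeds out the bare 'MZ' byte pairs that show up in
    ordinary text and in compressed data.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (e_lfanew >= 0x40 and pe_off + 4 <= len(data)
                    and data[pe_off:pe_off + 4] == PE_SIGNATURE):
                yield pos
        pos = data.find(b"MZ", pos + 1)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_embedded_pe(zip_bytes):
    """Scan every member of an OOXML (zip) container and carve PE images.

    Returns one dict per hit: member name, MZ offset, carved size and SHA-256.
    The carve runs to the end of the member, which is right for an Ole10Native
    style blob but may include trailing OLE structures for other packagings.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            for offset in iter_pe_offsets(data):
                carved = data[offset:]
                hits.append({
                    "member": info.filename,
                    "offset": offset,
                    "size": len(carved),
                    "sha256": sha256_hex(carved),
                })
    return hits


def build_fake_pe():
    """Constructed PE stub: DOS header, e_lfanew = 0x80, PE signature, i386 COFF header."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)             # 0x3C bytes of DOS header
    stub += struct.pack("<I", 0x80)                        # e_lfanew -> 0x80
    stub += b"\x00" * (0x80 - len(stub))                   # DOS stub padding
    stub += PE_SIGNATURE + struct.pack("<HH", 0x14C, 1)    # 'PE\0\0', Machine=i386, 1 section
    stub += b"\x00" * 64                                   # rest of the headers, zeroed
    return bytes(stub)


def build_sample_docx():
    """Constructed stand-in for Finance Approval.doc (not the real file):
    a minimal OOXML zip with the fake PE inside word/embeddings/oleObject1.bin."""
    body = ("<w:document><w:body><w:p>Invoice ref MZ-2291, payable on receipt.</w:p>"
            + "<w:p>Line item</w:p>" * 20 + "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        # 'MZ' inside normal document text: must not be reported
        zf.writestr("word/document.xml", body)
        # OLE header bytes in front of the PE, as an embedded package would have
        zf.writestr("word/embeddings/oleObject1.bin",
                    CFB_MAGIC + b"\x00" * 24 + build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_pe(build_sample_docx()):
        print(f"{hit['member']} @ 0x{hit['offset']:x}: "
              f"{hit['size']} bytes, sha256 {hit['sha256']}")
```

Run against a real sample, the SHA-256 of the carved member is what you compare with the hash of the dropped dgp.exe; a mismatch usually means the member carries extra OLE framing after the image, which is why the carve boundary is worth checking by hand.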
Once the embedded executable, dgpf.exe, is executed, a copy is written to %AppData%\dgp\ as dgp.exe.
dgp.exe also writes a file named 29–07–2018 to %AppData%\dgp.
SHA-256 hash of dgp.exe: 8989e69f350d8e0aeae84b2f88ffee0aab8c3e1785e1f67a75fe2dd9abd3aa0f
Dropping dgp.exe into PPEE, and reviewing the definitions of dgp.exe in TrID.
TrID is unable to identify the format of the additional file, 29–07–2018, that was written to the %AppData%\dgp directory.
Reviewing the PE file in PeStudio reveals imports that are typically used by malware:
RegCreateKeyExW and RegSetValueExW - write data to the Windows registry
RegisterClipboardFormatW and IsClipboardFormatAvailable - interact with the clipboard
We also see that the PE file imports IsDebuggerPresent, which can be used to detect whether it is being debugged or reverse-engineered.
None of these imports is suspicious on its own (plenty of legitimate software writes to the registry and reads the clipboard); it is the combination with the behaviour below that matters.
dgp.exe establishes persistence by adding a value to the Run key in the registry:
Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: dgp
Value data: C:\Users\REM\AppData\Roaming\dgp\dgp.exe
Registry Run Keys / Start Folder was MITRE ATT&CK Technique T1060 at the time of this analysis; it has since been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
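The Run-key write above is exactly the kind of event a Sysmon RegistryEvent (Event ID 13, value set) rule catches. As an added example (not part of the original analysis), the following Python flags Run/RunOnce values whose target executable lives in a user-writable directory, the pattern dgp.exe shows by pointing its Run value into %AppData%\Roaming. The records are constructed in the shape Sysmon emits (note that Sysmon reports HKCU as HKU\<SID>); the SID, the benign entries and the OneDrive path are assumptions for illustration, not telemetry from the sample.

```python
import re

# Value written under HKCU\...\Run (Sysmon logs HKCU as HKU\<SID>) or HKLM\...\Run
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Locations an unprivileged user can write to. A Run entry pointing here is the
# shape of the dgp.exe persistence, but per-user installers (OneDrive, Teams,
# Discord) use the same locations, so hits are triage leads, not verdicts.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Roaming|Local|LocalLow)\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\|%APPDATA%|%TEMP%",
    re.IGNORECASE,
)


def extract_image_path(details):
    """Pull the executable path out of Run-key data that may be quoted and may
    carry arguments, e.g. '"C:\\x\\a.exe" /background' -> 'C:\\x\\a.exe'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end != -1 else details[1:]
    m = re.match(r"(.*?\.exe)\b", details, re.IGNORECASE)
    return m.group(1) if m else details.split(" ", 1)[0]


def flag_run_key_persistence(events):
    """Return Run/RunOnce value writes whose target lives in a user-writable directory.

    `events` are Sysmon Event ID 13 (RegistryEvent: Value Set) records reduced to
    dicts with EventID, Image, TargetObject and Details, as a SIEM would expose them.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue
        target = extract_image_path(ev["Details"])
        if USER_WRITABLE_RE.search(target):
            findings.append({
                "value_name": m.group("name"),
                "target": target,
                "writer": ev.get("Image", ""),
                "key": ev["TargetObject"],
            })
    return findings


# Constructed sample records (not real telemetry from the analysis above).
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {   # modelled on the dgp.exe behaviour: the dropped binary registers itself
        "EventID": 13,
        "Image": r"C:\Users\REM\AppData\Roaming\dgp\dgp.exe",
        "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\dgp",
        "Details": r"C:\Users\REM\AppData\Roaming\dgp\dgp.exe",
    },
    {   # benign machine-wide entry under System32: not flagged
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    {   # quoted path with arguments in AppData\Local: flagged, needs an allowlist entry
        "EventID": 13,
        "Image": r"C:\Users\REM\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r'"C:\Users\REM\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    {   # registry write outside the Run keys: ignored
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in flag_run_key_persistence(SAMPLE_EVENTS):
        print(f"[Run key persistence] {f['value_name']} -> {f['target']} (written by {f['writer']})")
```

The OneDrive entry is flagged on purpose: per-user installers put their binaries in AppData too, so this logic is a triage lead that needs an allowlist of known, signed vendor paths before it becomes an alert. The writer (Image) field is the useful tie-breaker: a Run value written by the very executable it points at, from a freshly created %AppData% subdirectory, is the dgp.exe pattern; a value written by an MSI or vendor updater is not.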
The C2 IP address 194[.]5.98.173 was identified both in network traffic and in strings in the running process's memory.
The strings in process memory also pair that IP address with an interesting TCP port, 4042.
Uncommonly Used Port was MITRE ATT&CK Technique T1065 at the time of this analysis; it has since been replaced by T1571 (Non-Standard Port).
The TCP connection to 194[.]5.98.173:4042 was reset, so no C2 session was observed during the analysis.
Indicators
File name: Finance Approval.doc
SHA-256 (Finance Approval.doc): f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81
MD5 (Finance Approval.doc): 2983b3a85ed23a6eaaedfde08be513b8
SHA-256 (dgp.exe): 8989e69f350d8e0aeae84b2f88ffee0aab8c3e1785e1f67a75fe2dd9abd3aa0f
IPv4 address: 194[.]5.98.173
C2 endpoint (TCP): 194[.]5.98.173:4042
Registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgp
File path: %AppData%\dgp\dgp.exe
File path: %AppData%\dgp\29–07–2018