5-Minute Analysis of a Remote Access Trojan

Published in

threatpunter

3 min readOct 1, 2018

--

Here is a brief analysis of a Remote Access Trojan (RAT).

File Details

SHA-256: f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81

MD5: 2983b3a85ed23a6eaaedfde08be513b8

File Name: Finance Approval.doc

Static & Behavioral Analysis

Let’s start by reviewing the file’s definitions and metadata using TrID and exiftool.

The document follows an XML-based format. Let’s unzip the contents of Finance Approval.doc

oledump.py identifies content embedded in the document, but not your typical macros.

We can see an embedded PE in the document.

Once the embedded executable, dgpf.exe is executed, a copy is written to %AppData%\dgp\ as dgp.exe.

dgp.exe also wrote a file, 29–07–2018 to %AppData%\dgp.

SHA-256 hash of dgp.exe: 8989E69F350D8E0AEAE84B2F88FFEE0AAB8C3E1785E1F67A75FE2DD9ABD3AA0F

Dropping dgp.exe into PPEE.

Reviewing the definitions of dgp.exe in TrID.

TrID is unable to identify the of the format of the additional file, 29–07–2018 that was written to the %AppData%\dgp directory.

Reviewing the PE file in PeStudio reveals imports that are typically used by malware:

RegCreateKeyExW and RegSetValueExW - Write data to the Windows registry
RegisterClipboardFormatW and IsClipboardFormatAvailable - Interact with the clipboard

We also see that the PE file has the import, IsDebuggerPresent to detect if it is being debugged/reverse-engineered.

dgp.exe establishes persistence by adding a value to the Run key in the registry:

Value name: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgp

Value data: C:\Users\REM\AppData\Roaming\dgp\dgp.exe

Registry Run Keys / Start Folder is MITRE ATT&CK Technique T1060.

C2 IP address identified in network traffic and strings in running process memory: 194[.]5.98.173

Interesting TCP port 4042 identified with IP address in strings in running process memory.

Uncommonly Used Port is MITRE ATT&CK Technique T1065.

The TCP connection to 194[.]5.98.173 was reset.

Indicators

File name: Finance Approval.doc

SHA-256: f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81

MD5: 2983b3a85ed23a6eaaedfde08be513b8

SHA-256: 8989E69F350D8E0AEAE84B2F88FFEE0AAB8C3E1785E1F67A75FE2DD9ABD3AA0F

IPv4 address: 194[.]5.98.173

TCP port: 194[.]5.98.173:4042

Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgp

File name: %AppData%\dgp\dgp.exe

Information Security

Malware Analysis

David French

Written by David French

Editor for

threatpunter

Detection & Response Engineering • Threat Hunting • Threat Research

Help
Status
About
Careers
Press
Blog
Privacy
Terms
Text to speech
Teams