Here is a brief analysis of a Remote Access Trojan (RAT).
Static & Behavioral Analysis
Let’s start by reviewing the file’s definitions and metadata using TrID and exiftool.
The document follows an XML-based format. Let’s unzip the contents of
oledump.py identifies content embedded in the document, but not your typical macros.
We can see an embedded PE in the document.
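An added example (not part of the original write-up) of the check oledump.py performs here: unzip an OOXML document in memory and look for an embedded PE image in any part. A stray "MZ" is not enough on its own; the example also follows e_lfanew (the DWORD at offset 0x3C) and requires the "PE\0\0" signature there, which is how a triage script avoids flagging random bytes. The sample document and the stub PE are constructed inline; the part name word/embeddings/oleObject1.bin is an assumption about where Word stores embedded objects, not something taken from this page.

```python
import io
import struct
import zipfile


def find_pe_offsets(data: bytes):
    """Return the offset of every plausible PE image inside `data`.

    A PE begins with 'MZ'; the DWORD at MZ+0x3C (e_lfanew) points at the
    'PE\\0\\0' signature. Requiring both cuts false positives from a bare 'MZ'.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_off:sig_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_ooxml(doc_bytes: bytes):
    """Map each zip member of an OOXML document to the PE offsets found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            offsets = find_pe_offsets(zf.read(name))
            if offsets:
                findings[name] = offsets
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS header with e_lfanew=0x80, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> 0x80
    hdr += b"\0" * (0x80 - len(hdr))              # pad up to the PE signature
    hdr += b"PE\0\0" + b"\0" * 20                 # signature plus a stub COFF header
    return bytes(hdr)


def build_sample_doc() -> bytes:
    """Constructed OOXML document: ordinary parts plus an embeddings part carrying a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # Stand-in for an OLE container (assumed part name): a header-like
        # prefix of 512 bytes, then the embedded PE image at offset 512.
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0" + b"\0" * 508 + build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for part, offsets in scan_ooxml(build_sample_doc()).items():
        print(f"{part}: PE image at offset(s) {offsets}")
```

On a real sample, replace `build_sample_doc()` with the bytes of the document; a hit inside an embeddings part is the same signal the oledump output above gives, and the offset tells you where to carve the executable for hashing and further analysis.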
Once the embedded executable, dgpf.exe, is executed, a copy is written to
dgp.exe also wrote a file,
SHA-256 hash of dgp.exe into PPEE.
Reviewing the definitions of dgp.exe in TrID.
TrID is unable to identify the format of the additional file, 29–07–2018, that was written to the
Reviewing the PE file in PeStudio reveals imports that are typically used by malware:
RegSetValueExW - Write data to the Windows registry
IsClipboardFormatAvailable - Interact with the clipboard
We also see that the PE file has the import IsDebuggerPresent, used to detect whether it is being debugged or reverse-engineered.
dgp.exe establishes persistence by adding a value to the Run key in the registry:
Registry Run Keys / Start Folder is MITRE ATT&CK Technique T1060.
C2 IP address identified in network traffic and strings in running process memory:
Interesting TCP port 4042 identified with the IP address in strings in running process memory.
Uncommonly Used Port is MITRE ATT&CK Technique T1065.
The TCP connection to 194[.]5.98.173 was reset.
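An added example (not from the original post) of how the memory-strings step above can be scripted for triage: pull printable strings out of a process-memory blob the way `strings` does, find IPv4 addresses, drop private and otherwise non-routable ones, pick up a port when it trails the address as `ip:port` or sits in the next string, and defang the result for reporting. The memory blob is constructed inline; it reuses the indicators the write-up found (194.5.98.173 and TCP 4042) alongside decoy values to show the filtering.

```python
import ipaddress
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")           # runs of >= 4 printable ASCII bytes
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
PORT_SUFFIX = re.compile(r":(\d{1,5})")


def extract_strings(blob: bytes):
    """Printable ASCII strings of length >= 4, in order of appearance."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def defang(ip: str) -> str:
    """194.5.98.173 -> 194[.]5.98.173 so the indicator is safe to paste into a report."""
    first, rest = ip.split(".", 1)
    return f"{first}[.]{rest}"


def _valid_port(text: str) -> bool:
    return text.isdigit() and 0 < int(text) < 65536


def find_network_indicators(blob: bytes):
    """Return {defanged_ip: set_of_ports} for routable IPv4 addresses in the strings.

    A port is attached when the address is followed by ':<port>' inside the
    same string, or when the very next string is a bare port number (the
    layout seen in this sample, where the port sat in a separate string).
    """
    indicators = {}
    strs = extract_strings(blob)
    for i, s in enumerate(strs):
        for m in IPV4.finditer(s):
            try:
                ip = ipaddress.ip_address(m.group())
            except ValueError:           # e.g. an octet above 255
                continue
            if not ip.is_global:         # skip RFC 1918, loopback, link-local, etc.
                continue
            ports = indicators.setdefault(defang(str(ip)), set())
            pm = PORT_SUFFIX.match(s[m.end():])
            if pm and _valid_port(pm.group(1)):
                ports.add(int(pm.group(1)))
            elif i + 1 < len(strs) and _valid_port(strs[i + 1]):
                ports.add(int(strs[i + 1]))
    return indicators


# Constructed stand-in for a process-memory dump: the sample's C2 address and
# port, a Run-key path, a private address with a port, and an invalid address.
SAMPLE_MEMORY = (
    b"\x00\x01\x02MZ\x90\x00\x00\x00\x00"
    b"194.5.98.173\x00\x00\x00\x004042\x00\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"192.168.1.5:443\x00ab\x00256.1.1.1\x00"
)

if __name__ == "__main__":
    for ip, ports in find_network_indicators(SAMPLE_MEMORY).items():
        print(ip, sorted(ports))
```

Run against a real dump (for example, the output of a memory-acquisition tool read as bytes) the same function yields a short list of candidate C2 endpoints to correlate with the network capture, which is the cross-check that confirmed 194[.]5.98.173:4042 above.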