5-Minute Analysis of a Remote Access Trojan

David French
Oct 1, 2018 · 3 min read

Here is a brief analysis of a Remote Access Trojan (RAT).

File Details

SHA-256: f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81

MD5: 2983b3a85ed23a6eaaedfde08be513b8

File Name: Finance Approval.doc

Static & Behavioral Analysis

Let’s start by reviewing the file’s definitions and metadata using TrID and exiftool.

The document follows an XML-based format. Let’s unzip the contents of Finance Approval.doc

oledump.py identifies content embedded in the document, but not your typical macros.

We can see an embedded PE in the document.

Once the embedded executable, dgpf.exe is executed, a copy is written to %AppData%\dgp\ as dgp.exe.

dgp.exe also wrote a file, 29–07–2018 to %AppData%\dgp.

SHA-256 hash of dgp.exe: 8989E69F350D8E0AEAE84B2F88FFEE0AAB8C3E1785E1F67A75FE2DD9ABD3AA0F

Dropping dgp.exe into PPEE.

Reviewing the definitions of dgp.exe in TrID.

TrID is unable to identify the of the format of the additional file, 29–07–2018 that was written to the %AppData%\dgp directory.

Reviewing the PE file in PeStudio reveals imports that are typically used by malware:

  • RegCreateKeyExW and RegSetValueExW - Write data to the Windows registry
  • RegisterClipboardFormatW and IsClipboardFormatAvailable - Interact with the clipboard

We also see that the PE file has the import, IsDebuggerPresent to detect if it is being debugged/reverse-engineered.

dgp.exe establishes persistence by adding a value to the Run key in the registry:

Value name: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgp

Value data: C:\Users\REM\AppData\Roaming\dgp\dgp.exe

Registry Run Keys / Start Folder is MITRE ATT&CK Technique T1060.

C2 IP address identified in network traffic and strings in running process memory: 194[.]5.98.173

Interesting TCP port 4042 identified with IP address in strings in running process memory.

Uncommonly Used Port is MITRE ATT&CK Technique T1065.

The TCP connection to 194[.]5.98.173 was reset.

Indicators

File name: Finance Approval.doc

SHA-256: f2d25b3610d4a5bd7a2940985fbb5091ac173220575c72a651e00d71fa997a81

MD5: 2983b3a85ed23a6eaaedfde08be513b8

SHA-256: 8989E69F350D8E0AEAE84B2F88FFEE0AAB8C3E1785E1F67A75FE2DD9ABD3AA0F

IPv4 address: 194[.]5.98.173

TCP port: 194[.]5.98.173:4042

Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dgp

File name: %AppData%\dgp\dgp.exe

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics

David French

Written by

Threat Hunting | Threat Detection | Malware Analysis | Forensics

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade