Basic analysis of simple malware#

  • Overview: I am working on increasing my ability to analyze malware to help discover what it does to protect my environment.
  • Objective: understanding its behavior, capabilities, or indicators of compromise (IOCs) to create alerts in a SIEM for future prevention of incidents.

Background#

  • Malware Family: No known malware family
  • Initial Discovery: This is a test malware that was made for training purposes
  • Targets: The target audience are those that want to dive deeper into cybersecurity
  • Known Impacts: Creates a file whose impact is currently unknown; if this were real malware rather than a test sample, the dropped file would need further investigation.

Static Analysis#

  • File Details:

    • Hashes: ![[Malware.unknown hashs.PNG]]
    • VirusTotal:
      • No matches found.
    • File size and type (PE, ELF, etc.) ![[Malware.Unknown_sice data.PNG]]
  • Metadata:

    • Compilation timestamp.
      • ![[Malware.Unknown Complitation Timestamp.PNG]]
    • Embedded resources (icons, strings).
  • Strings Analysis: Notable strings found in the sample (API names, URLs, command fragments).

    • API calls
      • InternetOpenW
      • InternetOpenUrlW
      • DownloadFromUrl
      • ShellExec
    • Enumeration
      • GetCurrentThreadId
      • GetCurrentProcessId
      • GetSystemTimeAsFileTime
      • Caveat: these three imports are also part of the standard MSVC C runtime start-up (they seed the stack cookie), so on their own they do not prove the sample enumerates anything.
    • Anti-Debugging
      • IsDebuggerPresent
      • QueryPerformanceCounter
      • Caveat: the MSVC runtime imports both of these as well (QueryPerformanceCounter for the same cookie seeding), so treat them as weak signals unless the call sites are found in the author's own code rather than CRT start-up.
    • Strings
      • cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "%s"
      • http://ssl-9302382347datamanager.helpdeskbros.local/favicon.ico
      • C:\users\public\documents\CR433101.dat.exe
      • open
  • Packed or Obfuscated?: None.
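The file-details and strings steps above can be reproduced without a GUI. The script below is an added example (not code from the sample or from any tool named in these notes): it hashes the input, reads the COFF TimeDateStamp from the PE header, extracts ASCII and UTF-16LE strings, and tags them with the categories used above, including the CRT start-up caveat. The bytes it runs on are constructed: `build_sample()` returns a minimal MZ/PE header with a placeholder timestamp followed by the strings reported in these notes. Replace it with `open(path, "rb").read()` to triage the real file.

```python
"""Static triage: hashes, PE timestamp, strings and tagging.

Added example for these notes, not code from the sample or from any tool
named above. build_sample() returns a constructed stand-in for the real
file (minimal MZ/PE header with a placeholder timestamp, then the strings
reported in the notes); replace it with open(path, "rb").read().
"""
import hashlib
import re
import struct
from datetime import datetime, timezone


def file_hashes(data):
    """MD5/SHA-1/SHA-256, the values you would look up on VirusTotal."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_timestamp(data):
    """COFF TimeDateStamp as a UTC datetime, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def extract_strings(data, min_len=6):
    """Printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


# Categories mirror the notes; crt_startup is the caveat list: MSVC's runtime
# imports these regardless of what the author's code does.
CATEGORIES = {
    "network_api": ("InternetOpenW", "InternetOpenUrlW", "DownloadFromUrl", "ShellExec"),
    "anti_debug": ("IsDebuggerPresent", "QueryPerformanceCounter"),
    "crt_startup": ("GetCurrentThreadId", "GetCurrentProcessId",
                    "GetSystemTimeAsFileTime", "QueryPerformanceCounter"),
}
IOC_RE = re.compile(r"cmd\.exe /C|ping 1\.1\.1\.1|del /f /q|\.dat\.exe|favicon\.ico|\.local", re.I)


def classify(strings):
    """Map each notable string to the categories it hits; untagged strings are dropped."""
    tagged = {}
    for s in strings:
        tags = [cat for cat, names in CATEGORIES.items() if any(n in s for n in names)]
        if IOC_RE.search(s):
            tags.append("command_or_ioc")
        if tags:
            tagged[s] = tags
    return tagged


def build_sample():
    """Constructed stand-in for Malware.Unknown.exe (not the real bytes)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    placeholder_stamp = int(datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 1, placeholder_stamp, 0, 0, 0, 0x102)
    ascii_blob = b"\0".join([
        b"InternetOpenW", b"InternetOpenUrlW", b"DownloadFromUrl", b"ShellExec",
        b"IsDebuggerPresent", b"QueryPerformanceCounter", b"GetCurrentThreadId",
        b"GetCurrentProcessId", b"GetSystemTimeAsFileTime",
    ])
    wide_blob = "".join(s + "\0" for s in [
        'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "%s"',
        "http://ssl-9302382347datamanager.helpdeskbros.local/favicon.ico",
        "C:\\users\\public\\documents\\CR433101.dat.exe",
    ]).encode("utf-16le")
    return dos_header + b"PE\0\0" + coff + b"\0" * 16 + ascii_blob + b"\0" * 4 + wide_blob


if __name__ == "__main__":
    sample = build_sample()
    print(file_hashes(sample))
    print("compiled:", pe_timestamp(sample))
    for s, tags in classify(extract_strings(sample)).items():
        print(f"{', '.join(tags):>24}  {s}")
```

QueryPerformanceCounter lands in both anti_debug and crt_startup on purpose: that double tag is the reminder that the import list alone cannot tell the two apart.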


Dynamic Analysis#

  • Environment Setup:

    • Tools used: (e.g., Cuckoo Sandbox, Wireshark, Process Monitor).
      • Flare VM
        • Process Monitor
      • REMnux
        • inetsim
        • Wireshark
    • VM configuration (isolated, simulated environment).
      • FLARE VM and REMnux on a host-only, isolated virtual network; REMnux runs INetSim so the sample's DNS and HTTP requests are answered locally and never reach the internet.
  • Behavior Observed:

    • Host
      • Files created/modified. ![[Malware.Unknown ProcMon file creation.PNG]]
      • Processes spawned. ![[Malware.Unknown ProcMon File deletion.PNG]]
    • Network
      • Network communication (domains, IPs contacted).
        • ssl-9302382347datamanager.helpdeskbros.local (HTTP request for /favicon.ico; in this lab the name resolves to and is served by INetSim)
        • 1.1.1.1 (the target of the `ping 1.1.1.1 -n 1 -w 3000` delay command; ping is ICMP, so the 3000 is the timeout in milliseconds, not a destination port)
      • Downloads
        • C:\Users\Public\Documents\CR433101.dat.exe
      • Wireshark packet captures
        • Display filter used to isolate the request
          • http.request.full_uri contains "favicon.ico" ![[Malware.Unknown Wireshark favicon.PNG]] ![[Malware.Unknown favicon http.PNG]]
  • Persistence Mechanisms:

    • Unknown. Further investigation into what CR433101.dat.exe does once downloaded is needed before any persistence can be ruled in or out.

Indicators of Compromise (IOCs)#

  • File hashes: see the hash screenshot under Static Analysis.
  • URL: http://ssl-9302382347datamanager.helpdeskbros.local/favicon.ico
  • Domain: ssl-9302382347datamanager.helpdeskbros.local (parent zone helpdeskbros.local)
  • Dropped file: C:\Users\Public\Documents\CR433101.dat.exe
  • Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "%s"
  • Not an IOC: 1.1.1.1 is Cloudflare's public resolver and is only the target of the delay ping; do not block it or alert on it by itself.

Mitigation and Detection#

  • Preventive Measures: Outline strategies to avoid infection (e.g., patching, email filtering).
    • Monitor API Calls:
      • Process Monitor and Sysmon do not record individual API calls. Watch for the effects of InternetOpenW and InternetOpenUrlW instead: Sysmon Event ID 3 (network connection) and Event ID 22 (DNS query) from a process that has no business talking to the network, or hook the calls with an API monitor or a debugger inside the sandbox.
    • Verify Files:
      • Check for the existence of CR433101.dat.exe in C:\Users\Public\Documents\, and alert on Sysmon Event ID 11 (file create) for any executable written to that folder, especially double extensions such as .dat.exe.
    • Network Monitoring:
      • Inspect traffic to helpdeskbros.local. Do not key on favicon.ico alone: every browser requests it, so the path is only interesting when the requesting process is not a browser or the host is unknown.
    • Logs:
      • Review command-line execution logs (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) for cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q and for the dropped file being launched from Public Documents.
    • Block Network Traffic:
      • If helpdeskbros.local is identified as malicious, block it at the DNS or firewall level.
  • Remediation Steps: Cleaning up infected systems.
    • Kill any process running from C:\Users\Public\Documents\ first (Windows will not delete an executable that is still running), then remove Malware.Unknown.exe and the second-stage file it downloads, CR433101.dat.exe.

Conclusion#

  • Key Takeaways:

    • cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "%s"

      • cmd.exe /C: Runs the specified command string and then terminates the command prompt.
      • ping 1.1.1.1: Pings 1.1.1.1 (Cloudflare's public resolver, an address that is almost always reachable, which is why scripts use it as a timer).
      • -n 1: Sends a single ping request.
      • -w 3000: Waits up to 3000 milliseconds (3 seconds) for the reply.
      • > nul: Discards the output by redirecting it to nul.
      • & del /f /q "%s":
        • &: Chains commands; the next command runs after the previous one.
        • del /f /q: Deletes a file forcefully (/f) and quietly (/q) without confirmation.
        • "%s": A printf-style format specifier, so the program fills in a file path at runtime; per the program flow below, that path is the malware's own executable.
      • Purpose: This is the classic self-delete idiom:
        • The ping acts as a sleep (cmd.exe has no portable delay command, so ping is used as a timer), giving the parent process time to exit.
        • Only once the parent has exited is its image file unlocked, so the del succeeds and the sample removes itself from disk.
    • http://ssl-9302382347datamanager.helpdeskbros.local/favicon.ico

      • This is a URL pointing to a favicon.ico file.
      • Favicon.ico: Typically, this is a small icon associated with a website (e.g., a browser's tab icon). However, in a malicious context, such URLs may:
        • Be used for command-and-control (C2) purposes.
        • Deliver a small payload disguised as an .ico file.
        • Be a decoy to appear harmless.
      • Purpose: The URL could:
        1. Signal back to a remote server (e.g., confirming execution or downloading commands).
        2. Serve a payload disguised as a legitimate .ico file.
    • ping 1.1.1.1 -n 1 -w 3000 > Nul &
    • C:\users\public\documents\CR433101.dat.exe
    • open

      • These three strings sit together and are the pieces of the second-stage launch.
      • ping 1.1.1.1 -n 1 -w 3000 > Nul &: As explained above, a 3-second delay before the next command runs.
      • C:\users\public\documents\CR433101.dat.exe: The path the downloaded favicon.ico content is written to and then executed from.
      • open: Most likely the lpOperation verb for ShellExecute, which matches the ShellExec string found in static analysis; it could also be a command-line argument passed to the executable. Either way the result is the same: the dropped file is executed.
      • Purpose:
        1. Delays for a short period (possibly to allow the download to finish being written).
        2. Executes CR433101.dat.exe, triggering the second stage.
  • Program flow upon execution:

    • If the URL is reachable
      • download favicon.ico from ssl-9302382347datamanager.helpdeskbros.local
      • write it to C:\Users\Public\Documents\CR433101.dat.exe
      • run C:\Users\Public\Documents\CR433101.dat.exe
    • If the URL is not reachable
      • delete Malware.Unknown.exe (the ping-delay self-delete command above)
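The detection ideas in the Mitigation and Detection section and the command breakdown in these takeaways can be turned into a concrete detection pass. The script below is an added example (not code from the sample, from these notes, or from any SIEM product) that runs four rules over Sysmon-style events: the ping-delay self-delete command line, a double-extension executable written under C:\Users\Public\Documents, any DNS query or connection to helpdeskbros.local, and a process started from that folder. The event log is constructed JSON lines that imitate the fields of Sysmon Event IDs 1, 3, 11 and 22; the `analyst` user path and the two benign lines are assumptions for the demo. The self-delete rule also accepts 127.0.0.1 and localhost, which goes slightly beyond the 1.1.1.1 seen here, because those are the other hosts the idiom commonly pings.

```python
"""Detection pass over Sysmon-style events.

Added example for these notes, not code from the sample or from any SIEM.
SAMPLE_LOG is a constructed JSON-lines export that imitates the fields of
Sysmon Event IDs 1 (process create), 3 (network), 11 (file create) and
22 (DNS); the analyst user path and the two benign lines are assumptions.
"""
import json
import re

C2_DOMAIN = "helpdeskbros.local"               # from the favicon.ico URL in the strings
PUBLIC_DOCS = "c:\\users\\public\\documents\\"  # where CR433101.dat.exe is dropped

# ping an always-up host with -n/-w as a sleep, then del: the self-delete idiom.
# The sample uses 1.1.1.1; 127.0.0.1 and localhost are the other usual choices.
SELF_DELETE_RE = re.compile(
    r'ping\s+(?:1\.1\.1\.1|127\.0\.0\.1|localhost)\s+-n\s+\d+.*?'
    r'&\s*del\s+(?:/[a-z]\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.IGNORECASE)


def rule_self_delete(ev):
    if ev.get("EventID") != 1:
        return None
    m = SELF_DELETE_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = m.group("target").strip()
    # If the file being deleted is the parent image, the parent is deleting itself.
    self_delete = target.lower() == ev.get("ParentImage", "").lower()
    return f"ping-delay delete of {target}" + (" (parent deletes itself)" if self_delete else "")


def rule_dropped_in_public(ev):
    path = ev.get("TargetFilename", "")
    if ev.get("EventID") == 11 and path.lower().startswith(PUBLIC_DOCS) and DOUBLE_EXT_RE.search(path):
        return f"double-extension executable written: {path}"
    return None


def rule_c2_domain(ev):
    host = ev.get("QueryName") if ev.get("EventID") == 22 else ev.get("DestinationHostname")
    if ev.get("EventID") in (3, 22) and host and host.lower().endswith(C2_DOMAIN):
        return f"{ev.get('Image')} contacted {host}"
    return None


def rule_exec_from_public(ev):
    if ev.get("EventID") == 1 and ev.get("Image", "").lower().startswith(PUBLIC_DOCS):
        return f"process started from Public Documents: {ev.get('CommandLine')}"
    return None


RULES = {
    "self_delete_via_ping_delay": rule_self_delete,
    "dropped_double_extension_in_public": rule_dropped_in_public,
    "c2_domain_contact": rule_c2_domain,
    "execution_from_public_documents": rule_exec_from_public,
}


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events):
    """Return one hit per (rule, event) match; the SIEM alert would be built from these."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                hits.append({"rule": name, "reason": reason, "event": ev})
    return hits


# Constructed log: the chain from the notes plus two benign lines that must not fire.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe", "CommandLine": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 22, "Image": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe", "QueryName": "ssl-9302382347datamanager.helpdeskbros.local"}
{"EventID": 3, "Image": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe", "DestinationHostname": "ssl-9302382347datamanager.helpdeskbros.local", "DestinationPort": 80}
{"EventID": 11, "Image": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe", "TargetFilename": "C:\\Users\\Public\\Documents\\CR433101.dat.exe"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Documents\\CR433101.dat.exe", "CommandLine": "C:\\Users\\Public\\Documents\\CR433101.dat.exe open", "ParentImage": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q \"C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe\"", "ParentImage": "C:\\Users\\analyst\\Desktop\\Malware.Unknown.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\PING.EXE", "CommandLine": "ping 8.8.8.8 -n 4", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\Public\\Documents\\report.docx"}
'''

if __name__ == "__main__":
    for hit in detect(load_events(SAMPLE_LOG)):
        print(f"[{hit['rule']}] {hit['reason']}")
```

The self-delete rule compares the del target with ParentImage so that a genuine self-delete is reported differently from a script that merely cleans up some other file; the plain ping to 8.8.8.8 and the .docx written to Public Documents are there to show the rules stay quiet on ordinary activity.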