Cyberc0re
Malware Analysis of RATs

Malware Analysis

1. Malware.Unknown.exe

File hash & VT analysis

NOTE: VT = VirusTotal. Hash the sample first so the same file can be looked up on VirusTotal and referred to unambiguously later in the report.

command:
sha256sum.exe Malware.Unknown.exe.malz
hash:
92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a  Malware.Unknown.exe.malz

command:
md5sum.exe Malware.Unknown.exe.malz
hash:
1d8562c0adcaee734d63f7baaca02f7c  Malware.Unknown.exe.malz

Basic Static Analysis

  • Strings and FLOSS output

command:
floss Malware.Unknown.exe.malz

FLOSS static Unicode strings
jjjj
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
C:\Users\Public\Documents\CR433101.dat.exe
Mozilla/5.0
http://huskyhacks.dev
ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
open

Most of the important strings appear at the end of the FLOSS output. Together they already sketch the behaviour: a download URL (favicon.ico on ssl-6582datamanager.helpdeskbros.local), a drop path under C:\Users\Public\Documents, a hard-coded User-Agent (Mozilla/5.0), and two cmd.exe one-liners that use "ping 1.1.1.1 -n 1 -w 3000" as a delay before either deleting a file (the "%s" is a format placeholder that is filled in at runtime) or launching the dropped CR433101.dat.exe.
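What FLOSS's static ASCII and Unicode passes are doing can be shown in a few lines. The following is an added example, not code from the original post and not FLOSS itself: the byte blob is constructed to contain some of the strings listed above (one of them stored as UTF-16LE, the encoding the Windows "W" APIs take), and the triage patterns at the bottom are my own assumptions about which string shapes are worth flagging, not rules from the course.

```python
import re

# Constructed stand-in for a few sections of Malware.Unknown.exe.malz: binary
# noise plus strings lifted from the FLOSS output above. One path is stored as
# UTF-16LE to show why a plain ASCII pass misses wide strings. NOT the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"\x00'
    + b"\x01\x02\x03"
    + b"http://ssl-6582datamanager.helpdeskbros.local/favicon.ico\x00"
    + b"\x7f\x00\x00\x00"
    + "C:\\Users\\Public\\Documents\\CR433101.dat.exe".encode("utf-16-le")
    + b"\x00\x00jjjj\x00Mozilla/5.0\x00op\x00"
)


def extract_strings(data: bytes, min_len: int = 4):
    """Return (ascii_strings, wide_strings) found in data, in file order.

    ascii: runs of >= min_len printable bytes (0x20-0x7e), like `strings`.
    wide : runs of >= min_len printable chars each followed by a NUL byte,
           i.e. UTF-16LE text without surrogates, like `strings -e l` or
           FLOSS's "static Unicode strings" pass.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return ascii_strings, wide_strings


# Triage patterns (assumptions for this example): the kinds of strings that
# made the end of the FLOSS output interesting in the first place.
TRIAGE = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "path": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
    "self_delete": re.compile(r"\bdel\s+/f\s+/q\b", re.IGNORECASE),
    "user_agent": re.compile(r"^Mozilla/\d"),
}


def triage(strings):
    """Map each triage label to the extracted strings that match it."""
    hits = {}
    for s in strings:
        for label, rx in TRIAGE.items():
            if rx.search(s):
                hits.setdefault(label, []).append(s)
    return hits


if __name__ == "__main__":
    ascii_s, wide_s = extract_strings(SAMPLE)
    for label, found in triage(ascii_s + wide_s).items():
        print(f"[{label}] " + " | ".join(found))
```

The wide pass is the one that matters on Windows samples: a drop path passed to CreateFileW or ShellExecuteW is stored as UTF-16LE and never shows up in a plain ASCII run, which is why FLOSS reports ASCII and Unicode strings separately.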


IAT & PEView results

Imports of note (names as the author recorded them):
  • DownloadFromURL (the author's label for the URL-to-file download routine)
  • InternetOpenUrlA (WinINet)
  • ShellExecute (used to launch the downloaded file)

Together with the strings these already match the dropper pattern: fetch a URL, write the result to disk, execute it.

Basic Dynamic Analysis

  • Host and network indicators

  Host                       Network
  1. Deletes files           1. Calls out to a domain
  2. Installs persistence    2. Downloads a file

Network Signature

  • Wireshark was used to capture the network signature. With inetsim answering on REMnux, the traffic to look for is the DNS query for ssl-6582datamanager.helpdeskbros.local followed by an HTTP GET for /favicon.ico carrying the Mozilla/5.0 User-Agent seen in the strings.

Host Indicator

  • The sample self-deletes when it cannot reach its URL. With inetsim running on REMnux, both the DNS query and the HTTP request are answered by inetsim, so the download succeeds and the sample carries on. Once I stopped inetsim in my REMnux terminal and detonated the sample again, it deleted itself from disk. The string seen earlier now has its "%s" filled in with the sample's own path:

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe"

The ping is a delay, not a network indicator of interest: with -n 1 -w 3000 cmd.exe waits up to three seconds before Del runs, long enough for the parent process to exit and release its own file.

Program execution flow

If the URL is reachable -> download favicon.ico -> write it to C:\Users\Public\Documents\CR433101.dat.exe (the drop path from the strings) -> run it

If the URL is not reachable -> delete itself from disk -> do not run
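The dependency on inetsim can be reproduced with a small responder: like inetsim's HTTP service it returns a canned 200 for any path, and a client fetches with the dropper's hard-coded User-Agent so the request looks the same on the wire. This is an added example, not the author's lab setup and not inetsim itself. It covers only HTTP (inetsim additionally answers the DNS query for ssl-6582datamanager.helpdeskbros.local, which this does not), and the placeholder body, the port and the 127.0.0.1 URL are assumptions for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# Constructed placeholder body. inetsim hands back a canned file for any path;
# per the observation above, a successful request is what keeps the dropper
# from deleting itself, not any particular content.
FAKE_BODY = b"placeholder-served-instead-of-favicon.ico"


class AnyPathHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 and FAKE_BODY and record what was asked for."""

    seen = []  # (path, User-Agent) per request: your network IOC log

    def do_GET(self):
        AnyPathHandler.seen.append((self.path, self.headers.get("User-Agent")))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(FAKE_BODY)))
        self.end_headers()
        self.wfile.write(FAKE_BODY)

    def log_message(self, *_):  # keep the console quiet
        pass


def start_fake_server(port: int = 0):
    """Serve on 127.0.0.1:port (0 = any free port) in a daemon thread.
    Returns (server, port); call server.shutdown() when done."""
    srv = HTTPServer(("127.0.0.1", port), AnyPathHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_like_dropper(url: str, user_agent: str = "Mozilla/5.0"):
    """Plain GET with the dropper's User-Agent. Proxy settings are bypassed so
    the request really goes to the address in the URL. Returns (status, body)."""
    opener = build_opener(ProxyHandler({}))
    req = Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv, port = start_fake_server()
    status, body = fetch_like_dropper(f"http://127.0.0.1:{port}/favicon.ico")
    print(status, len(body), AnyPathHandler.seen[-1])
    srv.shutdown()
```

In a lab you would bind the responder on the REMnux side and point the Windows VM's DNS at that host; the AnyPathHandler.seen list then gives the same request path and User-Agent you would otherwise pull out of Wireshark, and stopping the responder reproduces the self-delete branch.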

Name: Dropper.DownloadFromURL.exe


2. RAT.Unknown.exe.malz (Dynamic Analysis)

  • Strings / FLOSS output:

@SSL support is not available. Cannot connect over SSL. Compile with -d:ssl to enable.
@https
@No uri scheme supplied.
InternetOpenW
InternetOpenUrlW
@wininet
@wininet
MultiByteToWideChar
@kernel32
@kernel32
MessageBoxW
@user32
@user32
@[+] what command can I run for you
@[+] online
@NO SOUP FOR YOU
@\mscordll.exe
@Nim httpclient/1.0.6
@/msdcorelib.exe
@AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
@intrt explr
@http://serv1.ec2-102-95-13-2-ubuntu.local

Initial Detonation


Wireshark observation after detonation

Dechaining / decoupling: the name of the file requested over the network does not have to match the name it is written under on disk. Here the strings contain both /msdcorelib.exe (a URI path) and \mscordll.exe (a local file name), so the network indicator and the host indicator have to be correlated rather than assumed to be the same artefact.

Potential

File download: GET /msdcorelib.exe from http://serv1.ec2-102-95-13-2-ubuntu.local, with the "Nim httpclient/1.0.6" User-Agent seen in the strings

Host-based indicators

  • Persistence: a binary written to the user's Startup folder (AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup), so it is launched again at every logon
  • A TCP socket in the LISTENING state
  • Command execution: the strings "[+] what command can I run for you" and "[+] online" are the prompt and status messages of an interactive command channel

NOTE: this is a bind shell: the trojan listens on a port and the operator connects in and issues commands (the opposite of a reverse shell, which calls out to the operator). A listening socket plus a "what command" prompt is what makes the bind-shell classification stick.
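Detection logic for the host indicators of both samples, as an added example rather than anything from the post: constructed process-create, file-create and listening-socket events in the shape you would extract from Sysmon (event IDs 1 and 11) and netstat -ano, run through the checks a triage script would apply. Every path, parent and port in the event list is constructed for the example; in particular the RAT's listening port is not given in the post, and 4444 is a placeholder.

```python
import re

# Signatures derived from the strings and behaviour documented above.
SELF_DELETE_RE = re.compile(
    r"cmd\.exe\s+/c\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+.*&\s*del\s+/f\s+/q",
    re.IGNORECASE,
)
PING_THEN_RUN_RE = re.compile(
    r"ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+.*&\s*(?P<target>[A-Za-z]:\\\S+\.exe)",
    re.IGNORECASE,
)
PUBLIC_DROP_RE = re.compile(r"\\Users\\Public\\", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)

# Constructed events (not real telemetry): what the two detonations would look
# like as process creates, file creates and listening sockets, plus some noise.
EVENTS = [
    # Dropper with inetsim down: the ping-delayed self-delete chain
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe",
     "cmdline": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe"'},
    # Dropper with inetsim up: payload written to the Public profile, then launched
    {"type": "file", "image": r"C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe",
     "target": r"C:\Users\Public\Documents\CR433101.dat.exe"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\Cyberc0re\Desktop\Malware.Unknown.exe",
     "cmdline": r"cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe"},
    # RAT: Startup-folder persistence and a listening socket (port is a placeholder)
    {"type": "file", "image": r"C:\Users\Cyberc0re\Desktop\RAT.Unknown.exe",
     "target": r"C:\Users\Cyberc0re\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscordll.exe"},
    {"type": "listen", "image": r"C:\Users\Cyberc0re\Desktop\RAT.Unknown.exe",
     "laddr": "0.0.0.0", "lport": 4444},
    # Benign noise that must not fire
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /C dir"},
    {"type": "listen", "image": r"C:\Windows\System32\svchost.exe",
     "laddr": "0.0.0.0", "lport": 135},
]


def detect(events):
    """Return (finding, artefact) pairs for every event that matches an indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            cmdline = ev["cmdline"]
            if SELF_DELETE_RE.search(cmdline):
                findings.append(("self_delete_via_ping", ev["parent"]))
            m = PING_THEN_RUN_RE.search(cmdline)
            if m:
                findings.append(("delayed_exec", m.group("target")))
        elif ev["type"] == "file":
            target = ev["target"]
            if STARTUP_RE.search(target):
                findings.append(("startup_persistence", target))
            elif PUBLIC_DROP_RE.search(target) and target.lower().endswith(".exe"):
                findings.append(("public_profile_drop", target))
        elif ev["type"] == "listen":
            # A user-profile binary holding a listening socket is the bind-shell tell.
            if not ev["image"].lower().startswith("c:\\windows\\"):
                findings.append(("user_binary_listening", f'{ev["image"]}:{ev["lport"]}'))
    return findings


if __name__ == "__main__":
    for name, artefact in detect(EVENTS):
        print(f"{name:24s} {artefact}")
```

The listening-socket check is deliberately crude (anything outside C:\Windows\); on a real host it would be an allowlist of known listeners, but on an analysis VM with a known baseline it is exactly the question you ask after detonating a suspected RAT.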

Re-evaluated

Name: RAT.commandshell.exe

Source: https://fuwari.vercel.app/posts/malware-analysis/
Author: Cyberc0re
Published: 2022-05-01