Malware Analysis & Reverse Engineering (Case Study)

 

malware.png

Summary of Findings 

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation Date: 2017-04-24 01:53:22Z
  • Malware Type: Downloader Trojan

VirusTotal reported 27/57 detections flagging the sample as malicious. This dropper steals username and password information from the SAM database of the victim, as evidenced by API calls made through SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using SSLv2.

The malware enumerates the hashes in the SAM database and encrypts them before transmitting the stolen data. In this process it makes use of several cryptographic libraries, including crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll and secure32.dll.

In the graphic below, Wireshark shows that after a successful three-way handshake the dropper loads a Portable Executable file onto the victim host, as indicated on line 5 and by the “MZ” marker visible in the hex pane beneath it. Once the payload has been downloaded, the malware establishes an encrypted connection using SSLv2, as indicated on line 12.

image1

Volatility's imageinfo option displays the suggested operating system profiles for the memory image.

image2

PSLIST identifies the suspect Notepad.exe as process 3860.

image3

image4

Close observation of the snapshot above reveals that Notepad.exe (PID 3860) has a Parent Process ID (PPID) of 2624, which is EXCEL.EXE; in other words, Excel spawned Notepad.

image5

This is an unusual relationship and leads us to believe the EXCEL.EXE file contains malware. Another indicator of compromise (IOC) is that EXCEL.EXE still appears in the “active” list, as seen in the snapshot above, even though the process has terminated.

image6

Additionally, the two processes “System” and “smss.exe”, as seen above, have no session IDs because they start before any session is established; smss.exe is itself the session manager. At any rate, it is not normal for Excel to launch Notepad. This indicates that the malware author intended to deceive the victim into believing they were opening an Excel spreadsheet attachment when in fact they were not.
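The parent/child check described above (an Office process spawning an editor, a terminated process still in the active list, and the expected missing session IDs) can be automated over pslist-style output. The script below is an added example written for this post, not code from the original page or from the Volatility project. Its process table is constructed to mirror the case study (EXCEL.EXE PID 2624 spawning notepad.exe PID 3860) and it assumes a whitespace-separated column layout of Name, PID, PPID, Session and Exit time, which is an assumption rather than Volatility's exact output format.

```python
"""Flag process-tree anomalies in pslist-style output.

Added example for this post; not the page's code and not Volatility itself.
Assumed column layout: Name PID PPID Session Exit ("-" = none).
"""
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid session exit")

# Constructed sample shaped after the case study. "-" marks a missing session
# (processes that start before any session exists) or no exit time (still running).
PSLIST_SAMPLE = """\
System          4     0  -  -
smss.exe      368     4  -  -
csrss.exe     576   368  0  -
explorer.exe 1840  1652  1  -
EXCEL.EXE    2624  1840  1  2017-04-24T01:55:10
notepad.exe  3860  2624  1  -
"""

# Document handlers that have no business launching editors or shells.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"notepad.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_pslist(text):
    """Parse whitespace-separated rows into Proc records; skip malformed rows."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        name, pid, ppid, session, exit_time = parts
        procs.append(Proc(name, int(pid), int(ppid),
                          None if session == "-" else int(session),
                          None if exit_time == "-" else exit_time))
    return procs


def suspicious_spawns(procs):
    """Return (parent name, parent pid, child name, child pid) for odd parent/child pairs."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent is not None
                and parent.name.lower() in OFFICE_PARENTS
                and p.name.lower() in SUSPICIOUS_CHILDREN):
            hits.append((parent.name, parent.pid, p.name, p.pid))
    return hits


def terminated_but_listed(procs):
    """Processes that carry an exit time yet still sit in the active list."""
    return [p.name for p in procs if p.exit is not None]


def missing_session(procs):
    """Processes with no session id; expected only for System and smss.exe."""
    return [p.name for p in procs if p.session is None]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for hit in suspicious_spawns(procs):
        print("suspicious spawn: %s (%d) -> %s (%d)" % hit)
    print("terminated but listed:", terminated_but_listed(procs))
    print("no session id:", missing_session(procs))
```

The parent/child lists are deliberately small; in practice they are tuned per environment, and the "terminated but listed" check is what separates a stale entry seen by pslist from a process that was genuinely unlinked and only recoverable via psscan.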

There are many suspicious API calls made by Notepad.exe as seen below.

image7

Process 3860 (Notepad.exe) makes a number of unnecessary and suspicious API calls, including calls related to encryption, Internet communications, and SAM database access.

image8

Memory location 0x580000 contains an executable that is not registered in the PEB's module list, which is why it was flagged in this case.

image9

Closer examination of the memory dump at 0x580000 shows that it is a suspect PE file.
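The detection logic behind the two paragraphs above (an executable region whose MZ/PE header is valid but whose base address is absent from the PEB's loaded-module list) is shown in the following added example. It is written for this post and is not Volatility's malfind implementation; the region contents, protections, base addresses and the module list are all constructed, with 0x580000 chosen to mirror the address flagged in the case study.

```python
"""Malfind-style check for executable regions not in the loaded-module list.

Added example for this post; not the page's code and not Volatility's malfind.
All regions, addresses and module entries below are constructed test data.
"""
import struct

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of "PE\0\0"


def build_fake_pe(size=0x200, e_lfanew=0x80):
    """Construct a minimal buffer with a valid MZ -> e_lfanew -> PE chain (test data)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


def looks_like_pe(data):
    """True if data starts with MZ and e_lfanew points at a PE signature inside the buffer."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed VAD-like regions: (base, protection, first bytes of the region).
REGIONS = [
    (0x00400000, "PAGE_EXECUTE_WRITECOPY", build_fake_pe()),  # legitimate mapped image
    (0x00580000, "PAGE_EXECUTE_READWRITE", build_fake_pe()),  # injected image, not in PEB
    (0x00600000, "PAGE_EXECUTE_READWRITE", b"\x00" * 0x200),  # RWX with no header
    (0x00700000, "PAGE_READWRITE", build_fake_pe()),          # PE bytes in non-executable data
]

# Constructed PEB module list: base address -> module name.
LOADED_MODULES = {0x00400000: "notepad.exe", 0x77000000: "ntdll.dll"}


def find_unregistered_executables(regions, modules):
    """Return (base, reason) for executable regions that are not registered modules."""
    hits = []
    for base, protection, data in regions:
        if "EXECUTE" not in protection:
            continue                       # only executable memory is of interest
        if base in modules:
            continue                       # legitimately loaded image
        if looks_like_pe(data):
            hits.append((base, "pe-header-not-in-module-list"))
        elif protection == "PAGE_EXECUTE_READWRITE":
            hits.append((base, "rwx-no-header"))  # shellcode-style private RWX memory
    return hits


if __name__ == "__main__":
    for base, reason in find_unregistered_executables(REGIONS, LOADED_MODULES):
        print("0x%08x  %s" % (base, reason))
```

The second reason ("rwx-no-header") goes slightly beyond the case study: malfind also reports private executable regions that carry no PE header at all, since injected shellcode rarely bothers with one. Regions that hold PE bytes but are not executable (0x700000 here) are left alone, which mirrors why a dumped file on disk in a data buffer is not by itself an injection.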

image10

image11

The strings output below reveals many areas of concern regarding API calls that go far beyond what a built-in text editor requires, the most suspicious being the crypt strings and the registry enumeration activity.

image12

image13

There is a great deal of SAM database enumeration activity, as indicated by the strings output. We can see the malware accessing the SAM database below.

image14

metsrv.dll is not a registered DLL; it is the Meterpreter server component. This malware uses Meterpreter to create a reverse shell to any specified listener, providing the attacker with remote access to the host.
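The triage performed by eye over the strings output in the last three paragraphs (crypt APIs, registry enumeration, SAM access and the metsrv.dll artefact) can be turned into a repeatable capability summary. The following is an added example written for this post, not tooling from the original page; the string list is constructed to resemble what the post describes, and the bucket patterns are coarse prefix matches that a practitioner would refine for their own cases.

```python
"""Group a `strings` dump into capability buckets for quick triage.

Added example for this post; not the page's tooling. SAMPLE_STRINGS is constructed.
"""
import re

# Constructed strings, mixing benign editor strings with the indicators described.
SAMPLE_STRINGS = """\
GetProcAddress
LoadLibraryW
CryptAcquireContextW
CryptEncrypt
BCryptGenRandom
NCryptOpenStorageProvider
cryptdll.dll
SamConnect
SamrOpenDomain
SamrEnumerateUsersInDomain
samsrv.dll
RegOpenKeyExW
RegEnumKeyExW
SYSTEM\\CurrentControlSet\\Control\\Lsa
WSAStartup
InternetOpenA
ws2_32.dll
metsrv.dll
stdapi_sys_process_execute
Untitled - Notepad
"""

# Ordered buckets; the first pattern that matches a string wins.
CATEGORIES = {
    "crypto":      re.compile(r"(?i)^(crypt|bcrypt|ncrypt)\w*|cryptdll\.dll"),
    "sam_access":  re.compile(r"(?i)^samr?\w+|samsrv\.dll"),
    "registry":    re.compile(r"(?i)^Reg(Open|Enum|Query|Set)\w*|CurrentControlSet"),
    "network":     re.compile(r"(?i)^(WSA|Internet|Http)\w*|ws2_32\.dll|wininet\.dll"),
    "meterpreter": re.compile(r"(?i)metsrv\.dll|meterpreter|^stdapi_|^priv_"),
}


def triage(strings_text):
    """Return {bucket: [matching strings]} preserving the order seen in the dump."""
    buckets = {name: [] for name in CATEGORIES}
    for s in strings_text.splitlines():
        s = s.strip()
        if not s:
            continue
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                buckets[name].append(s)
                break
    return buckets


def capability_summary(buckets, threshold=3):
    """Buckets with hits, and whether enough distinct capabilities exist to call it suspect.

    A text editor legitimately touches none of these; three or more distinct
    buckets is the (assumed) threshold used here for escalation.
    """
    present = [name for name, items in buckets.items() if items]
    return present, len(present) >= threshold


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for name, items in result.items():
        print("%-12s %d  %s" % (name, len(items), ", ".join(items)))
    print("capabilities:", capability_summary(result))
```

Because the patterns anchor on API-name prefixes, the same script works on the output of Volatility's strings plugin or of plain `strings` over a dumped region; the "first bucket wins" rule keeps a string such as samsrv.dll from being counted twice.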

image15

The GETSIDS command shows the security identifiers (SIDs) associated with a specific process.

image16

As seen below, both the parent Excel process and its child Notepad process have elevated privileges at “High Mandatory Level”. With elevated privileges the malware has greater control over the victim host, giving it the ability to access, enumerate, encrypt, and transmit the stolen SAM hashes across the pre-established SSLv2 encrypted communications link.

image17

image18

References:

GitHub. (2017, April 22). Command Reference Mal. Retrieved August 20, 2017, from https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#malfind

GitHub. (2017, April 22). Command Reference. Retrieved August 20, 2017, from https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#psscan
