I decided to do a live analysis of one sample I received, which I ran on a highly monitored network with an OpenBSD transparent bridge acting as a honeywall to log and control network traffic.
While I analyzed the network traffic I realized the malware infected the machine with several different specimens of malicious software.
In this post I will do both static and dynamic analysis on each of the received specimens to determine their characteristics and how they work together (and how to remove them safely). As these samples are all old at the time of writing, one could easily use an anti-virus scanner to remove them. The C&C servers referenced here are also no longer alive.
The exploit used to compromise the honeypot was MS08-067, a well-known vulnerability rated critical for Windows systems. It used this vulnerability to download H2.exe, and this is the file I ran in the malware-lab environment.
To extract files from the network dump I used Wireshark; the file streams are shown below.
Downloaded files
Static Analysis
I tried out Yara to find out whether the files were packed or not, and Yara was not able to identify a packer on any of the files except Bren.exe.
As I had done some research on the binary received on my honeypot once before during my studies, I knew that it was packed with an unknown packer. For the rest of the files I did not have a clue, but one would assume they were packed as well.
I will only display VirusTotal information and file info / imports information on each file in this part of the blog.
VirusTotal Information
#   Filename   File type
1   -          PE32 executable (GUI) Intel 80386, for MS Windows
2   -          PE32 executable (GUI) Intel 80386, for MS Windows
3   -          PE32 executable (GUI) Intel 80386, for MS Windows
4   -          PE32 executable (GUI) Intel 80386, for MS Windows
5   -          PE32 executable (GUI) Intel 80386, for MS Windows
6   -          PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
7   -          PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
8   -          PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File info & Imports
I played around with Ruby and Metasm to extract the imports table and other information from the files; alternatively one could use objdump, but it is very verbose. All of the files use a lot of imports, either to unpack themselves or for anti-debugging, as one will see in the pictures I took from a CLI using the tool I made in Ruby. I will not comment on all of these pictures, but one can see hints in some of the sections that the files might be packed. Some funky sizes and addresses are one good hint, indeed.
h2.exe
There was quite a huge list of imports this file uses. Upon first glance I would believe some of these functions are used to confuse the analyst and some are used to unpack this file.
The section ".cod\x1F\x1F" is suspicious, and with strings I can confirm that this file is packed.
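As an added example (not the Ruby/Metasm tool from the post), the following pure-Ruby script parses the PE section table and flags the two packer hints mentioned above: non-printable bytes in a section name and a raw size that is zero or far smaller than the virtual size. The PE header it builds is constructed inline for the demonstration, and the function names are my own.

```ruby
# Added example, not the post's own Metasm tool: a minimal pure-Ruby PE
# section-table parser that applies two of the packer hints from the post,
# a section name with non-printable bytes (like ".cod\x1F\x1F") and a raw
# size that is zero or far smaller than the virtual size (typical of UPX0).
def parse_pe_sections(data)
  raise "missing MZ header" unless data[0, 2] == "MZ"
  pe_off = data[0x3c, 4].unpack1("V")            # e_lfanew
  raise "missing PE signature" unless data[pe_off, 4] == "PE\0\0"
  nsec     = data[pe_off + 6, 2].unpack1("v")    # NumberOfSections
  opt_size = data[pe_off + 20, 2].unpack1("v")   # SizeOfOptionalHeader
  sec_off  = pe_off + 24 + opt_size              # first IMAGE_SECTION_HEADER
  (0...nsec).map do |i|
    name, vsize, vaddr, rsize, raddr = data[sec_off + i * 40, 40].unpack("a8VVVV")
    { name: name.sub(/\0+\z/, ""), virt_size: vsize, virt_addr: vaddr,
      raw_size: rsize, raw_addr: raddr }
  end
end

def suspicious_sections(sections)
  sections.select do |s|
    odd_name = s[:name].empty? || s[:name] =~ /[^[:print:]]/
    # .bss legitimately has no raw data, so it is excluded from the hollow check
    hollow   = s[:raw_size].zero? && s[:virt_size] > 0 && s[:name] != ".bss"
    bloated  = s[:raw_size] > 0 && s[:virt_size] > s[:raw_size] * 4
    odd_name || hollow || bloated
  end
end

# Constructed sample: a bare DOS stub and PE/COFF header (no optional header)
# followed by the given section records, enough for the parser above.
def build_sample_pe(sections)
  dos  = "MZ".ljust(0x3c, "\0") + [0x40].pack("V")
  coff = "PE\0\0" + [0x14c, sections.size, 0, 0, 0, 0, 0].pack("vvVVVvv")
  table = sections.map do |name, vs, va, rs, ra|
    [name, vs, va, rs, ra].pack("a8VVVV") + "\0" * 16
  end
  dos + coff + table.join
end

SAMPLE_SECTIONS = [
  [".text",        0x1000,  0x1000,  0x1000, 0x400],  # normal code section
  ["UPX0",         0x20000, 0x2000,  0,      0x400],  # hollow, filled at runtime
  [".cod\x1F\x1F", 0x5000,  0x22000, 0x800,  0x800],  # non-printable name
]
if __FILE__ == $0 && ARGV[0]
  suspicious_sections(parse_pe_sections(File.binread(ARGV[0]))).each do |s|
    printf("%-10p virt=%#x raw=%#x\n", s[:name], s[:virt_size], s[:raw_size])
  end
end
```

Run it against a real sample with `ruby pe_sections.rb sample.exe`; flagged sections are hints to look closer, not proof of packing.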