After i unpacked h2.exe i was able to do static analysis and get a good understanding of what was going on without execute the file. It has various tricks to obfuscate the malware and made analysis harder. When executed it will connect to an irc server, join a channel and await further orders which are typical for RAT or a bot if you want.
md5sum: 8359679bbfedeb343f105a1490b992ef
sha1sum: dcc583732e7e00a8f64e873bea6445742d9cd7f2
Imports:
KERNEL32.DLL: lstrcmpiA, GetProcAddress, ExitProcess, GetSystemTime, GetTickCount, lstrlenA, GetCurrentProcess, LoadLibraryA, CloseHandle,
ADVAPI32.dll: LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken,
Based on the imports-table we could expect some sort of process injection as it use LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken from the ADVAPI32 library.
When i first ran strings utility i got a pretty good idea of what was going on but those findings didn't add up with the imports-table above. Based on the output i would expect the malware to use privilege escalation with SeDebugPrivilege and that the bot has the ability to flood. Further on we could expect persistence by hiding it self somewhere on the harddrive with the name avmngs.exe. It will also connect to a domainname as shown in the picture below. And again, since the imports table looks quite incomplete one should lookout for decryption loop to import library functions.
When i opened the file in IDA Freeware i found privilege escalation with SeDebugPrivilege and a Decryption loop to get encoded library strings. It calls the decryption loop with "f424" as argument. Below we can see the difference before it decrypt library names and after.
Immediately after this the malware starts to inject it self into a new process, this will make the malware harder to analyse as well as it will be much harder to detect when a machine is compromised. It parses through running processes with the help of CreateToolhelp32Snapshot and process next etc, which is pretty easy to identify. It injected small portions into explorer.exe so in order to analyse the file further i renamed the process, set a breakpoint on CreateRemoteThread and injected it into a non system process and attached OllyDBG.
Now i could continue to analyse the file and it will repeat the step to decode functions and library names as well as path's to make the malware persistent were obfuscated. Next it created a Mutex with the name cniv,s and i learned how the malware made it self persistent; namely by copying it self into C:\RECYCLER\R-1-5-21-1482476501-1644491937-6820003330-1013\avmngs.exe and added a new entry into windows registry with the name Taskman.
The bot then tries resolve an IP to the domainname we saw in the strings-output earlier and connects to it on port 3322. The IRC server it is connecting to accepts custom made commands as we can see below. It goes through several loops to generate nickname and user information to send. The malware sends PASS eee, KCIK(NICK) nickname, and ssrr(user) and automatically joins a channel by name #dpi. When the bot has joined the channel it gets commanded to download a file with the command !dl <location>, and join another channel - namely #}. Now it just idles those channels and awaits for further instructions.
I started a netcat session listening on port 3322 and used a fakedns ruby script to simulate a real network connection to get the supported commands. The commands i found are similar to this post, as are rest of the bots functions and behavior.
In part 3 i will analyse hj3 executable that got downloaded by this bot.
sha1sum: dcc583732e7e00a8f64e873bea6445742d9cd7f2
Imports:
KERNEL32.DLL: lstrcmpiA, GetProcAddress, ExitProcess, GetSystemTime, GetTickCount, lstrlenA, GetCurrentProcess, LoadLibraryA, CloseHandle,
ADVAPI32.dll: LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken,
Based on the imports-table we could expect some sort of process injection as it use LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken from the ADVAPI32 library.
When i first ran strings utility i got a pretty good idea of what was going on but those findings didn't add up with the imports-table above. Based on the output i would expect the malware to use privilege escalation with SeDebugPrivilege and that the bot has the ability to flood. Further on we could expect persistence by hiding it self somewhere on the harddrive with the name avmngs.exe. It will also connect to a domainname as shown in the picture below. And again, since the imports table looks quite incomplete one should lookout for decryption loop to import library functions.
When i opened the file in IDA Freeware i found privilege escalation with SeDebugPrivilege and a Decryption loop to get encoded library strings. It calls the decryption loop with "f424" as argument. Below we can see the difference before it decrypt library names and after.
Immediately after this the malware starts to inject it self into a new process, this will make the malware harder to analyse as well as it will be much harder to detect when a machine is compromised. It parses through running processes with the help of CreateToolhelp32Snapshot and process next etc, which is pretty easy to identify. It injected small portions into explorer.exe so in order to analyse the file further i renamed the process, set a breakpoint on CreateRemoteThread and injected it into a non system process and attached OllyDBG.
Now i could continue to analyse the file and it will repeat the step to decode functions and library names as well as path's to make the malware persistent were obfuscated. Next it created a Mutex with the name cniv,s and i learned how the malware made it self persistent; namely by copying it self into C:\RECYCLER\R-1-5-21-1482476501-1644491937-6820003330-1013\avmngs.exe and added a new entry into windows registry with the name Taskman.
The bot then tries resolve an IP to the domainname we saw in the strings-output earlier and connects to it on port 3322. The IRC server it is connecting to accepts custom made commands as we can see below. It goes through several loops to generate nickname and user information to send. The malware sends PASS eee, KCIK(NICK) nickname, and ssrr(user) and automatically joins a channel by name #dpi. When the bot has joined the channel it gets commanded to download a file with the command !dl <location>, and join another channel - namely #}. Now it just idles those channels and awaits for further instructions.
I started a netcat session listening on port 3322 and used a fakedns ruby script to simulate a real network connection to get the supported commands. The commands i found are similar to this post, as are rest of the bots functions and behavior.
In part 3 i will analyse hj3 executable that got downloaded by this bot.
Ingen kommentarer:
Legg inn en kommentar