In this section I will be performing some basic dynamic analysis on a binary in order to determine the following: network signatures, host-based signatures, command-execution capabilities, and any other useful IOCs. Again, FlareVM will be used as the host machine for the malware and REMnuxVM will be used to fake a DNS resolver with the help of inetsim.
To start things off with this sample, before doing any dynamic analysis, it is always advisable to take a look at the strings of the binary; using floss and redirecting the output to a txt file makes it easier to read. Below are some interesting strings found in the binary that might prove useful in the following steps of the dynamic analysis.


After getting some strings, it's time to “arm” the malware and try to execute it without the REMnuxVM faking a DNS server, to see what happens. Doing that gives the following error, which also appeared in the strings output.

After the detonation without the “fake internet access”, we will start inetsim and wireshark on the REMnuxVM and try to find any network activity generated by the malware.

We can see that the malware did a 3-way TCP handshake and immediately tried to make an HTTP request to the URI shown in the screenshot. Apart from the URI, there is also a very interesting user agent, and a second HTTP request. This sample may be a dropper, since the second HTTP request is for an executable. Staying in wireshark and following the HTTP stream of the second request, we try to find a bit more information on the malware's attempt to download an executable, but unfortunately the name it is trying to download will not always (if ever) match the name under which the file is written on the filesystem.

Moving forward, we will try to find some host-based indicators/signatures to figure out what the malware sample is doing on the host it is running on. In order to get a clean read on that, it is important to first reset FlareVM to a clean pre-detonation state, “re-arm” the malware, and run it again with REMnux acting as the fake DNS resolver. Based on the strings found in the malware sample, a hypothesis can be made that the malware will try to download an executable and save it in the Startup path; to verify that, procmon will be used.

Following the hypothesis based on the strings, the procmon output is filtered to show “file” related operations whose “path” contains the path found in the strings. As it turns out, the malware appears to be able to dynamically “create” the file path, adding in the “Users\<username>” portion of the path.


From comparing the host-based indicators with the network ones, it is pretty safe to assume that the malware sample is indeed writing the file to disk using a different name from the one it requests from the URI.
For the next set of (host-based) indicators, since the host is making a TCP connection, we will look for TCP artifacts using TCPView; one of those can be an open TCP socket connection. TCPView is part of the Sysinternals suite.

So from this GUI we can sort alphabetically, run the sample, and look for the process it creates.
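The network-versus-host comparison above (requested name on the URI versus the name written into the Startup folder) can be done from exported artifacts rather than by eye. The following is an added example, not code from the original write-up: it parses a constructed HTTP request standing in for the Wireshark stream and a constructed Procmon CSV export, extracts the network signatures (URI, Host, User-Agent) and the successful file writes under a Startup folder, and reports whether the dropped name matches the requested one. All host names, paths and file names are constructed for the example.

```python
import csv
import io
import ntpath

# Constructed HTTP request standing in for the stream followed in Wireshark.
# The sample's real host, URI and user agent are not reproduced here.
HTTP_REQUEST = ("GET /files/update.exe HTTP/1.1\r\n"
                "Host: c2.example.invalid\r\n"
                "User-Agent: Example-Agent/1.0\r\n\r\n")

# Constructed Procmon CSV export (File > Save, CSV format), trimmed to a few rows.
PROCMON_CSV = (
    '"Process Name","Operation","Path","Result"\n'
    '"sample.exe","CreateFile","C:\\Users\\analyst\\AppData\\Local\\Temp\\x.tmp","SUCCESS"\n'
    '"sample.exe","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows'
    '\\Start Menu\\Programs\\Startup\\dropped.exe","SUCCESS"\n'
    '"explorer.exe","ReadFile","C:\\Windows\\explorer.exe","SUCCESS"\n'
)

def network_signatures(request: str) -> dict:
    """Extract the fields a network signature would key on from a raw HTTP request."""
    request_line, *header_lines = request.split("\r\n")
    uri = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip() for k, v in
               (h.split(":", 1) for h in header_lines if ":" in h)}
    return {"uri": uri, "host": headers.get("host"),
            "user_agent": headers.get("user-agent"),
            "requested_name": uri.rsplit("/", 1)[-1]}

def startup_writes(procmon_csv: str, process: str) -> list:
    """Files the process successfully created/wrote under a per-user Startup folder."""
    marker = "\\start menu\\programs\\startup\\"
    return [row["Path"] for row in csv.DictReader(io.StringIO(procmon_csv))
            if row["Process Name"].lower() == process.lower()
            and row["Operation"] in ("CreateFile", "WriteFile")
            and row["Result"] == "SUCCESS"
            and marker in row["Path"].lower()]

def correlate(request: str, procmon_csv: str, process: str) -> dict:
    """Compare the name requested over HTTP with the name(s) dropped into Startup."""
    net = network_signatures(request)
    dropped = sorted({ntpath.basename(p) for p in startup_writes(procmon_csv, process)})
    return {"requested_name": net["requested_name"], "dropped_names": dropped,
            "same_name": net["requested_name"] in dropped,
            "user_agent": net["user_agent"], "host": net["host"]}

if __name__ == "__main__":
    print(correlate(HTTP_REQUEST, PROCMON_CSV, "sample.exe"))
```

On a real case, replace the two constants with the HTTP stream saved from Wireshark and the CSV exported from procmon after the filtered run.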
