For this malware sample, to get started on the FlareVM, let's extract the sample's most "common" hashes, SHA256 and MD5, and check them on VirusTotal to get an initial understanding of what is going on with this specific sample.

After collecting the file's hashes, it is time to check them on VirusTotal.


As shown, the sample has been flagged as malicious by fifty out of sixty-eight security vendors, which is a good indicator that more analysis needs to take place. Moving on, it is time to extract the strings that are "hidden" in the malware using the tool FLOSS, to try to find any initial indicators that can serve as a guideline in the later dynamic-analysis stages. Sadly though, the strings alone did not have much to offer apart from a large number of APIs/API calls that take place when the sample runs.

The next step is to load the file into PEstudio, an excellent static-analysis tool, in order to find the architecture of the binary, the indicators PEstudio marks as malicious, "likely" malicious strings and much more.

Here are some of the indicators/malicious strings identified by PEstudio:


So far, the information collected suggests that this sample is just an instance of the well-known SSH client PuTTY (hence the sample's name, "silly putty"), but a closer look is needed before coming to a final conclusion.

To move forward, some basic dynamic analysis needs to be conducted. For that, FlareVM will again be used as the detonation host, without faking a DNS resolver with the REMnux VM. The initial detonation appears "normal" and "expected", since putty.exe runs normally and starts up the PuTTY UI we are all familiar with. But after a couple more executions, a closer look shows that for a second after launch a PowerShell window opens and closes instantly, possibly some sort of PowerShell command running in the background.

To get a better understanding of the flickering blue window that pops up after PuTTY's execution, Procmon will prove quite handy. First we filter on `Process Name contains putty` to get PuTTY's PID, and then we filter on `Parent PID is XXXX` (where XXXX is PuTTY's PID) to see the child processes it spawns.

The first process created executes a PowerShell one-liner.

This command also appears to contain base64; in fact, the command is building a gzip `New-Object` from it. To decode it, we will head over to the REMnux VM, decode the base64 text and write the output to the file the command is creating, which should be a gzip-compressed file.
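The decoding step described above, as an added example that is not from the original post: a Python script that pulls the base64 argument out of a `FromBase64String('...')` call, base64-decodes it and gunzips the result. The one-liner it parses is a constructed stand-in built inline from a benign string, not the sample's real command, and the regex assumes the blob is passed as a single quoted literal.

```python
import base64
import gzip
import re

# Constructed stand-in for the one-liner seen in Procmon: the real blob is not
# reproduced here, so a benign payload is gzip-compressed and base64-encoded
# the same way the page describes (gzip inside base64).
CONSTRUCTED_PAYLOAD = "Write-Host 'constructed test payload'"
CONSTRUCTED_B64 = base64.b64encode(gzip.compress(CONSTRUCTED_PAYLOAD.encode())).decode()
CONSTRUCTED_ONELINER = (
    "powershell.exe \"(New-Object System.IO.StreamReader("
    "(New-Object System.IO.Compression.GzipStream("
    "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('"
    + CONSTRUCTED_B64 +
    "'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\""
)

# Matches the quoted base64 literal handed to FromBase64String(...).
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_base64(cmdline: str) -> str:
    """Return the base64 argument of the first FromBase64String(...) call."""
    m = B64_RE.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String('...') argument found")
    return m.group(1)


def decode_payload(cmdline: str) -> str:
    """Base64-decode the blob and gunzip it, mirroring the manual steps on REMnux."""
    raw = base64.b64decode(extract_base64(cmdline), validate=True)
    # The command wraps the data in a GzipStream, so a valid blob starts with
    # the gzip magic bytes 1f 8b; anything else means the extraction went wrong.
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("decoded data is not gzip (magic 1f 8b missing)")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(decode_payload(CONSTRUCTED_ONELINER))
```

On a real command line, paste the full Procmon command-line value in place of the constructed one-liner; the decoded text is the script the loader would hand to PowerShell and is what the rest of the analysis examines.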
