_                           _    _____                      _ _           ____  _             
      | |                         ( )  / ____|                    (_) |         |  _ \| |            
      | | __ _ _ __ ___   ___  ___|/  | (___   ___  ___ _   _ _ __ _| |_ _   _  | |_) | | ___   __ _ 
  _   | |/ _` | '_ ` _ \ / _ \/ __|    \___ \ / _ \/ __| | | | '__| | __| | | | |  _ <| |/ _ \ / _` |
 | |__| | (_| | | | | | |  __/\__ \    ____) |  __/ (__| |_| | |  | | |_| |_| | | |_) | | (_) | (_| |
  \____/ \__,_|_| |_| |_|\___||___/   |_____/ \___|\___|\__,_|_|  |_|\__|\__, | |____/|_|\___/ \__, |
                                                                          __/ |                 __/ |
                                                                         |___/                 |___/ 
    Home    Twitter: @Xtrato    Email: james[at]jamesdotcom.com    PGP Key    GitHub: Xtrato    Youtube: Xtratozorz    RSS Feed

19th October 2013 || Malware Analysis Part 2: First Attempt

Please read part 1 first if you would like to know how the analysis lab is set up.

There are various sites you can use to download sample malicious software. The one i used is called openmalware.org. I wasn't completely sure which sample to choose. I wanted one which was recent so i decided to get a a sample called "BC.Heuristic.Trojan.SusPacked.BF-6.A" I'm not going to link to it for obvious reasons but the MD5 hash of the sample is 0148d6e7f75480b3353f1416328b5135. This can be used as a search term on the open malware site to find sample i used in this analysis attempt.

Once i downloaded the file i took a snapshot of the registry and files on the machine using Regshot. I then ran the file, took another snapshot and compared the two. The restults shows that multiple files and folders were created when it executed.

Files added: 3
----------------------------------
C:\Program Files\Windos\logg.dat
C:\Program Files\Windos\Windos.exe
C:\WINDOWS\Prefetch\MALWARE.EXE-155B9235.pf
----------------------------------
Files [attributes?] modified: 3
----------------------------------
C:\Documents and Settings\james\NTUSER.DAT.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
----------------------------------
Folders added: 1
----------------------------------
C:\Program Files\Windos
----------------------------------

I also noticed that the Debian server has received a flood of DNS requests from the malware infected machine. (Part of the query redacted with ##.)

Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104
Oct 12 19:32:52 debian dnsmasq[1028]: query[A] se7aaaaa.no-##.### from 192.168.56.104

^C^X
root@debian:/home/james#

So the malware is attempting to fetch its IP for its server and i assume either download additional stuff or send some data to the server.

Because of this DNS request the next step i figured was to put my DNS server to good use and respond to the request with one of my own IP's to see what it did next. So i opened the /etc/hosts file and added a new entry pointing se7aaaaa.no-##.### (redacted) to my debian server 192.168.56.101. I then started Wireshark on the malware infested machine and reset the DNS daemon.

This part i'm not 100% sure on. But what i can gather from this is that it is trying to start a TCP connection with my Debian server on the port 81 which is the TOR port. Although it doesn’t necessarily mean its trying to connect in any way to the TOR network. Whatever its trying to do the server isn’t responding appropriately (or not at all) and therefore the connection isn’t fully made. The next step i made was to set a netcat listener on the port and see what is being sent. To do this i entered the following command:

nc -l -p 81

-l specifies a listener and -p the port i want to listen on.

What i received is unintelligible.