Malware Analysis Part 1 : Basic Static Analysis

File Name: 64.exe
MD5: 2241f43eca01bf059daada7a537d754b

Antivirus engines identified this sample as malware when it was uploaded to VirusTotal.com. Engine, detection name and signature date:

AVG: Generic11_c.LGF (20140806)
AVware: Trojan.Win32.Generic!BT (20140807)
Ad-Aware: Dropped:Trojan.Generic.11321666 (20140807)
Agnitum: Trojan.Reconyc! (20140806)
AhnLab-V3: Trojan/Win32.Generic (20140806)
AntiVir: TR/Agent.1986048.3 (20140807)
Antiy-AVL: Trojan/Win32.Reconyc (20140806)
Avast: Win32:Malware-gen (20140807)
Baidu-International: Trojan.BAT.CoinMiner.bHN (20140806)
BitDefender: Dropped:Trojan.Generic.11321666 (20140807)
Bkav: HW32.InfFil.dmys (20140806)
CAT-QuickHeal: Trojan.Reconyc.g3 (20140806)
CMC: Packed.Win32.Zcrypt.3!O (20140806)
Comodo: UnclassifiedMalware (20140806)
DrWeb: Trojan.KillFiles.13982 (20140807)
ESET-NOD32: BAT/CoinMiner.HN (20140806)
Emsisoft: Dropped:Trojan.Generic.11321666 (B) (20140807)
F-Secure: Dropped:Trojan.Generic.11321666 (20140807)
GData: Dropped:Trojan.Generic.11321666 (20140807)
Ikarus: Trojan.BAT.CoinMiner (20140806)
K7AntiVirus: Trojan ( 0049e6e41 ) (20140806)
K7GW: Trojan ( 0049e6e41 ) (20140806)
Kaspersky: Trojan.Win32.Reconyc.cbcn (20140806)
Kingsoft: Win32.Troj.Undef.(kcloud) (20140807)
Malwarebytes: Trojan.Agent (20140807)
McAfee: Artemis!2241F43ECA01 (20140807)
McAfee-GW-Edition: Artemis!2241F43ECA01 (20140806)
MicroWorld-eScan: Dropped:Trojan.Generic.11321666 (20140807)
Microsoft: Trojan:Win32/Sulunch!gmb (20140807)
NANO-Antivirus: Trojan.Win32.Reconyc.ddkcla (20140807)
Norman: Suspicious_Gen2.VXPSS (20140806)
Panda: Trj/CI.A (20140806)
Qihoo-360: HEUR/Malware.QVM18.Gen (20140807)
Sophos: Mal/Generic-S (20140807)
Symantec: Trojan.Gen (20140807)
Tencent: Win32.Trojan.Reconyc.Hoej (20140807)
TrendMicro: TROJ_SPNR.3CGS14 (20140807)
TrendMicro-HouseCall: TROJ_SPNR.3CGS14 (20140807)
VBA32: Trojan.Siscos (20140806)
VIPRE: Trojan.Win32.Generic!BT (20140807)



When were these files compiled?

Next we open the files in PEview. For each file, we navigate to the IMAGE_NT_HEADERS > IMAGE_FILE_HEADER > Time Date Stamp field, which tells us the compile time. Based on our analysis, this file was compiled on Saturday, February 7, 2009, at 06:33:08 UTC.

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?



Using PEview, several indicators tell us that this file is packed. The most obvious indicators are sections named UPX0 and UPX1, the default section names for UPX-packed malware.


Even if PEiD fails to identify the file as UPX-packed, notice the relatively small number of imports and that the first section, UPX0, has a virtual size of 0x17000 but a raw data size of 0. UPX0 is the largest section, and it’s marked executable, so it’s probably where the original unpacked code belongs.


Having identified the program as packed, we can unpack it by using UPX:



The -d option tells UPX to decompress the file, and the -o option specifies the output filename.
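The header fields examined above (the FILE_HEADER TimeDateStamp and the section table with its VirtualSize / SizeOfRawData pair) can be read directly from the raw bytes without PEview. The script below is an added example, not part of the original write-up: it parses those fields with struct and flags the same two UPX indicators, and it runs on a constructed, header-only PE image (the byte layout and section sizes are constructed for the example, not taken from 64.exe).

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SECTION_HEADER.Characteristics flag

def parse_pe(data: bytes) -> dict:
    """Read what PEview shows: FILE_HEADER.TimeDateStamp and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER (20 bytes) directly follows the signature
    _m, n_sections, stamp, _st, _ns, opt_size, _ch = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, _va, raw, _p, _r, _l, _nr, _nl, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    when = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"compile_time": when, "sections": sections}

def packing_indicators(pe: dict) -> list:
    """Flag the two UPX tells discussed above: section names and an empty executable section."""
    hints = []
    for s in pe["sections"]:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: default UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["executable"]:
            hints.append(f"{s['name']}: virtual size 0x{s['virtual_size']:x} but no raw data")
    return hints

def build_sample_pe() -> bytes:
    """Constructed header-only image with the layout described above (not the real 64.exe)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # Machine=i386, 2 sections, TimeDateStamp=2009-02-07 06:33:08 UTC, 0xE0-byte optional header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 1233988388, 0, 0, 0xE0, 0x0102)
    def sec(name, vsize, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0, raw, 0, 0, 0, 0, 0, flags)
    upx0 = sec(b"UPX0", 0x17000, 0, 0xE0000080)      # EXEC|READ|WRITE, no raw data
    upx1 = sec(b"UPX1", 0x4000, 0x3A00, 0xE0000040)  # constructed sizes
    return dos + b"PE\0\0" + file_hdr + b"\0" * 0xE0 + upx0 + upx1

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["compile_time"], *packing_indicators(pe), sep="\n")
```

To run it against a real file, replace build_sample_pe() with the bytes read from the sample; the optional header is skipped by its stated size, so 32-bit and 64-bit images are both handled.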


Do any imports hint at what this malware does? If so, which imports are they?



After unpacking, we look at the imports section and the strings. The imports from kernel32.dll and msvcrt.dll are imported by nearly every program, so they tell us little about this specific program.
- The imports from GDI32.dll are graphics-related and simply confirm that the program probably has a GUI.
- The imports from Shell32.dll (ShellExecuteExA) tell us that this program can launch other programs, a feature common to both malware and legitimate programs.
The library file Ole2.dll is required by Windows and is used when performing OLE (Object Linking and Embedding) operations. OLE allows objects created in one application to be embedded in documents or objects created by a different application, e.g. embedding an Excel spreadsheet inside a Word document. OLE is used fairly extensively in Windows applications, so if possible you should not remove this file. Ole32.dll is flagged as a system process and does not appear to be a security risk. However, removing the Microsoft OLE Library may adversely impact your system.




When we look at the strings, we see several commands (taskkill, del, and move) that are executed once the malware has infected the machine. One line shows that the malware modifies a registry key.
