[Malware Challenges] AnalyzeMe No1

Background

Hello agent 0x00, welcome to the malware analysis training grounds. You are now being trained to become part of the most sophisticated malware analysis teams in the NSA.
To fully prepare you for the battlefield, we have created this small course for you to complete.

We have extracted this low grade sample from a cyber crime gang operating in Sudan.
We would like you to take a look at this sample and extract any meaningful artifacts from it.

File: https://github.com/DanusMinimus/Malware-challanges

Good Luck.


Technical Assignment

Attached below is a malware sample that I’ve created, please run it in an appropriate Virtual Machine.
You must do the following tasks, and please be as verbose as possible:

Extract any host based indicators

  1. Does the sample drop any files on disk? If yes where?
  2. If a file is dropped, what is the contents of it?

Anti RE

  1. How does the sample manage to “waste” debugging time? (Use a debugger for this one)

Extract any network based indicators

  1. Does this sample connect to any website? If it does, what is the host name of that website?

Tools

You can use any tools in your arsenal.

6 Likes

Thanks for this challenge @Danus

I will update this comment with more findings :slightly_smiling_face:
Extract any host based indicators

File dropped:
C:\Users\admin\AppData\Local\Temp\0x00sec
Content of the file:
Greetings from nullsec!

Anti RE

How does the sample manage to “waste” debugging time?

  1. Once the file is written, there is a Sleep(10000000) before execution of Ordinal_3(param_1) call.
  2. There is a recurring function that detects the number of params passed to the malware call, and the function keeps calling itself. This function has a reference in the initial stub. Pseudo code as under:
    // call site in the initial stub
    unaff_ESI = STOP_DEBUGGING(param_1, param_2, param_3);

    // inside STOP_DEBUGGING: recurses until the third argument drops below 2
    void STOP_DEBUGGING(int param_1, int param_2, int param_3) {
        if (param_3 < 2) {
            Write_to_file();
            ExitProcess(1);
        }
        else {
            OutputDebugStringA("Go away");
            STOP_DEBUGGING(param_1 + 3, param_2 + -4, param_3 - 1);
        }
    }

Extract any network based indicators

I see a HTTP call to 1.0.0.0:80 from my PCAP Dump.

5 Likes

n00bi3s pretty much is bang on with his/her analysis. I would just like to add that the IP 104.18.48.48 found from a string search of the binary actually misguides the analyst as the actual connection is made via the following assembly:

call inet_pton
mov dword ptr ss:[ebp-410],eax
push 50
call htons
mov word ptr ss:[ebp-412],ax
mov edx,2
mov word ptr ss:[ebp-414],dx

This moves the success result (int 1) returned by inet_pton as a little-endian DWORD to the stack (0x01000000), and the result returned by ntohs, 0x0050, as the next WORD on the stack. Then the address (ebp-414) is cast to (sockaddr *) and passed to connect(), which reads the IP address in network byte order, thus making it 01.00.00.00, and the port becomes 0x0050, or decimal 80. Therefore a connection attempt to 1.0.0.0:80 is made.

4 Likes
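To make the misdirection described in the post above concrete, here is an added C example (not code from the thread or from the sample) that builds a sockaddr_in the buggy way, with the inet_pton return value stored as the address, next to the intended way, and shows the endpoint each would hand to connect(). It assumes a little-endian host, reuses the 104.18.48.48 string and port 80 from the thread, and does no network I/O.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reproduces the defect seen in the sample: the return value of inet_pton()
   (1 on success) is stored in sin_addr instead of the parsed address. On a
   little-endian host the DWORD 1 is laid out as 01 00 00 00, which connect()
   reads in network byte order as 1.0.0.0. */
static struct sockaddr_in buggy_sockaddr(const char *ip, uint16_t port) {
    struct sockaddr_in sa;
    struct in_addr parsed;
    memset(&sa, 0, sizeof sa);
    int rc = inet_pton(AF_INET, ip, &parsed); /* 'parsed' is never used again */
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = (uint32_t)rc;        /* bug: stores 1, not the address */
    return sa;
}

/* Intended construction: inet_pton() writes into sin_addr, return value only checked. */
static struct sockaddr_in correct_sockaddr(const char *ip, uint16_t port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        sa.sin_family = AF_UNSPEC;            /* mark the parse failure */
    return sa;
}

/* Formats the endpoint exactly as connect() would interpret the struct. */
static const char *endpoint(const struct sockaddr_in *sa) {
    static char buf[INET_ADDRSTRLEN + 8];
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, sizeof buf, "%s:%u", ip, ntohs(sa->sin_port));
    return buf;
}

int main(void) {
    /* 104.18.48.48 is the string found inside the binary, as reported in the thread */
    struct sockaddr_in b = buggy_sockaddr("104.18.48.48", 80);
    struct sockaddr_in c = correct_sockaddr("104.18.48.48", 80);
    printf("buggy:   %s\n", endpoint(&b));    /* 1.0.0.0:80 */
    printf("correct: %s\n", endpoint(&c));    /* 104.18.48.48:80 */
    return 0;
}
```

The lesson for triage is that a string found in the binary is only a candidate indicator; the endpoint the kernel actually receives is whatever lands in the sockaddr, so verify it with a breakpoint on connect() or in the PCAP.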

Good find! You get an A+!

5 Likes

Hi, could you please reupload the file, I wanted to give it a try but I cannot access to the link anymore. Thanks a lot!

1 Like

Link has been updated, thanks for reaching out!

2 Likes

Thanks a lot for your fast reply, appreciated :slight_smile:

1 Like
