Hello agent 0x00, welcome to the malware analysis training grounds. You are now being trained to become part of the most sophisticated malware analysis teams in the NSA.
To fully prepare you for the battlefield, we have created this small course for you to complete.
We have extracted this low grade sample from a cyber crime gang operating in Sudan.
We would like you to take a look at this sample and extract any meaningful artifacts from it.
Attached below is a malware sample that I’ve created, please run it in an appropriate Virtual Machine.
You must do the following tasks and please be verbose as possible:
Extract any host based indicators
Does the sample drop any files on disk? If yes where?
If a file is dropped, what is the contents of it?
Anti RE
How does the sample manage to “waste” debugging time? (Use a debugger for this one)
Extract any network based indicators
Does this sample connect to any website? if it does what is the host name of that website?
I will update this comment with more findings Extract any host based indicators
File dropped :
C:\Users\admin\AppData\Local\Temp\0x00sec
Content of the file :
Greetings from nullsec!
Anti RE
How does the sample manage to “waste” debugging time?
Once the file is written, there is a Sleep(10000000) before execution of Ordinal_3(param_1) call.
There is a recurring function that detects the number of params passed to the malware call. And the function keeps calling itself. This function has a reference in the initial stub. Pseudo code as under :
unaff_ESI = STOP_DEBUGGING();
inside STOP_DEBUGGING
if (param_3 < 2) {
Write_to_file();
ExitProcess(1);
}
else {
OutputDebugStringA(“Go away”);
STOP_DEBUGGING(param_1 + 3,param_2 + -4,param_3 - 1);
}
Extract any network based indicators
I see a HTTP call to 1.0.0.0:80 from my PCAP Dump.
n00bi3s pretty much is bang on with his/her analysis. I would just like to add that the IP 104.18.48.48 found from a string search of the binary actually misguides the analyst as the actual connection is made via the following assembly:
call inet_pton
mov dword ptr ss:[ebp-410],eax
push 50
call htons
mov word ptr ss:[ebp-412],ax
mov edx,2
mov word ptr ss:[ebp-414],dx
Which moves the success result (int 1) returned by inet_pton as a little endian DWORD to the stack ( 0x01000000) and result returned by ntohs 0x0050 as the next WORD on the stack. Then the address (ebp-414) is typecasted to (sockaddr *) and passed to connect() which reads the IP address in network byte order thus making it 01.00.00.00 and the port becomes 0x0050 or decimal 80. Therefore a connection attempt at 1.0.0.0:80 is made.
