Monday, May 26, 2014

What's Under the Hood

[Graph: MalwareViz_0735b7781096c9de80ee1bd4619e5bbf. Start (FlashUpdate.exe) -> VirusTotal (Alerts=31)]

This file looks interesting because somebody tagged it as Chinese APT.
The file did not run correctly in the sandbox: there was no network traffic and no created files.

The goal here is to find Network Traffic or Created Files.
Let's take a look "under the hood".

Start gathering information by just looking around.
Look at the "String" tab under "Static Analysis".

Searching the strings for "http" or "connect" can help, but it does not help for this malware.
Let's drag and drop it into Immunity Debugger and look for some more English.
This is not debugging; we are just using a debugger to look around.

Chinese APT

"English-ish" strings that stick out are in the far right column.
These can be Google searched to find their meaning.

Here is the part where we sound like Shawn Spencer from "Psych".
We are not really sure what's going on, but we "see" things.

We see something about Registry Query Values, Draw Icon, and string lengths.
Wait, I'm sensing something...

The string that sticks out is not the String Length "lstrlen" but the fact that it contains a Base64 string.
What? Why?
How do we know it is Base64 and what is Base64?

It is the equal signs at the end that give it away.
Base64 consumes its input in groups of three bytes and emits four characters per group; when the input length is not a multiple of three, the final group is incomplete and "=" (two bytes left over) or "==" (one byte left over) is appended as padding.

Decoding this string using Base64 and Python we see:
Python 2.7
>>> "d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==".decode('base64')
'www.google-blogspot.com:8888'

This looks like Internet traffic!
But it looks kind of legitimate?
We recognize the words google and blogspot.

Just as biological viruses try to trick your immune system into thinking they belong there,
computer viruses also try to hide by looking legitimate.

Red flags:
    1) Port 8888.
        This is not a common Internet port.
        Why isn't it using port 80 (http) or port 443 (https)?
    2) Creation date of this URL is 10-jan-2014.
        Why so recent?
        The real Google Blogspot was created 22-jun-1999.
    3) Notice the Name Servers.
        An interesting side note is that the name Xiaozhai_Tiankeng is apparently the world's deepest sinkhole.
        It's found in China.

This looks like at least one callback.
We should not assume there is only one, but it gives us something to go on.
We can use this to look through our Internet traffic to see how many machines in our network have tried to go to this site.
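The "spot the padding, decode, check the host:port" step above can be automated over a whole strings dump. The script below is an added example written for this post, not code from the original, and runs on Python 3 rather than the Python 2.7 shown above; SAMPLE_STRINGS is a constructed dump modelled on the strings mentioned in the post, and the function names are my own.

```python
import base64
import re
import string

# Constructed sample of a strings dump: a few Win32 API names plus the one
# Base64 blob discussed in the post. Not extracted from the real binary.
SAMPLE_STRINGS = """
RegQueryValueExA
DrawIcon
lstrlenA
d3d3Lmdvb2dsZS1ibG9nc3BvdC5jb206ODg4OA==
GetProcAddress
ThisIsNotBase64Because!OfPunctuation
"""

# Runs of Base64 alphabet characters, at least 16 long, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")
HOST_PORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def padding_needed(n_bytes):
    """Number of '=' characters Base64 appends for an input of n_bytes bytes.
    Input is consumed in 3-byte groups: 1 byte left over gives '==', 2 give '='."""
    return {0: 0, 1: 2, 2: 1}[n_bytes % 3]


def decode_candidates(text):
    """Find Base64-looking tokens and keep those that decode to printable
    text. Returns a list of (token, decoded_text)."""
    found = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if len(token) % 4:          # valid Base64 is always a multiple of 4 chars
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:          # bad alphabet or padding: not Base64
            continue
        decoded = raw.decode("ascii", errors="replace")
        if all(c in PRINTABLE for c in decoded):
            found.append((token, decoded))
    return found


def callback_indicators(text, common_ports=(80, 443)):
    """Decoded host:port strings, flagged True when the port is not one you
    would expect for ordinary web traffic (the post's port 8888 red flag)."""
    hits = []
    for _, decoded in decode_candidates(text):
        m = HOST_PORT_RE.match(decoded)
        if m:
            port = int(m.group("port"))
            hits.append((m.group("host"), port, port not in common_ports))
    return hits
```

Feed it the output of a strings tool instead of SAMPLE_STRINGS and the flagged host:port pairs become the search terms for your proxy and DNS logs.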

What about Created files?
We will take a look at that in another blog.

The graph can be updated to look like this:

[Graph: MalwareViz_0735b7781096c9de80ee1bd4619e5bbf. Start (FlashUpdate.exe) -> VirusTotal (Alerts=31) -> cluster "Internet Traffic"]
