Analyzing malware

Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) to protect your customers is a recurring task in incident response. If you have your own malware analysis environment and you receive a suspected malicious file, uploading it for processing and waiting for the analysis is one of the first steps in this process. Sometimes, however, you have to rely on public online malware analysis tools to get results.

I have used VMRay a couple of times to do automated malware analysis for CERTs, but for a recent sample I wanted to rely on publicly available information.

dfsdfff.exe

I got a sample of a suspected malicious file dfsdfff.exe.

MD5  = c37edcda89acf163085649cf139879a9
SHA1 = c656188aa246424429175b9094a20633ab97f3b6

Extracting the strings from this file shows that it imports a single DLL, mscoree.dll (the .NET runtime loader; a managed executable imports nothing else), and that it contains a reference to a path on the D: drive:

d:\vpVi\NqXLnduw\OtsTfDSSGytSWwMZGpTvSLvloj\GwjJRUknKVkFjufLKLk\YihSgAir \OlxRpTrg\DnG\DLm\wnrMdjv\YBNHidcnSZJWKWiGVYpAD.pdb

A PDB (program database) file holds the debug symbols the Microsoft toolchain writes when a build is asked for them, for .NET projects as well as C/C++, and the linker embeds the absolute path of that PDB in the executable's debug directory. Leaving it in might have been an oversight by the malware author; either way, the path is a distinctive string that can be used to search for related samples.

It also contains an embedded Windows application manifest (the XML resource the loader reads for the requested execution level; it is not .NET-specific, and the MyApplication.app identity is the Visual Studio template default) with the requested privileges:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

level="asInvoker" means the program runs with the token of whatever started it and never triggers a UAC prompt, which is what you expect from a dropper that wants to stay quiet.
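The static triage above (hashes, strings, PDB path, manifest) can be automated. The script below is an added example, not code from the original post or from any sandbox: it hashes the file, pulls out ASCII and UTF-16LE strings (the plain strings tool misses the wide strings Windows binaries are full of), parses the CodeView RSDS record in which the linker stores the PDB path, and reads the requestedExecutionLevel from an embedded manifest. The byte blob it runs on is constructed here to stand in for dfsdfff.exe; only the manifest text is taken from the sample, and the PDB path and wide string are made up.

```python
import hashlib
import re
import struct
import uuid

MIN_LEN = 5  # shortest string worth reporting, like `strings -n 5`

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
PDB_RE = re.compile(r'[A-Za-z]:\\[^\x00"<>|]*?\.pdb', re.IGNORECASE)
MANIFEST_RE = re.compile(rb"<assembly[\s>].*?</assembly>", re.DOTALL)
LEVEL_RE = re.compile(rb'requestedExecutionLevel\s+level="([^"]+)"')


def file_hashes(data):
    """MD5/SHA1/SHA256 of the sample: the values you will search for."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data):
    """Printable ASCII runs plus UTF-16LE runs (the latter are what `strings` misses)."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return ascii_strs + wide_strs


def dll_references(strings):
    """Names ending in .dll; a managed PE imports only mscoree.dll."""
    return sorted({s.lower() for s in strings if s.lower().endswith(".dll")})


def pdb_paths(strings):
    """Any Windows path ending in .pdb, wherever it appears in the strings."""
    return sorted({m.group() for s in strings for m in PDB_RE.finditer(s)})


def rsds_records(data):
    """Parse CodeView RSDS records: b'RSDS' + GUID(16) + age(u32 LE) + NUL-terminated PDB path.
    This is the structure the linker writes, so it is more reliable than a string grep."""
    records = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end()
        if start + 20 > len(data):
            continue
        end = data.find(b"\x00", start + 20)
        if end == -1:
            continue
        path = data[start + 20:end].decode("latin-1")
        if not path.lower().endswith(".pdb"):
            continue  # 'RSDS' occurred in unrelated bytes
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        (age,) = struct.unpack_from("<I", data, start + 16)
        records.append({"guid": str(guid), "age": age, "path": path})
    return records


def manifest_info(data):
    """Embedded application manifest and the execution level it requests (asInvoker = no UAC prompt)."""
    m = MANIFEST_RE.search(data)
    if not m:
        return None
    level = LEVEL_RE.search(m.group())
    return {
        "manifest": m.group().decode("utf-8", "replace"),
        "requestedExecutionLevel": level.group(1).decode() if level else None,
    }


def triage(data):
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "dlls": dll_references(strings),
        "pdb_paths": pdb_paths(strings),
        "rsds": rsds_records(data),
        "manifest": manifest_info(data),
        "strings": strings,
    }


# Constructed stand-in for dfsdfff.exe (not the real file). Only the manifest text is
# taken from the sample; the PDB path, GUID and wide string are hypothetical.
MANIFEST_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    b'<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>'
    b'<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>'
    b'<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">'
    b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
    b"</requestedPrivileges></security></trustInfo></assembly>"
)
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12                                   # DOS header stub
    + b"mscoree.dll\x00_CorExeMain\x00"                             # import strings of a managed PE
    + b"RSDS" + b"\x01" * 16 + struct.pack("<I", 1)                 # CodeView record: GUID, age
    + b"d:\\build\\sample.pdb\x00" + b"\x00" * 3                    # PDB path, then alignment padding
    + "C:\\Users\\Public\\kansp1.exe".encode("utf-16le") + b"\x00\x00"  # a UTF-16LE string
    + MANIFEST_XML
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against a real file with triage(open(path, "rb").read()); the RSDS path, the DLL list and the manifest level are the three fields worth pasting into a search engine before you submit anything anywhere.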

Search for online malware analysis reports

The hashes and strings above are more than enough to use Google to search for online analysis reports.

I found that the sample had been analysed by different online sandboxes. I did not submit a new sample (except to VirusTotal) because most of the analysis had already been done.

The results of the different analyses are these IOCs:

Payload Security (3-Apr-2015, Windows 8.1)

  Network connections (IP, port, HTTP method)
    68.232.34.200     80     -
    151.252.48.36     8080   POST
    23.67.143.229     443    -
    23.9.211.69       80     POST
    157.55.236.125    443    -
    23.9.212.165      80     -
    157.56.122.47     443    -

  DNS queries (name, resolved address)
    g7JrvSCyloK8C13.in                  151.252.48.36
    foodanddrink.tile.appex.bing.com    92.122.214.57
    en-us.appex-rf.msn.com              92.122.214.57
    finance.services.appex.bing.com     92.122.214.57
    cdf-anon.xboxlive.com               23.9.212.165

  Files
    dfsdfff.exe

Sophos (3-Apr-2015)

  Network connections (IP, port, HTTP method)
    151.252.48.36     8080   -
    212.62.246.210    8080   -
    74.123.9.41       8080   -
    82.151.131.129    8080   -

  Files
    c:\edg2.exe

Malwr.com (3-Apr-2015)

  Network connections (IP, port, HTTP method)
    151.252.48.36     ???    POST

  Files
    kansp1.exe
    edg1.tmp

Virustotal (5-Apr-2015)

  Files
    dfsdfff.exe
    output.63790949.txt
    63790949
    dfsdfff.exe.dr
    kansp1.exe
    UrinaryRestoredSilent.exe
    kansp1.jpg

Summary of the results

If you look at the different results you see a big difference between the Payload Security report and the others: it is the only one that also lists the DNS queries and the HTTP methods. It also ran the sample on Windows 8.1, which explains the bing.com, msn.com and xboxlive.com names in its DNS list: those are background traffic from the sandbox itself (the Bing Finance and Food & Drink apps and Xbox services), not the malware's.

The comments on VirusTotal taught us that this is Dridex. Dridex is a strain of banking malware that arrives as a spam e-mail with a Microsoft Word document attached; a macro in that document downloads and runs the actual payload.

Indicators of Compromise

Our goal in this exercise is to extract useful threat intelligence and indicators of compromise. These IOCs let us protect our constituency against further infection.

Based on these online results we can warn our constituency about the Dridex banking malware:

The infection chain starts with a macro-enabled Microsoft Office (Word) document delivered by e-mail; the dropped executable itself runs as a normal user process and, according to its manifest, does not ask for elevation.

Search for the files dfsdfff.exe, output.63790949.txt, 63790949, dfsdfff.exe.dr, kansp1.exe, UrinaryRestoredSilent.exe, kansp1.jpg, edg1.tmp and edg2.exe. File names are the weakest of these indicators, since the author can change them at will; match on the hashes above (MD5 c37edcda89acf163085649cf139879a9, SHA1 c656188aa246424429175b9094a20633ab97f3b6) wherever your tooling allows it.

Alert on DNS queries for g7JrvSCyloK8C13.in. The other names in the Payload Security report (foodanddrink.tile.appex.bing.com, en-us.appex-rf.msn.com, finance.services.appex.bing.com, cdf-anon.xboxlive.com) are Microsoft services that a Windows 8.1 machine contacts on its own; alerting on them only produces false positives.

Monitor TCP traffic to 151.252.48.36, 212.62.246.210, 74.123.9.41 and 82.151.131.129: all four were contacted on port 8080, and the first one shows up in all three sandbox reports. The remaining addresses from the Payload Security run (68.232.34.200, 23.67.143.229, 23.9.211.69, 157.55.236.125, 23.9.212.165, 157.56.122.47) were seen only once; 23.9.212.165 is what cdf-anon.xboxlive.com resolved to and 157.55.236.125 and 157.56.122.47 sit in Microsoft's address space, so review these before you put them on a blocklist.

One IP that shows up in all three network analyses is 151.252.48.36. It is hosted in Germany by Vautron Serverhousing:

inetnum:   151.252.48.0 - 151.252.51.255
netname:   VAUTRON-HOUSING5-NET
descr:     Vautron Serverhousing
country:   DE

If you have limited capabilities to set detection rules, then monitoring connections towards this IP (in particular on port 8080) will already greatly increase your chances of catching infections. Bear in mind that C2 infrastructure moves; an address like this one stays useful only as long as the campaign keeps using it.
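The file, DNS and connection rules above can be turned into a small matcher. What follows is an added example, not code from the original post or from any of the sandboxes: it holds the IOC sets extracted on this page, filters out the Microsoft hostnames the Windows 8.1 sandbox produced on its own, and runs the three checks over a few constructed log lines in a hypothetical "timestamp kind key=value ..." format (adapt parse_line to whatever your sensors emit). The six addresses seen only in the Payload Security run are kept on a separate low-severity watch list rather than treated as C2.

```python
import re

# Indicators taken from the sandbox reports on this page.
C2_DOMAINS = {"g7jrvscylok8c13.in"}
# Contacted on port 8080 per Sophos and Payload Security; 151.252.48.36 appears in all three reports.
C2_IPS = {"151.252.48.36", "212.62.246.210", "74.123.9.41", "82.151.131.129"}
# Seen once, in the Payload Security run only; several are Microsoft/CDN addresses, so watch, do not block.
WATCH_IPS = {"68.232.34.200", "23.67.143.229", "23.9.211.69",
             "157.55.236.125", "23.9.212.165", "157.56.122.47"}
FILE_NAMES = {"dfsdfff.exe", "output.63790949.txt", "63790949", "dfsdfff.exe.dr", "kansp1.exe",
              "urinaryrestoredsilent.exe", "kansp1.jpg", "edg1.tmp", "edg2.exe"}
FILE_MD5 = {"c37edcda89acf163085649cf139879a9"}
FILE_SHA1 = {"c656188aa246424429175b9094a20633ab97f3b6"}
# Hostnames a Windows 8.1 machine contacts on its own (Bing live tiles, Xbox services): never alert on these.
SANDBOX_NOISE_SUFFIXES = (".bing.com", ".msn.com", ".xboxlive.com")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Hypothetical log format: '<timestamp> <kind> key=value key="quoted value" ...'."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields.update(ts=ts, kind=kind)
    return fields


def is_sandbox_noise(hostname):
    return hostname.lower().rstrip(".").endswith(SANDBOX_NOISE_SUFFIXES)


def check_dns(f):
    q = f.get("query", "").lower().rstrip(".")
    if not q or is_sandbox_noise(q):
        return None
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return "high", f"DNS query for Dridex C2 domain {q} from {f.get('client')}"
    return None


def check_conn(f):
    dst, dport = f.get("dst"), f.get("dport")
    if dst in C2_IPS:
        sev = "high" if dport == "8080" else "medium"
        return sev, f"connection from {f.get('src')} to C2 address {dst}:{dport}"
    if dst in WATCH_IPS:
        return "low", f"connection from {f.get('src')} to watch-list address {dst}:{dport}"
    return None


def check_file(f):
    path = f.get("path", "")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if f.get("md5", "").lower() in FILE_MD5 or f.get("sha1", "").lower() in FILE_SHA1:
        reasons.append("hash matches the dfsdfff.exe sample")
    if name in FILE_NAMES:
        reasons.append(f"file name {name} seen in the sandbox reports")
    if not reasons:
        return None
    sev = "high" if reasons[0].startswith("hash") else "medium"  # names are easy to change, hashes are not
    return sev, f"{path} on {f.get('host')}: " + "; ".join(reasons)


CHECKS = {"dns": check_dns, "conn": check_conn, "file": check_file}


def scan(lines):
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line.strip())
        hit = CHECKS.get(f["kind"], lambda _: None)(f)
        if hit:
            alerts.append({"ts": f["ts"], "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed log lines for demonstration; hosts, clients and timestamps are made up.
SAMPLE_LOG = """\
2015-04-06T10:15:02Z dns client=10.0.0.12 query=g7JrvSCyloK8C13.in type=A answer=151.252.48.36
2015-04-06T10:15:02Z dns client=10.0.0.12 query=finance.services.appex.bing.com type=A answer=92.122.214.57
2015-04-06T10:15:03Z conn src=10.0.0.12 dst=151.252.48.36 dport=8080 proto=tcp
2015-04-06T10:15:04Z conn src=10.0.0.12 dst=157.55.236.125 dport=443 proto=tcp
2015-04-06T10:15:05Z file host=WS12 path="C:\\Users\\bob\\AppData\\Local\\Temp\\kansp1.exe" md5=c37edcda89acf163085649cf139879a9
2015-04-06T10:16:00Z conn src=10.0.0.13 dst=10.0.0.1 dport=53 proto=udp
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["severity"].upper(), a["reason"])
```

The Bing query produces nothing, the watch-list address produces a low-severity note, and the dropped file fires on its hash rather than only on its name, which is the order of confidence you want when the same list is handed to people who will block on it.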

Conclusions

The online malware analyses returned different results. I found the results from Payload Security most useful; additionally they allow you to download the full network capture so you can do further offline analysis.

If you want to provide useful IOCs for your constituency and you do not have your own malware analysis tool, then it is worth it to:

1. Get the hashes of the malware file.

2. Upload the samples to different online sandboxes.
   - Make sure you get approval first!
   - Verify that these files do not contain *your* credentials (in the case of targeted malware).
   - Be aware that by submitting the samples you basically give away that you are doing an investigation. This is not an issue for 'standard' malware, but you might want to refrain from it if you suspect targeted malware. Use your own private analysis environment for this.

3. Use Google (based on the different hashes, and on unusual strings such as the PDB path) to search for previous analyses.

4. Combine the results to extract protection filters.

5. Propagate the indicators manually, or use STIX and CybOX to automate the process.
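Propagating the indicators can be automated. The post refers to STIX and CybOX as separate languages, which is the STIX 1.x picture; in STIX 2.x the CybOX observables were folded into STIX and the serialization is JSON, which is what the following added example produces (example code, not from the original post or from any STIX library). It wraps this page's domain, C2 endpoints and file hashes in STIX 2.1 Indicator objects using the standard pattern syntax; the producer name CERT-example is a placeholder.

```python
import json
import uuid
from datetime import datetime, timezone


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now():
    """STIX timestamps are UTC, RFC 3339, with a trailing Z."""
    return datetime.now(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")


def quote(value):
    """String literal in STIX pattern syntax: single-quoted, backslash and quote escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def indicator(name, pattern, created_by, ts):
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id("indicator"),
        "created": ts,
        "modified": ts,
        "created_by_ref": created_by,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def build_bundle(producer, domains=(), c2_endpoints=(), file_hashes=None, ts=None):
    """domains: hostnames; c2_endpoints: (ip, port-or-None) pairs; file_hashes: {'MD5': ..., 'SHA-1': ...}."""
    ts = ts or stix_now()
    identity = {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
                "created": ts, "modified": ts, "name": producer, "identity_class": "organization"}
    objects = [identity]
    for d in sorted(domains):
        objects.append(indicator(f"Dridex C2 domain {d}",
                                 f"[domain-name:value = {quote(d)}]", identity["id"], ts))
    for ip, port in sorted(c2_endpoints, key=lambda e: (e[0], e[1] or 0)):
        pattern = (f"network-traffic:dst_ref.type = 'ipv4-addr' AND "
                   f"network-traffic:dst_ref.value = {quote(ip)}")
        if port is not None:
            pattern += f" AND network-traffic:dst_port = {int(port)}"
        label = f"Dridex C2 {ip}" + (f":{port}" if port is not None else "")
        objects.append(indicator(label, f"[{pattern}]", identity["id"], ts))
    if file_hashes:
        terms = []
        for alg, value in sorted(file_hashes.items()):
            key = alg if alg.isalnum() else f"'{alg}'"  # hyphenated names (SHA-1, SHA-256) must be quoted
            terms.append(f"file:hashes.{key} = {quote(value)}")
        objects.append(indicator("Dridex dropper dfsdfff.exe", "[" + " OR ".join(terms) + "]",
                                 identity["id"], ts))
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def bundle_json(bundle):
    return json.dumps(bundle, indent=2)


# Indicators from this page; the producer name used below is a placeholder.
PAGE_IOCS = {
    "domains": ["g7JrvSCyloK8C13.in"],
    "c2_endpoints": [("151.252.48.36", 8080), ("212.62.246.210", 8080),
                     ("74.123.9.41", 8080), ("82.151.131.129", 8080)],
    "file_hashes": {"MD5": "c37edcda89acf163085649cf139879a9",
                    "SHA-1": "c656188aa246424429175b9094a20633ab97f3b6"},
}

if __name__ == "__main__":
    print(bundle_json(build_bundle("CERT-example", **PAGE_IOCS)))
```

Every indicator carries created_by_ref pointing at the identity object, so the consumer knows who vouches for it, and the port is part of the network pattern so a recipient who only sees port 443 traffic to the same host does not alert on it by accident.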