Monthly Archives: December 2013

Enriching your Malware analysis reports with Open Source Intelligence (OSINT)

Often, while analyzing a malware sample, I open Google and start searching for the hash or for some other Indications in the malware sample like Mutexes, User agents, Registry keys, Filenames, URLs and  IP Addresses. Searching for all those indications in Google and other search engines is too cumbersome. A couple of days ago I came across Malformity. Malformity is a collection of Maltego transforms to assist with malware and malicious infrastructure research. Malformity queries data from many sources (Ex. VirusTotal, Bit9, ThreatExpert…) in order to perform Maltego transforms. To get started with Malformity, you create with Maltego entities from the data you already have:

entities

 

Then you can run transforms:

Screenshot from 2013-12-14 17:34:47

 

Using those transforms It is possible to get useful information about the malware you are analyzing. For example in the example below I took a malware and found out URLs related with it, and even a Mutex (The one on the left).

Screenshot from 2013-12-14 21:59:36

 

In the next example, I created a URL entity out of a URL address from which the malware sample downloaded a DAT file. I found information about the website (Infrastructure information) and also some information from known security companies.

Screenshot from 2013-12-15 21:47:59222

 

In the example below, I took the same hash and found different virus signatures, and alternative names for the same malware:

Screenshot from 2013-12-15 21:50:51

 

Maltego and Malformity are nice tools to have when researching for malware indicators and malicious infrastructure, and can be really helpful at times. It is important to note that those searches are not silent, and doing those transforms can expose and reveal that the malware has been discovered and is under investigation.

Some additional honorable mentions of tool that can help and ease the research:

Anatomy of a traffic generating trojan

This is a trojan with interesting behavior, That I came across during the third part of November. I have decided to analyze this malware (chosen from the pile of thousands i have for days of boredom…) because its behavior seemed very interesting when executing it in the sandbox. Aside from achieving persistence and making a DNS query for smtp.live.com, It did not do much. I suspected it had something to hide…

About The Analysis Process: 

After the first execution in my custom sandbox, as I have noticed nothing too exciting happened and the execution timed out after the max value set by the sandbox, I started suspecting this malware has awfully long sleep timers in its code.

I have started the static analysis phase, but noticed this malware has a small amount of imports, and a strange procedure with lots of lodsb assembly commands. That procedure was a Custom Packer, which was not identified by PEid.

The imports before unpacking:

croppedimports

For easy unpacking, I executed the malware until the return of what seemed to be the unpack procedure:

croppedunpackproc

Setting the breakpoint:

croppedbreakpoint

Right after the breakpoint, I did a took a memory memory dump to easily dump the processes from memory. Those are the imports after the unpack procedure returned:

croppedexports

While analyzing the dump I have noticed that this executable launches three svchost.exe processes. Each one of those svchost processes main purpose is traffic generation, but each one has an extra purpose. (Ex. Mutex creation, Persistence, Downloading the DAT files)

croppedpstree

A short static analysis of one of the svchost processes proved me right about the sleep timers:

croppedlongsleep

Sleep2This malware does not have to be executed from an administrator account, we can see that because it achieves its persistence by adding itself to:

HKU\software\microsoft\windows\current version\run 

with the executable pofpopitegra.exe as the value,  which is dropped at c:\document and settings\%username%\pofpopitegra.exe

Network behavior:

This malware generates a pretty big amount of web traffic, to sites it probably gets from this DAT file downloaded over the network, and from some html files with encoded comments. No evidence was found inside any of the svchost files or the malware executable itself for URL or IP addresses of any kind, except for the URL from which the DAT file is downloaded from.

unkwondatclippedcontent

DATlocation

The encoded comments:

croppedURLencoded

croppedsmtthttptrffic

The malware generated some SMTP traffic as well. The next part of the analysis, I will dive deeper into the traffic generated by this malware sample, and try to reverse engineer the encryption of the DAT file.