Static and Dynamic Analysis of Malware Sample


Malicious binaries and their variants are released every day, each with different mechanisms for evading antivirus or for creating registry entries that make the malicious components of the binary difficult to remove. In this paper the binary named “malware.tmp” is processed, and a comprehensive summary of its static and dynamic analysis is presented to conclude that this binary is malicious Trojan malware.

Introduction

Malicious attacks on computers are growing exponentially. Although the payload used or the concept behind it may be the same, the shellcode used for armoring or for anti-virtual-machine detection differs from sample to sample. Different malware is used for different motives, whether to exploit or to gain access to systems, and this variety makes prevention and detection difficult. Malware can be broadly categorized into viruses, trojans, worms, ransomware, botnets and logic bombs. Although the method of exploitation and the motive differ, they all serve the same purpose of exploiting and gaining access to the victim’s computer. A Trojan horse cannot run unless the user of the system gives it privilege or access, since it needs to run on the host as an executable binary: the victim has to start it on the system before it can spread over the network by itself. Therefore, the Trojan horse is made to look like legitimate software to the user. If the user does not run the executable on the system, the attacker has no way to gain access to it. A Trojan horse generally creates a backdoor for communication and a remote desktop connection to reach other systems on the same network. Trojans can be detected by tracking their signatures or by spikes in network traffic. Because signature-based detection and prevention is difficult, as Trojans tend to be polymorphic and use encrypted traffic over the network, network activity such as port openings and active communication with external command and control servers makes detection possible. A trojan is a simple executable binary on Windows, yet its properties make it hard to detect, since it remains dormant before the malicious binary executes to exfiltrate data from the victim, encrypt the victim’s data for ransom or perform Distributed Denial of Service (DDoS) attacks.

Static Analysis

As part of the static analysis, a hex editor is used to examine the binary and check whether it is an executable, since the file is named ‘malware.tmp’ and carries the .tmp extension. For a binary to be a Windows executable it must have the MZ stub and a PE header. The hex editor (Fig 1) shows that the PE header is present and that the binary contains three sections. The MZ signature (hex 4D 5A) is the MS-DOS stub, and the PE signature has the hex value 50 45. The header also records the processor architecture the executable targets, the compatible operating system version, and the number of sections, which in this case is 3: .text, .rdata, and .data. The SHA-256 hash of the binary is computed and compared against online databases of known threats. These external sources identify the hash as a Trojan named Trojan.Crypt, which has a persistence mechanism and connects to a remote server; they also note that the malware can reboot the system without the user’s consent. PEiD gives the entry point RVA, the file offset, the packer used and the OS compatibility, which shows that the binary executes on 32-bit Windows (Fig 2); it also shows no sign of a packer on the executable. This is useful because it reveals the packer, if any, and the operating system version the executable is meant to run on, and the RVA and offset help to locate the initial entry point when working in a debugger.

[Figure: PEiD result]

Using Strings, the ASCII and Unicode strings present in the binary are listed. The binary references many DLLs that are used for gaining remote access, along with other Unicode text strings. From these strings it appears that the binary can create registry entries, create a service, modify file permissions, create and delete temp files, shut down the computer, spawn a shell, open a socket connection, and download files from the internet. kernel32 is used to spawn a shell and execute the payload. The names SVCH0ST.EXE and rs.bat resemble executable payloads embedded inside the binary. The strings also indicate altering firewall permissions, creating a service, and using system functions such as Sleep and retrieving the system’s version name. Since it uses Sleep and the system version, these calls are probably used as checks before the main function of the malware executes.
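The MZ/PE checks, section listing, entry point RVA to file offset mapping and SHA-256 hashing described above, as an added Python example that is not part of the original write-up. It parses a constructed 32-bit PE skeleton built inline rather than the real malware.tmp; the field offsets are the standard PE/COFF layout.

```python
import hashlib
import struct

MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_* values we care about

def parse_pe(data):
    """Check for the MZ stub and PE signature; return header facts, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":                      # 4D 5A
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]             # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":  # 50 45 00 00
        return None
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    sections, entry_offset = [], None
    for i in range(nsec):
        base = opt + opt_size + i * 40                             # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):       # map RVA -> file offset
            entry_offset = entry_rva - vaddr + rawptr
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": sections,
        "entry_rva": entry_rva,
        "entry_offset": entry_offset,
        "sha256": hashlib.sha256(data).hexdigest(),                # value to look up online
    }

def build_sample():
    """Constructed 32-bit PE skeleton with .text/.rdata/.data (not the real malware.tmp)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    def sec(name, vaddr, rawptr):
        return struct.pack("<8sIIII", name, 0x200, vaddr, 0x200, rawptr) + b"\0" * 16
    secs = sec(b".text", 0x1000, 0x400) + sec(b".rdata", 0x2000, 0x600) + sec(b".data", 0x3000, 0x800)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```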

[Figures: PE header; TCP view]

Listed below are the important and suspicious strings found in the binary, with the functionality each one suggests.

  • Windows firewall: the binary might be adding exceptions to Windows Firewall or spawning a service spoofed as a legitimate process.
  • GetSystemVersion is used for getting the system version details.
  • SVCH0ST.EXE may be a process spawned by malware.tmp.
  • Del /F is used for forced deletion of files; the malware uses it to leave no trace on the system.
  • HTTP indicates that it can transfer data over the network.
  • Kernel32.dll has built-in functions to spawn a command prompt and start any process.
  • WSASocket is used for opening sockets and establishing a connection with a remote server.
  • The memory dump contains URL strings for external connections, ‘http://www.baidu.com’ and ‘http://localhost:1234/ip.jpg’, which are flagged as malicious.
  • It uses DLLs and libraries that give read, write and modify permission on files, services and processes.
  • It spawns a shell to execute malicious code and to shut down or restart the system.
  • It uses an anti-detection mechanism that creates a resource fork file to keep the malware stealthy and deletes the file after use, making behavioral analysis difficult.
  • Shutdown privilege is access given to the malware to control the boot options of the system. Some of the strings in the malware binary are user32.dll, SVCH0ST.EXE, del /F %temp%, %ss.bat c:\pagefile.pif, Shell Execute.
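An added example (not the author's) of automating the Strings step and the indicator list above: it extracts ASCII and UTF-16LE strings the way the Strings tool does, then groups the hits by the capability each suggests and pulls out URLs. The indicator list reuses strings quoted on this page plus the Windows API names ShellExecute and CreateService, which are assumed for the example; the byte blob is constructed here and is not the real sample.

```python
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs, 4+ chars
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # printable UTF-16LE runs, 4+ chars

# Indicators taken from the string list above, grouped by the capability they suggest.
SUSPICIOUS = {
    "process spoofing": ["SVCH0ST.EXE"],          # digit zero in place of the letter O
    "anti-forensics": ["del /F", "%temp%"],
    "network": ["WSASocket", "http://"],
    "shell execution": ["ShellExecute"],          # assumed API name, not quoted on the page
    "persistence/firewall": ["Windows Firewall", "CreateService"],   # CreateService assumed
}

# Constructed stand-in for a binary: null-terminated strings between junk bytes.
SAMPLE = (b"MZ\x90\x00\x03" + b"\xcc" * 7 + b"kernel32.dll\x00" + b"\x01\x02"
          + b"WSASocketA\x00" + b"SVCH0ST.EXE\x00" + b"\x7f\x8e"
          + b"del /F %temp%\\rs.bat\x00" + b"http://localhost:1234/ip.jpg\x00\x01"
          + "ShellExecuteA".encode("utf-16-le") + b"\x00\x00" + b"\xff" * 6)

def extract_strings(data):
    """Return ASCII and UTF-16LE printable strings found in the blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found

def triage(data):
    """Match extracted strings against the indicator table; score = categories hit."""
    strings = extract_strings(data)
    hits = {}
    for category, needles in SUSPICIOUS.items():
        matched = sorted({s for s in strings for n in needles if n.lower() in s.lower()})
        if matched:
            hits[category] = matched
    urls = sorted({s for s in strings if re.match(r"https?://", s, re.I)})
    return {"hits": hits, "urls": urls, "score": len(hits)}

if __name__ == "__main__":
    for category, matched in triage(SAMPLE)["hits"].items():
        print(f"{category}: {matched}")
```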

Dynamic Analysis

When the binary is run with TCPView active, all TCP connections it makes are monitored. Fig 5 shows that the spawned process SVCH0ST.EXE opens a TCP connection from port 1052 to localhost on port 1234, creating remote access. The red indicator marks the closing of the socket after the connection to the remote host has been established. From this network activity we can determine that the binary performs malicious activity: command and control lies with a remote server, and the remote connection is used to store and download files from that server. Since this analysis was done without an active internet connection, a proxy server could help to identify the server being contacted and the files downloaded from it. When checked in an online source, it connects to a remote server with an IP address in the range 95.100.252.*. Process Monitor is run to record the registry, file and process changes after executing the binary. It is observed that the binary creates and queries registry keys for creating and accessing tokens. It creates multiple registry entries to check operating system image compatibility, alters system policies, and connects to a remote server. Among its registry modifications it queries and creates a number of keys; some of the important ones are shown in Fig 6. It accesses built-in DLL files along with the Terminal Server, which suggests it communicates over the network. As part of its file system activity it creates, reads, writes and executes files: it creates a temp file named rs.bat and deletes it with del /F rs.bat in the temp folder after use. It also starts SVCH0ST.EXE, which spoofs the legitimate Windows-owned process svchost.exe by name while performing malicious activity. Dynamic analysis helps to understand the behavior of the malware during its execution.
It is essential to identify the purpose and motive of the malware and its infection vectors. Some malware performs a VM check and remains dormant when tested in a VM but executes on a physical machine. In those cases, we patch the binary to jump over those pre-checks and test it in the virtual machine.

[Figure: Netstat output]


Dynamic analysis also helps to identify the locations infected by the malware, which is used to estimate the cost of the data loss. We can draw the following conclusions from the dynamic analysis.

  • The binary is saved with a temp file extension, as ‘malware.tmp’, but when triggered it spawns a process, which confirms that the binary is an executable.
  • It makes a number of registry modifications to access system .dll functions and the Windows Terminal Server.
  • It creates a service named Windows Firewall that remains active in the Windows Service Manager, which makes the malicious file persistent after boot.
  • The spawned SVCH0ST.EXE creates an entry in Service Manager that looks like a legitimate service named ‘Windows Firewall’ and starts the executable after boot.
  • It creates a temporary file named rs.bat in the %temp% cache location and force-deletes it upon execution, which makes the spawned file difficult to analyze; the binary must be patched to skip the deletion in order to debug it.
  • In the network analysis, the process opens a TCP connection to a remote host on port 1234 and tries to fetch a file named ‘ip.jpg’.
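An added example (not from the paper) of triaging a Process Monitor-style CSV export for the behaviors listed above: a look-alike system process name, a batch file dropped in %temp%, a service ImagePath written, a del /F command line, and a TCP connection to port 1234. The event lines are constructed in Procmon's CSV column layout and do not come from the paper's capture.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (not the paper's real capture); columns follow Procmon's layout.
EVENTS = """\
Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,malware.tmp,1440,Process Create,C:\\Users\\lab\\AppData\\Local\\Temp\\SVCH0ST.EXE,SUCCESS,PID: 1512
10:01:02.3,SVCH0ST.EXE,1512,CreateFile,C:\\Users\\lab\\AppData\\Local\\Temp\\rs.bat,SUCCESS,Desired Access: Generic Write
10:01:02.5,SVCH0ST.EXE,1512,RegSetValue,HKLM\\System\\CurrentControlSet\\Services\\Windows Firewall\\ImagePath,SUCCESS,Type: REG_SZ
10:01:02.9,SVCH0ST.EXE,1512,Process Create,C:\\Windows\\System32\\cmd.exe,SUCCESS,Command line: cmd /c del /F %temp%\\rs.bat
10:01:03.2,SVCH0ST.EXE,1512,TCP Connect,lab-vm:1052 -> localhost:1234,SUCCESS,Length: 0
10:01:03.4,svchost.exe,880,RegQueryValue,HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName,SUCCESS,Type: REG_SZ
"""

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def looks_spoofed(name):
    """True when a name equals a Windows system process name only after 0->o / 1->l substitution."""
    low = name.lower()
    normalized = low.replace("0", "o").replace("1", "l")
    return low not in SYSTEM_NAMES and normalized in SYSTEM_NAMES

def triage(csv_text):
    """Walk the events once and return (finding, evidence) pairs for the behaviors of interest."""
    findings = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        op, path, proc, detail = ev["Operation"], ev["Path"], ev["Process Name"], ev["Detail"]
        if op == "Process Create" and looks_spoofed(path.rsplit("\\", 1)[-1]):
            findings.append(("spoofed system process", path))
        if op == "CreateFile" and re.search(r"\\Temp\\[^\\]+\.bat$", path, re.I):
            findings.append(("batch file dropped in %temp%", path))
        if op == "RegSetValue" and re.search(r"\\Services\\[^\\]+\\ImagePath$", path, re.I):
            findings.append(("service installed (persistence)", path))
        if op == "Process Create" and re.search(r"\bdel\s+/F\b", detail, re.I):
            findings.append(("self-deletion via del /F", detail))
        if op == "TCP Connect" and (looks_spoofed(proc) or path.lower().endswith(":1234")):
            findings.append(("outbound connection from suspicious process", path))
    return findings

if __name__ == "__main__":
    for finding, evidence in triage(EVENTS):
        print(f"{finding}: {evidence}")
```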

Conclusion

Static and dynamic analysis of the given binary show that it is a malicious file of the Trojan family. In the static analysis, many suspicious indicators are observed, such as the wrong file extension, calls to system API functions, and URLs among the application’s strings. The dynamic analysis helps to analyze the behavior of the malware during execution. It is observed that the binary creates a process ‘SVCH0ST.EXE’ and spawns a command shell to create a file in the temp location, with a persistence mechanism in the form of a service named ‘Windows Firewall’. It also tries to establish a TCP connection and has the potential to download data from an external remote server. From the above analysis, it is concluded that the binary is a malicious Trojan with backdoor access for executing any malicious payload.
