Monday, January 11, 2021

Continuing Malware Analysis - Ghyte / ZBot - Static and Dynamic Analysis

This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.

First up, I loaded the suspicious file in CFF Explorer taking a copy of the MD5 hash and providing it to VirusTotal to see if there were any hits. There were 65 engines which detected this file as malicious.


Looking at the VirusTotal report, I would definitely conclude this file is malicious. 


With the aforementioned considered, time to FLOSS and take a look at the strings by writing FLOSS's output to a Text file.

C:\Users\SecurityNik\Desktop\Malware\day1>floss ghyte.exe > ghyte.txt

Looking at the strings nothing immediately stands out.

C:\Users\SecurityNik\Desktop\Malware\day1>Type ghyte.txt | more
....
;NNt
8n+|Bj
GjUl
terras
lunt
summer                                                                                                                             momenr
Arial
dip quip
edit
static
DestroyWindow
loret
button
SetTimer
KillTimer
SetWindowPos
GetWindowRect
FillRect
LoadCursorA                                                                                                                        LoadIconA
SendMessageA
DefWindowProcA
RegisterClassExA     
...

Going back to CFF Explorer to see which Windows API and their associated functions are seen within the executable we see that there seems to be only 24 functions which are imported. interesting.


With such small number of imports and nothing really standing out as suspicious by PE Studio, I thought the file might be packed. However, it does not seem to be so according to Detect It Easy (DIE)


Transitioning to look at what happens when this run in a live environment by loading up Wireshark, ProcessHacker, RegShot, Procmon, ProcDot, FakeDNS, Fiddler and INETSim.

Taking a quick look at the Fiddler output, we see connection was being made to talonstamed.com on port 443.


The above information is further confirmed from the packet capture taken via Wireshark and analyzed via TShark.

C:\tmp>tshark -r ghyte.pcapng -n -Y "(dns.qry.name==talonstamed.com) || (tls.handshake.extensions_server_name==talonstamed.com)"
    7   7.153950   10.0.0.103 → 10.0.0.113   DNS 75 Standard query 0xef83 A talonstamed.com
    8   7.155315   10.0.0.113 → 10.0.0.103   DNS 91 Standard query response 0xef83 A talonstamed.com A 10.0.0.113
   12   7.335830   10.0.0.103 → 10.0.0.113   TLSv1.2 230 Client Hello

As we see above, the DNS request was made to talonstamed[.]com and an IP address of 10.0.0.113 was returned by FakeDNS. We also see once the DNS resolution was completed, the host then made a TLSv1.2 connection to 10.0.0.113. At this point the communication is starting the encryption process and since we were not decrypting the traffic, we are at a loss as to what was requested.

Well that is not really true. Let's now see what INetSim reported.. 

[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] recv: Host: talonstamed.com
[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] recv: Cache-Control: no-cache
[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Request URL: https://talonstamed.com/images/1m6r.exe
[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Sending fake file configured for extension 'exe'.
[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: HTTP/1.1 200 OK
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Content-Type: x-msdos-program
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Content-Length: 24576
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Connection: Close
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Server: INetSim HTTPs Server
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Date: Thu, 03 Dec 2020 15:32:23 GMT
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Sending file: /var/lib/inetsim/http/fakefiles/sample_gui.exe
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] stat: 1 method=GET url=https://talonstamed.com/images/1m6r.exe sent=/var/lib/inetsim/http/fakefiles/sample_gui.exe postdata=
[2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] disconnect

Good stuff, above we see the via INetSim, compromised host attempted to download another executable. Maybe this is why we did not see a larger number of imports within the initial executable. Then I guess we can conclude this is simply a downloader. 

Digging a bit deeper by looking at a the output from ProcMon in conjunction with ProcDot with a focus on particular components, we see (and do note I am leaving out contents from the image in the interest of space):


Above we see my ghyte[.]exe process in the day1 folder was deleted. At the same time, we see a new ghyted[.]exe process was created with PID 5828. We also see a ghyte[.]exe process in the Temp folder. I did not put this file there, so it must be ghyte[.]exe that place that file there. Let's confirm if this file is still in this directory:

C:\tmp>dir %TEMP%\ghy*.*
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\Users\SECURI~1\AppData\Local\Temp

12/03/2020  10:31 AM            26,730 ghyte.exe
12/03/2020  10:31 AM            24,576 ghyted.exe
               2 File(s)         51,306 bytes
               0 Dir(s)  36,239,482,880 bytes free

Looks like the ghyte[.]exe file as well as ghyted[.]exe are both there. Interesting. 

Looking at additional information which was produced by ProcDot.


Above we see where the file ghyted[.]exe was created. At the same time, we see an additional file 1m6r[1].exe which seems similar to the file which was requested via the download and which was provided via INetSim. Confirming this file exists:

C:\tmp>dir c:\users\securitynik\appdata\local\microsoft\windows\inetcache\ie\5gfu9wn4\1m6r[1].exe
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of c:\users\securitynik\appdata\local\microsoft\windows\inetcache\ie\5gfu9wn4

12/03/2020  10:31 AM            24,576 1m6r[1].exe
               1 File(s)         24,576 bytes
               0 Dir(s)  36,239,409,152 bytes free

At this point we have gathered quite a few Indicators of Compromise (IOC) which we can now use to add as intelligence into our security tools and operations.

If we dig a little deeper into ProcDot output, we see process with PID 5828 ends up loading the ghyted[.]exe file in the Temp directory as seen below. 


At this point I will close off this post. Nothing more for me to gather here at this time.

References:

Virus Total Report of the MD5Hash
SANS FOR610 - GREM 

1 comment: