This post and all others for this month are part of the series which I used to help me prepare for my GIAC Reverse Engineer Malware (GREM) certification.
First up, I loaded the suspicious file in CFF Explorer taking a copy of the MD5 hash and providing it to VirusTotal to see if there were any hits. There were 65 engines which detected this file as malicious.
Looking at the VirusTotal report, I would definitely conclude this file is malicious.
With the aforementioned considered, time to FLOSS and take a look at the strings by writing FLOSS's output to a Text file.
C:\Users\SecurityNik\Desktop\Malware\day1>floss ghyte.exe > ghyte.txt
Looking at the strings nothing immediately stands out.
C:\Users\SecurityNik\Desktop\Malware\day1>Type ghyte.txt | more .... ;NNt 8n+|Bj GjUl terras lunt summer momenr Arial dip quip edit static DestroyWindow loret button SetTimer KillTimer SetWindowPos GetWindowRect FillRect LoadCursorA LoadIconA SendMessageA DefWindowProcA RegisterClassExA ...
Going back to CFF Explorer to see which Windows API and their associated functions are seen within the executable we see that there seems to be only 24 functions which are imported. interesting.
With such small number of imports and nothing really standing out as suspicious by PE Studio, I thought the file might be packed. However, it does not seem to be so according to Detect It Easy (DIE)
Transitioning to look at what happens when this run in a live environment by loading up Wireshark, ProcessHacker, RegShot, Procmon, ProcDot, FakeDNS, Fiddler and INETSim.
Taking a quick look at the Fiddler output, we see connection was being made to talonstamed.com on port 443.
The above information is further confirmed from the packet capture taken via Wireshark and analyzed via TShark.
C:\tmp>tshark -r ghyte.pcapng -n -Y "(dns.qry.name==talonstamed.com) || (tls.handshake.extensions_server_name==talonstamed.com)" 7 7.153950 10.0.0.103 → 10.0.0.113 DNS 75 Standard query 0xef83 A talonstamed.com 8 7.155315 10.0.0.113 → 10.0.0.103 DNS 91 Standard query response 0xef83 A talonstamed.com A 10.0.0.113 12 7.335830 10.0.0.103 → 10.0.0.113 TLSv1.2 230 Client Hello
As we see above, the DNS request was made to talonstamed[.]com and an IP address of 10.0.0.113 was returned by FakeDNS. We also see once the DNS resolution was completed, the host then made a TLSv1.2 connection to 10.0.0.113. At this point the communication is starting the encryption process and since we were not decrypting the traffic, we are at a loss as to what was requested.
Well that is not really true. Let's now see what INetSim reported..
[2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] recv: Host: talonstamed.com [2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] recv: Cache-Control: no-cache [2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Request URL: https://talonstamed.com/images/1m6r.exe [2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Sending fake file configured for extension 'exe'. [2020-12-03 10:32:23] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: HTTP/1.1 200 OK [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Content-Type: x-msdos-program [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Content-Length: 24576 [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Connection: Close [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Server: INetSim HTTPs Server [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] send: Date: Thu, 03 Dec 2020 15:32:23 GMT [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] info: Sending file: /var/lib/inetsim/http/fakefiles/sample_gui.exe [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] stat: 1 method=GET url=https://talonstamed.com/images/1m6r.exe sent=/var/lib/inetsim/http/fakefiles/sample_gui.exe postdata= [2020-12-03 10:32:24] [1920] [https_443_tcp 13781] [10.0.0.103:10654] disconnect
Good stuff, above we see the via INetSim, compromised host attempted to download another executable. Maybe this is why we did not see a larger number of imports within the initial executable. Then I guess we can conclude this is simply a downloader.
Digging a bit deeper by looking at a the output from ProcMon in conjunction with ProcDot with a focus on particular components, we see (and do note I am leaving out contents from the image in the interest of space):
Above we see my ghyte[.]exe process in the day1 folder was deleted. At the same time, we see a new ghyted[.]exe process was created with PID 5828. We also see a ghyte[.]exe process in the Temp folder. I did not put this file there, so it must be ghyte[.]exe that place that file there. Let's confirm if this file is still in this directory:
C:\tmp>dir %TEMP%\ghy*.* Volume in drive C has no label. Volume Serial Number is 6C10-15EA Directory of C:\Users\SECURI~1\AppData\Local\Temp 12/03/2020 10:31 AM 26,730 ghyte.exe 12/03/2020 10:31 AM 24,576 ghyted.exe 2 File(s) 51,306 bytes 0 Dir(s) 36,239,482,880 bytes free
Looks like the ghyte[.]exe file as well as ghyted[.]exe are both there. Interesting.
Looking at additional information which was produced by ProcDot.
Above we see where the file ghyted[.]exe was created. At the same time, we see an additional file 1m6r[1].exe which seems similar to the file which was requested via the download and which was provided via INetSim. Confirming this file exists:
C:\tmp>dir c:\users\securitynik\appdata\local\microsoft\windows\inetcache\ie\5gfu9wn4\1m6r[1].exe Volume in drive C has no label. Volume Serial Number is 6C10-15EA Directory of c:\users\securitynik\appdata\local\microsoft\windows\inetcache\ie\5gfu9wn4 12/03/2020 10:31 AM 24,576 1m6r[1].exe 1 File(s) 24,576 bytes 0 Dir(s) 36,239,409,152 bytes free
At this point we have gathered quite a few Indicators of Compromise (IOC) which we can now use to add as intelligence into our security tools and operations.
If we dig a little deeper into ProcDot output, we see process with PID 5828 ends up loading the ghyted[.]exe file in the Temp directory as seen below.
 |
At this point I will close off this post. Nothing more for me to gather here at this time.
References:
very interesting. Congratulations.
ReplyDelete