Malware Analysis

Part 1: - Basic Malware Analysis

First, we need to open the task manager to see which program is
running before running the Malware

1. Analyze the social engineering component of the malware. Translate it. How does it
try to get people to execute it?
When click on the rtf file and it will run when it clicks on the image inside the rtf file.
After we executed the malware 29-10-19_Quitting and we analyse in the Task manager then
the below highlighted task is the malware which is running by changing its name.
2. Your friend has already opened the document attachment. What happened? Is his
machine already infected? Find proof for/Argue your answer!

No, Machine will not be infected if he opening the document. The malware only run
when he clicks on the image, which is shown above in the steps. So, his machine is
safe till.

3. Extract the core malware and document the steps.

Since exe file is embeds in rtf file, we will use the simple way to copy and save it. Below is
the step.

i).

Ii). Paste it in the folder

 iii). Extracted malware

4. Perform a basic static analysis of the sample and document your findings. Is it
packed? What do the imports and exports tell you? Do you see anything
suspicious section- wise? Interesting strings? Remember: MSDN is your friend!

Ans:- Malware is a packed file which contains compressed/ encrypted data which clearly
shows our claim about the packed malware. This claim is also backed with the high
entropy value. Below is the dump.
Description Overall entropy of this PE file is high
packer name is claimed to be packer UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo
Molnar & John Reiser.

Import statement was importing these library

Library KERNEL32.DLL:

• 0x42c898 LoadLibraryA

• 0x42c89c GetProcAddress

• 0x42c8a0 VirtualProtect

• 0x42c8a4 VirtualAlloc

• 0x42c8a8 VirtualFree

• 0x42c8ac ExitProcess

String analysis reveal that it doesn’t have many information but it does try to obfuscate the
binary by saying it can’t execute directly.
Below is the extracted string sample. The complete log with report is attached.
5. Analyze the sample dynamically and monitor the activity on the system. What
changes? Is anything dropped, executed or deleted? If you use Regshot, be
careful to set the right scan directory (C:)!
Ans: - After running malware, I have seen that it has dropped many files when it was
communicating with the remote server. Few of them files are listed below.
i). db5020e82ac121a8_89Z8QNBX9EM9CDNFA88K.temp

ii). 51651f27f54c7261_powershell_analysiscacheentry_af7ced03-a6f9-4bd9-a763-e6cfd101d6ec

iii). e3b0c44298fc1c14_d93f411851d7c929.customDestinations-ms~RF80d33f.TMP

Many more screen shot is below

It does try to run PowerShell and other command below is the list of command
There is many more so all traces are attached with report
6. Can you find indicators for sandbox or VM detection? What can you do to
circumvent it? Restart your analysis after taking care of the anti-analysis
technique(s).

It sets of operation which can be used for detecting simulated/sandbox/vm/HoneyPot

 First it checks the computer name, where a noob can make a mistake by naming
simulated environment as vm, guests.
 Check when process start debugged by running in debug mode ( API :
IsDebuggerPresent)
 Checks the amount of memory in system (using: GlobalMemoryStatusEx)

7. Try to find out what the sample is about to do network-wise and set up an
appropriate fake environment. What is happening?
IP address and the URL this malware try to connect, we found that using Wireshark.
104.98.12.142

During analysis we observed that C2 server is 141.8.193.12 which is using proxy on port
8080 and serve it through actual C2 server 104.98.12.142
We make a fake C2 server for that we have routed the traffic with ip 104.98.12.142
to local host using iptables and also hosts file and then we observing that what this
malware is trying to do.
Below is our finding.
 a. After the malware started it has allocated read-write-execute memory space
b. It checks whether there is network adapter is available for network connection.
c. It tries to connect a remote host using http protocol
d. It has also sent data over the network using PowerShell
e. It has downloaded many files for the network
f. Microsoft-KB528694.exe has one process exe.

8. What are the sample’s runtime dependencies? What is it trying to download? Try to
play along and set up the environment it wants and determine what the malware
needs the additional software for.
Ans:- Other than those mentioned above it does also look for
a. Library KERNEL32.DLL: for run time dependency
b. Library ADVAPI32.dll: for Registry manipulation
c. Library SHELL32.dll: for expecting the command in shell
d. Library USER32.dll: for show/hide window
e. Library urlmon.dll: for downloading the payload/file from url and save it in a file
f. Library WININET.dll: To delete the cache/url entry

It starts downloading the binary file (Microsoft-KB528694.exe)

Also, it start to downloading a text file with the arbitrary name xjgsjkmw.txt so I
have doubt as it may be payload.

9. Extract and document all relevant IP addresses that are or might be contacted (static
and dynamic analysis) and determine domain ownership.

IP Address Status

104.98.12.142 Inactive

192.35.177.64 Active

2.16.155.11 Active

2.16.155.42 Active

2.16.155.67 Active

23.52.27.27 Active
 46.226.136.5 Active

52.1.22.171 Active

Using command nslookup we extracted few domain name

10. If you satisfied all the sample’s requirements (i.e. installed all the components it
needs) the malware will alter your system’s configuration. What is happening? Hint:
Certificates.
Ans:- Initially Malware tries to create a certificate by modifying registry file.
The registry is below: -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D
AC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
 Part 2: Ransomware Disassembly

1. Perform a basic static analysis of the sample and document your findings. Is it
packed? What do the imports and exports tell you? Do you see anything
suspicious section- wise? Interesting strings?

Ans: - When I run the cryptolock.exe on Virtual machine having installed XP Operating
System but it does not run without the dependency. Program has dependency which
has to full fill to run it. Below is the screenshot which shows clearly.

When Cryptolock.exe run on window 7 , but there was no activity in captured in process
monitor anything.
Process monitor screenshot is attached.

Clearly it is I unpacked PE32 executable and it is written in C++ which makes little tough to
analyse. This executable was lastly modified in 2017.
When I analyse through Wireshark of cryptolock.exe It is importing a lot of DLL. I have put
the screenshot of all the DLL.
 We see from the import that a many of activity it is creating a file by encrypting some of the file.

2. Attempt to execute the sample and use basic dynamic analysis tools to determine
whether the sample causes damage to the system. Can the sample be executed as
is? If yes, what happens? If no, why not?

Ans:- From the below image it is clear that it does execute as it is it has
unmatched decency may be C2 serve so it is not showing any activity.
3. Load the sample into IDA and attempt to locate the “main” function (which is not
necessarily called this way). You will see a lot of exit conditions that will terminate
the program when run. Where is the main function? Highlight it and expand it.

Main function is called sub_1287C29,>below is the screenshots attached which show the
Main function when dissemble the cryptolock.exe in IDA tools.
4. Document and interpret what’s going on in the sample’s main method. It helps to
rename functions whose purpose you have identified. Which function calls can you
identify and name? Hint: Pseudocode might help (there is an IDA plugin for that!).
You might also want to return to/continue this part of the exercise later during task 9.

From the reverse engineering of malware, we were able to extract the code and in
relevant section we found that it is making system call to check current time, Also it
is polling the process id to get the list of process id. Also, it is making 16 bit left shift

Below is the reverse engineered code

5. What parameters does the sample need to function? What are their types (integer,
string, etc.)? Combine fuzzing with disassembly (i.e. supply likely parameters and
see what happens and also locate the spot in the code where the parameters are
defined).

The parameters does the sample need to function are below: -

a) SystemTimeAsFileTime
b) PerformanceCount

SystemTimeAsFileTime is FileTime Type function and PerformanceCount is Integer

Type function
6. Armed with the correct parameters, use the crypto locker on some files of your
choice and document what’s happening (return to dynamic analysis). How is the
malware altering the test?
files (use hex editor)?

7. It can be assumed that the ransomware is first reading the file, change its
contents, and then writes the new version to a file. One possible analysis approach
can be to “follow” the source (victim) file through the encryption process. A combined
approach is most promising: Use Procmon to monitor file accesses while running a
debugger to locate the corresponding functionality in the code. Where are the
read/write operations located in the code?

Here in code Malware acquire the file information

Here it creates a new file

8. It is time to determine the kind of encryption that is being used by the sample.
Download and use the tool “signsrch” to get an idea of what is happening. Which
crypto algorithm does the malware utilize?

9. What is the key for the encryption process? Where does the crypto locker get it
from? How is it processed within the malware and where does it end up?

10. Now that you know what kind of encryption is being used on the files, use a tool
of your choice (e.g. online tools, GitHub apps, self- coded approach) to decrypt the
CFO’s file. Document the steps and the final (decrypted) result! If you fail to decrypt
the desired file, document the process with a file of your choice (where you know the
key) for half the points of this item.