This Report is going to be in two phases;

1. Basic Static Analysis and;
2. Basic Dynamic Analysis

Tools:

• Cmder
• File hashes
• VirusTotal
• FLOSS
• PEStudio
• PEView
• Capa

Basic Static Analysis Methodology

1. Fingerprinting

It is important to note that for Static Analysis, we DO NOT EXECUTE the Malware Binary

This is done to understanding the features /characteristics of what the malware could be doing

• We have to pull the hashes (sha256 & md5) of every malware sample - THIS IS NEEDED TO FINGERPRINT THE SAMPLE

Steps

1. Pull the SHA256 hash for this particular malware sample - using Cmder

2. Pull the MD5 hash

   • we pull the malware binary into Desktop from the Desktop\\PMAT-labs-main\\labs\\1-3.Challenge-SillyPutty file path
   • the malware zip is encrypted with a password, after inputting that, we can then drag to Desktop so as to make it easier to run the fingerprint

   λ sha256sum.exe putty.exe
   # OUTPUT
   # 0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83 *putty.exe - SHA256 HASH
   
   λ md5sum.exe putty.exe
   # 334a10500feb0f3444bf2e86ab2e76da *putty.exe - MD5 HASH
   

3. Check the malware and if its been known/has any digital signatures in the real world - using VirusTotal

   https://www.virustotal.com/

• We notice few things from initial investigation in the Detection Pane.

• We see the Malware Binary name - PuTTY

• The category of said Malware Binary - Trojan

• Flagged by 86% of Security Vendors as malicious

• Details Pane

  • We see the names the Malware Binary bears in the Wild

    ![image.png](<https://prod-files-secure.s3.us-west-2.amazonaws.com/a3043a24-26b1-458a-830d-b30a6a452275/764156af-f707-4a08-9668-1ca632686c82/image.png>)
  

  • Graph Summary to show Relations

    • This tells us what the malware does once detonated
    • It makes url calls to certain IPs and Domains
    • It performs CreateFile and WriteFile processes - as seen in the Files Dropped category

    

2. String Extraction

Strings & FLOSS

Strings: An array of characters

• computers don’t understand this
• hello : 0 1 2 3 4
• if the malware author wants to configure/program the malware to reach a web page, they would have to code the url into the program so the computer can assemble the array of characters into a string so it can make a web request to it.

Floss pulls the strings out of the binary and decodes/de-obfuscates any strings it finds

floss.exe putty.exe > floss.txt
#to make it easier to analyze the floss strings

• Not much was seen here, but it can be noted that its operations is mostly remote connection based (judging by the number of “ssh” and “tcp socks” keywords seen