we first started our internet simulator(inetsim) on an Ubuntu VM in order to start our Dynamic Analysis
using Wireshark to intercept traffic and determine Network bases indicators, we then Detonate the Malware
- observations
shortly after running malware binary, we see a PowerShell spin up and PuTTY program starts up
this is important to take note of and we can use this information in later analysis
- upon detonation, we notice a DNS request to
bonus2.corporatebonusapplication.local - DNS is the highest layer in the OSI model in this packet capture
- we could give props to the malware author as there is no other information provided (IP Address, Usernames, Passowrds) encoded into this binary.
- all we get is a DNS record so far
- this is indicative of a request to a packet headed to the A record
bonus2.corporatebonusapplication.local: type A - having set up this REMnux box to catch the internet traffic that's outbound from our analyst workstation/sandbox - Flare VM.
now that we have detonated the malware binary, we want to know about certain processes this malware binary invokes and what they are doing
in order for us to analyze and monitor processes invoked in real time, we make use of three methods below;
-
First, we check the Process Tree to see the Child Process to
putty.exe-
we also see the PID of the PowerShell program
-
-
Second, we determine if there are any Network Connections at the time of Detonation using TCPView or Procmon
-
Filter → Process Name → is → putty.exe
-
Filter → Process Name → is → poweshell.exe
-
Filter → Operation → contains → TCP
-
Defang Binary
-
Run Binary
-
Potential call out to specified DNS Record on 8443 using TCP transport protocol
- the callback protocol at detonation is TCP
-
-
Lastly, we can we define our filters now that we know the PowerShell Process starts upon detonation
- Process Name → is → powershell.exe
- we see a very interesting detail here
- a PowerShell script is being executed also
we decode the base64 string using CyberChef. everything from powershell.exe to FromBase64String is deleted
-
we also see its been gzipped
-
The PowerShell appeared to give the malware author the ability to choose if they wanted to use a reverse or bind shell and if they connection required SSL. If a reverse shell was selected the script would reach out to
bonus2.corporatebonusapplication.localover port 8443 to establish a connection.
Tricking the Malware Binary that we are bonus2.corporatebonusapplication.local using the hosts file
-
using Cmder (run as Administrator)
-
nano C:\\Windows\\System32\\drivers\\etc\\hosts -
we specify the DNS record in the hosts file. we point it to our local host (127.0.0.1)
d. ctrl + o → ctrl +x
WE ARE NOW TRICKING THE BINARY INTO THINKING IT IS TALKING TO ITS HOMEBASE SERVER
basically also what inetsim does
We make use of Netcat to interact with that open socket (8443) - on REMnux
-
we were able to start up a reverse shell connection, but it kept dropping the connection
WHY?
because this is an HTTPS connection (8443) and I do not have a certificate that will make the connection to take place.
Alternative?
Try Bind Shell Instead
CyberChef → From: GZip → To : Base64
Alter the last statement from reverse → bind
Copy the new hash, include in the powershell.exe -nop … script
Open PowerShell (as Administrator) run the whole powershell.exe -nop script with the new edited hash included.
Lastly, we see a TCP successful connection when Binary is detonated
