From the Zero to Malware Discovery
Hello people, I had some free time and decided to do an analysis using some of the tools I covered in my last post, Tools.
I'll start with static analysis, so the first thing I do is run the file command on Linux; it's really useful for identifying the actual format of a file.
Another Linux command I like to use is exiftool. It normally gives me information such as the access and modification dates, the extension and the file type (you can see that this confirms the first check I did with the file command).
Below, using DIE (Detect It Easy), we can find out more about the sample: how it was compiled (Microsoft Visual Studio 2022), the language (C++), the architecture (AMD64, 64-bit mode) and the file size (1.02 MB).
Could I put this in a sandbox and get a report? Yes, but the big problem is that some malware has features to detect a sandbox, a virtual machine or anything similar. That's why I'm doing everything manually with several tools.
Now let's use PE-Bear. Executable/binary files are usually divided into sections: .text (executable code), .data (data) and .rdata (resources). PE-Bear shows more sections, which can be useful during an investigation.
I like to use PE-Bear because it gives a lot of information: Headers, Sections, Disasm (disassembly), Strings, Imports, etc. We can also collect the file hashes (MD5, SHA1 and SHA256) to use in security tools for eradication and prevention.
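What file, DIE and PE-Bear read out of the headers can be reproduced by hand. The script below is an added example written for this post, not code from the post or from any of the tools named; it builds a tiny constructed PE32+ image in memory (the real sample is not included), then parses the DOS header, the PE signature, the COFF header (machine type, compile timestamp), the optional-header magic (PE32 vs PE32+) and the section table, and computes the MD5/SHA1/SHA256 hashes you would feed to your security tools.

```python
"""Minimal PE triage in pure Python: the header facts that file, DIE and
PE-Bear display. The image built here is constructed for the example and
is not a runnable program, nor the sample analysed in the post."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe(timestamp=1700000000, machine=0x8664):
    """Constructed PE32+ skeleton: DOS header, 'PE\\0\\0', COFF header,
    a zeroed optional header and a three-entry section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    sections = [
        (b".text", 0x1000, 0x1000, 0x60000020),   # code, execute | read
        (b".rdata", 0x0800, 0x0800, 0x40000040),  # initialised data, read
        (b".data", 0x0400, 0x0200, 0xC0000040),   # initialised data, read | write
    ]
    opt_size = 240
    coff = struct.pack("<HHIIIHH", machine, len(sections), timestamp, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (opt_size - 2)  # magic, rest zeroed
    table = b""
    for name, vsize, rawsize, chars in sections:
        table += name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_pe(data):
    """Return the header facts a triage tool shows; ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, _, rawsize, _, _, _, _, _, sec_chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({
            "name": name,
            "virtual_size": vsize,
            "raw_size": rawsize,
            # writable AND executable sections are a classic packer/unpacker tell
            "executable": bool(sec_chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(sec_chars & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": MAGIC_NAMES.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def file_hashes(data):
    """The three digests usually shared as IoCs."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    image = build_sample_pe()
    info = parse_pe(image)
    print(info["format"], info["machine"], "compiled", info["compiled"])
    for sec in info["sections"]:
        print(f"  {sec['name']:<8} vsize={sec['virtual_size']:#x} raw={sec['raw_size']:#x}"
              f" X={sec['executable']} W={sec['writable']}")
    for algo, digest in file_hashes(image).items():
        print(f"{algo}: {digest}")
```

Point it at a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`; the compile timestamp is worth comparing with exiftool's output, since a timestamp far in the future or the past is itself a hint that the header was tampered with.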
This window displays all strings (sequences of characters) found in the PE file. Strings can include:
A PowerShell command line identified through the PE-Bear Strings tab.
Explaining the command found above:
Get-WmiObject Win32_Shadowcopy: retrieves information about the shadow copies on the system. Shadow copies are automatic or point-in-time backups of files and folders in Windows, typically used for data recovery.
Remove-WmiObject: removes the objects returned by the previous query (Get-WmiObject), meaning it deletes the shadow copies.
So the full command:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
will look for all shadow copies (automatic backups of the system) on the computer and delete them, removing those shadow copies from the system.
Continuing the analysis, in the image below we can identify a file extension and a message; in other words, we can see precious information that will help to discover the possible purpose of the file.
After finding this text, I exported all the strings in the binary:
File > From all loaded > Export strings to.
I chose a folder for the TXT file (in my case, the Downloads folder).
Here we can see the TXT file created with all the strings identified inside the binary.
When I opened this file and searched for the same text I had found with PE-Bear, I identified the extension (.akira) used by the file. After that I did a simple search on the word akira, and there were many articles from many vendors talking about this malware (now we have confirmed this is ransomware).
Above in the text we can find .akira (the extension) and the message left by the group when they have succeeded in hitting a target. The group leaves instructions on how to make contact to try to recover the encrypted data, etc.
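The Strings tab and the exported TXT are doing two things: pulling printable runs (ASCII and UTF-16LE, which is how Windows stores most of its text) out of the bytes, and leaving it to the analyst to spot the interesting ones. The script below is an added example, not code from the post or from PE-Bear; it extracts both string families from a constructed byte blob (not bytes from the real sample) and then flags the two findings the post made, the WMI shadow-copy deletion command and the .akira extension, plus generic ransom-note wording, so the triage is repeatable on the next sample.

```python
"""String extraction plus indicator matching, the manual Strings-tab
workflow from the post turned into a repeatable check. The blob below is
constructed for the example; it is not data from the analysed sample."""
import re

MIN_LEN = 6
# printable ASCII runs, and printable UTF-16LE runs (each char followed by 0x00)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators taken from what the post found; the labels are this example's own.
INDICATORS = [
    ("shadow_copy_deletion_wmi",
     re.compile(r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I)),
    ("ransom_extension_akira", re.compile(r"\.akira\b", re.I)),
    ("ransom_note_language", re.compile(r"\b(encrypted|decrypt)\b", re.I)),
]


def extract_strings(data):
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def triage_strings(strings):
    """Match each extracted string against the indicator list."""
    hits = []
    for offset, enc, text in strings:
        for label, pattern in INDICATORS:
            if pattern.search(text):
                hits.append({"indicator": label, "offset": offset,
                             "encoding": enc, "string": text})
    return hits


def build_sample_blob():
    """Constructed stand-in for a raw binary / exported string dump:
    control-character filler between an ASCII command line, a UTF-16LE
    extension, an invented note fragment and two harmless import names."""
    filler = bytes(range(0x20)) * 4  # nothing printable in here
    cmd = b'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"\x00'
    ext = ".akira".encode("utf-16le") + b"\x00\x00"
    note = b"Your files have been encrypted. Contact us to recover them.\x00"
    harmless = b"GetProcAddress\x00kernel32.dll\x00"
    return filler + cmd + filler + ext + filler + note + filler + harmless


if __name__ == "__main__":
    blob = build_sample_blob()
    strings = extract_strings(blob)
    print(f"{len(strings)} strings extracted")
    for hit in triage_strings(strings):
        print(f"[{hit['indicator']}] @{hit['offset']:#x} ({hit['encoding']}): {hit['string']}")
```

On a real file, replace `build_sample_blob()` with the file's bytes; the UTF-16LE pass is the one most ad-hoc `strings` runs forget, and it is where extensions and note text often live in Windows binaries.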
Some articles related to this malware for further reading:
Note that so far I have only done static analysis; I didn't need to run the sample to discover all this information and these details about it, which we can now call malware/ransomware.
PEStudio
Now I'll present PEStudio, another tool widely used by malware researchers, incident responders, threat hunters and forensic analysts. With it I'll present another point of view on the same sample, with more information about it.
Note: it's my favorite tool for malware analysis.
Beginning with the side panel on the left, you'll see several topics, each with more information when you click it. Some will have a different color, such as light gray, red, orange or yellow.
Yellow or orange may indicate alerts about suspicious behaviors, such as the lack of a digital signature or unusual function imports.
Red is often used to highlight critical areas, such as the presence of known malicious behaviors or other indications that the file may be dangerous.
Indicators
Here you'll get an overview of the file: hashes (SHA256, MD5), VirusTotal check, libraries, type, size, signature, imports, when it was compiled, whether it is executable or not, and the entropy. In the context of malware, entropy refers to the level of randomness or complexity in the binary content of a file. Malware authors often use techniques like obfuscation, encryption or packing to increase the entropy of a file, making it appear more random and harder to analyze or detect.
Note: High entropy values (typically above 7.5 or 8.0 on a scale from 0 to 8) generally indicate that the file may have been packed, encrypted, or obfuscated.
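The entropy PEStudio reports is Shannon entropy over the bytes, and the threshold in the note above is only meaningful once you see how plain code, zero padding and random-looking data score. The script below is an added example, not code from the post or from PEStudio; it computes the entropy of constructed byte blocks (not data from the real sample), applies the 7.5 threshold from the note, and also computes a per-window profile, which is how a packed or encrypted payload stands out inside an otherwise ordinary file.

```python
"""Shannon entropy for packing/encryption triage. All inputs below are
constructed for the example; none comes from the analysed sample."""
import math
from collections import Counter

PACKED_THRESHOLD = 7.5  # the value used in the note above


def shannon_entropy(data):
    """Bits of information per byte: 0.0 when every byte is the same,
    8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(entropy, threshold=PACKED_THRESHOLD):
    """Label an entropy value the way a triage tool would colour it."""
    return "likely packed/encrypted" if entropy >= threshold else "plain"


def entropy_profile(data, window=256):
    """Entropy of each fixed-size window, so a high-entropy region inside a
    low-entropy file (an embedded encrypted blob) is visible as a spike."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def suspicious_windows(data, window=256, threshold=PACKED_THRESHOLD):
    """Offsets of windows at or above the threshold."""
    return [i * window for i, e in enumerate(entropy_profile(data, window)) if e >= threshold]


# Constructed inputs: English text, zero padding, and a perfectly uniform block
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20
ZEROS = bytes(512)
UNIFORM = bytes(range(256)) * 4  # every byte value exactly four times -> 8.0

if __name__ == "__main__":
    for label, blob in (("text", TEXT), ("zeros", ZEROS), ("uniform", UNIFORM)):
        e = shannon_entropy(blob)
        print(f"{label:<8} entropy={e:.3f}  {classify(e)}")
    mixed = ZEROS + UNIFORM
    print("profile:", [round(e, 2) for e in entropy_profile(mixed)])
    print("suspicious windows at:", suspicious_windows(mixed))
```

A whole-file entropy just under the threshold can still hide a packed section; the per-window profile (or PEStudio's per-section view) is the number to look at when the file-level value is ambiguous.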
VirusTotal
In this tab we can see the report returned by VirusTotal for this sample: of 72 engines, 59 identified this binary as malware (Trojan, Ransomware, malicious, unsafe, etc.).
Could I stop here? Yes, because I confirmed during my static analysis that it's a malicious file. But let's continue a little bit more :).
Libraries
In the Libraries section you can see the libraries used by the malware during execution. One caught my attention: WTSAPI32.dll, an attempt to use some Remote Desktop resource during the malware execution.
Here you'll find more details about it:
Imports
Conclusion
I didn't need to run the file in a sandbox to discover that it was malware or had suspicious behavior. I just needed some tools, a little bit of creativity, patience and a good investigation. If you work as a forensic analyst, incident responder, malware researcher, etc., this kind of approach can be useful one day.
A sandbox is not an absolute truth! Does it help? Yes, but malware authors always find a way to bypass it.
About the tools: I made a post a month ago, Tools.
Enthusiast of all kinds of tech, art and creativity
1 day ago Awesome, bro!
Technical Account Manager at Fortinet
2 weeks Great work, my friend. I used exiftool to solve a problem at a client. Very useful for getting the file's information.
Information Security Specialist | OSEP | OSCP | OSCE | DCPT | eCPPTv2 | eCPTXv2
2 weeks You're killing it ... oh, this belongs in a talk, huh
Threat Intelligence Specialist | OPSEC | Threat Hunting | OSINT | Dark Web Intelligence | Threat Research
2 weeks Very interesting and simple analysis; of course, it is necessary to know what the tools return and what to look at, but analyzing an artifact in a few steps and reporting that it is ransomware in the way demonstrated is useful and accurate.
--
2 weeks Congratulations on the article, Zozi!!!