MD5 – 60d7e7d1522a81917dde26bb9b5f4260
SHA256 – 9017dc9b43b1e8442dd4d423bec02820fde2a0efef05dc81926762e0ff8f263c
I took a quick look at Malshare today and saw this interesting file named example.exe and I decided to analyze it. Let’s start with some static analysis.
On Malshare, it was reported to have a UPX Packer YARA hit. I took a look at it in Exeinfo PE, and it seems to report UPX, but it doesn't state the version.
I decided to also analyze it using Detect It Easy 2.03 to see if it had anything different to show. According to DIE, it’s packed using UPX version 3.91.
So I managed to unpack it using UPX v3.95.
Now that the executable is unpacked, let's take a look at the strings. There were an extensive number of strings. Something to note, though, was the number of mentions of AutoIt. AutoIt is a scripting language typically used to automate GUI actions, but it can also be used to write basic scripts.
I then tried opening this executable in PE Studio, but it kept crashing while analyzing it, so I used CFF Explorer instead.
We can see that this executable was compiled with Microsoft Visual C++ 8 and that it's a 32-bit executable.
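As an added example (not code from the original post), a small PE header reader that pulls the same two facts the tools above reported: the Machine field (32-bit vs 64-bit) and the section names, which UPX leaves as UPX0/UPX1 by default. The PE image it parses is a constructed minimal stub, not the sample; section names are a heuristic, since they can be edited after packing.

```python
import struct

# Constructed minimal PE image (not the sample from the post): DOS header, PE
# signature, COFF file header and a section table. Only the fields the parser
# reads are meaningful; the rest is zero padding.
def build_fake_pe(section_names, machine=0x14C):
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections

def pe_summary(data):
    """Return (bitness description, list of section names) for a PE byte string."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # IMAGE_SECTION_HEADER.Name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    bits = {0x14C: "32-bit (i386)", 0x8664: "64-bit (x86-64)"}.get(machine, hex(machine))
    return bits, names

def looks_upx_packed(section_names):
    # Heuristic only: UPX names its sections UPX0/UPX1 by default, but the
    # names can be renamed after packing, which is why packer detectors also
    # match on the unpacking stub's code rather than names alone.
    return any(n.startswith("UPX") for n in section_names)

if __name__ == "__main__":
    sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    bits, names = pe_summary(sample)
    print(bits, names, "UPX-like" if looks_upx_packed(names) else "not UPX-like")
```

To run it against a real file, pass `open(path, "rb").read()` to `pe_summary` instead of the constructed stub.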
Now that we have some basic information about this executable, let’s run it and see what happens. The tools I’m using are as follows:
- FakeNet – answers any outbound calls that the malware might make
- ProcMon – captures each action the executable makes
- Regshot – captures any registry changes and files added
- ProcDot – takes the captured actions from ProcMon and graphs them
Upon running the executable, I immediately got this AutoIt error.
From the packets as well as what I see in the task list, it looks like it tries to ping outbound and connect somewhere. It looks like it then spawns a couple of rundll32.exe processes which then spawn a number of shell32.exe processes. Let’s try running it with some network connectivity.
I utilized the Any.Run sandbox environment to take a look at the networking information. There seem to be a couple of things occurring here.
First, the program pings outbound to make sure it’s able to connect outbound. It then seemingly acquires some certs from 18.104.22.168 and 22.214.171.124.
It looks like the malware also acquires two more executables. Example2.exe was grabbed from 126.96.36.199 and example3.exe was grabbed from 188.8.131.52. I grabbed these executables for further analysis. It seems like the original example.exe was simply a downloader.
MD5 – 7b0dfa51dc847dab847b141334cea536
SHA256 – 7c0ed0a86835e8b7d260c27104dd4436a3495f2b2aca5d8053cc8badb73a34c8
This was a strange executable. As we can see below, there’s a mention of base_library.zip as well as some file extensions. From the strings, I wasn’t quite sure what this executable did.
After a bit of research, I believe this could be a modified version of the Trojan.Seaduke virus or something very similar.
Below are the files that are created by the Trojan. Most of these are the same as, if not very similar to, the files created by this example2.exe.
Below are the RegShot results of files added on my Sandbox machine.
I performed a Wireshark trace while running the malware from my sandbox. An IP address that stuck out to me was 184.108.40.206. I then took a look at this using PassiveTotal.
In PassiveTotal I noticed a large number of hashes from HybridAnalysis from very recently, including today.
I followed the full TCP stream and noticed the very strange GET requests and the Microsoft Crypto API User-Agent, which could indicate a proxy server.
I also found another interesting IP address at 220.127.116.11, and it seems to be a bit busier according to PassiveTotal.
Note that the URLs there, like wireshark.org, are actually spelled with an L, like wlreshark.org.
Here's a bit of the TCP stream from that IP.
So it looks like this piece of malware creates a backdoor to a C&C server or perhaps multiple C&C servers and grabs some certs.
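As an added example, not part of the original post: a small detection pass over constructed proxy log lines that flags hostnames differing from a watchlist of legitimate domains only by common homoglyph swaps (the wlreshark.org versus wireshark.org pattern noted above) and records the User-Agent alongside each hit so a Crypto API style client can be spotted at the same time. The log format, the watchlist and the user-agent strings are constructed assumptions, not values from the capture.

```python
import re

# Constructed proxy log lines (not the post's capture): time, client, user agent, URL.
SAMPLE_LOG = """\
2019-06-01T10:00:01 10.0.0.5 "Microsoft-CryptoAPI/10.0" http://wlreshark.org/cert.crt
2019-06-01T10:00:02 10.0.0.5 "Mozilla/5.0" http://wireshark.org/download.html
2019-06-01T10:00:03 10.0.0.7 "Microsoft-CryptoAPI/10.0" http://g00gle.com/ocsp
2019-06-01T10:00:04 10.0.0.9 "curl/7.64.0" http://example.org/
"""

# Assumed watchlist of legitimate domains; observed hostnames are compared against these.
WATCHLIST = {"wireshark.org", "google.com", "microsoft.com"}

# Substitutions that yield visually similar hostnames. Multi-character pairs
# come first so "rn" is folded to "m" before the single-letter "l" rule runs.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("5", "s")]

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" https?://([^/\s]+)')

def normalize(host):
    """Fold homoglyphs so a lookalike and its target collapse to one string."""
    h = host.lower()
    for fake, real in HOMOGLYPHS:
        h = h.replace(fake, real)
    return h

def lookalike_target(host, watchlist=WATCHLIST):
    """Return the watchlisted domain `host` imitates, or None if it is genuine or unrelated."""
    if host in watchlist:
        return None  # the real domain is never a lookalike of itself
    folded = normalize(host)
    for legit in watchlist:
        if folded == normalize(legit):
            return legit
    return None

def scan_proxy_log(text, watchlist=WATCHLIST):
    """Return (client, host, imitated domain, user agent) for every lookalike hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, ua, host = m.groups()
        target = lookalike_target(host, watchlist)
        if target:
            hits.append((client, host, target, ua))
    return hits
```

Running `scan_proxy_log(SAMPLE_LOG)` on the constructed lines returns two hits, wlreshark.org and g00gle.com, while the genuine wireshark.org request and the unrelated example.org request are left alone.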
This leads us to the executable example3.exe.
MD5 – 031371044f0270ef380cd1e8e7251280
SHA256 – f7e7bbd0ef20a1e55dc764191b16e818a7b56e7c3d7bb6402bdadbc7f03c757b
This was rather easy to understand as soon as it was opened in PE Studio. It's an XMRig CPU miner, which is a very popular attack currently. At least it seems that way from the number of XMRig attacks I see on ThreatCloud's Live Map.
I was unable to find any configuration file for this executable. I tried running it standalone but it needs information for things like username and password for the mining pool as well as possibly a wallet address.
My guess would be that the attackers manually set that information through their C&C servers so as to spread out their funds between multiple wallets and avoid detection. I might revisit this malware next weekend to see if I can find any sort of config file.
For now, at least we understand the behavior of this malware. Below is the flow for a quick tl;dr.
- Malware is executed
- Creates multiple processes to connect outbound
- Downloads multiple executables and certificates
- Executable 2 establishes a backdoor and connects to one or more C&C servers
- Executable 2 downloads certificates
- Executable 3 uses a config file created by attackers to mine XMR crypto