SHA256 Hash: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
I searched the daily list of MalShare.com and pulled a random hash for investigation today, downloaded through my REMnux box and then used a Python web server to pull it onto my Windows box, since my windows vm has no internet connection.
I renamed the file (which was just named after the SHA256 hash) to m2.exe. I imported this into PEiD and received a "Nothing Found *" message, which indicates it could be obfuscated.
Next I imported this into peStudio, and one of the indicators (IOCs) it highlights is the import of the winhttp.dll library along with HTTP-related function calls.
Further metadata about the file reveals the file is trying to mask itself as being from the Intel Corporation:
My current suspicion is that this is a trojan dropper. Like the sample in our Malware Analysis #1, it already contains some code of its own and will try to call home to fetch further code that can be executed via ShellExecute. Once again, all traffic is routed through my REMnux box, so it will never actually be able to call home.
I tried loading the file into dotPeek but it is unable to do anything with it.
I have my REMnux box fired up and ready to monitor calls. On Windows I fired up Procmon and Process Hacker. I also used Regshot to take a "before" snapshot of the registry.
After running it, it took over a minute before I noticed any activity. Eventually a new folder named PS_Transcripts appeared on the desktop and inside was a file with this in it:
It copied the original file to C:\ProgramData\SystemData\igfxCUIService.exe, so it is trying to pass itself off as a genuine Intel graphics executable. It then spawns a new process from this copy, igfxCUIService.exe, instead of my original m2.exe. Periodically I see a child process for PowerShell or cmd.exe appear in Process Hacker that turns red for about 5 seconds and then disappears:
In the new SystemData folder there is a new file named microsoft_Windows.dll that is only 1 KB. I've noticed some TLS connections in Wireshark to drive.google.com. I cannot prove at this time that it is this process making them, but I have nothing else on the computer that would need to connect to Google Drive.
Every two minutes or so a new file drops in the PS_Transcripts folder. It seems to be collecting data about my machine, such as wmic output and environment variables, into temp files for exfiltration. I'm watching the SystemData folder in an open Explorer window and the temp files never seem to actually appear. My guess is that they are dropped there for a second, exfiltrated, and then deleted.
It’s been probably 10 minutes. I decided to kill the process in Process Hacker and I waited another minute just to see if it would try to auto-launch itself back up or not. So far it appears it is down. The calls to drive.google.com have stopped since killing the application as well.
I sent my Wireshark PCAP file over to the Windows box along with the Procmon file (be sure to change some of the settings before exporting to CSV; see the README.md for Procmon for more info). Walking through the Procmon log:
- m2.exe creates new thread (2376) and writes data to file in C:\Windows\rescache
- Like in Malware Analysis #1, this thread sets a bunch of registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap relating to Internet Options
- It sets an autostart registry key to powershell.exe
- Several PowerShell.exe processes appear, each running something different
- One creates a PowerShell script file in the %TEMP% folder
- Another creates the first log file I saw and then sets the Internet Settings keys again in the registry before cloning itself to igfxCUIService.exe, which we also saw.
- igfxCUIService.exe just continually creates new PowerShell scripts, spawns powershell.exe, runs the script, deletes the script and usually dumps some sort of temp file in the SystemData folder, which also gets deleted shortly after.
- It does create the microsoft_Windows.dll file as well
- It finally spawns a cmd.exe that creates an autostart registry key for igfxCUIService.exe
- Interestingly, it tries sending traffic to win1710.ipv6.microsoft.com:443
- svchost.exe does a bunch of queries on stuff related to the original m2.exe file
- System.exe is also shown sending data to the same microsoft address.
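The behaviours in the list above (binaries written under C:\ProgramData, a PowerShell script in %TEMP%, the dropped copy spawning shells, and the autostart key) are exactly what a triage pass over the Procmon CSV export should flag. The following is an added example and not code from the post: it parses a constructed Procmon CSV (default column set; PIDs, timestamps, the analyst username, the script name and the exact Run key are made up) and links the dropped binary to the shells it later spawns.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, List

# Constructed Procmon CSV export modelled on the post's findings (not a real capture).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0 AM","m2.exe","2376","CreateFile","C:\Windows\rescache\rc0001\cache.dat","SUCCESS","Desired Access: Generic Write"
"10:01:03.0 AM","m2.exe","2376","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:04.0 AM","powershell.exe","2200","CreateFile","C:\Users\analyst\AppData\Local\Temp\s1x9.ps1","SUCCESS","Desired Access: Generic Write"
"10:01:05.0 AM","powershell.exe","2200","CreateFile","C:\ProgramData\SystemData\igfxCUIService.exe","SUCCESS","Desired Access: Generic Write"
"10:01:06.0 AM","igfxCUIService.exe","2400","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 2500"
"10:01:07.0 AM","powershell.exe","2500","CreateFile","C:\ProgramData\SystemData\sysinfo.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:08.0 AM","igfxCUIService.exe","2400","CreateFile","C:\ProgramData\SystemData\microsoft_Windows.dll","SUCCESS","Desired Access: Generic Write"
"10:01:09.0 AM","cmd.exe","2600","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxCUIService","SUCCESS","Type: REG_SZ, Length: 86, Data: C:\ProgramData\SystemData\igfxCUIService.exe"
"10:01:10.0 AM","svchost.exe","900","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\m2.exe","NAME NOT FOUND",""
'''

# Patterns for the behaviours described in the post.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
INTERNET_SETTINGS = re.compile(r"\\Internet Settings\\ZoneMap", re.IGNORECASE)
PROGRAMDATA_BINARY = re.compile(r"^C:\\ProgramData\\.*\.(exe|dll)$", re.IGNORECASE)
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\]+\.ps1$", re.IGNORECASE)
SHELL_IMAGE = re.compile(r"\\(powershell|cmd)\.exe$", re.IGNORECASE)


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Walk a Procmon CSV export in order and emit one finding per suspicious row."""
    findings: List[Dict[str, str]] = []
    dropped = set()  # basenames of binaries written under ProgramData, seen so far

    def hit(rule: str, row: Dict[str, str]) -> None:
        findings.append({"rule": rule, "process": row["Process Name"],
                         "pid": row["PID"], "path": row["Path"]})

    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and AUTOSTART_KEY.search(path):
            hit("autostart_key_set", row)                 # persistence
        elif op == "RegSetValue" and INTERNET_SETTINGS.search(path):
            hit("internet_settings_tamper", row)          # ZoneMap changes
        elif op == "CreateFile" and "Generic Write" in detail:
            if PROGRAMDATA_BINARY.search(path):
                hit("binary_dropped_in_programdata", row)
                dropped.add(path.rsplit("\\", 1)[-1].lower())
            elif TEMP_SCRIPT.search(path):
                hit("script_written_to_temp", row)
        elif (op == "Process Create" and SHELL_IMAGE.search(path)
              and row["Process Name"].lower() in dropped):
            # For Process Create rows the Process Name is the parent and Path is the child image.
            hit("dropped_binary_spawns_shell", row)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, which is what you want to glance at first."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCMON_CSV):
        print(f"{f['rule']:32} {f['process']:20} {f['pid']:>5}  {f['path']}")
    print(summarize(triage(SAMPLE_PROCMON_CSV)))
```

The temp file sysinfo.tmp deliberately does not fire the ProgramData rule (it is not an executable), and the svchost.exe query is left alone; the point is to surface the dropper chain, not every event under ProgramData. On a real export, filter the CSV to the PIDs of interest first, since Procmon logs from a full run are large.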
I finally decided to search the hash here on VirusTotal, and found the community is referring to this as SysJoker. One step I missed was monitoring memory. The application was writing those temp files and then keeping their contents in memory, which is why it could write, read and delete them so quickly.
Also inside the binary was a hardcoded XOR key which would have allowed me to decode the exact endpoint it was trying to reach. It was in fact trying to reach Google Drive in order to download a file that contained the IP of the C2 server. It was also programmed to wait a random 90-120 seconds before its next command, which matches the spacing I noticed between the log files.
Since my internet was proxied and the sample could not actually reach its endpoint, I found a fantastic article that shows the further steps, along with the XOR key and more, here.
When they performed their analysis, the malware appeared to be lying dormant and had not actually been issued any commands by the C2 server. The server had the ability to receive a callback reporting whether the executed commands were successful or not. This malware also has Linux and macOS variants, where it is virtually undetectable by virus scanners.
After browsing through that link, I opened the igfxCUIService.exe file with CFF Explorer and found the XOR key and path:
To get the encoded strings over to my Linux box to decode, I exported the ASCII to a text file and then used the following command:
pscp C:\ProgramData\SystemData\xor.txt [email protected]:/home/remnux/Downloads/xor.txt
I did this for both files, then booted up CyberChef to perform the operation:
The string was originally base64 (the == padding at the end is usually a giveaway). Decoding this first, and then performing the XOR operation with the key, reveals the Google Drive link!
Downloading the file through curl, I received another base64 string that I popped into CyberChef and got the following JSON:
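The two CyberChef steps above (From Base64, then XOR with the key, and for the downloaded file From Base64 into JSON) as a script, so the same recipe can be re-run on other strings pulled from the binary. This is an added example and not code from the post or from any SysJoker analysis: the key, the Drive URL and the JSON field name are constructed stand-ins, and the real key and encoded blob from the binary are not reproduced.

```python
import base64
import json
import re

# Constructed stand-ins (hypothetical); the real SysJoker key and blob are not reproduced here.
SAMPLE_KEY = b"example-key"
SAMPLE_URL = "https://drive.google.com/uc?id=EXAMPLE_FILE_ID"

B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(s: str) -> bool:
    """The '==' tail is a hint, not proof: also check the alphabet and the 4-byte grouping."""
    s = "".join(s.split())
    return bool(B64_SHAPE.match(s)) and len(s) % 4 == 0


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(plaintext: str, key: bytes) -> str:
    """Build a blob in the same shape as the one found in the binary: XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext.encode("utf-8"), key)).decode("ascii")


def decode_config(blob: str, key: bytes) -> str:
    """CyberChef recipe as code: From Base64 -> XOR (key) -> text.
    With the wrong key this returns garbage rather than raising, so callers can
    test candidate keys and look for something URL-shaped."""
    if not looks_like_base64(blob):
        raise ValueError("input does not look like base64")
    raw = base64.b64decode("".join(blob.split()), validate=True)
    return xor_bytes(raw, key).decode("utf-8", errors="replace")


def parse_stage2(b64_json: str) -> dict:
    """Second step from the post: the file fetched from Drive was base64 wrapping JSON."""
    return json.loads(base64.b64decode("".join(b64_json.split()), validate=True))


# Constructed stage-2 payload (field name is made up; the post does not give the JSON layout).
SAMPLE_STAGE2_B64 = base64.b64encode(json.dumps({"c2": "http://c2.invalid"}).encode()).decode()


if __name__ == "__main__":
    blob = encode_config(SAMPLE_URL, SAMPLE_KEY)
    print("blob from binary :", blob)
    print("decoded          :", decode_config(blob, SAMPLE_KEY))
    print("wrong key        :", decode_config(blob, b"wrong-key")[:20], "...")
    print("stage 2          :", parse_stage2(SAMPLE_STAGE2_B64))
```

The order matters: base64 is the outer layer here, so decoding it first and then XORing is correct, and doing it the other way round just produces noise. The wrong-key path is kept deliberately, because when the key is not obvious in the binary, trying candidates and checking for a readable URL is the practical approach.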
The domain is registered, however I receive a 500 error for GET or POST requests.
If we try a PUT request, we get a Laravel error message:
So now we know this C2 server is running Laravel (PHP) to listen for requests.
I tried sending a POST with JSON containing a fake MAC address, IP, AV and OS to see if it would respond, but it still hangs on a 500 error, so there appears to be a misconfiguration and it isn't going to respond at all.
I've done more research into Volatility and dumping memory from VirtualBox, and I will try to use that in a future malware analysis. I also need to figure out whether I can allow certain domains as a pass-through on my Linux box. That way, in this case, the malware could reach drive.google.com but would still be unable to proceed and contact the C2 server.