Note: This challenge write-up is a “blind analysis”, which was written prior to viewing the answer section of this course. I include how I answered questions, if I got it right or wrong, and why as a reflection for further learning. (Contains spoilers!)

Practical Malware Analysis and Triage “Silly Putty” Challenge

This write-up comes from the PMAT course produced by Husky Hacks. At the time of writing, I am about halfway through the course and have found it very valuable from a SOC analyst perspective. It has given me a newfound interest in malware research that I will continue to pursue in the future.

The course is available here with the $30 monthly subscription (TCM Academy All Access Pass)-

https://academy.tcm-sec.com/p/the-all-access-pass?affcode=770707_o6lvcuwx (Affiliate Link)

Challenge Intro

Viewing the challenge info in the GitHub repository (https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/1-3.Challenge-SillyPutty) provides the following scenario-

“Hello Analyst,

The help desk has received a few calls from different IT admins regarding the attached program. They say that they’ve been using this program with no problems until recently. Now, it’s crashing randomly and popping up blue windows when its run. I don’t like the sound of that. Do your thing!

IR Team”

There is also a list of challenge questions that I will be answering as I conduct my analysis. I will also note whether my analysis got each question correct or incorrect.

Basic Static Analysis Questions

I first double-checked my VirtualBox settings to make sure my network adapters were set to “host only”, as this is very important when handling live malware. I then extracted the malware sample (putty.exe) to my desktop and immediately added another extension (putty.exe.mal) to effectively “defang” the malware during static analysis and prevent accidental execution. Using certutil from the command line, I answered the first question:

What is the SHA256 hash of the sample? (Correct)

Method- I used the command “certutil -hashfile putty.exe SHA256”

0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83

What architecture is this binary? (Correct)

Method- I loaded the binary into PE Studio and made the following observations:

Magic Byte: MZ (4D 5A) - Windows/DOS executable file

Architecture: 32-bit executable.

Are there any results from submitting the SHA256 hash to Virus Total? (Correct)

Yes- VirusTotal: 52/66 threat score, trojan, not signed, Copyright © 1997-2021 Simon Tatham, product PuTTY suite (https://www.virustotal.com/gui/file/0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83/details)

Describe the results of pulling the strings from this binary. Record and describe any strings that are potentially interesting. Can any interesting information be extracted from the strings? (This one has no correct answer)

Method- This question was tricky, as pulling strings via FLOSS or strings returned what I believe are strings that would be observed in a legitimate PuTTY executable. Some interesting strings I pulled were:

SSHCONNECTION@putty.projects.tartarus.org-2.0-

Release 0.76

Please contact <putty@projects.tartarus.org> and pass on the above information

Describe the results of inspecting the IAT for this binary. Are there any imports worth noting? Is it likely that this binary is packed? (Incorrect on the packing question, no correct answer for the IAT question)

Packing

Method- For the packing question, I opened the binary in PEView and compared the Virtual Size to the Size of Raw Data field in the IMAGE_SECTION_HEADER for the .text section:

Virtual Size: 614,253 Bytes

Raw Size: 96,000 Bytes (The higher virtual size indicates this binary is packed)

Reflection note- I must have looked at the wrong field by accident to get such a large byte-size difference. When I reviewed this question, the byte sizes differ by only about 200 bytes. Also, there were no headers that would indicate packing was used.
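The hash, architecture and packing checks above can be reproduced offline without PEStudio or PEView. The following is an added example, not code from the write-up or the PMAT course: a minimal PE header reader using only the Python standard library. It computes the SHA256, reads the Machine field from the COFF header, and applies the Virtual Size versus Size of Raw Data comparison from the packing question as a heuristic. The sample image it parses is constructed inline (a made-up PE32 with a .text section, a UPX0-style section, and a .data section) and is not the challenge binary; the 0x1000-byte slack and 2x ratio thresholds are my own choices, picked so that a ~200-byte alignment difference like the one in the reflection note is not reported.

```python
# Added example (not from the write-up): a minimal PE header reader that
# answers the basic-static questions offline: SHA256, machine architecture,
# and the Virtual Size vs Size of Raw Data comparison used as a packing
# heuristic. Standard library only, so it runs without pefile/PEStudio.
import hashlib
import struct

MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)",
                 0x01C4: "ARM (32-bit)", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER layout


def sha256_hex(data: bytes) -> str:
    """Same value that 'certutil -hashfile <file> SHA256' prints."""
    return hashlib.sha256(data).hexdigest()


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    sections = []
    off = opt + opt_size
    for _ in range(nsections):
        name, vsize, _va, rawsize, _rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        off += 40
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "sections": sections}


def packing_suspects(sections, slack=0x1000):
    """Heuristic from the packing question: an executable section whose virtual
    size is far larger than its raw data on disk (e.g. raw size 0) is space
    reserved for an unpacker to fill at runtime. A gap of a few hundred bytes
    is just alignment padding and is deliberately NOT flagged."""
    return [s["name"] for s in sections
            if s["executable"]
            and s["virtual_size"] > s["raw_size"] + slack
            and s["virtual_size"] > 2 * s["raw_size"]]


def build_sample_pe(sections):
    """Constructed minimal PE32 image for demonstration (not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")  # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_HEADER, name, vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, chars)
                     for name, vsize, raw, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# .text is normal (raw and virtual sizes within alignment padding of each other);
# UPX0 mimics a packer stub section: ~600 KiB virtual, 0 bytes on disk;
# .data is large but not executable, so the heuristic leaves it alone.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x11F0, 0x1200, 0x60000020),
    (b"UPX0", 0x96000, 0, 0xE0000080),
    (b".data", 0x10000, 0x200, 0xC0000040),
])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print("SHA256:", sha256_hex(SAMPLE_PE))
    print("Machine:", info["machine"], info["format"])
    for s in info["sections"]:
        print(f"{s['name']:8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x}")
    print("Packing suspects:", packing_suspects(info["sections"]))
```

To run it against a real sample, replace SAMPLE_PE with the bytes read from the defanged file (putty.exe.mal); the parser never executes anything, so it is safe to point at live malware.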

Notable IAT

This question was also difficult due to many libraries being present that also appear in a standard PuTTY executable. However, I did note a few that were interesting and looked into them for the sake of my own knowledge-

ShellExecuteA - Shell32.dll “Performs an operation on a specified file.”

RegEnumValueA - Advapi32.dll “RegEnumValueA is used to enumerate the values for the specified open registry key”

RegQueryValueExA - Advapi32.dll “RegQueryValueExA is used to retrieve the type and data for the specified value name associated with an open registry key.”

RegSetValueExA - Advapi32.dll “RegSetValueExA is used to set a value and type for a given registry key.”

RegSetKeyValueA - Advapi32.dll “RegSetKeyValueA is used to set a value for a given registry key.”

CreateFileA - Kernel32.dll “CreateFileA is used to create a new file or opens an existing file.”

CreatePipe - Kernel32.dll “CreatePipe is used to create an anonymous pipe and returns handles to the read and write ends of the pipe. Could be used to add a sub-process for execution via cmd.”

GetCurrentThread - Kernel32.dll “GetCurrentThread is used to retrieve a handle for the calling thread.”

GetCurrentProcess - Kernel32.dll “GetCurrentProcess is used to retrieve a handle for the current process.”

GetCurrentProcessId - Kernel32.dll “GetCurrentProcessId is used to retrieve the process identifier of the calling process.”

HeapAlloc - Kernel32.dll “HeapAlloc is used to allocate a block of memory from a heap.”

LoadLibraryA - Kernel32.dll “LoadLibraryA is used to load a specified module into the address space of the calling process. Malware commonly uses this to load DLLs dynamically for evasion purposes.”

Dynamic Analysis Questions

Describe initial detonation. Are there any notable occurrences at first detonation? Without internet simulation? With internet simulation? (Correct observations)

With antivirus correctly disabled and INetSim running, a DNS request to “bonus2.corporatebonusapplication.local” was observed, and the binary exited immediately afterwards. This indicates that this domain is possibly a kill switch. Also, upon detonation a PowerShell window was observed that quickly disappears. After the PowerShell window, it appears to be a normal PuTTY application.

With INetSim not running, it was observed that the binary did not exit after execution. A PowerShell window spawned again and a “PS_Transcript” folder was observed being created on the desktop.

From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this? (Correct, PowerShell De-obfuscation was a bonus observation)

It appears that the main payload upon detonation was the PowerShell script. Correlating the PPID shows that PowerShell was listening over port 1190 and attempting to connect to the IP 10.0.0.4. The PowerShell command line was observed in the “PS_Transcript” file and in Process Monitor. Viewing the PowerShell command being executed shows that it contains Base64 encoding. I wrote this encoded string to a PowerShell prompt (I did the PowerShell analysis section prior to this), which gave the following output-

PowerShell payload
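Decoding the command line is the step that turns the Procmon or transcript observation into indicators. The block below is an added example, not the challenge's actual payload or any code from the course: it recovers the script behind a `powershell -EncodedCommand <Base64>` command line (PowerShell expects Base64 over the UTF-16LE text of the script, and accepts any unambiguous prefix of the flag such as `-e` or `-enc`) and then pulls IPv4:port and domain strings out of the decoded text. The sample script and command line are constructed inline, contain only strings that echo the indicators named in this write-up, and do nothing when run; the TLD list in the regex and the helper names are my own choices.

```python
# Added example (not the challenge's own payload): decode a
# 'powershell -EncodedCommand <Base64>' command line as seen in Procmon or a
# PowerShell transcript, then pull network indicators out of the decoded script.
import base64
import re


def _is_encoded_flag(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    t = token.lower()
    return len(t) >= 2 and t.startswith("-e") and "-encodedcommand".startswith(t)


def encode_command(script: str) -> str:
    """Build the argument the way PowerShell expects it: Base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script from a command line captured in Procmon or a transcript."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if _is_encoded_flag(tok):
            b64 = parts[i + 1].strip("\"'")
            b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
            return base64.b64decode(b64).decode("utf-16-le")
    raise ValueError("no -EncodedCommand argument found")


IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Narrow TLD list plus a "not followed by a dot" check keeps .NET namespaces
# such as System.Net.Sockets from being reported as domains.
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:local|com|net|org|io)\b(?![\w.])", re.I)


def extract_indicators(script: str) -> dict:
    """Unique IPv4[:port] and domain strings found in the decoded script."""
    return {"ips": sorted(set(IPV4_PORT.findall(script))),
            "domains": sorted({d.lower() for d in DOMAIN.findall(script)})}


# Constructed sample: only indicator-shaped strings, no real behaviour.
SAMPLE_SCRIPT = (
    "$killswitch = 'bonus2.corporatebonusapplication.local'\n"
    "$callback = '10.0.0.4:8443'\n"
    "Write-Host 'constructed sample script, no real payload'\n"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print(script)
    print(extract_indicators(script))
```

Feeding the decoded output back through decode_encoded_command is worth trying in practice, since staged launchers sometimes nest a second encoded command inside the first; the function raises ValueError when there is nothing further to decode.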

What is the DNS record that is queried at detonation? (Correct)

Method- I had Wireshark running on my REMnux VM, which the analysis VM is connected to:

bonus2.corporatebonusapplication.local

Wireshark

What is the callback port number at detonation? (Correct)

Method- I had this observation while using Wireshark on the Remnux machine.

Source port 1190, destination port 8443

What is the callback protocol at detonation? (Incorrect)

TCP

Reflection note- I believe I answered TCP due to not investigating port 8443 further, thinking it was a random port. However, this port is used for Tomcat SSL and thus uses SSL/TLS.

How can you use host-based telemetry to identify the DNS record, port, and protocol? (Correct)

Wireshark and Procmon

Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn? (Correct-ish)

Method- On my REMnux host I ran the command “netcat -lvnp 8443” and noticed a connection was established. However, it would fail when attempting to execute shell commands.

Reflection note- From this question, I failed to see the reason why the connection would drop when executing commands. This is due to the TLS handshake failing because no X.509 certificate is present.

Takeaways

  1. Do not go down static analysis rabbit holes
  2. From the strings and IAT analysis, I went a little deeper than I should have. The opportunity cost of this provided little. In the future, I will try to realize sooner when an analysis technique is providing little value and move on.
  3. Follow the course hands-on
  4. Using some of the tools, I had to go back and re-watch the videos, even with detailed notes. I realized that practicing the muscle memory of tools/techniques is just as important as taking notes.