Malware and Behavior Analysis – Series Three
A Worm in My Garden
The words malware, virus, and worm are always used to describe some form of cyber malfeasance. Before we go into the analysis of the worm discussed in this article, let us bring some clarity to the lexicon.
Malware: This is short for malicious software. At a technical level, malware is simply software. It is a broad category for harmful code used in attacks and is usually characterized by the intent of its creator. Its subcategories include spyware, viruses, worms, and Trojans.
Worms – Self-replicating malware that duplicates itself to spread to uninfected computers. A worm will often use parts of the operating system that run in the background, unseen by the user. The infection spreads without user interaction, and the worm is usually not spotted until its uncontrolled replication consumes system resources.
Viruses – Malicious code that replicates by copying itself to another program, boot sector, or document and changes the way the computer operates. A virus requires someone to knowingly or unwittingly spread the infection.
Trojan – On the surface a Trojan appears to be a harmless program. Unexpected changes to the computer’s settings are an indication that a Trojan is present. Trojans cannot replicate themselves, nor can they propagate without the user’s assistance, which is why social engineering is so important in getting someone to launch the Trojan.
Spyware – This is software that is installed on a device without the user’s knowledge. Any software can be classified as spyware if it is downloaded without authorization. A Trojan can be considered spyware.
Analysis – Sandbox
Part One –
One of the first things we see in our sandbox report is that the family this worm belongs to is the Jorik Trojan family of malware. When activated, this type of nefarious entity decrypts an auxiliary file contained inside the body of the malware and extracts it to a temporary folder. The extracted program sends a request to the attacker’s server; the reply is usually a configuration file, which the program uses to continue its work.
One of the first signs of trouble we note is that the entity has installed itself to autorun at Windows startup and has created a hidden file. Obviously no good will come of this. Many times we have pontificated that it is imperative to identify patient zero: the entity and the behavior that sets the engine in motion. Look no further than this behavior, as no entity needs to be doing this.
More strange behavior follows which obviously indicates malicious intent – we see:
Below are the registry keys that are modified so the malware can perform these tasks –
The dropped file is listed below:
This is a blatant attempt to gain persistence in the operating system. Particularly interesting is that it attempts to change the setting for hidden files as well as to disable automatic updates. If the operating system is not being monitored, this means no updates will occur. The writers of the worm most likely want this because, when these issues are discovered, they are usually patched quickly through an update.
In the DNS portion of the report we note some odd URL requests that fall outside the norm. What is the norm, you may ask? This is a very good question. Technically, the norm is the baseline established for your system: if you have ninety days of network activity, that data captures what your company, or you yourself, does. It is your “day to day” activity. Anything outside of what is in that data would be considered out of the norm. In this case we see DNS references to something called ns1.musiczipz.com and other similar domain names. This is “odd”, and whatever alert system you are using should pick it up.
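The baseline check described above, worked through in Python as an added example (not code from the article or from any product it mentions). The log lines are constructed stand-ins for a baseline period and for the day the sample ran; the two odd names are the ones the article calls out, and names are collapsed to their registered domain so that ns1.example.com and www.example.com count as one baseline entry.

```python
"""DNS baseline check: anything not seen in the baseline period is out of the norm.
Added example; the log lines are constructed, not taken from the article's report."""
from collections import Counter

# Constructed stand-in for ninety days of normal activity (format: date time host query name).
BASELINE_DNS = """
2024-01-03 09:12:01 WS01 query www.microsoft.com
2024-01-03 09:12:05 WS01 query update.microsoft.com
2024-01-03 09:15:22 WS01 query outlook.office.com
2024-01-04 08:40:10 WS01 query mail.google.com
2024-02-11 13:02:47 WS01 query www.microsoft.com
"""

# Constructed lines from the day the sample ran; the two odd names are those the article mentions.
TODAY_DNS = """
2024-04-02 10:01:03 WS01 query www.microsoft.com
2024-04-02 10:01:09 WS01 query ns1.musiczipz.com
2024-04-02 10:01:11 WS01 query outlook.office.com
2024-04-02 10:01:30 WS01 query ns1.musicmixc.com
2024-04-02 10:02:02 WS01 query mail.google.com
"""


def registered_domain(hostname):
    """Collapse a name to its last two labels so ns1.example.com and www.example.com
    share one baseline entry. Assumption: no multi-part public suffixes (co.uk) appear."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_queries(text):
    """Yield the queried name from each constructed log line."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "query":
            yield parts[4]


def build_baseline(text):
    """Count how often each registered domain appeared during the baseline period."""
    return Counter(registered_domain(name) for name in parse_queries(text))


def out_of_norm(baseline, text):
    """Return the names whose registered domain never appeared in the baseline."""
    return sorted({name for name in parse_queries(text)
                   if registered_domain(name) not in baseline})


if __name__ == "__main__":
    for name in out_of_norm(build_baseline(BASELINE_DNS), TODAY_DNS):
        print("ALERT: first-seen domain", name)
```

On real data the baseline would come from your resolver or firewall logs, but the logic is the same: a first-seen registered domain is the alert, not the raw hostname.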
When a malicious entity begins its work, it must read files. This is fuzzy: many programs read the system files of the operating system, especially during an install, but if your alerts are set up correctly, or you have Cybercrypto watching, you should be able to catch rogue files reading operating system files, as they fall out of the norm. Here we see the initial file that was the malware read AFD as well as CMApi. CMApi, along with DeviceApi, allows a normal user to create arbitrary registry keys in the hive, leading to privilege escalation. Here we see the malware reading the very files that will allow it to do damage.
Under modified files we find something alarming. The Afd device is a symbolic link used for transferring packets to the local network and the internet. Here we see the dropped file modify this symbolic link –
Strings are ASCII or Unicode printable sequences of characters embedded within the malware. In this one there are some bizarre entries. I have listed some interesting strings that were extracted, though why these strings were in the malware is unclear. A deeper dive would most likely help answer this.
This program requires Microsoft DirectX7.
ERacer
welcome to ERACER ...
demonstrating industrial quality 3D using visual basic ...
use arrow keys to steer, space to jump, ctrl to fire ...
use menu buttons to change environment and start combat ...
new fighter arrived ...
Jaguar
new island selected ...
incoming fighters detected, protect station ...
sector clear, no enemy activity reported ...
jumps use up lots of fuel, watch the blue fuel bar ...
station destroyed ...
your fighter doesn't handle well on water, watch the green speed bar ...
fuel tanks filled ...
fighter destroyed ...
out of fuel, return to station immediately ...
station under attack ... damage
cease fire, watch your aim ...
The behavioral analysis report is technical but tells you every little thing that happened at the granular level. It can be downloaded from here.
Below is the network section of the behavioral analysis. We see here the connections to ns1.musicmixc.com and similar domains being attempted along with the API.
Analysis – The Logs
As you know a sandbox is very controlled. Let us now run the same malware in our office and see what alerts we get.
The user at the workstation uses Edge as their web browser. The browser serves as the delivery agent of the malware.
The first sign of the malware shows up in the logs with Event ID 4656 – A handle to an object was requested. We see that the entity was opened using Microsoft Edge. We are alerted to this because we capture items in the Object Name field.
Here is where we see bad things beginning to happen. We alert ourselves to any program using the browser to install itself by making sure that we capture what is going on in the C:\Users\Administrator directory; the same applies to any user’s directory. Therefore, when we see items in this directory reading various DLL files of the operating system, this is of concern; if you are not aware of what is going on, you can safely make the hypothesis that something is being installed. Below we see from the logs some alarming activity. Run fast ---
A) ole32.dll - allows objects created in one application to be embedded in documents/objects by a different application.
B) sechost.dll – host for the SCM/SDDL/LSA lookup APIs. This DLL does exactly what its name says: it serves the Service Control Manager, the Security Descriptor Definition Language, and the Local Security Authority. It is being called from a user’s directory, and nothing good is coming from this. Event ID 4663: an attempt was made to access an object –
C) rpcrt4.dll – Remote Procedure Call API. This is used by Windows applications for network and internet communications. This malicious file obviously has something to say, and it wants to say it. Event ID 4656: A handle to an object was requested.
D) bcryptprimitives.dll – From the Microsoft Windows Cryptographic Primitives Library; it is a general-purpose, software-based cryptographic module. The primitive provider functionality is offered only through this one module. What we have here is an attempt being made to access this object.
E) sortdefault.nls – used for reading the locale of the machine
F) kernelbase.dll – Think of this DLL as part of the heart of the operating system. It contains core processes, loads into memory at startup, and regulates programs and streams. It is a fundamental DLL, and no one in your office should be installing anything that calls it without your authorization. Event ID 4663 – an attempt was made to access an object.
G) windows.storage.dll – This DLL provides classes for managing files, folders, and application settings. If you recall from the sandbox analysis, the malware tries to alter Explorer to prevent hidden files from being displayed. This is one of the DLLs that helps accomplish that task.
In this entry we see something that not only triggers an alert but should be viewed as an alarm. If one maintains a strict sense of discipline, then the alerts that our logging system has given us as shown here should have prompted a visit from the Systems Operator. This one in our humble opinion is your last shot to stop the contagion.
The malware has dropped a file in the currently logged-in user’s directory. We capture a product name as well as the parent (the malware) spawning the new process.
The new file wxyet.exe literally creates handles across the entire operating system. The list is voluminous; with all the handles that are generated, operating system objects are compromised, and the machine becomes a tool of someone else. By the time the malware makes its connections to the following servers:
it is simply too late as the damage is done and you are playing forensics. Anything at this point is possible from exfiltration of data to the malware downloading something else. It is imperative to catch the disease before it spawns out of control. Our alerts are based on handles as well as looking at certain fields for items that are out of the norm.
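The alerting described in this section, the browser handing a handle to a new executable under C:\Users, a process running from a user directory reading the DLLs listed above, and one process opening handles in bulk, as an added Python example (not the article’s or any vendor’s code). The 4656/4663 events are constructed with only the fields the rules key on; the path assumed for wxyet.exe and the burst threshold of 20 handles are assumptions, not values from the article.

```python
"""Field-based alerting over Windows Security events 4656/4663, as the article reads its logs.
Added example; the events are constructed, not copied from the article, and wxyet.exe's path
and the burst threshold are assumptions."""
from collections import Counter

# Objects the article saw a user-directory process read (sortdefault.nls included).
WATCHED_OBJECTS = {"ole32.dll", "sechost.dll", "rpcrt4.dll", "bcryptprimitives.dll",
                   "sortdefault.nls", "kernelbase.dll", "windows.storage.dll"}
BROWSERS = {"msedge.exe"}

# Constructed events carrying only the fields the rules key on.
EVENTS = [
    {"EventID": 4656, "ProcessName": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ObjectName": r"C:\Users\Administrator\Downloads\sample.exe"},
    {"EventID": 4663, "ProcessName": r"C:\Users\Administrator\Downloads\sample.exe",
     "ObjectName": r"C:\Windows\System32\sechost.dll"},
    {"EventID": 4656, "ProcessName": r"C:\Users\Administrator\Downloads\sample.exe",
     "ObjectName": r"C:\Windows\System32\rpcrt4.dll"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe",          # normal system process
     "ObjectName": r"C:\Windows\System32\kernelbase.dll"},
] + [{"EventID": 4656, "ProcessName": r"C:\Users\Administrator\wxyet.exe",   # assumed path
      "ObjectName": rf"C:\Windows\System32\obj{i}.dat"} for i in range(25)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_profile(path):
    return path.lower().startswith("c:\\users\\")


def alerts(events):
    """Return (rule, process, object) for each event matching one of the two field rules."""
    hits = []
    for ev in events:
        if ev["EventID"] not in (4656, 4663):
            continue
        proc, obj = ev["ProcessName"], ev["ObjectName"]
        if basename(proc) in BROWSERS and in_user_profile(obj) and obj.lower().endswith(".exe"):
            hits.append(("browser-opened-executable-in-profile", proc, obj))
        elif in_user_profile(proc) and basename(obj) in WATCHED_OBJECTS:
            hits.append(("profile-process-reads-system-object", proc, obj))
    return hits


def handle_bursts(events, threshold=20):
    """User-profile processes that requested at least `threshold` handles (Event 4656)."""
    counts = Counter(ev["ProcessName"] for ev in events
                     if ev["EventID"] == 4656 and in_user_profile(ev["ProcessName"]))
    return {proc: n for proc, n in counts.items() if n >= threshold}
```

The first rule fires on the Edge event, the second on sechost.dll and rpcrt4.dll, and the burst check singles out wxyet.exe; Explorer reading kernelbase.dll is left alone because the process is not running from a user directory.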
Always keep in mind: malware is software. As software, it has a function and it will interact with the operating system. That means we look for things that are not normal.