Malware.unknown.exe.Malz

Static Analysis


Strings -

	Floss.exe <malware name>

Interesting strings-

HttpRequestError
httpclient.nim
newConnection
ProtocolError
@HTTP/
@Proxy-Authorization: basic 
@Connection: Keep-Alive
@Connection
@Host: 
@Host
@ HTTP/1.1
@User-Agent
@user-agent
@tables.nim(1144, 13) `len(t) == L` the length of the table changed while iterating over it
@Content-Length
@Nim httpclient/1.6.2
@Desktop\cosmo.jpeg

This malware is written in Nim. Now opening the file in PEview.

It is also a 32-bit executable.

The virtual size and the size of raw data of the sections are not the same, so this is a packed executable.

The lack of an import address table confirms that the malware is a packed executable. Now opening the file in pestudio.

The malware has 5 suspicious imports.

Now we move onto dynamic analysis.

Dynamic Analysis


The malware sends a DNS request for hey.youup.local.

The malware then continually makes HTTP requests to that domain.

Maybe the malware is trying to exfiltrate data. Now we use TCPView to get host-based network indicators.

The malware is making a lot of connections to the previous domain. Now using Procmon and adding some filters.

We get a list of processes created by the malware.

We turn off INetSim and start FakeDNS.

	sudo fakedns

We get DNS requests for [*].cosmosfurbootsemporium.local

Conclusion


YARA rule -

rule malware_unknown {
    meta:
        description = "Detects the Malware.Unknown.exe provided as part of the PMAT course"
        md5 = "812a7c7eb9d7a4332b9e166aa09284d7"
        sha1 = "ec0d565afe635c2c7863b2a05df8a49c58b703a3"
        filename = "Malware.unknown.exe.malz"
        author = "Dirk F."
        Block = true
        Log = true
        Quarantine = false

    strings:
        $malware_user_agent = "httpclient/1.6.2"
        // backslash must be escaped in a YARA text string
        $malware_exfil_file = "Desktop\\cosmo.jpeg"
        // the sample stores these indicators with a filler character after every real character
        $malware_kill_switch_url = "hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw"
        $malware_exfil_domain = "@.BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB"

    condition:
        // MZ header: YARA has no built-in IsPeFile, so check the first two bytes
        uint16(0) == 0x5A4D and
        all of ($malware*)
}
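
The two obfuscated strings in the rule are the kill-switch URL and the exfil domain with a filler character ('w' and 'B') inserted after every real character; stripping the filler gives hey.youup.local and .cosmosfurbootsemporium.local, which matches the DNS traffic seen in the dynamic analysis. The following is an added example, not code from the course or the notes: it recovers the plaintext indicators from the rule's strings, rebuilds the on-disk form from a plaintext indicator (useful when adding new strings to the rule), and checks the recovered hosts against the observed DNS names. The interleaving scheme is inferred from the strings above, and the "sample" subdomain is a constructed stand-in for the [*] wildcard in the notes.

```python
import re

# Strings as stored in the sample (copied from the YARA rule above).
OBFUSCATED_STRINGS = {
    "kill_switch_url": "hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw",
    "exfil_domain": ".BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB",
}

# DNS names seen with INetSim / FakeDNS. The notes show [*].cosmosfurbootsemporium.local,
# so the leftmost label "sample" is a constructed placeholder.
OBSERVED_DNS = ["hey.youup.local", "sample.cosmosfurbootsemporium.local"]


def filler_char(s):
    """Return the filler character if every odd-index position holds the same
    character (the interleaving pattern), otherwise None."""
    odd = set(s[1::2])
    return odd.pop() if len(s) > 2 and len(odd) == 1 else None


def deobfuscate(s):
    """Drop the interleaved filler; refuse strings that do not follow the pattern."""
    if filler_char(s) is None:
        raise ValueError("not an interleaved string: %r" % s)
    return s[::2]


def obfuscate(plain, filler):
    """Reverse direction: build the on-disk form of a plaintext indicator so it
    can be pasted into the YARA rule as a new $malware_* string."""
    return "".join(c + filler for c in plain)


def host_of(value):
    """Strip a URL scheme and path so only the host part remains."""
    return re.sub(r"^[a-z]+://", "", value).split("/")[0]


def match_dns(observed):
    """Map each recovered indicator to the observed DNS names it explains.
    A host starting with '.' means 'any subdomain of'."""
    hits = {}
    for name, blob in OBFUSCATED_STRINGS.items():
        host = host_of(deobfuscate(blob))
        if host.startswith("."):
            hits[name] = [q for q in observed if q.endswith(host)]
        else:
            hits[name] = [q for q in observed if q == host]
    return hits


if __name__ == "__main__":
    for name, blob in OBFUSCATED_STRINGS.items():
        print(name, "->", deobfuscate(blob))
    print(match_dns(OBSERVED_DNS))
```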
