Malware.unknown.exe.Malz
Static Analysis
Strings -
Floss.exe <malware name>

Interesting strings -
HttpRequestError
httpclient.nim
newConnection
ProtocolError
@HTTP/
@Proxy-Authorization: basic
@Connection: Keep-Alive
@Connection
@Host:
@Host
@ HTTP/1.1
@User-Agent
@user-agent
@tables.nim(1144, 13) `len(t) == L` the length of the table changed while iterating over it
@Content-Length
@Nim httpclient/1.6.2
@Desktop\cosmo.jpeg
The httpclient.nim and Nim httpclient/1.6.2 strings show that this malware is written in Nim. Now opening the file in PEview.

It is also a 32-bit executable.

The sections' virtual size and size of raw data are not the same, so this is a packed executable.

The lack of an import address table confirms that the malware is a packed executable. Now opening the file in pestudio.

pestudio flags 5 suspicious imports in the malware.

Now we move onto dynamic analysis.
Dynamic Analysis
The malware sends a DNS request for hey.youup.local.

The malware then continually makes HTTP requests to that domain.

Maybe the malware is trying to exfiltrate data. Now we use TCPView to get host-based network indicators.

The malware is making a lot of connections to that domain. Now using Procmon, adding some filters.

We get a list of processes created by the malware.

We turn off INetSim and start fakedns:
sudo fakedns

We get DNS requests for [*].cosmosfurbootsemporium.local.
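The two DNS behaviours noted above (a lookup of the fixed host hey.youup.local, then a stream of varying subdomains under cosmosfurbootsemporium.local) are the kind of thing a resolver log can be checked for after the fact. The following is an added example, not part of the original notes or of fakedns; the log format it parses ("<time> <client> <query name>") and the sample lines are constructed for the example, and the fan-out threshold is an assumed value. It counts hits on the known domains and flags any parent domain that a single client queries under many distinct subdomains.

```python
from collections import defaultdict

# Indicators taken from the dynamic analysis notes above.
KNOWN_DOMAINS = {"hey.youup.local", "cosmosfurbootsemporium.local"}

# Constructed sample log, "<time> <client> <query name>" per line.
# This is not fakedns's own output format.
SAMPLE_LOG = """\
10:00:01 192.168.56.20 hey.youup.local
10:00:02 192.168.56.20 hey.youup.local
10:00:02 192.168.56.20 hey.youup.local
10:00:05 192.168.56.20 a1f9.cosmosfurbootsemporium.local
10:00:05 192.168.56.20 b7c2.cosmosfurbootsemporium.local
10:00:06 192.168.56.20 c03e.cosmosfurbootsemporium.local
10:00:06 192.168.56.20 d4aa.cosmosfurbootsemporium.local
10:00:07 192.168.56.20 e915.cosmosfurbootsemporium.local
10:00:09 192.168.56.21 www.example.com
10:00:10 192.168.56.21 mail.example.com
"""


def parse_queries(text):
    """Yield (client, qname) per well-formed line; qname lowercased, trailing dot dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _, client, qname = parts
        yield client, qname.lower().rstrip(".")


def parent_domain(qname, labels=2):
    """Last `labels` labels of a name; a rough stand-in for the registered domain."""
    return ".".join(qname.split(".")[-labels:])


def analyse(text, fanout_threshold=4):
    """Return known-domain hit counts per (client, domain) and subdomain fan-out.

    fanout lists (client, parent) pairs where the client queried at least
    `fanout_threshold` distinct names under that parent (the [*].<domain>
    pattern seen above). The threshold is an assumed value.
    """
    known_hits = defaultdict(int)
    subdomains = defaultdict(set)
    for client, qname in parse_queries(text):
        for known in KNOWN_DOMAINS:
            if qname == known or qname.endswith("." + known):
                known_hits[(client, known)] += 1
        subdomains[(client, parent_domain(qname))].add(qname)
    fanout = {
        key: len(names)
        for key, names in subdomains.items()
        if len(names) >= fanout_threshold
    }
    return {"known_hits": dict(known_hits), "fanout": fanout}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for (client, domain), count in result["known_hits"].items():
        print(f"{client} queried known domain {domain} {count} time(s)")
    for (client, parent), count in result["fanout"].items():
        print(f"{client} queried {count} distinct names under {parent}")
```

The exact-match branch catches the kill-switch lookup; the fan-out branch catches the subdomain stream even if the parent domain were not already on the indicator list.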
Conclusion

YARA rule -
rule malware_unknown {
    meta:
        description = "Detects the Malware.Unknown.exe provided as part of the PMAT course"
        md5 = "812a7c7eb9d7a4332b9e166aa09284d7"
        sha1 = "ec0d565afe635c2c7863b2a05df8a49c58b703a3"
        filename = "Malware.unknown.exe.malz"
        author = "Dirk F."
        Block = true
        Log = true
        Quarantine = false
    strings:
        $malware_user_agent = "httpclient/1.6.2"
        // a backslash must be escaped inside a YARA text string
        $malware_exfil_file = "Desktop\\cosmo.jpeg"
        $malware_kill_switch_url = "hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw"
        $malware_exfil_domain = "@.BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB"
    condition:
        // "MZ" DOS header check; IsPeFile is not a YARA built-in
        uint16(0) == 0x5A4D and
        all of ($malware*)
}
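The kill-switch and exfil-domain strings in the rule are the domains seen during dynamic analysis with one padding character inserted at every other position ("w" after each character of the URL, "B" before each character of the domain). The following added example, which is not from the original notes, strips that padding and checks the result against the observed domains. It assumes the leading "@." on the domain string is a string-header artifact, like the "@" that floss shows in front of the other Nim strings above, rather than part of the indicator.

```python
# Strings copied from the YARA rule above.
YARA_STRINGS = {
    "malware_kill_switch_url": "hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw",
    "malware_exfil_domain": "@.BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB",
}

# Domains observed in the dynamic analysis notes above.
OBSERVED_DOMAINS = {"hey.youup.local", "cosmosfurbootsemporium.local"}


def strip_interleaved_padding(s: str) -> str:
    """Remove a constant padding character that sits at every other position.

    Handles both layouts: padding after each real character (h w t w ...)
    and padding before each real character (B c B o ...). Short strings
    and strings whose alternating positions are not one repeated character
    are returned unchanged.
    """
    if len(s) < 8:
        return s
    for pad_offset in (0, 1):
        padding = set(s[pad_offset::2])
        if len(padding) == 1:
            return s[1 - pad_offset::2]
    return s


def recover_indicators() -> dict:
    """Return {rule_string_name: recovered plain-text indicator}."""
    recovered = {}
    for name, value in YARA_STRINGS.items():
        # Assumption: the leading "@." is a string-header artifact, not data.
        if value.startswith("@."):
            value = value[2:]
        recovered[name] = strip_interleaved_padding(value)
    return recovered


def matches_observed(recovered: dict) -> bool:
    """True if every domain seen in dynamic analysis appears in a recovered indicator."""
    return all(
        any(domain in value for value in recovered.values())
        for domain in OBSERVED_DOMAINS
    )


if __name__ == "__main__":
    indicators = recover_indicators()
    for name, value in indicators.items():
        print(f"{name}: {value}")
    print("consistent with dynamic analysis:", matches_observed(indicators))
```

Keeping the padded form in the rule is what makes it match the binary, since that is how the strings are stored; the recovered forms are what go into network block lists and DNS detections.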