Today in our journey to save Christmas we’ll be digging into the mysterious executable we found from the memory image yesterday by utilizinf some new (at least to me) tools to try and find clues about the origins and aims of the malware we’re dealing with.
Day 12
What is the architecture of the malware sample?
We’ll start off by doing few quick checks on the malware sample that’s located on the desktop in the Malware Sample
directory. Detect It Easy
is already installed, so we just need to right click and select detect it easy to get the overview information about the executable.
We can see the architecture listed under somewhat unsurprising title Architecture
, so that’s an easy score for us.
What is the packer used in the malware sample?
The sample has been scanned automatically, and in the Scan
box we can see a row named packer.
What is the compiler used to build the malware sample?
Next we’re going to dive into CLI and open up CMD, navigate to the Malware Sample directory and use CAPA
to analyze the file. Since the file has been packed we have to unpacking first, so after using the command upx -d mysterygift
we can proceed. If you happened to run capa before unpacking you get told that the file cannot be analyzed, and you need to remove the mysterygift.viv result file before you can run the analysis again.
When reading the output we can find a row that starts with "compiled with..."
, which would be the answer to this question, all lowercase.
How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
The analysis is quite thorough, and in the output we even get a list of MITRE ATT&CK techniques that the executable makes use of. Looking at the DISCOVERY
tactics we find the answer to our question.
What is the registry key abused by the malware?
Moving into dynamic malware analysis we need to get ready to execute the malware ourselves, but let’s ready ourselves first. ProcMon
is installed on the system, and launching it we are able to add a monitor for the mysterygift.exe executable. Finally we need to rename the executable since it’s missing the .exe
file extension, and then we can simply double click the file to start the infection.
After a while we can start seeing entries populate on ProcMon, and since the first question relates to registry entries we’ll first want to limit the entries to registry only, and since we should be looking for a written value we should look for Operation RegSetValue
, possibly filtering to just those values. Not too many to be seen, so finding the one that creates persistence on the system is pretty easy, just take out the (Default)
from the string.
What is the value written on the registry key based on the previous question?
We can look into the Event Properties
to find the actual data written to the registry key and copy that, since that’s the answer we’re looking for. Don’t forget to include the file extension as well.
What are the names of two files created by the malware under the C:\Users\Administrator\ directory?
Let’s clear our filters and focus on File System Activity
next. We can filter by mysterygift.exe and CreateFile operation to find couple files that we created by the mysterygift.exe process.
What are the two domains wherein malware has initiated a network connection?
Next we’ll focus on network connections, so clear any other filters than the process one if you had any, and enable Show Network Activity
. There are only two domains the malware tried to reach out to, so we got our answer right there.
Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
Finally we’ll make a little jump back to Detect It Easy since now we have a domain to look out for. Make sure you add the file extension if you didn’t close DiE since now the original file no longer exists, and then click on the Strings
button. Quickly filter by the beginning of the longer domain from the last question and only one entry will pop up. That’s our answer, and that’s malware analysis completed!