Let's start the examination of the malware sample with static analysis. Since static analysis does not execute the malware sample, it can be performed on either the Linux VM or the Windows VM, using the tools and techniques covered in Chapter 2, Static Analysis. We will start by determining the file type and the cryptographic hash. Based on the following output, the malware binary is a 32-bit executable file:
$ file sales.exe
sales.exe: PE32 executable (GUI) Intel 80386, for MS Windows
$ md5sum sales.exe
51d9e2993d203bd43a502a2b1e1193da sales.exe
The ASCII strings extracted from the binary using the strings utility contain references to a set of batch commands, which look like commands to delete files. The strings also show a reference to a batch file (_melt.bat), which indicates that upon execution, the malware probably creates a batch (.bat) file and executes those batch commands. The strings also contain a reference to the RUN registry key; this is interesting because most malware adds an entry in the RUN registry key to persist on the system after a reboot:
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
[....REMOVED....]
:over2
If not exist "
" GoTo over1
del "
GoTo over2
:over1
del "
_melt.bat
[....REMOVED....]
Software\Microsoft\Windows\CurrentVersion\Run
Examining the imports shows references to file system- and registry-related API calls, indicating the malware's ability to perform file system and registry operations, as highlighted in the following output. The presence of the API calls WinExec and ShellExecuteA suggests the malware's capability to invoke other programs (create a new process):
kernel32.dll
[.....REMOVED......]
SetFilePointer
SizeofResource
WinExec
WriteFile
lstrcatA
lstrcmpiA
lstrlenA
CreateFileA
CopyFileA
LockResource
CloseHandle
shell32.dll
SHGetSpecialFolderLocation
SHGetPathFromIDListA
ShellExecuteA
advapi32.dll
RegCreateKeyA
RegSetValueExA
RegCloseKey
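The three static checks above (file type, hash, and the strings/import names that pointed at persistence, process creation and the self-deleting batch file) can be folded into one triage script. The following is an added example written for this chapter, not a tool from the book or from the PoisonIvy analysis; it parses only the MZ/PE headers needed to tell PE32 from PE32+, extracts ASCII strings the way the strings utility does, and tags them with the indicator categories seen in sales.exe. The sample bytes it builds are constructed to mimic the chapter's output and are not the real file.

```python
import hashlib
import re
import struct

# Indicator patterns drawn from what the chapter found in sales.exe: the Run
# key, process-creation and registry APIs, and the self-deleting batch script.
INDICATORS = {
    "persistence": [rb"Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
    "process_creation": [rb"\bWinExec\b", rb"\bShellExecuteA\b"],
    "registry": [rb"\bRegCreateKeyA\b", rb"\bRegSetValueExA\b"],
    "self_delete": [rb"_melt\.bat", rb'^del "', rb"GoTo over\d"],
}

def pe_arch(data):
    """Return 'PE32', 'PE32+' or None after validating the MZ and PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 26:
        return None
    # IMAGE_OPTIONAL_HEADER.Magic follows the 20-byte IMAGE_FILE_HEADER.
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)

def ascii_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data):
    """MD5, PE type and categorised string indicators for one sample."""
    found = {}
    for category, patterns in INDICATORS.items():
        hits = [s.decode() for s in ascii_strings(data)
                if any(re.search(p, s) for p in patterns)]
        if hits:
            found[category] = hits
    return {"md5": hashlib.md5(data).hexdigest(),
            "arch": pe_arch(data), "indicators": found}

def build_sample():
    """Constructed stand-in for sales.exe: minimal MZ/PE32 header plus strings."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                 # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    pe = b"PE\0\0" + file_hdr + struct.pack("<H", 0x10B)   # i386, PE32 magic
    strings = [b":over2", b'If not exist "', b'" GoTo over1', b'del "',
               b"GoTo over2", b":over1", b"_melt.bat",
               b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
               b"WinExec", b"ShellExecuteA", b"RegCreateKeyA", b"RegSetValueExA"]
    return bytes(mz) + pe + b"\0" + b"\0".join(strings)
```

On a real sample, call triage(open(path, "rb").read()) on the Linux VM; import names that only appear after unpacking will not be visible to a string scan, which is why the chapter moves on to dynamic analysis.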
Querying the hash value from the VirusTotal database shows 58 antivirus detections, and signature names suggest that we are probably dealing with a malware sample called PoisonIvy. To perform the hash search from VirusTotal, you need internet access, and if you want to use the VirusTotal public API, then you need an API key, which can be obtained by signing up for a VirusTotal account:
$ python vt_hash_query.py 51d9e2993d203bd43a502a2b1e1193da
Detections: 58/64
VirusTotal Results:
Bkav ==> None
MicroWorld-eScan ==> Backdoor.Generic.474970
nProtect ==> Backdoor/W32.Poison.11776.CM
CMC ==> Backdoor.Win32.Generic!O
CAT-QuickHeal ==> Backdoor.Poisonivy.EX4
ALYac ==> Backdoor.Generic.474970
Malwarebytes ==> None
Zillya ==> Dropper.Agent.Win32.242906
AegisLab ==> Backdoor.W32.Poison.deut!c
TheHacker ==> Backdoor/Poison.ddpk
K7GW ==> Backdoor ( 04c53c5b1 )
K7AntiVirus ==> Backdoor ( 04c53c5b1 )
Invincea ==> heuristic
Baidu ==> Win32.Trojan.WisdomEyes.16070401.9500.9998
Symantec ==> Trojan.Gen
TotalDefense ==> Win32/Poison.ZR!genus
TrendMicro-HouseCall ==> TROJ_GEN.R047C0PG617
Paloalto ==> generic.ml
ClamAV ==> Win.Trojan.Poison-1487
Kaspersky ==> Trojan.Win32.Agentb.jan
NANO-Antivirus ==> Trojan.Win32.Poison.dstuj
ViRobot ==> Backdoor.Win32.A.Poison.11776
[..................REMOVED...........................]