MSIL Agent Malware Analysis
While reviewing our malware sample clusters, the “MSIL agent -detection” cluster sat at the top of the list. Clustering here means grouping samples that share a set of static properties into one set. We brought up our VM with the usual malware analysis tooling and, for the analysis, picked two samples at random from the MSIL agent cluster.
We got the following two files:
Sample 1
    MD5:     6c11ccfc559946574f4d2401ba040515
    SHA-1:   f7a891ad465f3587ecc387f74d0c2095f214c108
    SHA-256: 6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0
Sample 2
    MD5:     f5371ef52e97bc46b5e73ca6ece14e65
    SHA-1:   3ee5801d76345a0a77cc2bca5a76599ff4708722
    SHA-256: 2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f
Since the two samples fall into the same set, we first checked one property that is commonly used to track malware samples: the import hash (imphash). The imphash of the two files is identical. One caveat: this is the imphash that every .NET executable shares, because a managed PE's native import table contains only mscoree.dll!_CorExeMain, so a matching imphash between two MSIL samples only says that both are .NET, not that they are related.
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
Both files are 7.0 KB (7168 bytes) in size, and TrID reports the same result for both:
    Generic CIL Executable (.NET, Mono, etc.) (82.9%)
    Win32 Dynamic Link Library (generic) (7.4%)
    Win32 Executable (generic) (5.1%)
    Generic Win/DOS Executable (2.2%)
    DOS Executable Generic (2.2%)
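To make the imphash caveat concrete, here is an added example (not code from the original post) that computes the import hash the way pefile does, from a list of (DLL, function) imports. The import tables are constructed for the demonstration rather than parsed from the two samples; the only facts it relies on are the hashing recipe and that a managed EXE's native import table consists solely of mscoree.dll!_CorExeMain.

```python
import hashlib

# Constructed import tables for this demonstration; they are not parsed from
# the two samples. A managed (.NET) EXE's native import table holds exactly
# one entry, mscoree.dll!_CorExeMain (the CLR bootstrap); a managed DLL
# imports _CorDllMain instead.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_DLL_IMPORTS = [("mscoree.dll", "_CorDllMain")]
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", 23),  # an import by ordinal only
]


def imphash(imports):
    """Import hash as computed by pefile: for each imported function, in
    import-table order, build '<dll>.<func>' with the DLL name lowercased and
    its .dll/.ocx/.sys extension stripped and the function name lowercased,
    join all pairs with commas and MD5 the result. Imports by ordinal become
    'ord<N>' (pefile additionally maps well-known oleaut32/ws2_32 ordinals
    back to names; that lookup table is omitted here)."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Every .NET EXE or DLL shares one of these two hashes, so a match between
# two MSIL samples carries no information about whether they are related.
GENERIC_DOTNET_IMPHASHES = {
    imphash(DOTNET_EXE_IMPORTS): "managed EXE (mscoree._corexemain): generic, not a clustering signal",
    imphash(DOTNET_DLL_IMPORTS): "managed DLL (mscoree._cordllmain): generic, not a clustering signal",
}


def classify_imphash(h):
    """Say whether an imphash is one of the generic .NET values or a native
    import table that can actually be used for clustering."""
    return GENERIC_DOTNET_IMPHASHES.get(h.lower(), "native import table: usable for clustering")


if __name__ == "__main__":
    for label, imps in (("dotnet exe", DOTNET_EXE_IMPORTS), ("native", NATIVE_IMPORTS)):
        h = imphash(imps)
        print(f"{label:10} {h}  {classify_imphash(h)}")
```

Running it reproduces f34d5f2d4577ed6d9ceec516c1f5a744 for the managed-EXE import table, which is exactly the value reported above for both samples; a real tool (pefile's get_imphash) reads the import table from the PE instead of a hand-built list.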
[Screenshot: Sample 1]
[Screenshot: Sample 2]
Analysis of the samples:
We opened the sample in IDA Pro and started dissecting it. The function names in the sample are:
[Screenshot: Function names]
Moving to the main function, the code adds auto-start entries (Run entries) that point to a physical file location. Malware commonly uses Run entries to keep persistence, and that is what is done here; refer to the snapshot below.
[Screenshot: Run entry pointing to a physical location]
The Run values are named MozillaFirefox and Chrome, and both point to .lnk files inside a folder called GoogleChrome. From this code we found the two shortcut files, WindowsUpdate.lnk and GoogleUpdate.lnk.
Looking further into the code, we found additional values written to the Run key; refer to the snapshot below:
[Screenshot: Run entry pointing to a physical location]
This part sets Run values named Calculator and MediaPlayer, both pointing to the same files under the GoogleChrome folder. For comparison we did a quick analysis of the second file and found the same code, registry entries and file locations in its strings.
Interesting strings (file offset, virtual address, flag, string):
    00000000110B  000000402F0B  0  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    00000000118B  000000402F8B  0  MozillaFirefox
    0000000011AB  000000402FAB  0  C:\GoogleChrome\WindowsUpdate.lnk
    0000000011EF  000000402FEF  0  Chrome
    0000000011FD  000000402FFD  0  C:\GoogleChrome\GoogleUpdate.lnk
    000000001247  000000403047  0  Microsoft
    00000000125B  00000040305B  0  MediaPlayer
    000000001273  000000403073  0  Calculator
These strings match the ones found in the first sample.
These are the indicators a malware analysis tool reported for Sample 2 (the file name quoted in the original-filename indicator is its SHA-256):
Indicator | Severity
The time stamp (Year:2017) of the File Header reached the maximum (Year:2015) threshold | 1
The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold | 2
The file opts for Address Space Layout Randomization (ASLR) as mitigation technique | 2
The file checksum (0x00000000) is invalid | 2
The original filename (Mozilla.exe) is different than the file name (2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f) | 2
The file is not signed with a Digital Certificate | 2
We ran the other file, Sample 1, through the same tool and it reports an identical set of indicators:
Indicator | Severity
The time stamp (Year:2017) of the File Header reached the maximum (Year:2015) threshold | 1
The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold | 2
The file opts for Address Space Layout Randomization (ASLR) as mitigation technique | 2
The file checksum (0x00000000) is invalid | 2
The original filename (Mozilla.exe) is different than the file name (6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0) | 2
The file is not signed with a Digital Certificate | 2
Dynamic Analysis:
Up to this point we had only run static analysis tools and inferred the behaviour of the file from the code inside it. Next we executed one of the samples and used a diffing tool (a comparison tool that snapshots the clean OS state and compares it with the state after infection), which is what diffing tools are for in dynamic analysis.
First, we executed the file, observed its behaviour and collected the memory strings of the running process. Once execution was done, we ran the comparison tool (InCtrl) and reviewed the registry traces, files and folders created, and other modifications (changes and deletions).
Observed registry traces: the same registry entries we saw in the code appear in the InCtrl log.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Calculator"      REG_SZ  C:\GoogleChrome\GoogleUpdate.lnk
    "Chrome"          REG_SZ  C:\GoogleChrome\GoogleUpdate.lnk
    "IDM"             REG_SZ  C:\GoogleChrome\WindowsUpdate.lnk
    "MediaPlayer"     REG_SZ  C:\GoogleChrome\WindowsUpdate.lnk
    "Microsoft"       REG_SZ  C:\GoogleChrome\GoogleUpdate.lnk
    "MozillaFirefox"  REG_SZ  C:\GoogleChrome\WindowsUpdate.lnk
We confirmed the same entries manually in regedit:
[Screenshot: Run entries]
We also ran Autoruns (Sysinternals) and found the logon entries:
[Screenshot: Autoruns showing the Run entries]
Both the InCtrl log and Autoruns report the targets as file not found: the GoogleChrome folder is never created and neither .lnk file exists. We could not find any folder or file creation routine in these samples, so on their own they only establish the Run entries; whatever is meant to place the shortcuts under C:\GoogleChrome is not part of these two files.
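The dangling Run entries above are exactly the kind of thing a quick persistence triage should flag. The following is an added example, not code from the original post: it audits HKCU Run values for .lnk indirection, targets that do not exist, and several value names fanned out onto one target. The value list is constructed from the InCtrl trace above; the OneDrive entry is a hypothetical benign value added so that a clean entry is present for comparison. On Windows, read_hkcu_run() reads the live key; elsewhere it returns nothing and the constructed list is used.

```python
import os
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the InCtrl trace above (value name -> data), plus one
# hypothetical benign-looking entry so a clean value is present for contrast.
SAMPLE_RUN_VALUES = {
    "Calculator":     r"C:\GoogleChrome\GoogleUpdate.lnk",
    "Chrome":         r"C:\GoogleChrome\GoogleUpdate.lnk",
    "IDM":            r"C:\GoogleChrome\WindowsUpdate.lnk",
    "MediaPlayer":    r"C:\GoogleChrome\WindowsUpdate.lnk",
    "Microsoft":      r"C:\GoogleChrome\GoogleUpdate.lnk",
    "MozillaFirefox": r"C:\GoogleChrome\WindowsUpdate.lnk",
    "OneDrive":       r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def read_hkcu_run():
    """Enumerate HKCU\\...\\Run on a live Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            values[name] = str(data)
            index += 1
    return values


def target_path(data):
    """Best-effort extraction of the program path from a Run value's data:
    a quoted path is taken verbatim, otherwise the data is cut at the first
    ' /' or ' -' switch. Heuristic: unquoted paths containing spaces are not
    handled."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" /")[0].split(" -")[0]


def audit_run_values(values, exists=os.path.exists):
    """Return {value name: [reasons]} for Run values that deserve a look:
    .lnk indirection (the real target is hidden inside the shortcut), a
    target that does not exist, or several value names sharing one target."""
    targets = {name: target_path(data) for name, data in values.items()}
    fanout = {}
    for t in targets.values():
        fanout[t.lower()] = fanout.get(t.lower(), 0) + 1
    findings = {}
    for name, target in targets.items():
        reasons = []
        if target.lower().endswith(".lnk"):
            reasons.append("lnk-indirection")
        if not exists(target):
            reasons.append("dangling-target")
        if fanout[target.lower()] > 1:
            reasons.append(f"shared-target x{fanout[target.lower()]}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    live = read_hkcu_run()
    for name, reasons in audit_run_values(live or SAMPLE_RUN_VALUES).items():
        print(f"{name:15} {', '.join(reasons)}")
```

On the host where the samples were run, every one of the six values would trip all three reasons, which is the same picture InCtrl and Autoruns gave: six names, two shortcut targets, neither of which exists. Resolving where a .lnk really points requires parsing the shortcut itself, which the example deliberately leaves out.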
We wrote a YARA rule to detect these files. Run it on your system to check whether it is infected with this variant.
YARA rule:
rule MSIL_AGENT_Chrome_Mozilla
{
    meta:
        description = "MSIL agent: HKCU Run persistence via .lnk files under C:\\GoogleChrome"
        sample1_sha256 = "6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0"
        sample2_sha256 = "2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f"
    strings:
        // Both shortcut paths as they appear in the samples, UTF-16LE ('wide').
        // The original version of this rule spelled them out as raw hex bytes.
        $string0 = "C:\\GoogleChrome\\WindowsUpdate.lnk" wide
        $string1 = "C:\\GoogleChrome\\GoogleUpdate.lnk" wide
    condition:
        all of them
}
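The strings listing earlier and the hex patterns in the original rule are two views of the same fact: a .NET assembly stores its string literals as UTF-16LE, so the registry key and the two shortcut paths only exist in the samples as wide strings. The following added example (not code from the original post) decodes the rule's hex patterns, extracts ASCII and wide strings from a blob the way a strings tool does, and replicates the rule's condition. The sample bytes are constructed for the demonstration, not taken from the real files; the hex patterns are copied from the rule as originally written.

```python
import re

# Hex patterns exactly as in the original YARA rule (braces dropped).
RULE_HEX = [
    "43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00570069006E0064006F00770073005500700064006100740065002E006C006E006B",
    "43003A005C0047006F006F0067006C0065004300680072006F006D0065005C0047006F006F0067006C0065005500700064006100740065002E006C006E006B",
]
INDICATORS = [r"C:\GoogleChrome\WindowsUpdate.lnk", r"C:\GoogleChrome\GoogleUpdate.lnk"]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def yara_hex_to_text(hexstr):
    """Decode a YARA hex pattern as UTF-16LE. Both patterns in the rule stop
    after the low byte 0x6B of the final 'k' (an odd byte count), so the
    missing high 0x00 byte is padded before decoding. The patterns still
    match, since they are a prefix of the full wide string."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def extract_strings(data, min_len=6):
    """Pull printable ASCII and UTF-16LE runs out of a byte blob, as a
    strings tool does. .NET string literals (the #US heap) are UTF-16LE,
    which is why the key and paths above only show up as wide strings."""
    found = []
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("wide", m.start(), m.group().decode("utf-16-le")))
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    return sorted(found, key=lambda t: t[1])


def match_indicators(data):
    """Which indicator paths occur in the blob, and in which encodings."""
    hits = {}
    for path in INDICATORS:
        encs = [name for name, enc in (("wide", path.encode("utf-16-le")),
                                       ("ascii", path.encode("ascii"))) if enc in data]
        if encs:
            hits[path] = encs
    return hits


def rule_would_match(data):
    """Replicates the rule's condition (both byte patterns present). A sample
    that carried the same paths as plain ASCII would be missed."""
    return all(bytes.fromhex(h) in data for h in RULE_HEX)


# Constructed stand-in for a sample body (not bytes from the real files):
# junk, the Run key and first path as wide strings, the second path as ASCII.
SAMPLE = (b"MZ\x90\x00junk" + RUN_KEY.encode("utf-16-le") + b"\x00\x00"
          + INDICATORS[0].encode("utf-16-le") + b"\x00\x00"
          + b"garbage\x00" + INDICATORS[1].encode("ascii") + b"\x00")

if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE):
        print(f"{off:08X} {enc:5} {text}")
    print(match_indicators(SAMPLE), rule_would_match(SAMPLE))
```

Against the constructed blob the rule does not fire, because only the first path is present as a wide string; that is the behaviour to keep in mind if a later variant stores the paths differently.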
Conclusion
This YARA rule was enough to detect the whole cluster: scanned against the full sample set, it matched every file without fail. It keys on the two hard-coded shortcut paths, so a variant that changes the folder or file names, or stores the paths in another encoding, would need the strings updated.