Monday, May 15, 2017

MSIL Agent Sample - Malware Analysis

MSIL Agent Malware Analysis

In our malware sample clusters, "MSIL Agent" (the detection name) appeared at the top of the list. Clustering is the process of collecting or grouping similar samples into one set. We fired up our VM with the malware analysis tools installed and, for this analysis, picked two samples at random from the MSIL Agent cluster.
We got the following two files:
Sample 1
MD5:      6c11ccfc559946574f4d2401ba040515
SHA-1:    f7a891ad465f3587ecc387f74d0c2095f214c108
SHA-256:  6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0

Sample 2
MD5:      f5371ef52e97bc46b5e73ca6ece14e65
SHA-1:    3ee5801d76345a0a77cc2bca5a76599ff4708722
SHA-256:  2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f

Since these two samples fall into the same set, we checked one important factor: import hashing (imphash), which is widely used for tracking related malware samples. The imphash of the two files is identical:
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
The size is also 7.0 KB (7168 bytes) for both files, and even the TrID result is the same:
               
TrID:
    Generic CIL Executable (.NET, Mono, etc.) (82.9%)
    Win32 Dynamic Link Library (generic) (7.4%)
    Win32 Executable (generic) (5.1%)
    Generic Win/DOS Executable (2.2%)
    DOS Executable Generic (2.2%)

TrID is the same for both files.

Sample 1

Sample 2

Analysis of the samples:
We looked into the samples and started dissecting the file using IDA Pro. The function names in the sample are:

Function Names

Traversing to the main function, the code adds an auto-start entry (a Run key entry) that points to the physical location of a file. Malware commonly uses Run entries to maintain persistence, and the same technique is used here; refer to the snapshots below.

Run entry points to physical location
The Run entries use MozillaFirefox and Chrome as value names, and both point to .lnk files inside a folder called GoogleChrome. From the code above we found two .lnk files, WindowsUpdate.lnk and GoogleUpdate.lnk.
Looking further into the code, we found some other values in the Run entry. Please refer to the snapshot below:

Run entry points to physical location

In this part we see Run entries with the value names Calculator and MediaPlayer, both pointing to the same files under the GoogleChrome folder. For comparison, we did a quick analysis of the second file and found the same code, registry entries and file locations in its strings.
Interesting strings (file offset, virtual address, flag, string):
    00000000110B   000000402F0B   0   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    00000000118B   000000402F8B   0   MozillaFirefox
    0000000011AB   000000402FAB   0   C:\GoogleChrome\WindowsUpdate.lnk
    0000000011EF   000000402FEF   0   Chrome
    0000000011FD   000000402FFD   0   C:\GoogleChrome\GoogleUpdate.lnk
    000000001247   000000403047   0   Microsoft
    00000000125B   00000040305B   0   MediaPlayer
    000000001273   000000403073   0   Calculator
These strings clearly match the first sample.
Severity   Indicator
1          The time stamp (Year:2017) of the File Header reached the maximum (Year:2015) threshold
2          The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold
2          The file opts for Address Space Layout Randomization (ASLR) as mitigation technique
2          The file checksum (0x00000000) is invalid
2          The original filename (Mozilla.exe) is different than the file name (2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f)
2          The file is not signed with a Digital Certificate

This table lists the indicators reported for one of the files (Sample 2) by a malware analysis tool. We checked the other file (Sample 1) with the same tool, and its indicators are as follows:
Severity   Indicator
1          The time stamp (Year:2017) of the File Header reached the maximum (Year:2015) threshold
2          The size (7168 bytes) of the file reached the minimum (10240 bytes) threshold
2          The file opts for Address Space Layout Randomization (ASLR) as mitigation technique
2          The file checksum (0x00000000) is invalid
2          The original filename (Mozilla.exe) is different than the file name (6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0)
2          The file is not signed with a Digital Certificate


Dynamic Analysis:
Up to this point we ran the static malware analysis tools and inferred the behaviour of the file from the code inside it. Next we try dynamic analysis: execute one of the samples and use diffing tools (differencing or comparison tools). The purpose of a diffing tool in dynamic analysis is to compare the clean state of the OS with the infected state.
First stage:
We executed the file, observed its behaviour and collected the memory strings of the running process. Once execution finished, we ran the comparison tool (inctrl) and found the registry traces, the files and folders created, and the modification traces (modifications, deletions).
Observed registry traces:
The same registry traces we saw in the code were found in the inctrl logs.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Calculator"       Type: REG_SZ   Data: C:\GoogleChrome\GoogleUpdate.lnk
    "Chrome"           Type: REG_SZ   Data: C:\GoogleChrome\GoogleUpdate.lnk
    "IDM"              Type: REG_SZ   Data: C:\GoogleChrome\WindowsUpdate.lnk
    "MediaPlayer"      Type: REG_SZ   Data: C:\GoogleChrome\WindowsUpdate.lnk
    "Microsoft"        Type: REG_SZ   Data: C:\GoogleChrome\GoogleUpdate.lnk
    "MozillaFirefox"   Type: REG_SZ   Data: C:\GoogleChrome\WindowsUpdate.lnk
We observed the same entries in regedit (checked manually):
Run Entries

We ran the Autoruns tool (from Sysinternals) and found the logon entries.
Autorun tool showing Run entries
Both the inctrl logs and Autoruns show that the files are not found in the GoogleChrome folder, and the folder itself is never created. We were unable to find any folder or file creation routine in these samples.
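As an added example (not from the original post, and not one of the tools used above), the following Python script automates the check that the inctrl and Autoruns output suggests: it parses a .reg-style export of the HKCU Run key, flags values that launch a .lnk shortcut, reports launch targets that do not exist on disk (the dangling entries seen here), and groups value names that share one target. The export text, the OneDrive entry and the user path are constructed for the example; the six suspicious values mirror the entries listed above.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed .reg-style export mirroring the Run values found in the inctrl logs,
# plus one ordinary-looking entry (OneDrive, a made-up path) so the triage has a benign case.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Calculator"="C:\\GoogleChrome\\GoogleUpdate.lnk"
"Chrome"="C:\\GoogleChrome\\GoogleUpdate.lnk"
"IDM"="C:\\GoogleChrome\\WindowsUpdate.lnk"
"MediaPlayer"="C:\\GoogleChrome\\WindowsUpdate.lnk"
"Microsoft"="C:\\GoogleChrome\\GoogleUpdate.lnk"
"MozillaFirefox"="C:\\GoogleChrome\\WindowsUpdate.lnk"
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# One REG_SZ value line in a .reg export: "name"="value", with backslash escapes inside.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class RunEntry:
    name: str     # value name under the Run key, e.g. Calculator
    command: str  # full command line stored in the value
    target: str   # the file the command launches (first quoted token or first word)


def _unescape(s: str) -> str:
    # .reg escaping: a doubled backslash is one backslash, a backslash-quote is a quote.
    return re.sub(r"\\(.)", r"\1", s)


def launch_target(command: str) -> str:
    """Return the program or shortcut path that a Run command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_reg_export(text: str) -> List[RunEntry]:
    """Parse REG_SZ values from a .reg export of the Run key (other value types are skipped)."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if not m:
            continue
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        entries.append(RunEntry(name, command, launch_target(command)))
    return entries


def triage_run_entries(entries: List[RunEntry],
                       exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Flag Run values that start a .lnk shortcut or whose target is missing on disk.

    `exists` is injectable so a captured export can be triaged offline; by default it
    consults the local filesystem, as you would when running on the suspect host.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.target.lower().endswith(".lnk"):
            reasons.append("Run value launches a .lnk shortcut rather than an executable")
        if not exists(e.target):
            reasons.append("launch target does not exist on disk (dangling persistence entry)")
        if reasons:
            findings[e.name] = reasons
    return findings


def shared_targets(entries: List[RunEntry]) -> Dict[str, List[str]]:
    """Group value names by target: several names pointing at one file is itself a tell."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        groups.setdefault(e.target, []).append(e.name)
    return {t: names for t, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for name, reasons in triage_run_entries(parsed).items():
        print(f"{name}: {'; '.join(reasons)}")
    for target, names in shared_targets(parsed).items():
        print(f"{target} is shared by {', '.join(names)}")
```

On a live host, export the key with "reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg" and feed the file to parse_reg_export; the default exists check then reproduces the "file not found" result that inctrl and Autoruns gave for these samples.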
We wrote a YARA rule for detecting these files. Run the following YARA rule on your system to check whether it is infected with these variants.
YARA rule:
rule MSIL_AGENT_Chrome_Mozilla
{
    strings:
        // "C:\GoogleChrome\WindowsUpdate.lnk" as UTF-16LE (the trailing 00 of the final "k" is omitted)
        $string0 = {43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00570069006E0064006F00770073005500700064006100740065002E006C006E006B}
        // "C:\GoogleChrome\GoogleUpdate.lnk" as UTF-16LE (same omission)
        $string1 = {43003A005C0047006F006F0067006C0065004300680072006F006D0065005C0047006F006F0067006C0065005500700064006100740065002E006C006E006B}
    condition:
        // both shortcut paths must be present
        2 of them
}
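To show what the rule's hex patterns actually match and how its condition is evaluated, here is an added Python example (not part of the original post and not a YARA implementation): it decodes the two hex strings as UTF-16LE, extracts wide strings from a binary the way the interesting strings above were listed, and applies the "2 of them" condition. INFECTED_SAMPLE and CLEAN_SAMPLE are constructed byte buffers standing in for a sample, not the real files.

```python
import re
from typing import Dict, List

# The two hex strings from the rule above, copied verbatim.
RULE_STRINGS: Dict[str, str] = {
    "$string0": "{43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00570069006E0064006F00770073005500700064006100740065002E006C006E006B}",
    "$string1": "{43003A005C0047006F006F0067006C0065004300680072006F006D0065005C0047006F006F0067006C0065005500700064006100740065002E006C006E006B}",
}


def yara_hex_to_bytes(pattern: str) -> bytes:
    """Turn a YARA hex string such as {43 00 3A 00} into raw bytes (plain bytes only, no wildcards)."""
    cleaned = pattern.strip().strip("{}").replace(" ", "")
    return bytes.fromhex(cleaned)


def decode_yara_hex(pattern: str) -> str:
    """Decode a hex pattern as UTF-16LE so you can read what it actually matches.

    Both patterns in the rule stop at the leading byte of the final 'k' (0x6B) and omit
    its trailing 0x00, so the byte count is odd; pad one null so the decode succeeds.
    """
    raw = yara_hex_to_bytes(pattern)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def extract_wide_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Pull printable UTF-16LE runs out of a binary, as strings -e l or a .NET user-string heap view does."""
    runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("utf-16-le") for r in runs]


def matches_rule(data: bytes, rule_strings: Dict[str, str] = RULE_STRINGS, required: int = 2) -> bool:
    """Evaluate the rule's condition ('2 of them'): count patterns found anywhere in the data."""
    hits = sum(1 for p in rule_strings.values() if yara_hex_to_bytes(p) in data)
    return hits >= required


# Constructed stand-ins for a sample: a fake DOS header, the .NET metadata magic "BSJB",
# and the paths stored the way a C# compiler emits string literals (UTF-16LE, null terminated).
INFECTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"BSJB"
    + "C:\\GoogleChrome\\WindowsUpdate.lnk".encode("utf-16-le") + b"\x00\x00"
    + "C:\\GoogleChrome\\GoogleUpdate.lnk".encode("utf-16-le") + b"\x00\x00"
)
CLEAN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"BSJB"
    + "C:\\Program Files\\Example\\Example.exe".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for name, pattern in RULE_STRINGS.items():
        print(f"{name} matches {decode_yara_hex(pattern)!r}")
    print("wide strings:", extract_wide_strings(INFECTED_SAMPLE))
    print("infected sample hits rule:", matches_rule(INFECTED_SAMPLE))
    print("clean sample hits rule:", matches_rule(CLEAN_SAMPLE))
```

Because each pattern ends on 0x6B without the final null byte, it is a prefix of the full encoded path and still matches a real binary; the padding in decode_yara_hex exists only to make the text decodable. The same rule could be written with text strings and YARA's wide modifier; the hex form is kept here to match the rule as published.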


Conclusion

This YARA rule is sufficient for detecting the whole cluster of samples. We scanned the full set of samples, and the rule picked up all of the files without fail.


