Exploring the Latest Malware Samples
Key Takeaways
The video explores the latest malware samples using tools like IDA, Ghidra, ANY.RUN, and REMnux, and demonstrates techniques for analyzing and defending against malware, including disabling Windows Script Host and using interactive sandboxes.
Full Transcript
Let's take a look at some of the latest malware samples being analyzed on the internet. Oh, look at that, right on the top of the list, kind of an interesting one. Looks like it's going to this URL, kyleowen.top, and vpn.exe, which is a Windows executable, and it's got a couple tags here for StealC, like one of the well-known stealers, and loader, Oski. I'm not sure what those are, but it has a lot of these tidbits here: actions similar to stealing personal data, so certainly an infostealer, downloads an executable file, and there's a whole lot going on. So let's take a look. So the process is outlined here: vpn.exe, certainly malicious, hey, starts cmd.exe for self-deleting, loads dropped or rewritten executables, and steals credentials from web browsers, etc., etc. Actually it has the CFG icon, so it might have been able to pull out the config, and this is StealC, one of those information stealers. You can see the command and control servers that it tried to reach out to, like this IP address, 171.228..., and some PHP file to be able to communicate back and forth, some RC4 keys for encryption, and then other strings that might be present. Look at the cmd.exe: it, like, stages a timeout and then deletes the file itself and all of the DLLs included. Interesting. You can see the connections down below; this is vpn.exe trying to communicate with that, uh, command and control server. Look at the connection back and forth; we might be able to go see what's going on. Where? Here's the text here, so it is POSTing... oh, hardware identifier, interesting. Another one given a token, and then a whole file. This thing is base64 encoded, so I'm curious what that might be, but we can take a look at the server responses. They do always acknowledge with some base64 encoded string, so can we see what that is, or is that going to be encoded or encrypted with RC4? Let's just hop into REMnux real quick to get onto the command line, and let me echo that and base64 decode it. Oh, was that trying to upload that file, octaver.docx? It might have been stealing all the stuff that's present on the desktop.

And by the way, I'm taking a look at all this within ANY.RUN, which is this awesome, super cool online cloud dynamic analysis sandbox where you can throw up malware and, hey, have it rip through what processes happen, what is some of the behavior, what really goes on when that malware is executed, and you don't need to be, hey, sitting through IDA or Ghidra and trying to statically analyze it. You can actually see it in action under the microscope. I've been taking a look inside of their public submissions section, where you can see where everyone is already uploading these really cool malware samples, and not everything is going to be detected as being suspicious or as a threat, but we can actually filter on, look, I want to look at the stuff that is known, proven to be malicious. Here's another stealer, RedLine, code.bin, and that one is kind of interesting, pretty easily, hey, detected as RedLine with the memory, but you can see it connecting to unusual ports, and in the connection section, take a look, it's going to Russia right at that command and control, 194.113 blah blah blah, on that non-standard port. If we wanted to, we could actually go look for other RedLine samples or any other tag that anyone is tracking, and then we might be able to actually go see other samples doing similar stuff. It's really neat, though, when it can actually track down the configuration, just like we saw for StealC. Oh, this one is using AutoIt, and that one might be interesting. Can we take a look? RedLine Stealer here looks like an executable that also spawns a couple of other things, like command prompt, cnbw.exe. One more time here; here, take a look, this executable actually spawns a couple other command prompt instances. Looks like it runs tasklist and probably is piping this to try to find the Avast AV GUI, some other, hey, antivirus solutions, to see, look, should I be under the microscope and should I try and evade and, hey, not do anything? But otherwise, let's go ahead and make a directory and then copy something here.

Oh, and if at any point there's something that just isn't quite clear or doesn't make a whole lot of sense, like this weird, crazy command line, ANY.RUN does have these ChatGPT icons that you can click on to have it explain what's going on. You can tell, hey, this is using the copy command with /B, but it's using a whole lot of files that include deceptive names, or just try to disguise malicious ones as harmless ones, maybe to evade detection or trick users into executing them. So they have some odd names in here, maybe, uh, exploiting the user's curiosity or shock value, ultimately running Exceed.pif, which is another executable and does similar stuff, probably the same exact process as previously. Ultimately it runs jsc.exe, which is something, hey, pulled down in the temporary directory. Maybe that was just kind of dropped, but it is of course RedLine at that point. It steals credentials, it looks for other information that it might be able to pull back, and tries to connect to a command and control server. Here you can actually pull out the configuration file. Look at this: botnet is "Uber", the C2 and its IP address here, and then a couple interesting strings. Things: RedLine Stealer is a malicious program that collects users' confidential data from browsers, systems, installed software; it also infects operating systems with other malware. You can actually dig into it, take a look at the "more info", and you could see what it tries to steal, like let's go see: reads browser cookies, right, trying to hit Firefox. That's it. What else do we have? Let's remove our RedLine Stealer and let's go back to filter on malicious here. Oh, here's WannaCry. Look at this, uh, ransomware, WannaCry, WannaCryptor. Oh yeah, that one looks pretty bad. That one looks like WannaCry; looks like the executable ultimately probably runs attrib, I think +h is hidden, marking the current directory, the period, hidden, granting Everyone full control over it, and then staging a couple batch scripts and Visual Basic scripts.

Uh, we can actually take a look at those and then actually see what it might do, but it's probably going to stage that WanaDecryptor executable, which is like the usual pop-up for WannaCry. If we actually go take a look at the files here, and there's going to be a lot because it's ransomware and it's just tried to encrypt, manipulate, every single file on the file system, but, hey, we could search for that .bat script, and here's one. Let's go take a look at the contents here. We can pull this thing up; looks like it is just going to stage the m.vbs file that it runs next, ultimately, hey, just setting up some of the shell object so that it could fire up the shortcut for WanaDecryptor, save it, and then run it, and then remove it.

This is a WSH RAT sample, one that's run with that .js or JScript extension, uh, invoked by wscript.exe or cscript, and there are a lot of these that use, like, hey, Windows living-off-the-land binaries for scripting languages that it could invoke, and this does a whole lot of stuff. But one of the really cool things you can do with ANY.RUN is be in an interactive sandbox, so if I wanted to I could actually restart and run this sample and customize it to do whatever I want. Hey, because of the Pro edition, some of the features and functionality that I have, I can kick this into Windows 10, Windows 11, Windows 8, whatever, and set some of the applications that I might want to have installed and accessible in that environment. I can choose where I want this to actually start from, and even if I don't want to run that sample itself, I could specify, hey, just fire up cmd.exe, don't kick-start the sample yet, because I want to be able to play with the environment and tinker with it. We'll give a little bit more time for me to use this, and then I could fire this up, because what I want to showcase is, when you're using this interactive sandbox, you can kind of manipulate or modify the environment, change some of the configuration settings, so that maybe the malware behaves differently.

Like, say, hey, we actually don't want to run this wscript.exe that will fire and invoke the payload here, but what if I configured this? Maybe it was doing some defense evasion or anything else. In this case specifically, I could probably modify something in the registry, because this has kind of an old-but-gold technique, but obviously a lot of those scripting language payloads, like, again, wscript or cscript.exe, well, by default they will naturally execute with those interpreters, but they're just plain text, they're just script files, so we could actually just toggle them to be run with Notepad. So if the user, a poor innocent victim, were to double-click on or execute that file, it'll just open it in Notepad and not actually execute it. Uh, the comments here get into some other really cool stuff, whether you're going to modify this with Group Policy or just change a couple of these settings in the registry. One of the, like, surefire ways to actually just toggle these off is to straight up disable the Windows Script Host, uh, set Enabled to zero, but maybe that's a little bit too much nuke-and-pave. Look, if you want to be a little bit more, I don't know, trusting, you could, uh, actually just change the trust policy to say, look, only scripts signed by a trusted publisher are allowed to run; others are not. For our showcase, look, we'll just disable it, we'll turn this off. Again, HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER; current user will take priority, so we can at least, hey, maybe manipulate this so rather than the payload firing, we won't actually see that in action. So I can go back over to the interactive sandbox and I'll actually go into that HKEY_LOCAL_MACHINE hive, we'll go into that Software section, and if I drill down into Microsoft we should have some entries for the Windows Script Host. I see it there. Now I can go ahead and actually explore this in the Settings here. Let's create a new string value, so that REG_SZ type, and we'll set that Enabled entry, toggle that, and make sure that is zero. I'll hit OK to enter that, and now if I try to double-click or run our little wscript payload for this WSH RAT JScript file, now I'll just get the error, hey, the Windows Script Host is not available; it is currently disabled on this system, and it won't fire the malicious payload. That is some of the benefits of, hey, being able to tinker and explore inside of the ANY.RUN sandbox, because, look, if there's any defense evasion techniques, maybe some files or configurations or settings you could tweak, hey, you have an interactive environment to be able to play with that.

This one looks like just a PowerShell script, MP as desk, so PowerShell will go and execute this, and let's go see. Oh, it tries to downgrade itself to, like, probably version 2, to avoid, like, CLM, Constrained Language Mode. If we did dig into more info we could see what it does, or we could just probably read the script here. This is being added into, uh, jump lists for Windows history, custom destinations; you can see it kind of staged us here. Can we see this specific file, though? I want to check out what that PowerShell script was. We could very easily just get the sample, right; that's one of the beauties and benefits of ANY.RUN, hey, we can pull these down. We can fire this up in REMnux if we wanted to. Let me open up the terminal, let me make a directory for PowerShell, there we go, I'll get it inside the virtual machine, and let me go ahead and extract that. I'll unzip that with the password "infected". Let's take a look at what that script is. Oh, little cutesy, hey, actually, like, abstractly getting the C# compiler, adding some referenced assemblies so it doesn't need to be present in, like, some of the C# code it might try to run or execute, and then some other compiler parameters. That's kind of cool. Let me turn word wrap on so we can see that a little bit better. There's the giant dump of all the, uh, maybe inline C# it wants to run here, and yeah, it passes it to the ASP.NET compiler, uh, invokes and runs it with reflection. That one's neat.

Oh, this looks like a macro-enabled Word document, or Office document; this has "macros on open" as a tag here. Can ANY.RUN track this down? Oh yeah, hey, firing up macro settings, trying to let this thing fire. Looks like powershell.exe, with capital L's, gets spawned and then reaches out to some shady places, maybe a compromised WordPress website; you can see the wp-includes in here. The content gets pulled down; it is a 404 though, but is it lying to us? No, it doesn't look like there's anything there. Then it goes out to another location and actually maybe pulls something down, another 404. We can see this PowerShell though, this base64 encoded command. This one might be kind of neat to see some of, like, the MITRE ATT&CK techniques, because it probably is going to showcase, look, for some of these specific techniques or tactics that it gets into, you can read and learn a little bit more about what it did there and how MITRE categorizes this, and then if you wanted to, look, that's super duper helpful for your report, and you could go see some other resources and references to learn a little bit more about that, even to MITRE itself. Look here, there's another, uh, Excel file. This is another Microsoft Office document and this one looks kind of wild. Hey, they use excel.exe and then some macros are included here; they will end up using a lot of shady stuff on the command line. You can see it's using ping to try to add some delay and actually, hey, sleep for a little bit before moving on to maybe the next operations. I wonder what the text report will talk about for that. If you haven't seen these before, I think these are pretty neat, because it will just sort of, hey, bundle up everything that it saw and the behavior of the binary or the malicious sample that you're working with, and it can pull out the malware configuration, like you saw with RedLine or StealC or some of the others, pulling out some of the EXIF data. You can see some sketchy stuff in there; you can see the screenshots and the behavior graph of what fired where and when. That's awesome.

ANY.RUN also has this new ChatGPT functionality, so I kind of want to see, hey, what is this? Showcase: the task involved the execution of a malicious script that was launched by Microsoft Excel, given, hey, it's a macro-enabled document; it ends up creating other scripts, other JavaScript files, and working with them through the command line, even downloading other executables from remote locations. The script also makes modifications to the Windows registry, probably the internet settings and Office configuration, so that it actually could continue to run other macro-enabled documents by disabling those security features, and removes evidence of the malicious activity by trying to delete its own file. Kind of neat. That's cool.

Obviously we have only scratched the surface, right? Look, I'm on page 3 out of 45,000, and it's so cool to see all of the public submissions and weird stuff that could be going on. Look, look at this: Emotet, there's 44Caliber, DCRat, and of course you could search for whatever you really wanted to with the filter here, whether it's a specific hash, maybe you're working with these indicators of compromise, or what's a URL or a file. And, hey, I don't know if you've got a chance to dig into some of the other super cool stuff that ANY.RUN offers. Obviously, other than the dynamic interactive sandbox, you can play with it, you can do whatever the heck you want, but they're always sharing some super cool research, and it's literally free. Hey, you can jump in, you can join the party, you can use ANY.RUN for free. They even have an API, like you could just, hey, submit stuff from the command line or any applications you might use with your SOC or your SIEM, whatever. Just like how we've been doing with all the public submissions, like we could click around, you could even see, oh, what are the trends in the new submissions or the newfound malware samples out and about, like WannaCry, RedLine, njRAT, DCRat, all the stuff we were just kicking around. And if you want to get a little bit more detail, you can always click into any of these and learn about that specific family or variant of malware, like XWorm or StealC or any of the others that we saw that maybe we just weren't always familiar with. From there you can see a whole lot of the other blog posts that get into one specific family, or you can see some of the other opportunities, like the configurations that it could pull out, automatically extract for you, or see their process tree. Anyway, obviously there's a whole lot of malware samples out there, and oftentimes they're getting analyzed by anyone; you can take a look at it. If you haven't used it before, link in the video description, and I actually just started up a new Discord server, so if you're part of the community, always conducting malware samples, go take a look. I'll have a link for that in the video description as well. Thanks so much for hanging out; I hope to see you in the next video.
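As an added example that is not code from the video or from ANY.RUN, here is a PowerShell script that audits and applies the Windows Script Host registry settings the transcript walks through (Enabled = 0 as the "nuke and pave" option, the signed-only trust policy as the more trusting one, and opening script files in Notepad), plus a probe that confirms cscript really refuses to run afterwards. The function names, the probe file, the TrustPolicy/UseWINSAFER semantics and the script ProgID names are my assumptions and are marked as such in the comments.

```powershell
# Added example, not code from the video or from ANY.RUN: audit and harden
# Windows Script Host (WSH) through the registry values discussed above.
# Writing HKLM needs an elevated session; HKCU does not.
# Assumptions (not stated in the video): TrustPolicy is a REG_DWORD where
# 2 = run only scripts signed by a trusted publisher, honoured only when
# UseWINSAFER is "0"; JSFile/VBSFile etc. are the stock Windows ProgIDs.

$WshSettings = @{
    HKLM = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    HKCU = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
}

function Get-WshPolicy {
    # Report both hives: HKCU takes priority, so a per-user Enabled="1"
    # silently overrides a machine-wide "0". No Enabled value means WSH is on.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = $WshSettings[$hive]
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        $en = if ($null -ne $props.Enabled)     { [string]$props.Enabled }     else { '(not set: enabled)' }
        $tp = if ($null -ne $props.TrustPolicy) { $props.TrustPolicy }         else { '(not set)' }
        $ws = if ($null -ne $props.UseWINSAFER) { [string]$props.UseWINSAFER } else { '(not set)' }
        [pscustomobject]@{ Hive = $hive; Enabled = $en; TrustPolicy = $tp; UseWINSAFER = $ws }
    }
}

function Disable-WindowsScriptHost {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    # "Nuke and pave": Enabled="0" (REG_SZ) makes wscript.exe and cscript.exe
    # refuse every script, the same value the video creates by hand in regedit.
    $path = $WshSettings[$Hive]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -Value '0' -PropertyType String -Force | Out-Null
}

function Set-WshSignedOnly {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    # The more "trusting" option: WSH stays on, but only signed scripts run.
    $path = $WshSettings[$Hive]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'UseWINSAFER' -Value '0' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $path -Name 'TrustPolicy' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Set-ScriptsOpenInNotepad {
    # Per-user variant of "toggle them to be run with Notepad": a double-click
    # on a .js/.vbs file now opens it as text instead of handing it to wscript.
    foreach ($progId in 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile') {
        $cmd = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (-not (Test-Path $cmd)) { New-Item -Path $cmd -Force | Out-Null }
        Set-ItemProperty -Path $cmd -Name '(default)' -Value 'notepad.exe "%1"'
    }
}

function Test-WshBlocked {
    # Prove the policy took: drop a harmless one-line VBScript (constructed here)
    # and run it with cscript. If WSH is disabled the marker never prints.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH_PROBE_RAN"'
    $out = (& cscript.exe //nologo $probe 2>&1) | Out-String
    Remove-Item $probe -ErrorAction SilentlyContinue
    return ($out -notmatch 'WSH_PROBE_RAN')
}

Get-WshPolicy | Format-Table -AutoSize        # inspect before changing anything
# Disable-WindowsScriptHost -Hive HKLM; Test-WshBlocked   # expect True afterwards
```

Run Get-WshPolicy again after any change and check the HKCU row, since a per-user Enabled value overrides the machine-wide one, which is the precedence the video points out.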
Original Description
https://jh.live/anyrun || Make security research and dynamic malware analysis a breeze with ANY.RUN! Try their online interactive cloud sandbox for free.
ANY.RUN's new Discord server: https://discord.gg/xqnHs4svxM
This is a featured video for our sponsor ANY.RUN. :)
Playlist: Uploads from John Hammond