Over the past week, whilst studying for my eCMAP exam (eLearnSecurity Certified Malware Analysis Professional), I have tried to complete some reversing challenges and also source some real world samples to try and analyse on my own.
This lead me to find one attributed to IcedID on MalwareBazaar. This caught my eye for a few reasons, but one was because it was attributed to a piece of malware I helped analyse a few months ago. You can find the blog I co-authored with SOSIntelligence here.
This sample used some of the same techniques I had seen before, using zip files, lnk files and techniques to self unpack itself to write further malicious files to disk.
Initial infection is delivered through a phishing email where the victim is presented with an HTML attachment.
Looking at the contents of this file, there are some obfuscated functions and some base64 encoded blobs. Looking at the functions, it will take the base64 encoded blob and will decode it and append the result to the document as an element ("embed") that is the last child of an element.
Below is a snippet of the reversed base64 encoded blob that will be reversed and then decoded by the above functions.
I also noticed, that in this file there is a password that could be used later. It is important that we remember this for later.
I believe the below snippet is tasked with deobfuscating and decoding the base64 encoded blob.
The below snippet will take the decoded base64 data and will construct a .zip file.
The below function was used to create a zip file attachment named attachment.zip and will make it look like it has been downloaded from the internet by using the window.location.assign function. This will cause the window to load and display a document at a specified URL, in this case the document was the decoded zip file.
Having run the sample at this point, I can confirm that the hash is the same for the downloaded zip if I were to simply base64 decode the data and save it as a zip file manually.
When running the sample, I can see the password that was identified in stage 1. This leads me to believe that the zip file may be password protected. The theme of this malware is that someone has shared a password protected PDF that the victim must download and open with a password.
Opening the resulting zip file, I noticed that there was an iso file personal_data_6671.iso.
The iso file contains a file named personal_data.lnk, looking at this the target path is set to a command. The below command indicates that when the iso file is run, it will execute pigeons.cmd from within the cattle directory.
C:\Windows\System32\cmd.exe /c cattle\pigeons.cmd
Within this directory, there is an empty folder enriches, 2 cmd files, a dat file, a routings.txt file and a jpeg. The routings.txt is a file full of garbage text and is most likely used to evade signature detection but containing a benign data.
Taking a look at the pigeons.cmd as this would be the first file to be called, I noticed that there is some obfuscation of commands to hide what is going on. After editing some of the commands to echo the variables out, I noticed that it would call the next cmd file celcius.cmd and would pass system32 and rundll to it as arguments.
The second windows command script celcius.cmd will take both arguments by referring to them with %1 and %2. It will also copy rundll32 and create a new executable named mischiefWrecks.exe which is a technique known as masquerading.
I then noticed that the dat file backplate.dat was executed by mischiefWrecks.exe (rundll32.exe) with the ordinal #1, we will understand later what the ordinal is referring to.
So, what is backplate.dat?
It looks like this dat file is actually a DLL.
This is a 64-bit DLL and was compiled Tuesday November 1st 2022.
It's original filename was actually B.dll and I noticed references to this when analysing it in IDA.
The dll shows to be using no libraries or functions and as I explain below exports only one function.
Interestingly, there is an abnormal section header I had not seen in a PE or a DLL before (.vfs) which has a file ratio of about 50% meaning this section is big.
PEstudio displays this section has being black listed meaning that it has been seen as suspicious.
Looking at the export directory, there is only one exported function Njkhsud.
I observed that MischiefWrecks.exe is masquerading as rundll32.exe so I set a filter on this process in procmon. I noticed that this DLL (dat file) was loaded by MischiefWrecks.exe.
MischiefWrecks.exe was seen to create a new drive on the system (E:\) and re-created all of the files found in the personal_data_6671.iso.
Shortly after I observed the sample making TCP connection requests, either to download another piece of malware, cobalt strike or to connect back to a C&C server.
Looking in my Wireshark capture, I can see that the malware called out to a domain hxxps[://]hardenpasedaken[.]com which we now know to be the C&C server for this malware.
In addition to this and inline to what I saw in procmon, the sample at regular intervals tried to connect to an endpoint at port 443.
This sample was pretty simple and had a victim open an html attachment which then downloaded a password protected zip file. When this was opened using the password provided, a .lnk file would execute some windows command scripts which would then call a copied version of rundll32.exe to execute a .dat file (dll) which would then call out to a C&C server.
Some pretty cool stuff! I hope from here to analyse more malware and learn much much more! Please let me know if youy think I missed anything or explained anything incorrectly as im still learning. I eventually want to write about some malware I have developed in C and analyse that also, stay tuned!
Downloaded html attachment fileb4046a6848ea2380e32ddf5aa6de79e4c16d0e2e16ecf942ff97287e725f32c7
New drive created