PowerLoader V2 Malware Analysis

Sheri_s.k
4 min read, Jun 21, 2021

I will divide this analysis into two parts:

  1. Basic Static Analysis
  2. Basic Behavioral Analysis

Basic Static Analysis:

  • First, let's check whether the malware is packed, using PEiD (CFF Explorer works as well). PEiD only recognises packers it has signatures for, so a clean result on its own does not rule out a custom packer; the section names and section entropy shown in CFF Explorer are worth a glance too.
PEiD
  • PEiD reports no known packer, so we treat the sample as unpacked and move on to strings. The strings embedded in a binary give a good first picture of the features it can execute: API names, file paths, registry keys and URLs. Strings can be fetched in several ways; I am going to use the Sysinternals Strings tool and redirect its output to a file:
Strings <malware> > <output file>
Strings Command
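The PEiD check above can be scripted, and made useful against packers PEiD has no signature for, by looking at the section table directly. The following is an added example (not code from the original post): it walks the PE section headers, computes each section's Shannon entropy, and flags any section that exceeds 7 bits per byte or carries a well-known packer section name. The build_test_pe() helper and the two sample images it produces are constructed for this example; nothing here is taken from the PowerLoader sample.

```python
"""Scripted version of the "is it packed?" step: walk the PE section table and
compute each section's Shannon entropy, plus a check for well-known packer
section names.  Added example, not code from the original post; the
build_test_pe() helper constructs a throwaway test image, not PowerLoader."""
import math
import random
import struct

# Section names left behind by common packers (UPX, ASPack, Petite, NsPack,
# MPRESS, Themida, VMProtect).  Absence of these proves nothing.
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1",
    "MPRESS1", "MPRESS2", ".themida", ".vmp0", ".vmp1",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return one dict per IMAGE_SECTION_HEADER, with the entropy of its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, _vsize, vaddr, raw_size, raw_off,
         _r, _l, _nr, _nl, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_off:raw_off + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_offset": raw_off,
            "raw_size": raw_size,
            "characteristics": chars,
            "truncated": len(raw) < raw_size,   # header claims more bytes than the file holds
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def packing_report(pe: bytes, threshold: float = 7.0) -> dict:
    """Flag sections whose entropy exceeds the threshold or whose name is packer-like."""
    sections = parse_sections(pe)
    flagged = [s["name"] for s in sections
               if s["entropy"] > threshold or s["name"] in PACKER_SECTION_NAMES]
    return {"likely_packed": bool(flagged), "flagged": flagged, "sections": sections}


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE (valid headers, not loadable) for offline testing."""
    n = len(sections)
    size_of_optional = 224                      # PE32 optional header size
    raw_off = 64 + 4 + 20 + size_of_optional + 40 * n
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_of_optional, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), vaddr, len(data), raw_off, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_off += len(data)
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table + body


# Constructed samples: plain code and data versus a UPX-style layout with an
# empty UPX0 section and a high-entropy (compressed-looking) UPX1 section.
rng = random.Random(1)
UNPACKED = build_test_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10" * 300),
    (".data", b"srvurl\0logs123.txt\0" * 50),
])
PACKED = build_test_pe([
    ("UPX0", b""),
    ("UPX1", bytes(rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        rep = packing_report(img)
        print(label, "likely_packed =", rep["likely_packed"], rep["flagged"])
        for s in rep["sections"]:
            print(f"  {s['name']:<8} raw={s['raw_size']:6d}  entropy={s['entropy']:.3f}")
```

Entropy close to 8 bits per byte means compressed or encrypted data, which is what a packer leaves in the section it unpacks from; legitimate binaries with embedded compressed resources or large certificates can score high as well, so treat a hit as a prompt to look closer, not as proof. A clean PEiD result together with unremarkable entropy across all sections is what supports the "not packed" conclusion above.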

Now I'll analyse the strings. I have copied the ones I found interesting into the figures below.

Fig 1
  • From Fig 1 we can tell it is an executable. At some point it uses a file named logs123.txt, and there are registry keys and directory paths it appears to operate on.
  • The string op_mon.exe stands out; a search shows it is the name of a component of an anti-malware product, which suggests the sample looks for security software on the host.
  • The rest look like function names. One of them, AddKeyTORun, appears next to a registry path, which suggests persistence through a Run registry key (a value placed under such a key is executed at each logon).
  • There are also printf-style format specifiers (%s and the like) scattered through the figure; these usually mark templates for paths, URLs or commands that are filled in at run time.
Fig 2
  • The first line in Fig 2 is suspicious: it looks like a function that creates a thread and injects something whose name is supplied through a %s specifier. The other function names and messages in the figure also describe its capabilities, for example Exploit Failed and system already infected, which suggest it checks whether the system has already been compromised before running again.
  • There are also download functions, a string srvurls (probably server URLs) and a regex that may describe the expected URL format. A POST string indicates an outbound HTTP request, and the HTTP API names alongside it make network communication very likely.
Fig 3
  • In this figure srvurl appears with a value, so the guess was correct: they are server URLs. CreateToolhelp32Snapshot (the API's actual name) takes a snapshot of the running processes, threads and modules so they can be enumerated; in malware it is typically used to find a process to inject into or to look for a security product such as op_mon.exe. shell32.dll and a POST request are referenced as well. So the sample can modify memory, sleep, enumerate processes and request a file for download.
Fig 4
  • Finally, we can see sdropper64.exe, a 64-bit dropper executable, next to some download functions. Many other strings suggest the sample can run on both 32-bit and 64-bit Windows by loading architecture-specific DLLs.

From the strings alone we can say that this file is capable of modifying memory, injecting into processes, downloading executables, and checking whether the system is already compromised.
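The manual read-through of Figs 1 to 4 amounts to pulling printable runs out of the file and sorting them into capability buckets. Below is an added example that does the same in Python (not code from the original post and not the Sysinternals tool): it extracts ASCII and UTF-16LE strings of five or more characters, tags each one with a category (persistence, HTTP/C2, injection, process enumeration, infection check, dropped files) using a small rule set of my own, and pulls URLs out as IOC candidates. SAMPLE is a constructed buffer that mimics the kinds of strings the post describes; the URL in it is a placeholder under the reserved .invalid domain, not an indicator from PowerLoader.

```python
"""Strings extraction with capability triage: a scripted equivalent of the
`strings` pass and the manual read-through in the post.  Added example, not
code from the original post.  SAMPLE is a constructed buffer, not bytes from
the PowerLoader sample."""
import re

MIN_LEN = 5

# (category, pattern) rules applied to each extracted string.  Generic triage
# heuristics chosen for this example, not a list of what the post found.
TRIAGE_RULES = [
    ("persistence",     re.compile(r"CurrentVersion\\Run|RunOnce|\\Startup\\", re.I)),
    ("http/c2",         re.compile(r"https?://|\bPOST\b|srvurl|WinHttp|InternetOpen|HttpSendRequest", re.I)),
    ("injection",       re.compile(r"CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|NtMapViewOfSection", re.I)),
    ("process enum",    re.compile(r"CreateToolhelp32Snapshot|Process32(First|Next)|Module32First", re.I)),
    ("infection check", re.compile(r"Exploit Failed|already infected", re.I)),
    ("dropped file",    re.compile(r"\.(exe|dll|txt)$", re.I)),
]

ASCII_RUN = rb"[\x20-\x7e]{%d,}"
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII and UTF-16LE runs.
    UTF-16LE matters on Windows: wide API, path and message strings are
    invisible to an ASCII-only pass."""
    for m in re.finditer(ASCII_RUN % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(WIDE_RUN % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def triage(data: bytes, min_len: int = MIN_LEN) -> dict:
    """Bucket extracted strings by capability and collect URL-looking strings."""
    hits = {}
    for off, enc, text in extract_strings(data, min_len):
        for category, rx in TRIAGE_RULES:
            if rx.search(text):
                hits.setdefault(category, []).append((off, enc, text))
    # URL candidates are taken from the raw bytes so that a URL glued to other
    # text (srvurl=http://...) is still reported on its own.
    urls = sorted({m.group().decode("ascii")
                   for m in re.finditer(rb"https?://[\x21-\x7e]+", data)})
    return {"hits": hits, "urls": urls}


# Constructed sample: the kinds of strings the post describes, surrounded by
# binary noise, a too-short run ("ab") and one UTF-16LE message.
SAMPLE = (
    b"\x00\x00MZ\x90\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"logs123.txt\x00op_mon.exe\x00sdropper64.exe\x00"
    b"srvurl=http://example.invalid/gate.php\x00"        # placeholder URL, .invalid TLD
    b"POST %s HTTP/1.1\x00CreateToolhelp32Snapshot\x00"
    + b"\xde\xad\xbe\xef" * 8
    + "Exploit failed".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00cd"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for category, items in report["hits"].items():
        for off, enc, text in items:
            print(f"{off:#08x} {enc:<8} {category:<15} {text}")
    print("URL candidates:", report["urls"])
```

Two things this catches that a plain `strings` run does not: the UTF-16LE message "Exploit failed" (only visible with the wide-string pass) and the URL embedded inside a longer srvurl= string. Strings that match no rule are still extracted and should still be read; the rules only order the review, they do not replace it.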

Let's now check the PE headers of the malware using CFF Explorer.

  • From the following figures, we can confirm it is a PE file.
Export Directory
  • The export directory lists a number of exported functions, which other modules (for example the DLLs it loads) or the malware itself can call.
Import Directory
  • Most of the imported DLLs are used to establish HTTP and socket connections, and one (shell32.dll) is used for shell operations.
Resources
  • There are no resources in the file.

From this analysis we can conclude that

  1. It can create and delete files.
  2. It references a file, logs123.txt, that appears to be a log file.
  3. Most of the features point to an HTTP connection used to download sdropper32.exe / sdropper64.exe.
  4. It can perform shell operations through shell32.dll.
  5. It can check whether the system is already compromised and enumerate running processes with CreateToolhelp32Snapshot.

Finally, it looks like a dropper: a first stage that downloads and drops the actual malware.

IOCs:

Urls:

Files:

  • logs123.txt

Executables:

  • sdropper32/64.exe
  • op_mon.exe

Behavioral analysis follows in the next story.

Sheri_s.k

Currently pursuing my Cyber Security master's degree.