Solved Analysis on Unknown Malware - Assistance Requested

Vir Gnarus

Hi,

Currently snagged a bit of malware trying to run its course on my workstation. However, instead of cleaning it, I have pacified it and am now attempting to gut and analyze it out of personal interest and to further my knowledge of security analysis. I've already done the initial data collection and a bit of sleuthing but ran into a couple of snags that I'd like assistance on if possible. If anyone here is capable and curious I'd like to proceed on this thread; otherwise, if they have any other forum or resource they'd like to recommend to direct my attention to that will better suit this kind of request, then I'd gladly accept that too.

I'll post details I've garnered so far on condition that I receive notice that others are interested in it. I will say that Trend Micro detected only some of its activity (attempting to access certs on illegitimate sites) but not the actual offending items (I have, however). I have not run it through other AV software yet to determine virus definitions, so for now it is considered an unknown strain.

Thank you for your consideration in the matter. I hope this ends up becoming a worthy adventure that people may profit from.
 

My Computer

OS
Windows 7 64-bit
Upload the file to Jotti's malware scan and have it scanned and analyzed by several anti-virus companies.
 

Trend Micro does not like the JavaScript on that website. I will have to find an alternative.
 

https://www.virustotal.com/en/file/...ffc7e32c1d7f2dd6e36edffd/analysis/1360948659/

Also for another item of it, a file named '1.0' with no extension:

https://www.virustotal.com/en/file/...6da173df716231525fd408e0/analysis/1360948834/

Looks like a pretty new strain. Timelines for various virus databases said it was added either late January or early Feb this year. I've discovered no detailed analysis on the item yet. Guess I'm working with something fresh!

While it's unfortunate I have no further information on it to work with, I still wish to pick it apart and analyze it personally. Again, you all are welcome to assist in the endeavor, or perhaps direct me to a forum that has people doing this frequently?
 

Vir Gnarus,

Malware Analysis needs a system of its own that you can infect without affecting your Operating System.

The following article may give you some insight.
5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser

Also, there are many other websites offering tutorials on the subject.

There may be some forums in the malware community that have a Malware Analysis subforum, but I cannot think of one with access for the general public. At a minimum, I believe you need to be a trained malware removal advisor who has worked at the malware removal forums, an expert in the field of Malware Analysis, or something in between.

This forum does not have a Malware Analysis subforum (that I have seen). There may be someone in this forum that engages in malware analysis, but, that person will have to come forward.

Some of the members here may analyze certain reports to determine if malware is present on a computer, but, like for myself, providing assistance on malware removal is as far as it goes.

Analyzing the actual malware is a different ball game.

Good luck in your endeavour.
 

Also for another item of it, a file named '1.0' with no extension:

You might look at these keys
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer
"EnableShellExecuteHooks" = 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe
 

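As an added example (not part of Jacee's post and not derived from the sample discussed in this thread), here is a Python script that checks the locations listed above from an offline reg.exe export rather than by clicking through regedit. It joins the backslash-continued hex lines the export format uses, reports every value under Run, RunOnce and policies\Explorer\Run (the "Random.exe" in the list above stands for any arbitrarily named executable, as the thread clarifies later) with a note on whether the image lives outside the normal program directories, reports EnableShellExecuteHooks set to 1, and, going one step beyond the list, flags any REG_BINARY value at or above a size threshold, since a loader that stashes code in the registry leaves exactly that kind of value. The registry dump embedded in the script is constructed for the example: the value names, the twbos6h.exe and C:\Windows\Temp\WUDFHost.exe paths and the Wudf\Cache key are made up, not observations from the infected machine.

```python
import re
import sys

# Constructed sample: a trimmed reg.exe export covering the autorun locations
# listed in the thread plus one oversized REG_BINARY value. Every name and path
# here is made up for the example, not an observation from the infected machine.
_MZ_STUB = bytes.fromhex("4d5a90000300000004000000ffff0000") + bytes(range(256))


def _as_reg_hex(data, per_line=25):
    """Render bytes the way reg.exe writes REG_BINARY: comma separated, backslash continued."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + per_line])
              for i in range(0, len(data), per_line)]
    return "hex:" + ",\\\n  ".join(chunks)


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="\"C:\\Program Files (x86)\\Adobe\\updater.exe\" /silent"
"twbos6h"="C:\\Users\\Public\\twbos6h.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"svc"="C:\\Windows\\Temp\\WUDFHost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:1c,00,00,00,37,a8,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Wudf\Cache]
"Stage2"=""" + _as_reg_hex(_MZ_STUB) + "\n"

AUTORUN_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _decode_value(rhs):
    """Map the right-hand side of a .reg value line to (kind, python value)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return "sz", re.sub(r"\\(.)", r"\1", rhs[1:-1])     # undo \\ and \" escapes
    if rhs.startswith("dword:"):
        return "dword", int(rhs[6:], 16)
    m = re.match(r"hex(\(\w+\))?:(.*)$", rhs)                # hex: is REG_BINARY, hex(N): other types
    if m:
        return "hex" + (m.group(1) or ""), bytes.fromhex(m.group(2).replace(",", ""))
    return "raw", rhs


def parse_reg_export(text):
    """Yield (key, name, kind, value) from reg.exe export text, joining continued lines."""
    logical, pending = [], ""
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        if line.endswith("\\"):          # trailing backslash: value continues on next line
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    key = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (line.startswith('"') or line.startswith("@=")):
            if line.startswith("@="):
                name, rhs = "(Default)", line[2:]
            else:
                name, _, rhs = line[1:].partition('"=')
            yield (key, name) + _decode_value(rhs)


def _image_path(command):
    """Pull the executable path out of an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    end = command.lower().find(".exe")
    return command[:end + 4] if end >= 0 else command.split()[0]


def scan_reg_export(text, blob_threshold=256):
    """Findings worth a second look: autoruns, the shell-hook policy, large binary values."""
    findings = []
    for key, name, kind, value in parse_reg_export(text):
        klow = key.lower()
        if kind == "sz" and klow.endswith(AUTORUN_SUFFIXES):
            image = _image_path(value)
            out_of_place = not any(image.lower().startswith(d) for d in TRUSTED_DIRS)
            findings.append({"type": "autorun", "key": key, "name": name,
                             "image": image, "out_of_place": out_of_place})
        elif (kind == "dword" and klow.endswith("\\policies\\explorer")
              and name.lower() == "enableshellexecutehooks" and value == 1):
            findings.append({"type": "policy", "key": key, "name": name, "value": value})
        elif kind.startswith("hex") and len(value) >= blob_threshold:
            findings.append({"type": "blob", "key": key, "name": name,
                             "size": len(value), "mz_header": value[:2] == b"MZ"})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()   # reg export writes UTF-16 with a BOM
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    else:
        text = SAMPLE_REG
    for finding in scan_reg_export(text):
        print(finding)
```

On a live machine, dump the hives first (reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm_cv.reg, and the same for the Wow6432Node and HKCU paths), then point the script at each file. A blob hit only says "executable-sized data in an odd place"; carve it out with the parser above and hand it to the same hashing and VirusTotal lookup as the dropped file.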
Jacee, thanks, I checked and came up clean on that. From looking at Procmon I can see WUDFHost.exe creating the 1.0 file and loading the image of it into memory then calling into the code on that file. I have not seen any file by the name of Random.exe showing up on Procmon, so I'm at least clean there.

Thanks for the tips, Cotton. I'll peruse further to see what I can do. I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions. No need jeopardizing any of my work for a pursuit out of curiosity!

Thanks again fellas for at least kicking this off with me.
 

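The Procmon sequence described above (a process creating a file, then mapping that same file as an image, which Procmon shows as a Load Image event) can be pulled out of a CSV export mechanically instead of by scrolling. The following Python script is an added example, not code from the thread: it walks the rows in capture order, remembers which PID last wrote each path, and reports every successful Load Image whose path was written earlier in the trace, noting whether writer and loader are the same process and whether the file is named like an image at all. The rows embedded in it are constructed to mimic that pattern; the C:\Users\Public\1.0 location, the PIDs and the second svchost/explorer pair are invented for the example.

```python
import csv
import io
import ntpath
import sys

# Constructed Procmon export (File > Save, CSV, default columns). The rows are
# made up to mimic the pattern reported in the thread: a process writes a file
# and then maps that same file as an image. Paths and PIDs are invented.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:11:02.1001","WUDFHost.exe","1480","CreateFile","C:\Users\Public\1.0","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File"
"7:11:02.1030","WUDFHost.exe","1480","WriteFile","C:\Users\Public\1.0","SUCCESS","Offset: 0, Length: 24,576"
"7:11:02.1044","WUDFHost.exe","1480","CloseFile","C:\Users\Public\1.0","SUCCESS",""
"7:11:02.2210","WUDFHost.exe","1480","Load Image","C:\Users\Public\1.0","SUCCESS","Image Base: 0x10000000, Image Size: 0x8000"
"7:11:02.2300","WUDFHost.exe","1480","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x76f20000, Image Size: 0x35000"
"7:11:03.0001","svchost.exe","912","WriteFile","C:\Windows\Temp\cache.bin","SUCCESS","Offset: 0, Length: 512"
"7:11:03.0101","explorer.exe","1224","Load Image","C:\Windows\Temp\cache.bin","SUCCESS","Image Base: 0x00b20000, Image Size: 0x1000"
'''

IMAGE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl", ".scr"}


def parse_procmon_csv(text):
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_write(row):
    """True for rows that put bytes into a file or open it for writing."""
    if row["Result"] != "SUCCESS":
        return False
    if row["Operation"] == "WriteFile":
        return True
    return row["Operation"] == "CreateFile" and "Generic Write" in row["Detail"]


def find_write_then_load(rows):
    """One finding per successful Load Image whose path was written earlier.

    Rows must be in capture order. A file written by one PID and mapped by
    another is still reported (dropper/loader split); 'same_process' tells
    the two cases apart, and 'odd_extension' marks files that are not named
    like images, such as the extension-less 1.0.
    """
    last_writer = {}                       # lower-cased path -> (pid, process name)
    findings = []
    for row in rows:
        path = row["Path"].lower()
        if _is_write(row):
            last_writer[path] = (row["PID"], row["Process Name"])
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            writer = last_writer.get(path)
            if writer is None:
                continue                   # ordinary image load; nothing in this trace wrote it
            findings.append({
                "time": row["Time of Day"],
                "path": row["Path"],
                "writer": writer,
                "loader": (row["PID"], row["Process Name"]),
                "same_process": writer[0] == row["PID"],
                "odd_extension": ntpath.splitext(path)[1] not in IMAGE_EXTENSIONS,
            })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8-sig", errors="replace").read()
    else:
        text = SAMPLE_PROCMON_CSV
    for hit in find_write_then_load(parse_procmon_csv(text)):
        print(hit)
```

Export from Procmon with the default column set so the header names match, then run python procmon_scan.py Logfile.CSV. Because it keys on the path rather than the process, it also catches the split case where one process drops the file and a different one maps it, which a filter on a single process name would miss.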
....I am also well aware of the need to have an isolated system in a non-production environment with a VM to look further into this without any repercussions.....

From a 2009 blog post:
Virtual machines are widely used by malcode researchers to analyse new malware or to see what it does without risking a real machine. However, virtual-machine-aware malware now exists, which makes using them more problematic.

Virus Bulletin : VB2009 - Virtual machines for real malware capture and analysis

That is not the article that I went hunting for, but it will do.

A VM is still where I play with things like this - knowing that they might not give up all of their secrets until they think that they are on a real computer.
 

Yeah, that's why I figured it best to actually create an isolated rig with a VM on it if necessary (at least to see if it is VM-aware). I wouldn't put it past them to be able to go beyond VMs, sandboxing and other relevant forms of software-based isolation measures. Best way is always through hardware.
 

Doh! I meant to add that I think Jacee was saying to look for an exe file with some random name (e.g. twbos6h.exe)

...but I could be wrong - perhaps that was a literal reference to a file named Random.exe
 

Either way nothing of the type was discovered. I would love to provide all the details I've garnered on it so far but I don't think this is the place for that. WUDFHost.exe was discovered in the Windows startup as a scheduled task which I quickly snuffed out, and the only other registry keys I've found are keys WUDFHost.exe used to store binary code to execute, again elements I have noted and wiped off. I am unfamiliar with anything else.

Btw, what I can say is this item isn't exactly that new, now that I realize it. I found the file timestamps show up as May 7 2012. That was the day when, in desperation, I foolishly sought out a Windows key finder to determine the cause of a Windows registration issue with a newly installed system. The item wasn't to generate a Windows key or to use illegal keys but merely to extract the current existing key of a Windows installation so I could juxtapose it with the key it was supposed to have. Regardless, the application ended up being a trojan.

I disassembled it in IDA and found it uses anti-disassembly techniques so I couldn't go very far on it. It does look very suspect and I wouldn't doubt WUDFHost.exe is lurking within its seemingly random code.

Thanks again for the support. I'll try seeing what I can do about finding a community that is more accommodating for this kind of work, if it's even accessible.
 

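On the IDA dead end mentioned above: the common anti-disassembly tricks are byte patterns that a linear sweep (and a recursive descent that trusts every branch) misreads, so it helps to locate them in bulk before sitting down in IDA. The script below is an added example, not from the thread and not derived from the sample under discussion: it scans raw bytes for a jz/jnz pair with one common target (an opaque predicate that hides a junk byte both branches skip), a short jmp that lands inside its own encoding (EB FF), a call to the very next instruction, and push imm32 followed by ret. The bytes it scans are constructed for the example.

```python
import struct
import sys

# Constructed byte string for the example: a few x86 stubs using the classic
# anti-disassembly tricks, padded with ordinary instructions. These are not
# bytes from the sample discussed in the thread.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"            # push ebp; mov ebp, esp
    "33 c0"               # xor eax, eax
    "74 03 75 01 e8"      # jz +3; jnz +1; the E8 is a junk byte both branches skip
    "58"                  # pop eax: where execution really continues
    "e8 00 00 00 00"      # call $+5: pushes EIP and falls through (GetPC idiom)
    "5b"                  # pop ebx
    "eb ff c0 48"         # jmp -1 into FF C0 (inc eax), then 48 (dec eax)
    "68 78 56 34 12 c3"   # push 0x12345678; ret
    "5d c3"               # pop ebp; ret
)


def _rel8(b):
    """Signed 8-bit displacement of a short jump."""
    return b - 256 if b & 0x80 else b


def scan_anti_disassembly(code):
    """Return (offset, kind, note) for byte patterns that mislead a disassembler.

    Every byte offset is tested, so run this over a code section, not a whole
    file, and expect some hits inside immediates or data.
    """
    findings = []
    n = len(code)
    for i in range(n):
        op = code[i]
        # jz/jnz (or jnz/jz) with identical targets: one of them always fires,
        # and whatever sits between the pair and the target is never executed.
        if i + 4 <= n and op in (0x74, 0x75) and code[i + 2] == op ^ 1:
            t1 = i + 2 + _rel8(code[i + 1])
            t2 = i + 4 + _rel8(code[i + 3])
            if t1 == t2:
                findings.append((i, "jcc/jncc pair to same target",
                                 f"both branch to {t1:#x}; bytes before it are dead"))
        # jmp rel8 landing inside its own two bytes (EB FF) or on itself (EB FE).
        if op == 0xEB and i + 2 <= n:
            target = i + 2 + _rel8(code[i + 1])
            if i <= target < i + 2:
                findings.append((i, "jmp into own instruction", f"target {target:#x}"))
        # call with rel32 == 0 only pushes the return address; the callee is the
        # next instruction, which usually pops it (GetPC) or fakes a call/ret pair.
        if op == 0xE8 and i + 5 <= n and code[i + 1:i + 5] == b"\x00\x00\x00\x00":
            findings.append((i, "call next instruction", "rel32 = 0"))
        # push imm32; ret is a jump dressed up as a return; the pushed value is the
        # real destination, and flow analysis that stops at ret loses it.
        if op == 0x68 and i + 6 <= n and code[i + 5] == 0xC3:
            dest = struct.unpack_from("<I", code, i + 1)[0]
            findings.append((i, "push/ret", f"transfers to {dest:#010x}"))
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CODE
    for offset, kind, note in scan_anti_disassembly(data):
        print(f"{offset:#08x}  {kind:30s} {note}")
```

Feed it the raw bytes of the .text section (read from the section's PointerToRawData for SizeOfRawData bytes) rather than the whole PE, and treat each hit as a place to undefine the bogus instruction in IDA and re-define code at the real target, not as a verdict on its own. The jz/jnz case in the sample is the one to try first: IDA will have swallowed the junk E8 as the start of a five-byte call, and the pop at the true target only appears once that call is undefined.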
Doh! I meant to add that I think Jacee was saying to look for an exe file with some random name (e.g. twbos6h.exe)

...but I could be wrong - perhaps that was a literal reference to a file named Random.exe
Exactly right!
 
