PowerLoaderV2 Full Basic Malware Static Analysis by Mahmoud NourEldin [Part 1]

Mahmoud NourEldin
7 min read · Jan 1, 2023


Hello there. This is my first writeup for a piece of malware I analyzed a while ago. I would like to share my notes about it, and then I'll publish the full report about this malware, in Sha' Allah.

Glory be to Allah and praise be to Him; glory be to Allah the Almighty.

As a student in the malware analysis field, the first things we need to know are: what is this file? Is it malicious or not [I assume I don't know yet]? What is the name of the malware and its type? Is it an EXE or a DLL? What are its PE headers, strings and hidden strings, is it packed or not, and everything else that can be extracted statically.

PowerLoaderV2.bin MD5: 7DE3350CAFBE8FE843AEA9E8564E6AF5
PowerLoader.bin MD5: 7DE3350CAFBE8FE843AEA9E8564E6AF5

[*] How to do static analysis?

  • Search for the malware in an online sandbox by its hash, and don't upload any file you get at work to those sandboxes unless your manager allows it. [As a Threat Researcher or a Malware Analyst you need to build your own behavioral analysis VM, so searching by file hash is a good starting point.]
    How do you get your file hash?
    I prefer the PE Studio tool for my static analysis, so this is its main screen after dragging and dropping the malware onto it.

So its SHA256 hash is: 5E56A3C4D4C304EE6278DF0B32AFB62BD0DD01E2A9894AD007F4CC5F873AB5CF

Its SHA1 hash is: 7F7017621C13065EBE687F46EA149CD8C582176D

Its MD5 hash is: 7DE3350CAFBE8FE843AEA9E8564E6AF5

We can search in VirusTotal by any of these hashes:

Wow, 60/71 vendors marked it as malicious. Let's see what they call that file.

Trojan, Downloader, Hijacker, Backdoor, PowerLoader, etc.

Keep in mind that we need the whole picture of this malware. My rule is that I will not search for this malware or read any writeup before I have analyzed it myself, so I won't look at its behavior until my static analysis is finished.

Here we can see it's a 32-bit EXE file compiled at 0x5141C969 (Thu Mar 14 05:58:17 2013 UTC) with an entropy of 6.200, which suggests it contains a lot of encrypted data [maybe].

With the Detect It Easy tool we can see the language it was written in, the packer name, and also a full picture of its entropy.

So as you can see here, it was written in C++ and linked with the Microsoft linker. Let's choose the Entropy tab:

As you can see here, all sections have high entropy, and the program reports the file as not packed. If it were packed, we would see only one section with high entropy and the others with low entropy, so let's continue.

As you can see here there is a .cfg section, which is not a usual section name for an executable, so it's good info for our Yara signature.

Also, the PE Studio indicators window points to the name sdropper32.exe, which is the original name mentioned earlier.

The Subsystem field of the Optional Header says GUI, so after running this file we should get the GUI interface of the malware.
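The header fields, hashes and per-section entropy discussed above can all be pulled out with a short standard-library script rather than reading them off PE Studio. The following is an added example written for this writeup (not code from the post or from PE Studio / Detect It Easy): it parses the COFF and Optional headers, computes Shannon entropy per section, flags section names the Microsoft linker does not normally emit (such as .cfg), and applies the post's packing rule of thumb (one high-entropy section with the rest nearly empty). The sample PE it builds is constructed, not the real binary; only the timestamp value 0x5141C969 is taken from the post.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Section names the Microsoft linker normally emits; anything else (like .cfg) deserves a look.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".crt"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """The three hashes you would search on VirusTotal instead of uploading the file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def looks_packed(entropies) -> bool:
    """The post's rule of thumb: a packer leaves one high-entropy section and the rest nearly empty."""
    high = sum(1 for e in entropies if e > 7.0)
    low = sum(1 for e in entropies if e < 1.0)
    return high == 1 and low >= 1 and high + low == len(entropies)


def parse_pe(data: bytes) -> dict:
    """Read the fields PE Studio shows on its summary page: machine, timestamp, subsystem, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    first_section = opt + opt_size
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, first_section + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name,
                         "entropy": round(shannon_entropy(raw), 3),
                         "unusual": name not in COMMON_SECTIONS})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "compile_time_raw": timestamp,
        "compile_time_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "file_entropy": round(shannon_entropy(data), 3),
        "sections": sections,
        "packed_heuristic": looks_packed([s["entropy"] for s in sections]),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the real sample): .text plus an unusual .cfg, both high entropy."""
    text_raw = bytes((i * 7) & 0xFF for i in range(1024))   # every byte value 4 times -> 8.0 bits
    cfg_raw = bytes(range(256)) * 4                          # same distribution -> 8.0 bits
    nsec, opt_size = 2, 224                                  # PE32 optional header size
    raw_start = 0x40 + 4 + 20 + opt_size + 40 * nsec
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0x5141C969, 0, 0, opt_size, 0x0102)  # timestamp from the post
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sec_text = struct.pack("<8sIIII", b".text", len(text_raw), 0x1000, len(text_raw), raw_start) + b"\0" * 16
    sec_cfg = struct.pack("<8sIIII", b".cfg", len(cfg_raw), 0x2000, len(cfg_raw), raw_start + len(text_raw)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_cfg + text_raw + cfg_raw


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    print(parse_pe(sample))
```

To run it on a real file, replace `build_sample_pe()` with the bytes read from disk. Note that the compile timestamp is converted as UTC here; PE Studio may display it in the analyst's local time zone, so compare dates rather than hours.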

Here are the libraries the malware uses. PE Studio marked wininet.dll, psapi.dll and urlmon.dll as blacklisted, because if the file is malicious, its use of internet APIs and process-status APIs is a bad sign.

So from the imports, do we know what exactly the malware does?

The malware creates files, deletes files, does process injection and privilege escalation, enumerates the user's access, creates a mutex, and creates threads.

It enumerates system info, enumerates temp files, allocates memory, enumerates the security identifier (SID), sends HTTP requests, downloads a file from a URL, and also sends/reads data to and from the C2 (command-and-control) server.

Here are a lot of blacklisted APIs:

Allocating memory, locking and mapping a file into memory, and also privilege escalation, as you can see from the privilege-related APIs.

Reading data from processes, enumerating registry keys and setting values, working with files and executing commands, and also downloading files from a URL and getting data.

Allocating memory, changing memory protection, then writing data to another place in memory [maybe process injection or code injection], resuming threads after injecting, and some string manipulation.

Wow, that's a huge amount of info from the imported APIs alone, and it's very useful for our report on what the malware can do.
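The reasoning above (file APIs imply dropping, VirtualAllocEx + WriteProcessMemory + CreateRemoteThread imply injection, and so on) can be written down as co-occurrence rules so the triage is repeatable across samples. The following is an added example written for this writeup, not the post's own tooling and not PE Studio's blacklist: the rule set, the suspicious-DLL list and the sample import table are my own constructions based on the capabilities the post lists, and a capability is reported only when every API in its rule is present, since any single one of them is common in benign software too.

```python
# Constructed rule set: each capability requires *all* listed APIs (ANSI/Unicode suffix folded away).
CAPABILITY_RULES = {
    "remote process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "memory protection change (shellcode staging)": {"VirtualAlloc", "VirtualProtect"},
    "privilege escalation (token privileges)": {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "process enumeration": {"EnumProcesses", "GetModuleBaseName"},
    "registry persistence (Run key)": {"RegOpenKeyEx", "RegSetValueEx"},
    "download and execute": {"URLDownloadToFile", "WinExec"},
    "HTTP C2 traffic": {"InternetOpen", "InternetConnect", "HttpOpenRequest", "HttpSendRequest"},
    "single-instance mutex": {"CreateMutex"},
    "file drop / cleanup": {"CreateFile", "WriteFile", "DeleteFile"},
}

# DLLs the post says PE Studio flagged; a constructed list, matched case-insensitively.
SUSPICIOUS_DLLS = {"wininet.dll", "urlmon.dll", "psapi.dll"}

# Constructed import table shaped like the one the post describes (not the real sample's table).
SAMPLE_IMPORTS = {
    "kernel32.dll": ["CreateFileA", "WriteFile", "DeleteFileA", "CreateMutexA", "CreateThread",
                     "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                     "VirtualAlloc", "VirtualProtect", "WinExec", "GetSystemInfo", "GetTempPathA"],
    "advapi32.dll": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                     "RegOpenKeyExA", "RegSetValueExA", "GetTokenInformation"],
    "psapi.dll": ["EnumProcesses"],
    "urlmon.dll": ["URLDownloadToFileA"],
    "wininet.dll": ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
                    "InternetReadFile"],
}


def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants (CreateFileA / CreateFileW) onto one base name.

    Heuristic: strip a trailing A or W only when the character before it is lowercase,
    so names like WinExec or VirtualAllocEx are left alone.
    """
    if len(api) > 1 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def triage_imports(imports: dict) -> dict:
    """Map an {dll: [api, ...]} import table to capabilities, plus near-misses for the analyst."""
    flagged_dlls = sorted(d for d in imports if d.lower() in SUSPICIOUS_DLLS)
    present = {normalize(a) for apis in imports.values() for a in apis}
    capabilities, partial = [], []
    for cap, needed in CAPABILITY_RULES.items():
        hit = needed & present
        if hit == needed:
            capabilities.append(cap)
        elif hit:
            # Some of the rule matched; report what is missing so the analyst can look for
            # it being resolved at runtime (e.g. via GetProcAddress) instead of imported.
            partial.append((cap, sorted(needed - present)))
    return {"flagged_dlls": flagged_dlls, "capabilities": capabilities, "partial": partial}


if __name__ == "__main__":
    result = triage_imports(SAMPLE_IMPORTS)
    print("flagged DLLs:", ", ".join(result["flagged_dlls"]))
    for cap in result["capabilities"]:
        print("  [+]", cap)
    for cap, missing in result["partial"]:
        print("  [?]", cap, "- missing:", ", ".join(missing))
```

The `partial` list is the useful part for the next section of this analysis: an API that a rule expects but that is absent from the import table is a candidate for being resolved at runtime, which is exactly what the hidden Zw* functions discussed later suggest.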

But what about our question: how does the malware do it?

That's in part 2, in Sha' Allah.

Woooow, these are very interesting APIs from the export table. That's exactly where we will dig in to answer How? and Why?

DownloadRunExeId
DownloadRunExeUrl
DownloadUpdateMain
void * __stdcall GetProcAddress64(void *,char *)
Inject32End
Inject32Normal
Inject32Start
InjectNormRoutine
SendLogs
WriteConfigString

I'm very interested in analyzing all of these APIs. From their names you can tell: download something from the C2 and run the malware, or maybe run its 2nd stage; update the previous stage of the malware [that's crazy]; get API addresses it doesn't want you to know about; process injection or code injection into a process, maybe; send logs to the C2 server; and write configuration into a file.

All the information I have written so far is not exactly the malware's behavior; it's what the malware may be able to do. We will confirm that from the behavioral analysis, in sha' Allah.

Here is what we get from the strings, which include:

Files created: B.cfg, logs123.txt, sdropper32.exe

A POST request to the C2 server with the User-Agent:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)

Working with these registry keys (autorun included):

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Cryptography

Maybe explorer.exe is the target process for the injection.

File created for 64-bit: sdropper64.exe

It also targets the op_mon.exe process, and we know those APIs.

These APIs are not included in the import table, so the malware hides them; some of them are also undocumented [ZwWriteVirtualMemory, ZwReadVirtualMemory], while ZwAllocateVirtualMemory and ZwQueryVirtualMemory are documented.

These APIs work with the kernel, so running this malware on your own system is dangerous; be careful.

Here are some interesting strings:

NewNtResumeThread(): Work thread created
kernelbase.dll
Protect::UpdateMain(): EXE UPDATED !!!
Protect::UpdateMain(): eee3
CurrentPath111
Protect::StartProtect(): Old: '%s'
Protect::StartProtect(): New: '%s'
Protect::StartProtect(): AddKeyToRun error
Protect::WriteFileToNewPath(): FileWrite error %x
Protect::WriteFileToNewPath(): FileRead '%s' error %x
MachineGuid
abcxvcxvx
sacfsfdsf
Drop::InjectStartThread(): inject '%s' (x%s) !!!
aRestartModuleShellExec(): ShellExecuteEx error: %x
Entry(): integrity: %x, current: '%s', win: '%s', admin: '%d', uac: '%d', wow64: '%d'
Entry(): Exploit failed
Entry(): Normal injected failed
Entry(): System already infected
DownloadRunExeUrl(): WinExec: %x
DownloadRunExeUrl(): URLDownloadToFile: %x
mainver
main
DownloadUpdateMain(): e2
DownloadUpdateMain(): e1

srvurls
srvretry
Server::ProcessServerAnswer(): Command '%s' = %x
buildid
Server::SendReport(): Buffer '%s'
Server::ServerLoopThread(): SendReport '%s' ok
Server::ServerLoopThread(): SendReport '%s' no answer
srvdelay
Server::ServerLoopThread(): Sleep: '%d' min

Those strings are unique, and together with the .cfg section of this malware I think that's enough for the Yara rule [we will discuss it later].

Maybe those strings are commands.

And finally, here is the C2 server, which may also host an EXE file [maybe]; these strings are from .text, .rdata, .data and .pdata:

[main]\r\nsrvurls=http://ripnhuipn[.]ru/power/c1.php;http://fikuskalus[.]ru/power/c1.php;\r\nsrvdelay=15\r\nsrvretry=2\r\nbuildid=test\r\n

http://ripnhuipn.ru/power/c1.php
http://fikuskalus.ru/power/c1.php

Heh, VirusTotal shows those URLs as clean, so VirusTotal is only useful for scanning here, not as a source of real intel about them.
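The `[main]` block above is an INI-style configuration embedded in the binary's data sections, and the keys match the `srvurls`, `srvretry`, `srvdelay` and `buildid` strings seen earlier (with `Sleep: '%d' min` telling us the delay unit). A static config extractor can locate that block and turn it into a defanged IOC list for the report. The following is an added example written for this writeup, not the post's own script: the sample blob is constructed around the config string quoted above (already defanged with `[.]`, which the parser tolerates), and the surrounding NUL bytes stand in for the rest of the section.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the config string quoted in the post, padded with NULs as it would sit in a section.
SAMPLE_CONFIG_BLOB = (
    b"\x00\x00[main]\r\nsrvurls=http://ripnhuipn[.]ru/power/c1.php;"
    b"http://fikuskalus[.]ru/power/c1.php;\r\nsrvdelay=15\r\nsrvretry=2\r\nbuildid=test\r\n\x00\x00"
)

# "[main]" followed by one or more key=value lines; stops at the first line that is not key=value.
CONFIG_RE = re.compile(rb"\[main\]\r?\n((?:[A-Za-z0-9_]+=[^\r\n]*\r?\n)+)")


def refang(s: str) -> str:
    """Turn a defanged indicator back into its real form so it can be parsed."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def defang(s: str) -> str:
    """Make an indicator safe to paste into a report (no clickable URL, no live domain)."""
    return refang(s).replace(".", "[.]").replace("http", "hxxp")


def find_config(data: bytes):
    """Return the raw key=value body of the first [main] block, or None if absent."""
    m = CONFIG_RE.search(data)
    return m.group(1) if m else None


def parse_config(body: bytes) -> dict:
    """Split key=value lines; values are kept as text (latin-1 so no byte can fail to decode)."""
    cfg = {}
    for line in body.split(b"\n"):
        line = line.rstrip(b"\r")
        if b"=" in line:
            key, value = line.split(b"=", 1)
            cfg[key.decode("ascii")] = value.decode("latin-1")
    return cfg


def extract_iocs(data: bytes) -> dict:
    """Locate the embedded config and return defanged C2 indicators plus the beaconing parameters."""
    body = find_config(data)
    if body is None:
        return {}
    cfg = parse_config(body)
    urls = [u for u in cfg.get("srvurls", "").split(";") if u]   # list is ';'-separated with a trailing ';'
    hosts = [urlparse(refang(u)).hostname for u in urls]
    return {
        "c2_urls": [defang(u) for u in urls],
        "c2_hosts": [defang(h) for h in hosts if h],
        "delay_min": int(cfg.get("srvdelay", 0)),   # minutes, per the "Sleep: '%d' min" string
        "retries": int(cfg.get("srvretry", 0)),
        "build_id": cfg.get("buildid"),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_CONFIG_BLOB).items():
        print(f"{key}: {value}")
```

On a real sample the input would be the bytes of the whole file (or just the `.data`/`.rdata` sections), and the defanged hosts go straight into the IOC table; the delay and retry values are also worth recording, since they describe the beacon interval a network detection would need to catch.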

Here we see the same strings again, which means the malware drops itself again [maybe another variant].

That's all the info we got from PE Studio alone.

And here are the stack strings found by the FLOSS tool:

\BaseNamedObjects\ShimSharedMemory
\BaseNamedObjects\windows_shell_global_counters
\BaseNamedObjects\MSCTF.Shared.SFM.MIH
\BaseNamedObjects\MSCTF.Shared.SFM.AMF
\BaseNamedObjects\UrlZonesSM_Administrator
\BaseNamedObjects\UrlZonesSM_SYSTEM

Those strings are important for the malware signature.

We extracted a lot of info that will help for part 2, in Sha' Allah.

There is no god but Allah alone, without partner; His is the dominion and His is the praise, and He has power over all things.

See you later,

Mahmoud NourEldin

Written by Mahmoud NourEldin

Threat Researcher and Malware Analyst.

No responses yet