Malware Report: withme.exe
Malware Report
withme.exe
Summary
This Withme.exe will drop a executable file ‘A-1980682553.exe’ to the location %AppData%. Also It will add itself to runonce registry. This is the exact malware. It’s able to communicate with C2 server, which domain is ‘sexwithme.info’ wia port 6667.
Static Analysis
Basic Information
The MD5 hash and Sha-1 hash of withme.exe:
MD5: Message-Digest algorithm 5: 97E17AD0883F8B44CF4869C4E0ED4E3C
SHA-1: US Secure Hash Algorithm 1: B51A237BB4F682473C772C7FFD6C6A890CDF6AB1
Put this hash into virustotal and it shows that: 43/65 engines detected this as a malware. There is high chance it to be a malware.
DLL import
Open it with PEiD to see what dll functions it called:
Since we can see all dlls it imported, it indicated that this malware is not packed.
It import functions by ordinal in WS2_32.dll. Translate part of them from ordinal to name:
closesocket, connect, htons, ioctlsocket…
It shows the evidence of internet socket connection.
From another dll: ADVAPI32.dll, this malware called functions to modify registry values. This is also a suspicious part.
String Anasysis
Check strings inside this PE file:
Pestudio shows it contains 162 string in blacklist. Here it shows strings: Sandbox, Wireshark, VBoxService. According to these strings, I suspect it contains some anti-debug mechanisms.
Dynamic Anasysis
Autoruns check
Use Autoruns to detect what changed after running withme.exe.
Persistence Mechanism
We can see that it modified 2 values in registry. This is the persistence mechanism of this malware. Everytime restart the machine, this A-1980682553.exe will start up automatically.
Hash for A-1980682553.exe
MD5: Message-Digest algorithm 5: 97E17AD0883F8B44CF4869C4E0ED4E3C
SHA-1: US Secure Hash Algorithm 1: B51A237BB4F682473C772C7FFD6C6A890CDF6AB1
After running withme.exe and then I reboot my machine.
It will prevent windows from starting up normally. My computer starts up and then becomes black screen without the menu bar under.
I press ctrl + alt + del to call Windows Task Manager. It shows that A-1980682553.exe is running. After killing it, then my computer can start up normally.
If user directly run the malware in windows. There’ll be 2 processes start up.
When you kill one process of these two, the another will fork one more. Only killing the processes tree can terminate this malware.
IDA Pro Analysis
Anti Debug Mechanisms
This malware contains some anti debug mechanisms.
Under function sub_408C47 (env_check), this malware contains several anti debug check.
At location : 408B31(joeboxCheck), It checks whether the malware is under joebox sandbox.
At location: 408B1D(wireshark_check), It checks whether wireshark is running.
At location: 408ABF(sandbox_check), It check whether it’s under a sandbox environment
At location: 408BA2(ollyDBG_crush) it will output a string which is “%s” for 50 times. This is a known bug for OllyDBG. It will crash OllyDBg
At location: 408B60(ollyDBG_detect) it will traverse all the window name to check whether OllyDBG is running.
593c4c4fh here means ‘YLLO’ in ascii ; 474244h here means ‘GBD’ in ascii.
If reverse these, it spells ‘OLLYDBG’
At location: 408C95(debugger_check), it performs another debugger check.
At location: 408C16(time_check), it check the stop time to prevent being debugged.
When this malware detects something wrong, it will move bl as 1.
Finally it will move bl to al.
Let’s jump to the place where invokes this env_check:
It will test al, al, which means when detect something wrong, the malware will terminate itself.
Patch the anti-debug check
There is only one place invoking the env_check function. The only thing I need to do is just change code from ‘env_check’ to ‘mov eax,0’, because it runs ‘test al,al’ after that. AL is the lower part of EAX. If eax is set to be 0, then the anti-debug mechanism will never be triggered.
Command & Control Server Analysis
Using FakeNet, It will show the server domain and port this malware’s tring to connect.
We got the domain name is sexwithme.info. The port is 6667.
I ran the malware in second time. I got something similar:
Comparing with first result. The malware uses different real name and nick name. But the head part of the nicknames are the same: n[USA|A|L|WIN7|x32|1c]. There’s no way to track the attacker’s real name via IRC real user name.
I changed my local host file, resolving the domain ‘sexwithme.info’ to my localhost. Then I start up local IRC server. In the XChat, I saw there’re 2 clients and 1 channel existing.
However, from the left part, it shows no channels. It means the channel is private.
Decryption IRC Commands
There’s no direct IRC commands can be found in the string of this malware. It means these are encrypted.
At location: 40923A, there’s a xor command. It’s used to decrypt the IRC commands.
Here I found these IRC Commands: PRIVMSG, JOIN, PART, USER, NICK, PASS, PONG.
At location: 4064E9, I found the secret channel is #210
In X-Chat, I join the channel #210, and found the malware listener bot:
The attacker is able to communicate all bot in this channel. Also the attacker is able to send private message to the certain bot.
Modus Operandi Assumption
DDOS
In IDA pro, I found strings ‘ddos’, ‘browser’, ‘http’. There’s high chance that the attacker will perform DDOS attack.
Access to File System
The attacker is able to access to the file system of the infected machines. The attacker may upload files from victims to his computer. And the attacker can execute malicious code scripts in the infected machines.
Conclusion
Withme.exe is a backdoor malware. It’s persistence mechanism is dropping A-1980682553.exe file and add it to the startup registry.
The malware tried to connect to its C2 server, whose domain is ‘sexwithme.info’. The attacker can control all infected machines to perform DDOS. He can also get access to the file system of every infected machine.
Comments
Post a Comment