Word Count

Section | Word Count
---|---
Summary | 69
Methodology | 12
Malware Details | 10
Static Analysis | 348
Dynamic Analysis | 382
Reverse Engineering | 355
Origins and Removal | 45
Conclusions and Recommendations | 91
Total | 1374
Summary:
Privileged logon action detected, with audit privilege bypassing and the Delegate Session User Impersonate privilege (SeDelegateSessionUserImpersonatePrivilege).
User with Privileges Logon
Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
Sigma Integrated Rule Set (GitHub) - frack113
Context For The Matching Events
EventID:4672
PrivilegeList:SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege
SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SubjectUserName:SYSTEM
SubjectLogonId:999
SubjectUserSid:S-1-5-18
SubjectDomainName:NT AUTHORITY
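The following Python script is an added example; it is not part of this report or of the cited Sigma rule. It parses a 4672 event in the flattened form shown above and flags events in which an account outside the baseline receives high-risk privileges. The matched event above is attributed to SYSTEM (S-1-5-18), which every Windows host generates routinely at boot and service start, so the script treats the well-known service SIDs as baseline noise. The privilege weighting, the baseline set and the second, constructed event for a domain user are this example's own choices.

```python
"""Triage of Windows Security event 4672 (special privileges assigned to new logon).

Added example, not part of the original report or the Sigma rule it cites.
The event text below is constructed from the fields shown in the report; the
privilege weighting and the SYSTEM baseline are this example's own choices.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Privileges that let a holder take over the machine outright; a 4672 event
# carrying one of these for a non-baseline account deserves a look.
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege",               # read/write any process memory
    "SeTcbPrivilege",                 # act as part of the operating system
    "SeLoadDriverPrivilege",          # load kernel code
    "SeTakeOwnershipPrivilege",       # take over any securable object
    "SeBackupPrivilege",              # read any file regardless of ACL
    "SeRestorePrivilege",             # write any file regardless of ACL
    "SeImpersonatePrivilege",         # impersonate clients (token theft chains)
    "SeAssignPrimaryTokenPrivilege",  # replace a process-level token
}

# Well-known SIDs whose 4672 events are expected background noise on every host.
BASELINE_SIDS = {
    "S-1-5-18",  # NT AUTHORITY\SYSTEM
    "S-1-5-19",  # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",  # NT AUTHORITY\NETWORK SERVICE
}


@dataclass
class Event4672:
    subject_user_name: str
    subject_domain_name: str
    subject_user_sid: str
    subject_logon_id: str
    privileges: List[str] = field(default_factory=list)


def parse_event(text: str) -> Event4672:
    """Parse the flattened 'Key:Value' form shown in the report.

    PrivilegeList may wrap across several lines; continuation lines that carry
    no ':' are appended to the previous key's value.
    """
    fields: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key:
            fields[last_key] += " " + line
    if fields.get("EventID") != "4672":
        raise ValueError("not a 4672 event")
    return Event4672(
        subject_user_name=fields.get("SubjectUserName", ""),
        subject_domain_name=fields.get("SubjectDomainName", ""),
        subject_user_sid=fields.get("SubjectUserSid", ""),
        subject_logon_id=fields.get("SubjectLogonId", ""),
        privileges=fields.get("PrivilegeList", "").split(),
    )


def triage(event: Event4672) -> dict:
    """Return the risky privileges present and whether the event needs review."""
    risky = sorted(p for p in event.privileges if p in HIGH_RISK_PRIVILEGES)
    baseline = event.subject_user_sid in BASELINE_SIDS
    return {
        "account": f"{event.subject_domain_name}\\{event.subject_user_name}",
        "risky_privileges": risky,
        "baseline_account": baseline,
        # Review when a non-baseline account receives any high-risk privilege.
        "needs_review": bool(risky) and not baseline,
    }


# Constructed from the event fields reproduced in the report.
SAMPLE_EVENT = """
EventID:4672
PrivilegeList:SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege
SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege
SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SubjectUserName:SYSTEM
SubjectLogonId:999
SubjectUserSid:S-1-5-18
SubjectDomainName:NT AUTHORITY
"""

# Constructed: the same privilege set granted to an ordinary domain user, which
# is the shape of event an analyst actually wants surfaced.
SUSPICIOUS_EVENT = (
    SAMPLE_EVENT.replace("SubjectUserName:SYSTEM", "SubjectUserName:jdoe")
    .replace("SubjectUserSid:S-1-5-18", "SubjectUserSid:S-1-5-21-1111111111-2222222222-3333333333-1105")
    .replace("SubjectDomainName:NT AUTHORITY", "SubjectDomainName:CORP")
)

if __name__ == "__main__":
    for text in (SAMPLE_EVENT, SUSPICIOUS_EVENT):
        print(triage(parse_event(text)))
```

Run stand-alone, the script prints one triage dictionary per event: the SYSTEM event is marked as baseline and not for review, the constructed domain-user event is flagged with its high-risk privileges listed.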
Methodology:
IDA Pro, VirusTotal, Hybrid Analysis, HxD and Linux command-line tools were used to analyze the sample.
Malware Details:
MITRE ATT&CK technique detection based on native API execution and CAE connections.
Static Analysis:
The sample uses kernel-based APIs to access and bypass the privileged logon; all of the APIs it prefers are kernel-based.
Suspicious Indicators (4)
Unusual Characteristics
● Input file contains API references not part of its Import Address Table (IAT)
details (Source: 582a5a8f175b49dffb9a0d63a6c334ac914d4b3e0320a4c6ee33f7fbef7267bb.bin):
Found string "getsockname" (API is part of module: WS2_32.DLL)
Found string "getsockopt" (API is part of module: WS2_32.DLL)
Found string "GetFinalPathNameByHandleW" (API is part of module: KERNELBASE.DLL)
Found string "getEncodingFromLangID" (API is part of module: FAKEBANKLOGIN.EXE)
Found string "getJavaIDFromLangID" (API is part of module: FAKEBANKLOGIN.EXE)
Found string "initialize" (API is part of module: FAKEBANKLOGIN.EXE)
Found string "GetFileVersionInfoSizeW" (API is part of module: VERSION.DLL)
Found string "GetFileVersionInfoW" (API is part of module: VERSION.DLL)
Found string "VerQueryValueW" (API is part of module: VERSION.DLL)
Found string "GetUserNameW" (API is part of module: ADVAPI32.DLL)
Found string "OpenProcessToken" (API is part of module: ADVAPI32.DLL)
Found string "GetUserProfileDirectoryW" (API is part of module: USERENV.DLL)
Found string "CloseHandle" (API is part of module: KERNELBASE.DLL)
Found string "CreateEventA" (API is part of module: KERNELBASE.DLL)
Found string "CreateFileMappingW" (API is part of module: KERNELBASE.DLL)
Found string "CreateFileW" (API is part of module: KERNELBASE.DLL)
Found string "DuplicateHandle" (API is part of module: KERNELBASE.DLL)
Found string "FlushFileBuffers" (API is part of module: KERNELBASE.DLL)
Found string "GetCurrentDirectoryW" (API is part of module: KERNELBASE.DLL)
Found string "GetCurrentProcess" (API is part of module: KERNELBASE.DLL)
Source: String | Relevance: 10/10
Using string analysis, the accessors related to the executable's logon handling were located. Several sequences in the malicious section are defective, and local parameter setup was detected in strings such as remote-connection algorithm parameters and the connections they make from a thread.
The overlapping functions:
They need to change the accessor mode and the privileged logon.
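The indicator above (API names present as strings but absent from the Import Address Table) is what a sandbox reports when a binary resolves functions at run time instead of importing them, so the names never appear in the IAT. The Python script below is an added example, not part of this report or of Hybrid Analysis: it extracts printable ASCII and UTF-16LE strings from raw bytes, splits them into identifiers, and reports catalogued API names that the supplied import list does not cover, grouped by exporting module. The API catalogue is built from the names listed above; the byte buffer and import list are constructed for illustration.

```python
"""Flag Win32 API names that appear as strings in a binary but not in its import table.

Added example, not part of the original report or of Hybrid Analysis. The
byte buffer and the import list below are constructed for illustration; the
API-to-module catalogue is taken from the names listed in the report.
"""
import re
from typing import Dict, List, Set

# Small catalogue of API name -> exporting module (constructed from the report;
# a real tool would carry a full export database).
API_MODULES: Dict[str, str] = {
    "getsockname": "WS2_32.DLL",
    "getsockopt": "WS2_32.DLL",
    "GetFinalPathNameByHandleW": "KERNELBASE.DLL",
    "CreateFileW": "KERNELBASE.DLL",
    "DuplicateHandle": "KERNELBASE.DLL",
    "OpenProcessToken": "ADVAPI32.DLL",
    "GetUserNameW": "ADVAPI32.DLL",
    "GetUserProfileDirectoryW": "USERENV.DLL",
    "VerQueryValueW": "VERSION.DLL",
}

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE: a printable ASCII byte followed by NUL, four or more times in a row.
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Pull printable ASCII and UTF-16LE runs out of raw bytes (like `strings -el`)."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in _WIDE.finditer(data)]
    return [s for s in found if len(s) >= min_len]


def apis_missing_from_iat(data: bytes, imports: Set[str]) -> Dict[str, List[str]]:
    """Return {module: [api, ...]} for catalogued APIs seen as strings but not imported.

    Strings are split into identifiers so an API name embedded in a longer
    message ("GetFullPathNameW failed") is still matched.
    """
    tokens: Set[str] = set()
    for s in extract_strings(data):
        tokens.update(_IDENT.findall(s))
    hits: Dict[str, List[str]] = {}
    for name in sorted(tokens):
        if name in API_MODULES and name not in imports:
            hits.setdefault(API_MODULES[name], []).append(name)
    return hits


# Constructed sample: API names scattered among filler bytes, one of them
# UTF-16LE encoded, plus one ("CreateFileW") that the import list does cover.
_PAD = b"\xcc" * 4  # constructed filler between items
SAMPLE_BYTES = (
    b"MZ\x90\x00" + _PAD
    + b"OpenProcessToken\x00" + _PAD
    + b"GetFullPathNameW failed\x00" + _PAD
    + "getsockname".encode("utf-16-le") + b"\x00\x00" + _PAD
    + b"CreateFileW\x00" + _PAD
    + b"VerQueryValueW\x00"
)
# Constructed import table: what a PE parser would read from the IAT.
SAMPLE_IMPORTS = {"CreateFileW", "CloseHandle", "GetCurrentProcess"}

if __name__ == "__main__":
    for module, names in apis_missing_from_iat(SAMPLE_BYTES, SAMPLE_IMPORTS).items():
        print(module, names)
```

On a real sample the import set would come from a PE parser; the point of the check is the difference between the two views of the binary, which is exactly what the "not part of its IAT" indicator reports.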
Dynamic Analysis:
Mode & Ability:
Environment Awareness
● Contains ability to read software policies
details: "fakebanklogin.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
Source: Registry Access | Relevance: 1/10 | ATT&CK ID: T1082
● Contains registry location strings
details:
"System\CurrentControlSet\Control\TimeZoneInformation"
"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
"SOFTWARE\Microsoft\Windows\CurrentVersion\Time Zones"
Source: String | Relevance: 1/10 | ATT&CK ID: T1012
● Found API related strings
details:
"IP Helper Library GetIfTable function failed" (Indicator: "GetIfTable")
"IP Helper Library GetIpAddrTable function failed" (Indicator: "GetIpAddrTable")
"Software caused connection abort" (Indicator: "connect")
"Socket is already connected" (Indicator: "connect")
"Too many open files" (Indicator: "open")
"Network dropped connection on reset" (Indicator: "connect")
"No buffer space available (maximum connections reached?)" (Indicator: "connect")
"Socket is not connected" (Indicator: "connect")
"Socket operation on nonsocket" (Indicator: "socket")
"Protocol wrong type for socket" (Indicator: "socket")
"Cannot send after socket shutdown" (Indicator: "send")
"Successful WSAStartup not yet performed" (Indicator: "WSAStartup")
"IP Helper Library GetAdaptersAddresses function failed with ERROR_INSUFFICIENT_BUFFER" (Indicator: "GetAdaptersAddresses")
"IP Helper Library GetAdaptersAddresses function failed with ERROR_ADDRESS_NOT_ASSOCIATED" (Indicator: "GetAdaptersAddresses")
"IP Helper Library GetAdaptersAddresses function failed with error == %d" (Indicator: "GetAdaptersAddresses")
"IP Helper Library GetAdaptersAddresses function failure" (Indicator: "GetAdaptersAddresses")
"SetFilePointerEx failed" (Indicator: "SetFilePointer")
"getsockname" (Indicator: "getsockname")
"GetFullPathNameW failed" (Indicator: "GetFullPathNameW")
"Could not open file" (Indicator: "open")
Source: String | Relevance: 1/10
Spyware/Information Retrieval
● Contains ability to determine disk drive type (API string)
details: Observed API string "GetDriveTypeW" [Source: 582a5a8f175b49dffb9a0d63a6c334ac914d4b3e0320a4c6ee33f7fbef7267bb.bin]
Source: String | Relevance: 1/10 | ATT&CK ID: T1082
● Contains ability to retrieve the name of the user associated with the current thread (API string)
details: Observed API string "GetUserNameW" [Source: 582a5a8f175b49dffb9a0d63a6c334ac914d4b3e0320a4c6ee33f7fbef7267bb.bin]
Source: String | Relevance: 1/10 | ATT&CK ID: T1106
Unusual Characteristics
● Possibly uses a Windows Server utility
details:
"JVM_GetMethodIxExceptionIndexes called: Unimplemented" (Indicator: "exes")
"JVM_GetMethodIxExceptionIndexes" (Indicator: "exes")
Source: String | Relevance: 10/10
IP Traffic
192.168.0.1:137 (UDP)
20.99.133.109:443 (TCP)
20.99.184.37:443 (TCP)
23.216.147.76:443 (TCP)
Process And Service Actions
Process Tree
2240 - %windir%\System32\svchost.exe -k WerSvcGroup
2700 - %SAMPLEPATH%
2740 - %WINDIR%\explorer.exe
2956 - wmiadap.exe /F /T /R
3000 - %windir%\system32\wbem\wmiprvse.exe
3388 - %SAMPLEPATH%\fakebanklogin.exe
3972 - C:\Windows\System32\wuapihost.exe
616 - C:\Windows\System32\svchost.exe
7464 - "C:\Users\user\Desktop\fakebanklogin.exe"
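The IP traffic and process tree above are raw sandbox output. The Python script below is an added example, not part of this report or of the sandbox that produced it: it parses lines in the "PID - command line" and "ip:port (PROTO)" forms shown above and applies two defender-side triage checks, which processes run from outside the Windows directory (here the sample on the user's Desktop, and a bare image name with no path) and which network endpoints are non-private and therefore worth enriching. The placeholder expansions, the trusted-path prefixes and the constructed input lines are this example's own assumptions.

```python
"""Triage helpers for the process tree and IP traffic a sandbox report lists.

Added example, not part of the original report or of the sandbox. The input
lines are constructed to mirror the report's output; the placeholder
expansions and trusted-path prefixes are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

_PROC = re.compile(r"^(\d+)\s+-\s+(.*)$")
_NET = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\((TCP|UDP)\)$")

# Expansions for the placeholders sandboxes use in command lines (constructed).
_ENV = {
    "%windir%": "C:\\Windows",
    "%WINDIR%": "C:\\Windows",
    "%SAMPLEPATH%": "C:\\Users\\user\\Desktop",
}
# Image locations treated as trusted for this triage (lower-cased prefixes).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\explorer.exe")


@dataclass
class Proc:
    pid: int
    cmdline: str
    image: str
    trusted_location: bool


def _image_path(cmdline: str) -> str:
    """Extract the executable path: a quoted token, or the first whitespace-delimited token."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def parse_process_tree(lines: List[str]) -> List[Proc]:
    procs: List[Proc] = []
    for line in lines:
        m = _PROC.match(line.strip())
        if not m:
            continue
        cmd = m.group(2)
        for var, real in _ENV.items():
            cmd = cmd.replace(var, real)
        image = _image_path(cmd)
        # A bare image name (no directory) cannot be verified, so it is untrusted.
        trusted = image.lower().startswith(TRUSTED_PREFIXES)
        procs.append(Proc(int(m.group(1)), m.group(2), image, trusted))
    return procs


def suspicious_processes(procs: List[Proc]) -> List[int]:
    """PIDs whose image is not under a trusted Windows path."""
    return [p.pid for p in procs if not p.trusted_location]


@dataclass
class Endpoint:
    ip: str
    port: int
    proto: str
    private: bool


def parse_traffic(lines: List[str]) -> List[Endpoint]:
    eps: List[Endpoint] = []
    for line in lines:
        m = _NET.match(line.strip())
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        eps.append(Endpoint(str(addr), int(m.group(2)), m.group(3), addr.is_private))
    return eps


def external_endpoints(eps: List[Endpoint]) -> List[str]:
    """'ip:port/proto' for every non-private destination, the set worth enriching."""
    return [f"{e.ip}:{e.port}/{e.proto}" for e in eps if not e.private]


# Constructed to mirror the report's process tree and IP traffic listings.
PROCESS_LINES = [
    r"2240 - %windir%\System32\svchost.exe -k WerSvcGroup",
    r"2740 - %WINDIR%\explorer.exe",
    r"2956 - wmiadap.exe /F /T /R",
    r"3000 - %windir%\system32\wbem\wmiprvse.exe",
    r"3388 - %SAMPLEPATH%\fakebanklogin.exe",
    r'7464 - "C:\Users\user\Desktop\fakebanklogin.exe"',
]
TRAFFIC_LINES = ["192.168.0.1:137 (UDP)", "20.99.133.109:443 (TCP)", "23.216.147.76:443 (TCP)"]

if __name__ == "__main__":
    print("review PIDs:", suspicious_processes(parse_process_tree(PROCESS_LINES)))
    print("external endpoints:", external_endpoints(parse_traffic(TRAFFIC_LINES)))
```

The private-range check uses the standard library's `ipaddress` module; 192.168.0.1:137/UDP is local NetBIOS name-service traffic and drops out, leaving the two 443/TCP destinations for reputation lookup.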
User with Privileges Logon
Reverse Engineering:
There are two kinds of disassembly syntax, Intel and AT&T. Neither changes the code itself, only the way it is displayed. The images below show source code and the equivalent assembly instructions.
An assembly instruction has two parts. The opcode is the part that tells the processor what to do (MOV, PUSH). The operand is the part that holds the data to be acted on, or the register or memory location where that data lives (eax, 0, esp, 10h).
Linear sweep: in this algorithm, the machine code in the executable's PE sections is disassembled sequentially. It begins with the first byte of the .text section and decodes byte after byte until it encounters an illegal instruction. It does not follow control-flow features such as branches. The main issue with the algorithm is that, because it does not track program flow, it is vulnerable to bytes intentionally left in the instruction stream to derail it from its path. A second issue is that it cannot distinguish code from data in a binary: it decodes every byte as code as long as the byte looks like a legitimate instruction, so many data bytes end up interpreted as assembly instructions.
Recursive traversal is a more complex and more effective approach. It does not disassemble code linearly; it is based on the control-flow concept. When the disassembler identifies a branch instruction, it determines the addresses at which the branch's target blocks begin and disassembles those blocks.
Jumping to Branch Block. Noted by green arrow in IDA:-
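The two algorithms described above can be compared directly on a small program. The Python script below is an added example, not part of this report or of IDA: it defines a toy instruction set (constructed for the example, not x86) and runs both a linear sweep and a recursive traversal over the same bytes. Two junk bytes sit after an unconditional jump; the linear sweep decodes them as instructions, loses alignment, swallows the first byte of the real code and stops on an "illegal instruction", while the recursive traversal follows the jump and the conditional branch and never touches the junk.

```python
"""Linear sweep versus recursive traversal on a toy instruction set.

Added example, not from the original report or from IDA. The ISA and the
program bytes are constructed for illustration only.
"""
from typing import Dict, List, Optional, Tuple

# Toy ISA: opcode -> (mnemonic, length in bytes, how control flow continues).
ISA = {
    0x00: ("NOP", 1, "seq"),
    0x01: ("MOV", 2, "seq"),   # MOV imm8
    0x02: ("JMP", 2, "jmp"),   # unconditional jump, absolute 8-bit target
    0x03: ("JZ", 2, "cond"),   # conditional jump: target plus fall-through
    0x04: ("RET", 1, "stop"),
}


def decode(code: bytes, addr: int) -> Optional[Tuple[str, int, Optional[int]]]:
    """Decode one instruction at addr -> (text, length, operand), or None if invalid."""
    if addr >= len(code) or code[addr] not in ISA:
        return None
    mnem, length, _kind = ISA[code[addr]]
    if addr + length > len(code):
        return None
    operand = code[addr + 1] if length == 2 else None
    text = mnem if operand is None else f"{mnem} {operand}"
    return text, length, operand


def linear_sweep(code: bytes) -> Dict[int, str]:
    """Decode from offset 0 straight through until an invalid byte is hit."""
    out: Dict[int, str] = {}
    addr = 0
    while True:
        ins = decode(code, addr)
        if ins is None:
            break
        text, length, _ = ins
        out[addr] = text
        addr += length
    return out


def recursive_traversal(code: bytes, entry: int = 0) -> Dict[int, str]:
    """Decode only what is reachable from entry by following control flow."""
    out: Dict[int, str] = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        if addr in out:
            continue  # already decoded; also protects against loops
        ins = decode(code, addr)
        if ins is None:
            continue  # invalid target: leave unmarked rather than desynchronise
        text, length, operand = ins
        out[addr] = text
        kind = ISA[code[addr]][2]
        if kind in ("seq", "cond"):
            worklist.append(addr + length)   # fall-through successor
        if kind in ("jmp", "cond"):
            worklist.append(operand)         # branch target
    return out


def compare(code: bytes) -> Tuple[List[int], List[int]]:
    """(addresses only linear sweep decoded, addresses only recursive traversal reached)."""
    lin, rec = set(linear_sweep(code)), set(recursive_traversal(code))
    return sorted(lin - rec), sorted(rec - lin)


# Constructed program (11 bytes):
#   0: MOV 5        4: JMP 10      8: MOV 7   (JZ target)
#   2: JZ 8         6: 04 01 junk bytes after the unconditional jump
#                  10: RET         (JMP target)
PROGRAM = bytes([0x01, 0x05, 0x03, 0x08, 0x02, 0x0A, 0x04, 0x01, 0x01, 0x07, 0x04])

if __name__ == "__main__":
    print("linear sweep:        ", linear_sweep(PROGRAM))
    print("recursive traversal: ", recursive_traversal(PROGRAM))
    print("only linear / only recursive:", compare(PROGRAM))
```

The linear sweep reports the junk at 6 as RET and the byte at 7 as "MOV 1" (consuming the real opcode at 8), then stops at 9 on an undefined byte, so the genuine MOV at 8 and the RET at 10 are never listed. The recursive traversal lists exactly the reachable instructions at 0, 2, 4, 8 and 10.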
A third approach executes the binary during the disassembly process and monitors the execution to identify instruction actions and behaviour. Execution is driven by a particular set of inputs, so some of the binary's instruction streams may never be reached. An external tool (a debugger) tracks the execution. The size of the executable has no effect on disassembly speed, because only the parts exercised by the real-time execution are disassembled.
Origins and Removal:
Possibly IP Traffic:
192.168.0.1:137 (UDP)
20.99.133.109:443 (TCP)
20.99.184.37:443 (TCP)
23.216.147.76:443 (TCP)
The memory map and accessor map for the privileged logon, and the assembly of their remote connection setup, are managed from here:
Conclusions and Recommendations:
Reverse engineering methods have limitations. The article focused primarily on disassembly as a reverse engineering method. During the disassembly process, it is impossible to completely recover an application as it was before it was compiled: a disassembler run on machine code will not regenerate comments or textual identifiers such as variable and label names.
Because many disassemblers disassemble machine code sequentially, a single disassembly error can cause many subsequent bytes to be interpreted incorrectly, and obfuscation can make an application very difficult to disassemble.