Systembc Root Access Trojan Malware Analysis Report

SYSTEMBC ROOT ACCESS TROJAN MALWARE ANALYSIS REPORT

EKRMA ELNOUR AHMED

JUNE 2022
SYSTEMBC ROOT ACCESS TROJAN MALWARE ANALYSIS REPORT

A PROJECT SUBMITTED TO THE

GRADUATE SCHOOL

OF

DEPARTMENT OF COMPUTER ENGINEERING

BAHÇEŞEHİR UNIVERSITY

BY

EKRMA ELNOUR AHMED

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR

THE DEGREE OF MASTER OF CYBER SECURITY

JUNE 2022
I hereby declare that all information in this document has been obtained and presented
in accordance with academic rules and ethical conduct. I also declare that, as required
by these rules and conduct, I have fully cited and referenced all material and results
that are not original to this work.

Name, Surname: EKRMA ELNOUR AHMED ELONOUR

Signature: EKRMA
ABSTRACT

SYSTEMBC ROOT ACCESS TROJAN MALWARE ANALYSIS REPORT

ELNOUR, EKRMA

CYBER SECURITY MASTER PROGRAM

SUPERVISOR: NURETTIN ERGİNÖZ

JUNE 2022, 17 pages

The purpose of this project is to give an overview of some of the features that result from a
malware sample running on a system. The malware analysis process starts with extracting the
static features of the software, known as static analysis. This gives a basic overview of the
function of the malware and its effect on the system. An isolated analysis environment was
prepared as a virtual machine to ensure that the process does not harm the host system. First the
file hash was calculated to check whether there was any record of the file being malicious; VirusTotal
was used for that. Then static analysis was applied, in which the malware was examined as code without
and before running it on the system; this stage mainly pays attention to the malware structure, and PEstudio,
PEiD, and PE-bear were used. After collecting information in the static analysis, the dynamic
analysis was conducted using tools such as Wireshark, NetCat, RegShot, and proc_watch. These
tools were used to monitor the system and the network after running the malware, and some malicious
activities were reported. In general, the malware under test showed artifacts related to the RAT
category of malware, which was confirmed with further research.

Keywords: RAT, Virtual Machine, PEstudio, PEiD, NetCat, Regshot, Proc_watch.


TABLE OF CONTENTS

ABSTRACT
1. Introduction
2. Background
   2.1 RATS
   2.2 FLARE VM
   2.3 REMnux VM
   2.4 INetsim
   2.5 Wireshark
3. Methodology
   3.1 Setting up The Environment
   3.2 Static Analysis
   3.3 Dynamic Analysis
4. Conclusion
5. References

LIST OF TABLES

Table 1. FLARE VM Settings
Table 2. REMnux VM Settings
Table 3. Malware file header Information

LIST OF FIGURES

Figure 1. Virus-total-Result
Figure 2. FLOSS-Results
Figure 3. PEstudio-File-Header's-Information
Figure 4. PEstudio-Blacklist-Functions
Figure 5. Regshot-Result
Figure 6. proc_watch- Showing the Start of The Process
Figure 7. Process Monitor Results
Figure 8. Wireshark-Results
1. Introduction

Malicious software, known as malware, is, as its name explains, software that can
affect a computer system in order to harm the system itself, steal data, or even monitor the
activity of the system's user. Malware analysis is the process that aims to understand the
behavior of the malware and its effect on a system in order to protect the system from
its harm, or to recover from it. The process usually starts after the infection of a
system is discovered, so the starting point is the malware itself. Malware analysis is mainly
divided into the following types:

Static Analysis:

The process of analyzing the malware without running it on the system, usually done
with debuggers and disassemblers, in order to understand the function and
structure of the code.

Dynamic Analysis:

The analysis process done on the malware while running it on a system, to observe
the way it behaves and the artifacts that it generates.

Both static and dynamic analysis depend on a set of tools and techniques
that are the main factor in the process, so the same malware can be analyzed by
different entities with different results, depending on the tools used and the skill level
of the analyst. But the one thing all malware analysts do as the first step before
starting the analysis process is setting up the environment. This stage is the most important
step: since we are dealing with malicious software, we have to make sure that our
environment is set up so that the analysis process does not influence the host system, the
systems connected to it through the network, or anything else involved. After that we start
with static analysis, whose main purpose is to give an understanding of the malware
and its function, and sometimes its author. Next we do the dynamic analysis, in which we try to see
how the malware acts and behaves inside the prepared environment.
2. Background

2.1 RATS

Root Access Trojans are malicious software used to infect computer systems to gain
high-privilege access, known as "Root" or Administrator privilege, which allows the
threat actor to make changes to the system and the information it contains. It is often used
before downloading other malicious tools to the system for other purposes, such as
encrypting the system using BitLocker, or other scripts for data exfiltration.

2.2 FLARE VM

FLARE VM is a Windows-based virtual machine for security purposes and malware
analysis. The machine is provided with a collection of the most common free tools, mainly for
malware analysis, along with other security tools, so it provides a perfect environment
for malware testing and analysis.

2.3 REMnux VM

A Linux toolkit for malicious software analysis and reverse engineering. It provides a
collection of free tools for malware analysis and reverse engineering, along with other
utility tools.

2.4 INetsim

A software tool for simulating internet services in a lab environment. The software is used
to analyze the network behavior of malicious software; here it will be connected to the
FLARE machine to receive the requests coming through the network.

2.5 Wireshark

The de facto network traffic analyzer, used worldwide on different operating
systems for monitoring and analyzing network protocols. Here we used it to monitor the
traffic on the interface to which the FLARE machine was connected.
3. Methodology

3.1 Setting up The Environment

The analysis environment was a virtual machine running the FLARE VM malware
analysis distribution, installed on a Windows 10 x64 base system, along with a
REMnux Linux distribution. VMware Workstation 16 Pro 16.2.2 build-19200509 was
the virtualization software. The host system is Windows 10 x64 21H2 19044.1706. The
virtual environment was freshly installed for the purpose of this project so that data and
artifacts related to other work would not affect the process. The VMware network setting
was configured with a new virtual network card using NAT and IPs from the 10.0.0.0 subnet,
isolating the two machines from the host system and facilitating their connection.

After installing the Windows 10 OS in the virtual machine, a snapshot was taken
in order to save the progress in case any unexpected events occurred; another one was taken
after the installation of FLARE completed. One last snapshot was taken after
downloading the malware to the environment and right before starting the analysis and
running the malware.

The next system was the REMnux Linux distribution running on an Ubuntu base system. The
basic purpose of this system was to emulate a network environment, since it was configured
as the gateway for the main analysis machine (FLARE VM), and the INetSim software
was used for that purpose.

Table 1

FLARE VM Settings

Attribute   | Value / Description
------------|-------------------------------------------------------------------
Memory      | 4 GB
Disk        | 60 GB
Processors  | 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz 2.81 GHz)
Network     | NAT (IP address 10.0.0.3, Default Gateway 10.0.0.2)

Table 2

REMnux VM Settings

Attribute   | Value / Description
------------|-------------------------------------------------------------------
Memory      | 2 GB
Disk        | 60 GB
Processors  | 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz 2.81 GHz)
Network     | NAT (IP address 10.0.0.2)

3.2 Static Analysis

The first step was to calculate the hash of the file and upload it to VirusTotal to check
whether any previous record of the file had been reported as malicious or suspicious. The HashCalc
tool was used for calculating the hash value, and when it was uploaded to VirusTotal the
result shown in figure 1 was obtained.

Figure 1. Virus-total-Result

The report shows that the software had been reported as a network trojan before, which
gives us an idea of what to look for and perhaps where. As a result, network-related
strings were searched for, and the FLOSS tool was used for this purpose. Figure 2 shows
the FLOSS result; the highlighted part is the most interesting finding. It shows
that the software is getting the system's time, running a sleep command, using kernel32.dll
along with user32.dll, and, most importantly, setting up the TLS protocol, which is
used for remote access to a system.

Figure 2. FLOSS-Results

The next step was to try to collect information about the file beyond what was
confirmed with FLOSS; for that purpose PEstudio was used, and general
information about the file is shown in figure 3.

Figure 3. PEstudio-File-Header's-Information

The time stamp is an important attribute to look at; generally it gives an idea of when this
file (or software, as we can now say) was first built. It also shows that the file is an executable.

Going further, PEstudio shows that there are 36 indicators of malicious use in this
file. Some of them were already found in the FLOSS search, but here they are confirmed; furthermore,
it shows 19 strings that indicate malicious activity along
with 6 functions included in its blacklist, as shown in figure 4.

Figure 4. PEstudio-Blacklist-Functions

After this step, the information collected was good enough to confirm that:

• There is something malicious running behind that file.
• The file is an executable.
• This software is related to malicious network activities.
• The software tries to make use of the TLS protocol.

All this information was found to be enough to start the dynamic analysis to gain more
understanding.
3.3 Dynamic Analysis

The environment already contained the malware, so to make sure we were working
on a fresh system the VM was reverted to the "fresh-FLARE" snapshot that had been
taken right after installing FLARE. From there, more preparation is needed before running the
malware in order to monitor the system, so the analysis machine was set up with a
"fake network" configuration connecting it to the REMnux machine and only it,
isolating it from any other connections.

On the REMnux side the machine was prepared with the INetSim tool, configured to
receive connections from the analysis machine.

On the analysis machine a registry shot was taken before running the malware, to
be compared with another one taken afterwards; the Wireshark network capture tool was also
launched to start monitoring the interface for traffic. Furthermore, the process monitoring
software proc_watch was launched right before running the malware to capture newly
launched processes.

After running the malware, the results were clear. It started by creating
an executable file named "kexvi.exe" and then starting it; this appeared to be the
main component responsible for the connection to the remote site from which the attack would
be launched. Since the connection was intercepted by our INetSim instance running on the
REMnux machine, those later steps did not take place. Going through our tools to check
what changes the malware made to the system, we can clearly see a registry key
value added to schedule a task named "kexvi", as shown in figure 5.

Figure 5. Regshot-Result
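Regshot's contribution here is a before/after comparison of the registry. The following Python is an added example, not the report's Regshot output or Regshot's code: it diffs two constructed snapshots (key path to value-name/data maps) the way Regshot's two shots are compared, and then filters the differences down to the autostart locations a defender looks at first. The snapshot contents, the GUID placeholder and the time-zone churn are constructed for illustration; the task name "kexvi" is the one the report observed, and placing it under the TaskCache\Tree key (where Windows registers scheduled tasks) is an assumption, since the report does not give the exact key path.

```python
from typing import Dict, List

# A snapshot maps a key path to its values: {value name: data}. Two of these
# stand in for Regshot's first and second shot.
Snapshot = Dict[str, Dict[str, str]]

# Autostart locations a defender compares first (matched case-insensitively);
# the task-scheduler tree is where a scheduled task registers itself.
PERSISTENCE_MARKERS = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\schedule\taskcache\tree",
    r"\currentcontrolset\services",
)

TASK_TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

# Constructed "before" shot (not the report's Regshot output).
BEFORE: Snapshot = {
    TASK_TREE: {},
    TASK_TREE + r"\MicrosoftEdgeUpdateTaskMachineCore": {"Id": "{GUID-EXISTING-TASK}"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation": {"ActiveTimeBias": "0xfffffed4"},
}

# Constructed "after" shot: the new task key mirrors the behaviour the report
# observed; the GUID and the time-zone change are placeholders for illustration.
AFTER: Snapshot = {
    TASK_TREE: {},
    TASK_TREE + r"\MicrosoftEdgeUpdateTaskMachineCore": {"Id": "{GUID-EXISTING-TASK}"},
    TASK_TREE + r"\kexvi": {"Id": "{GUID-PLACEHOLDER}", "Index": "3"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation": {"ActiveTimeBias": "0xfffffe98"},
}


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Regshot-style comparison: keys and values added, deleted or modified."""
    d = {"keys_added": [], "keys_deleted": [], "values_added": [],
         "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            d["keys_added"].append(key)
            d["values_added"] += [(key, n, v) for n, v in new.items()]
        elif new is None:
            d["keys_deleted"].append(key)
            d["values_deleted"] += [(key, n, v) for n, v in old.items()]
        else:
            for name in sorted(set(old) | set(new)):
                if name not in old:
                    d["values_added"].append((key, name, new[name]))
                elif name not in new:
                    d["values_deleted"].append((key, name, old[name]))
                elif old[name] != new[name]:
                    d["values_modified"].append((key, name, old[name], new[name]))
    return d


def persistence_findings(diff: dict) -> List[str]:
    """Pick out the changes that land in an autostart location."""
    def is_persistence(key: str) -> bool:
        return any(marker in key.lower() for marker in PERSISTENCE_MARKERS)

    findings = []
    for key in diff["keys_added"]:
        if is_persistence(key):
            findings.append(f"new key under autostart location: {key}")
    # Values written into an already existing autostart key (new keys were reported above).
    for key, name, *_ in diff["values_added"] + diff["values_modified"]:
        if is_persistence(key) and key not in diff["keys_added"]:
            findings.append(f"value set under autostart location: {key} -> {name}")
    return findings


if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    print("keys added:", diff["keys_added"])
    print("values modified:", diff["values_modified"])
    for finding in persistence_findings(diff):
        print("FINDING:", finding)
```

The filter step is what turns a raw Regshot listing (which includes benign churn such as the time-zone value above) into the one line an analyst actually needs: the new scheduled-task key.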

The process of running "kexvi" appears in proc_watch right after running the
malware, as shown in figure 6.

Figure 6. proc_watch- Showing the Start of The Process

When the process starts, the malware tries to connect to specific IPs through different
ports, and the traffic, as confirmed in Process Monitor, is a repeated
action, as shown in figure 7.

Figure 7. Process Monitor Results

Also, the Wireshark results show multiple packet-send attempts to the different
malicious IPs listed below.

• 128.31.0.34
• 131.188.40.189
• 154.35.175.225
• 171.25.193.9
• 193.23.244.244
• 194.109.206.212
• 199.58.81.140
• 204.13.164.118
• 86.59.21.38

Figure 8. Wireshark-Results.
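The IP list above can be turned into a reusable check over a capture. The following Python is an added example, not the report's tooling or Wireshark output: it parses constructed lines in the shape of Wireshark's default packet-list columns (No., Time, Source, Destination, Protocol, Length, Info), totals the analysis machine's outbound attempts per destination (with ports and retransmissions, which is how the "repeated action" the report mentions shows up), and matches the destinations against the nine addresses the report lists. The sample lines, their ports and timings are constructed for illustration; only the IP set comes from the report.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Destination IPs the report lists from its Wireshark capture.
REPORTED_IOC_IPS = {
    "128.31.0.34", "131.188.40.189", "154.35.175.225", "171.25.193.9",
    "193.23.244.244", "194.109.206.212", "199.58.81.140", "204.13.164.118",
    "86.59.21.38",
}

# Constructed lines in the shape of Wireshark's packet-list columns
# (No. Time Source Destination Protocol Length Info); not the report's capture.
SAMPLE_PACKET_LIST = """\
1 0.000000 10.0.0.3 10.0.0.2 DNS 74 Standard query 0x1a2b A example.invalid
2 0.001200 10.0.0.2 10.0.0.3 DNS 90 Standard query response 0x1a2b A 10.0.0.2
3 0.105000 10.0.0.3 128.31.0.34 TCP 66 49712 → 443 [SYN] Seq=0 Win=64240 Len=0
4 1.108000 10.0.0.3 128.31.0.34 TCP 66 [TCP Retransmission] 49712 → 443 [SYN] Seq=0
5 1.200000 10.0.0.3 86.59.21.38 TCP 66 49713 → 443 [SYN] Seq=0 Win=64240 Len=0
6 2.205000 10.0.0.3 86.59.21.38 TCP 66 [TCP Retransmission] 49713 → 443 [SYN] Seq=0
7 2.300000 10.0.0.3 193.23.244.244 TCP 66 49714 → 80 [SYN] Seq=0 Win=64240 Len=0
8 2.400000 10.0.0.3 128.31.0.34 TCP 66 49715 → 80 [SYN] Seq=0 Win=64240 Len=0
"""

# One packet-list row: number, time, source, destination, protocol, length, info.
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# "srcport → dstport" as Wireshark prints it in the Info column (">" accepted too).
PORT_RE = re.compile(r"(\d+)\s*(?:→|>)\s*(\d+)")


def parse_packet_list(text: str) -> List[dict]:
    """Turn packet-list rows into dicts; rows that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        no, t, src, dst, proto, length, info = m.groups()
        ports = PORT_RE.search(info)
        packets.append({
            "no": int(no), "time": float(t), "src": src, "dst": dst,
            "proto": proto, "length": int(length),
            "dst_port": int(ports.group(2)) if ports else None,
            "retransmission": "Retransmission" in info,
        })
    return packets


def summarize_outbound(packets: List[dict], analysis_host: str) -> Dict[str, dict]:
    """Per destination: number of outbound packets, ports tried, retransmissions."""
    summary = defaultdict(lambda: {"attempts": 0, "ports": set(), "retransmissions": 0})
    for p in packets:
        if p["src"] != analysis_host:
            continue
        entry = summary[p["dst"]]
        entry["attempts"] += 1
        if p["dst_port"] is not None:
            entry["ports"].add(p["dst_port"])
        if p["retransmission"]:
            entry["retransmissions"] += 1
    return dict(summary)


def match_iocs(summary: Dict[str, dict], ioc_ips) -> List[Tuple[str, int, List[int]]]:
    """Destinations that are on the indicator list, busiest first."""
    hits = [(dst, s["attempts"], sorted(s["ports"])) for dst, s in summary.items() if dst in ioc_ips]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    packets = parse_packet_list(SAMPLE_PACKET_LIST)
    summary = summarize_outbound(packets, "10.0.0.3")
    for dst, attempts, ports in match_iocs(summary, REPORTED_IOC_IPS):
        print(f"{dst:16} attempts={attempts} ports={ports} "
              f"retransmissions={summary[dst]['retransmissions']}")
```

In the lab described in this report the analysis machine is 10.0.0.3 and its only neighbour is the REMnux gateway at 10.0.0.2, so any other destination in the outbound summary is by construction traffic the sample generated; the indicator match then separates the nine reported addresses from lab noise such as the DNS exchange with the gateway.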

These dynamic analysis steps were found to be enough to give a full understanding
of the function of the software and its danger, so no more tools were used. At the
end of the analysis, Wireshark and Regshot provide the option of saving their results,
so all of the registry shots and the captured traffic file were saved and the tools were closed.
4. Conclusion

The software tested during the writing of this report was found to have malicious activity
and is categorized as RAT-type malware. The malware was first compiled on Fri
Sep 13 20:22:07 2019 UTC, with the following information:

Table 3

Malware file header Information

Property                | Value      | Detail
------------------------|------------|------------------------------------------
Hash                    | SHA1       | 9D38A1D7FE705F45A1D459AFC7E346803E3A098E
compiler-stamp          | 0x5D7BFA6F | Fri Sep 13 20:22:07 2019 UTC
size-of-optional-header | 0x00E0     | 224 bytes
signature               | 0x00004550 | PE00
machine                 | 0x014C     | Intel-386
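The hash step of section 3.2 and the header fields in Table 3 can be reproduced without a GUI. The following Python is an added example, not code from the report, PEstudio or HashCalc: it builds a minimal constructed PE image whose COFF file header carries the Table 3 values, then reads back the signature, machine, compile time stamp and size of the optional header from the offsets the PE format defines, computes the SHA1 digest in the upper-case form HashCalc and VirusTotal display, and extracts printable ASCII runs the way a basic strings pass (the first thing FLOSS does) would. The image, its single section count and the embedded strings are constructed for illustration; the SHA1 of this constructed image is of course not the hash in Table 3.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER layout: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
MACHINE_NAMES = {0x014C: "Intel-386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def build_sample_image() -> bytes:
    """Constructed stand-in for the sample: a DOS header whose e_lfanew points at a
    PE signature and COFF header carrying the Table 3 values, then a few strings."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack(FILE_HEADER_FMT, 0x014C, 1, 0x5D7BFA6F, 0, 0, 0x00E0, 0x0102)
    # Strings of the kind the report's FLOSS pass surfaced, embedded here for illustration.
    strings = b"\x00kernel32.dll\x00user32.dll\x00GetSystemTime\x00Sleep\x00xy\x00"
    return dos_header + b"PE\x00\x00" + file_header + strings


def parse_pe_header(data: bytes) -> dict:
    """Return the file-header fields PEstudio lists (signature, machine, stamp, ...)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != 0x00004550:  # "PE\0\0" read as a little-endian DWORD
        raise ValueError("not a PE file: missing PE signature")
    machine, _nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "signature_hex": f"0x{signature:08X}",
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "unknown"),
        "timestamp": stamp,
        "timestamp_hex": f"0x{stamp:08X}",
        "compiled_utc": compiled.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "size_of_optional_header": opt_size,
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def sha1_hex(data: bytes) -> str:
    """Upper-case SHA1 digest, the form HashCalc and VirusTotal display."""
    return hashlib.sha1(data).hexdigest().upper()


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like a basic strings pass."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    image = build_sample_image()
    print("SHA1:", sha1_hex(image))
    for name, value in parse_pe_header(image).items():
        print(f"{name:24} {value}")
    print("strings:", ascii_strings(image))
```

Pointing `parse_pe_header` at the bytes of a real file gives the same five rows as Table 3; the compile time stamp is worth reading this way because it is a plain 32-bit epoch value that the author of a sample can set to anything, so it is an indicator, not proof, of when the file was built.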

After the malware is inside the system and starts running, it creates an executable at
the path C:\ProgramData\trcn\kexvi.exe. This file is the launcher for the connection
through the network to the nine IPs, which try to open a port to control the system
through RDP protocols. The later part of the behavior was not tested due to the
environment restrictions; in a more sophisticated environment the connection could be
tracked and the later actions monitored.
5. References

• https://github.com/mandiant/flare-vm
• https://www.sans.org/tools/remnux/
• https://www.wireshark.org
• https://www.tutorialjinni.com/systembc-rat-malware-sample-download.html
• https://www.virustotal.com/gui/ip-address/86.59.21.38
