SYSTEMBC ROOT ACCESS TROJAN MALWARE ANALYSIS REPORT
GRADUATE SCHOOL
OF
BAHÇEŞEHİR UNIVERSITY
BY
JUNE 2022
I hereby declare that all information in this document has been obtained and presented
in accordance with academic rules and ethical conduct. I also declare that, as required
by these rules and conduct, I have fully cited and referenced all material and results
that are not original to this work.
Signature: EKRMA
ABSTRACT
ELNOUR, EKRMA
The purpose of this project is to give an overview of some of the artifacts that result from a piece of
malware running on a system. The malware analysis process starts with collecting the static features of
the software, known as static analysis. This gives a basic overview of the malware's function and of its
effect on the system. An isolated analysis environment was prepared as a virtual machine to ensure that
the process does not harm the host system. First, the file hash was calculated to check whether there was
any record of the file being malicious; VirusTotal was used for that. Then static analysis was applied,
where the malware was examined as code without running it on the system; it mainly pays attention to the
malware's structure, and PEstudio, PEiD and PE-bear were used. After collecting information in the static
analysis, dynamic analysis was conducted using tools such as Wireshark, NetCat, Regshot and proc_watch.
These tools were used to monitor the system and the network after running the malware, and some malicious
activities were reported. In general, the malware under test showed artifacts belonging to the RAT
category of malware, which was confirmed by further research.
1. Introduction ............................................................................................................................. 1
2. Background .............................................................................................................................. 2
2.1 RATS................................................................................................................................ 2
3. Methodology ............................................................................................................................ 3
4. Conclusion ............................................................................................................................. 10
5. References ............................................................................................................................. 11
LIST OF TABLES
Table 1 ............................................................................................................................................ 3
Table 2 ............................................................................................................................................ 4
Table 3 .......................................................................................................................................... 10
LIST OF FIGURES
1. Introduction
Static Analysis:
The process of analyzing the malware without running it on the system, usually done
with debuggers and disassemblers, in order to understand the code's function and
structure.
Dynamic Analysis:
The analysis process performed on the malware while it runs on a system, to observe
the way it behaves and the artifacts it generates.
Both static and dynamic analysis depend on a set of tools and techniques, which can be
the main differentiator in the process, so the same malware can be analyzed by different
entities with different results, depending on the tools used and the skill level of the
analyst. But the one thing every malware analyst does before starting the analysis is
setting up the environment. This stage is the most important step: since we are dealing
with malicious software, we have to make sure that our environment is set up so that the
analysis process does not affect the host system, systems connected to it through the
network, or anything else involved. After that we start with static analysis, whose main
purpose is to give an understanding of the malware and its function, and sometimes its
author. Next, we do the dynamic analysis, where we try to see how the malware acts and
behaves inside a preset environment.
2. Background
2.1 RATS
Root Access Trojans are malicious software used to infect computer systems in order to
gain high-privilege access, also known as “Root” or Administrator privilege, which allows
the threat actor to make changes to the system and the information it contains. It is often
used before downloading other malicious tools to the system for other purposes, such as
encrypting the system using BitLocker, or other scripts for data exfiltration.
2.2 FLARE VM
FLARE VM is a Windows-based virtual machine for security purposes and malware
analysis. The machine comes with a collection of the most common free tools for
malware analysis and other security tools, so it provides a well-suited environment
for malware testing and analysis.
2.3 REMnux VM
A Linux toolkit for malicious software analysis and reverse engineering. It provides a
collection of free tools for malware analysis and reverse engineering, along with other
utilities.
2.4 INetsim
A software tool for simulating Internet services in a lab environment. The software is
used to analyze the network behavior of malicious software; here it will be connected to
the FLARE machine to receive the requests coming through the network.
2.5 Wireshark
The de facto network traffic analyzer, used worldwide on different operating systems
for monitoring and analyzing network protocols. Here we used it to monitor the traffic
on the interface to which the FLARE machine was connected.
3. Methodology
The analysis environment was a virtual machine running the FLARE VM malware
analysis distribution, installed on a Windows 10 x64 base system, along with a
REMnux Linux distribution. VMware Workstation 16 Pro 16.2.2 build-19200509 was
the virtualization software. The host system is Windows 10 x64 21H2 19044.1706. The
virtual environment was freshly installed for the purpose of this project, so that data
and artifacts related to other work would not affect the process. The VMware network
setting was configured with a new virtual network card using NAT and IPs from the
10.0.0.0 subnet, to isolate the two machines from the host system and facilitate their
connection.
After installing the Windows 10 OS in the virtual machine, a snapshot was taken in
order to save the progress in case any unexpected events occurred; another one was
taken after the installation of FLARE completed. One last snapshot was taken after
downloading the malware to the environment, right before starting the analysis and
running the malware.
The second system was the REMnux Linux distribution, running on an Ubuntu base
system. Its basic purpose was to emulate a network environment: it was configured as
a gateway for the main analysis machine (FLARE VM), and the INetSim software was
used for that purpose.
Table 1. FLARE VM Settings
Table 2. REMnux VM Settings
The first step was to calculate the hash of the file and upload it to VirusTotal to check
whether any previous record of the file had been reported as malicious or suspicious.
The HashCalc tool was used for calculating the hash value, and when the hash was
uploaded to VirusTotal the result was as shown in figure 1.
Figure 1. Virus-total-Result
The report shows that the software had been reported as a network trojan before, which
gives us an idea of what to look for and perhaps where. As a result, network-related
strings were searched for, and the FLOSS tool was used for this purpose. Figure 2 shows
the FLOSS result; the highlighted part is the most interesting finding. It shows that the
software gets the system's time, runs a sleep command, uses kernel32.dll along with
user32.dll, and, most importantly, sets up the TLS protocol, which is used in remote
access to the system.
Figure 2. FLOSS-Results
The next step was to collect other information about the file beyond what was
confirmed with FLOSS; for that purpose PEstudio was used, and general information
about the file is shown in figure 3.
Figure 3. PEstudio-File-Header’s-Information
The timestamp is an important attribute to look at: generally it gives an idea of when this
file (or software, as we can now call it) was first built. It also shows that the file is an executable.
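As an added illustration of the hashing and compile-timestamp steps above (example code written for this edit, not part of the report or of PEstudio/HashCalc): the parser reads the COFF header TimeDateStamp that PEstudio displays and computes the SHA-256 that would be submitted to VirusTotal. The PE image it works on is a constructed stub, not the analyzed sample; the timestamp is attacker-controlled and can be forged, so it is a hint about build date, not proof.

```python
import hashlib
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp):
    """Constructed stand-in for a sample (not the SystemBC file): a DOS header
    pointing at a COFF header whose TimeDateStamp is the given epoch value.
    It is not a runnable program; it only exercises the parser below."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                          # e_magic
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0022 = executable image)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def sha256_hex(data):
    """SHA-256 of the file, the value looked up on VirusTotal in the first step."""
    return hashlib.sha256(data).hexdigest()


def pe_timestamp(data):
    """Return (epoch, UTC text) from the COFF header, or raise ValueError if the
    buffer does not carry the MZ and PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits after the 4-byte signature, Machine (2) and NumberOfSections (2)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    text = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")
    return ts, text


if __name__ == "__main__":
    sample = build_minimal_pe(1568406127)     # epoch for Fri Sep 13 20:22:07 2019 UTC
    print(sha256_hex(sample))
    print(pe_timestamp(sample))
```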
Going further, PEstudio shows that there are 36 indicators of malicious use in this
file. Some of them were already found in the FLOSS search, but here they are confirmed;
beyond that, it shows 19 strings that indicate malicious activity, along with 6 functions
included in its blacklist, as shown in figure 4.
Figure 4. PEstudio-Blacklist-Functions
After this step, the information collected was good enough to confirm that:
All this information was found sufficient to start the dynamic analysis in order to gain
more understanding.
3.3 Dynamic Analysis
The environment already contained the malware, so to make sure we were working on
a fresh system the VM was reverted to the “fresh-FLARE” snapshot taken right after
installing FLARE. From there, more preparation was needed before running the malware
in order to monitor the system: the analysis machine was set up with a “fake network”
configuration connecting it to the REMnux machine and only to it, isolating it from any
other connections.
On the REMnux side, the machine was prepared with the INetSim tool, configured to
receive connections from the analysis machine.
On the analysis machine, a registry shot was taken before running the malware, to be
compared with another one taken afterwards; Wireshark was also launched to start
monitoring the interface for traffic. Furthermore, the process monitoring software
proc_watch was launched right before running the malware to capture newly launched
processes.
After running the malware, the results were clear, starting with the malware creating an
executable file named “kexvi.exe” and then starting it. This appeared to be the main
component responsible for the connection to the remote site from which the attack would
be launched; since the connection was intercepted by our INetSim running on the
REMnux machine, those steps did not take place. Going through our tools to check what
changes the malware made to the system, we can clearly see a registry key value added
to schedule a task named “kexvi”, as shown in figure 5.
Figure 5. Regshot-Result
The process running “kexvi” appears in proc_watch right after running the malware,
as shown in figure 6.
When the process starts, the malware tries to connect to specific IPs through different
ports, and the traffic, confirmed in Process Monitor, appears to be a repeated action,
as shown in figure 7.
Also, the Wireshark results show multiple packet-sending attempts to different
malicious IPs, shown below.
• 128.31.0.34 - 131.188.40.189 - 154.35.175.225 - 171.25.193.9 - 193.23.244.244 -
194.109.206.212 - 199.58.81.140 - 204.13.164.118 - 86.59.21.38
Figure 8. Wireshark-Results.
These steps of the dynamic analysis were found to be enough to give a full understanding
of the function of the software and its danger, so no more tools were used. At the end of
the analysis, Wireshark and Regshot provide the option of saving the results, so all the
registry shots and the captured traffic file were saved, and the tools were closed.
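As an added example of the Regshot and Wireshark triage described in this section (example code written for this edit, not the report's tooling): one function diffs two registry snapshots and flags additions under persistence locations such as the scheduled-task cache where the “kexvi” task appeared, and the others aggregate connection attempts per destination so repeated attempts to several hosts over different ports stand out. The snapshot contents, the task GUID and the ports are constructed; the registry prefixes are the standard Windows task-cache and autorun paths.

```python
from collections import defaultdict

# Standard Windows locations where a new scheduled task or autorun entry is registered.
# In the report, Regshot showed the "kexvi" task appearing under the task cache.
PERSISTENCE_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def diff_registry(before, after):
    """Regshot-style comparison of two {key: value} snapshots taken before and
    after the sample ran. Returns (added, changed, persistence), where
    persistence is the subset of added keys under PERSISTENCE_PREFIXES."""
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], v) for k, v in after.items()
               if k in before and before[k] != v}
    prefixes = tuple(p.upper() for p in PERSISTENCE_PREFIXES)
    persistence = {k: v for k, v in added.items() if k.upper().startswith(prefixes)}
    return added, changed, persistence


def summarize_connections(events):
    """Aggregate (dst_ip, dst_port) attempts from a capture into per-destination
    attempt counts and the set of ports tried."""
    per_dst = defaultdict(lambda: {"attempts": 0, "ports": set()})
    for dst_ip, dst_port in events:
        per_dst[dst_ip]["attempts"] += 1
        per_dst[dst_ip]["ports"].add(dst_port)
    return dict(per_dst)


def repeated_destinations(summary, min_attempts=2):
    """Destinations contacted at least min_attempts times, most frequent first."""
    hits = [(ip, s["attempts"]) for ip, s in summary.items() if s["attempts"] >= min_attempts]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


# Constructed sample data standing in for the report's snapshots and capture.
BEFORE = {r"HKLM\SOFTWARE\Example\Version": "1.0"}
AFTER = {
    r"HKLM\SOFTWARE\Example\Version": "1.0",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\kexvi\Id": "{GUID-PLACEHOLDER}",
    r"HKLM\SOFTWARE\Unrelated\Cache": "stale",
}
# Destination IPs are the ones listed in the report; the ports are made up.
EVENTS = [("128.31.0.34", 443), ("86.59.21.38", 443), ("128.31.0.34", 8080),
          ("128.31.0.34", 443), ("131.188.40.189", 443)]
```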
4. Conclusion
The software tested during the writing of this report was found to have malicious activity
and is categorized as RAT-type malware. The malware was first compiled on Fri
Sep 13 20:22:07 2019 UTC, with the following information:
Table 3
After the malware is inside the system and starts running, it creates an executable at
the path C:\ProgramData\trcn\kexvi.exe. This file is the launcher for the connection
through the network to the nine IPs, which try to open a port to control the system
through RDP protocols. The later part of the behavior was not tested due to the
environment restrictions; in a more sophisticated environment the connection could be
tracked and the later actions monitored.
5. References
• https://github.com/mandiant/flare-vm
• https://www.sans.org/tools/remnux/
• https://www.wireshark.org
• https://www.tutorialjinni.com/systembc-rat-malware-sample-download.html
• https://www.virustotal.com/gui/ip-address/86.59.21.38