Preliminary Analysis
The sample has an md5 hash of b9bc3f1b2aace824482c10ffa422f78b and an embedded timestamp of 'Thu Aug 06 04:56:58 2015'. One of the first artifacts that jumps out during static analysis is a full file path:
c:\oil\feet\Seven\Send\Gather\Dividerail.pdb
The file extension indicates the artifact is a by-product of the compilation process for the binary. While this may not have any relevance to the behavior of the malware, it could serve as an indicator for detection via a mechanism such as Yara. Further analysis of the binary produces a few clues as to what I can expect during execution.
The following functions appear to be revealing as to the capabilities of the binary:
- GetActiveValue
- IsDebuggerPresent
- Sleep
- WriteFile
- GetStartupInfo
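As an added example (not code from the original post), here is how a PDB path like the one above can be turned into a detection. The script scans a raw file image for RSDS CodeView records, the structure in which MSVC linkers embed the PDB path, and compares the recovered path against the Shifu indicator. Scanning for the record shape anywhere in the file, rather than walking the PE debug directory, is a simplification made for this example; the sample buffer is constructed here and is not a real PE file.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# An RSDS (CodeView 7.0) debug record, as emitted by MSVC linkers, is laid out as
#   'RSDS' | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path
# This scan is the example's own simplification: it looks for that shape anywhere
# in the raw file instead of walking the PE debug directory.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

# Indicator from the static analysis above: the sample's embedded PDB path.
SHIFU_PDB_PATH = r"c:\oil\feet\Seven\Send\Gather\Dividerail.pdb"


@dataclass
class CodeViewRecord:
    guid: bytes
    age: int
    pdb_path: str


def extract_pdb_records(data: bytes) -> List[CodeViewRecord]:
    """Return every RSDS record found in a raw file image."""
    records = []
    for match in RSDS_RE.finditer(data):
        guid, age_raw, path = match.groups()
        age = struct.unpack("<I", age_raw)[0]
        records.append(CodeViewRecord(guid, age, path.decode("ascii")))
    return records


def matches_shifu_pdb(data: bytes) -> bool:
    """True when an embedded PDB path equals the Shifu indicator, compared
    case-insensitively (the equivalent of a Yara string with 'nocase')."""
    return any(rec.pdb_path.lower() == SHIFU_PDB_PATH.lower()
               for rec in extract_pdb_records(data))


def build_sample(pdb_path: bytes) -> bytes:
    """Constructed stand-in for a binary: an MZ stub, padding, one RSDS record
    with a dummy GUID and age 1, then more padding. Not a real PE file."""
    return (b"MZ" + b"\x00" * 64
            + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\x00"
            + b"\x90" * 32)


if __name__ == "__main__":
    sample = build_sample(SHIFU_PDB_PATH.encode("ascii"))
    for rec in extract_pdb_records(sample):
        print(f"age={rec.age} pdb={rec.pdb_path}")
    print("Shifu PDB indicator matched:", matches_shifu_pdb(sample))
```

The same check as a Yara string would be `$pdb = "c:\\oil\\feet\\Seven\\Send\\Gather\\Dividerail.pdb" nocase` (backslashes doubled for Yara's string syntax). A PDB path is cheap for an author to change between builds, so it works best alongside other indicators rather than on its own.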
At this point it seems that more information will be derived by simply executing the binary.
Virtual Machine Analysis
Analysis Attempt One
The first attempt at analysis of this file proves to be unsuccessful when run in a VMware Windows XP host, as seen in the following SysInternals ProcMon output:
Time of Day Process Name Operation Path Result
40:11.9 shifu.exe QueryOpen C:\sample\pos.exe PATH NOT FOUND
40:11.9 shifu.exe Process Exit SUCCESS
40:11.9 shifu.exe Thread Exit SUCCESS
40:11.9 shifu.exe CloseFile C:\Documents and Settings\John\Desktop SUCCESS
It is worth noting that a number of queries for local files are attempted throughout the time the process runs. None of these queries succeeds; the malware is unable to find any of the files it looks for. The last of these queries is for the full path C:\sample\pos.exe, which does not exist on the virtual machine. Directly afterwards, the process exits and closes the original binary from which it originated. It is unclear why this file is of such importance, but it may be related to virtual machine or sandbox installations.
Analysis Attempt Two
The decision is made to remove VMware Tools from the virtual machine. It is possible that this, and not the lack of pos.exe, caused the previous failure, so hopefully removing this component will increase the chance of successful execution. Running the malware on a host without VMware Tools, however, has no effect on the result of the execution. Even with the tools removed, the process still exits after it is unable to find the c:\sample\pos.exe file.
Time of Day Process Name PID Operation Path Result
28:05.0 shifu.exe 1152 QueryOpen C:\sample\pos.exe PATH NOT FOUND
28:05.0 shifu.exe 1152 Thread Exit SUCCESS
28:05.0 shifu.exe 1152 Process Exit SUCCESS
28:05.0 shifu.exe 1152 CloseFile C:\Documents and Settings\John\My Documents\Downloads SUCCESS
Analysis Attempt Three
This time a file named pos.exe is placed in the c:\sample\ directory in the hope that the malware will behave differently. While the process does find the file, it still behaves in the same fashion as in the previous analysis attempts. This is not unexpected, since the presence of this file is likely meant to trigger the termination of the shifu.exe process.
Time of Day Process Name Operation Path Result
32:37.9 shifu.exe QueryOpen C:\sample\pos.exe SUCCESS
32:37.9 shifu.exe Thread Exit SUCCESS
32:37.9 shifu.exe Process Exit SUCCESS
32:37.9 shifu.exe CloseFile C:\Documents and Settings\John\Desktop SUCCESS
Obviously the use of a virtual machine for analysis is ineffective without some type of additional modification. Instead of continuing to analyze the malware within a standalone virtual machine, I will attempt to see whether any progress can be made with a sandbox/emulator instead.
Sandbox Analysis
Executing Shifu in a sandboxed environment finally allows the process to run successfully. Upon execution the malware writes the following files to disk:
c:\Documents and Settings\All Users\Application Data\dbd2hff6h8.exe
(793bb01102349f366b37da58ddca26ee)
c:\Documents and Settings\<user>\Local Settings\temp\safari.exe
(953754424360b90e7dcedd74e448c44d)
c:\DOCUME~1\<user>\LOCALS~1\Temp\nss3.dll
(7c87033533235868eccc54c392fa147c)
c:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\BMKNKJ8O\shifu.exe
The last file is executed after it has been written to the Internet Explorer cache folder. This could be a persistence mechanism, but is more likely an attempt to hide the file from a user who might stumble across the original shifu.exe file. Additionally, the following file is written to disk:
C:\Documents and Settings\<user>\Application Data\dli644A.tmp.bat
The malware also performs other interesting activity reminiscent of the previous analysis attempts. Shifu appears to scan the host for certain files and directories, none of which are found. These look more like virtual machine detection attempts, and they even include the c:\sample\pos.exe file that was observed during the virtual machine attempts:
c:\analysis
c:\analysis\sandboxstarter.exe
c:\Documents and Settings\All Users\Application Data\dbd2hff6h8.exe
c:\windows\system32\drivers\vboxmouse.sys
c:\windows\system32\drivers\vmhgfs.sys
c:\windows\system32\drivers\vmmouse.sys
c:\insidetm
c:\sample\pos.exe
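The probing behaviour seen in all three VM attempts and in the sandbox run is itself detectable from the ProcMon trace. The following script is an added example, not part of the original write-up: it parses a log in the shape of a ProcMon CSV export, groups events by process, and reports processes that query the artifact paths listed above, noting whether the process exits immediately after its last probe. The log lines are constructed for the example and the column names follow ProcMon's CSV export; the artifact list is taken from the page.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Paths Shifu was observed probing (from the sandbox run above), lower-cased for matching.
ANALYSIS_ARTIFACTS = {
    r"c:\analysis",
    r"c:\analysis\sandboxstarter.exe",
    r"c:\windows\system32\drivers\vboxmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vmmouse.sys",
    r"c:\insidetm",
    r"c:\sample\pos.exe",
}

# Operations that normally surround a Process Exit. Anything else between the last
# probe and the exit means the process did real work after checking its environment.
TEARDOWN_OPS = {"Thread Exit", "Process Exit", "CloseFile"}

# Constructed log in the shape of a ProcMon CSV export (not the page's own capture).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:40:11.8","shifu.exe","1152","QueryOpen","C:\windows\system32\drivers\vmmouse.sys","PATH NOT FOUND",""
"4:40:11.8","shifu.exe","1152","QueryOpen","C:\insidetm","PATH NOT FOUND",""
"4:40:11.9","shifu.exe","1152","QueryOpen","C:\sample\pos.exe","PATH NOT FOUND",""
"4:40:11.9","shifu.exe","1152","Thread Exit","","SUCCESS",""
"4:40:11.9","shifu.exe","1152","Process Exit","","SUCCESS",""
"4:40:11.9","shifu.exe","1152","CloseFile","C:\Documents and Settings\John\Desktop","SUCCESS",""
"4:40:12.0","notepad.exe","2000","QueryOpen","C:\Documents and Settings\John\notes.txt","SUCCESS",""
"4:40:12.1","notepad.exe","2000","CreateFile","C:\Documents and Settings\John\notes.txt","SUCCESS",""
'''


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Read a ProcMon CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def is_probe(event: Dict[str, str]) -> bool:
    return event["Operation"] == "QueryOpen" and event["Path"].lower() in ANALYSIS_ARTIFACTS


def find_analysis_probes(rows: List[Dict[str, str]], min_probes: int = 2) -> Dict[Tuple[str, str], dict]:
    """Group events per (process name, PID) and report processes that probe known
    analysis-environment artifacts, recording which probes succeeded and whether
    the process exited straight after its last probe."""
    per_process: Dict[Tuple[str, str], List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        per_process[(row["Process Name"], row["PID"])].append(row)

    findings = {}
    for key, events in per_process.items():
        probe_idx = [i for i, e in enumerate(events) if is_probe(e)]
        if not probe_idx:
            continue
        probed = [events[i]["Path"].lower() for i in probe_idx]
        found = [events[i]["Path"].lower() for i in probe_idx if events[i]["Result"] == "SUCCESS"]
        tail_ops = [e["Operation"] for e in events[probe_idx[-1] + 1:]]
        exit_after_probe = "Process Exit" in tail_ops and all(op in TEARDOWN_OPS for op in tail_ops)
        if len(probed) >= min_probes or exit_after_probe:
            findings[key] = {"probed": probed, "found": found, "exit_after_probe": exit_after_probe}
    return findings


if __name__ == "__main__":
    for key, info in find_analysis_probes(parse_procmon_csv(SAMPLE_PROCMON_CSV)).items():
        print(key, info)
```

The detector keys on the query itself, not its result, so it also covers the third attempt above where pos.exe was present and the process still exited; the "found" list records which probes succeeded for that case.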
Another interesting aspect of the Shifu execution is the interaction with the Windows process Explorer.exe, which is a commonly targeted process for injection by malicious software. The interactions with Explorer.exe include the suspension, reading, writing and resuming of the Explorer process. These are typical actions taken when attempting to inject malicious code into a process. Once injection has successfully occurred, the following files are written to a subdirectory of the user's 'Application Data':
c:\Documents and Settings\<user>\Application Data\7a62af1e\keylog.txt
c:\Documents and Settings\<user>\Application Data\7a62af1e\sysinfo.txt
c:\Documents and Settings\<user>\Application Data\7a62af1e\cmdline.txt
c:\Documents and Settings\<user>\Application Data\7a62af1e\1_cert.pfx
c:\Documents and Settings\<user>\Application Data\7a62af1e\1_info.txt
Another interesting action is observed which appears to be related to Bitcoin:
c:\Documents and Settings\<user>\bitcoin\wallet.dat
The final noteworthy action I notice is an attempt to hide the shifu.exe file that was originally written to the Internet Explorer cache directory. This is done using the Windows executable 'attrib.exe':
c:\WINDOWS\system32\attrib.exe attrib -r -s -h "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\BMKNKJ8O\shifu.exe"
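Both of the last two observations, the suspend/write/resume interaction with Explorer.exe and the attrib.exe invocation, lend themselves to simple host-side checks. The script below is an added example and not part of the original analysis. The API trace is constructed to stand in for what a sandbox would log, the three API names are the Win32 calls matching the suspend, write and resume steps described above, and the in-order subsequence match is this example's own logic. The attrib command line is the one shown above; the benign one is constructed.

```python
import re
from typing import Dict, List, Tuple

# Suspend / write / resume, expressed as the Win32 APIs a sandbox trace would log.
INJECTION_SEQUENCE = ("SuspendThread", "WriteProcessMemory", "ResumeThread")

# Constructed API trace: (calling process, API, target process). Not a real capture.
SAMPLE_API_TRACE = [
    ("shifu.exe", "OpenProcess", "explorer.exe"),
    ("shifu.exe", "SuspendThread", "explorer.exe"),
    ("shifu.exe", "ReadProcessMemory", "explorer.exe"),
    ("shifu.exe", "WriteProcessMemory", "explorer.exe"),
    ("shifu.exe", "ResumeThread", "explorer.exe"),
    ("backup.exe", "ReadProcessMemory", "svchost.exe"),
    ("backup.exe", "ResumeThread", "svchost.exe"),
]

# The attrib.exe command line observed above, plus a constructed benign one.
ATTRIB_CMD = r'c:\WINDOWS\system32\attrib.exe attrib -r -s -h "C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\BMKNKJ8O\shifu.exe"'
BENIGN_CMD = r'attrib +r "C:\Documents and Settings\John\My Documents\report.doc"'


def find_injection_sequences(calls: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (caller, target) pairs whose calls contain INJECTION_SEQUENCE in order.
    Other calls (OpenProcess, ReadProcessMemory, ...) may be interleaved."""
    pairs = sorted({(caller, target) for caller, _, target in calls})
    hits = []
    for pair in pairs:
        expected = 0
        for caller, api, target in calls:
            if (caller, target) == pair and api == INJECTION_SEQUENCE[expected]:
                expected += 1
                if expected == len(INJECTION_SEQUENCE):
                    hits.append(pair)
                    break
    return hits


TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd) if quoted or bare]


def analyze_attrib_cmdline(cmd: str) -> Dict[str, object]:
    """Pull the attribute switches and target files out of an attrib command line.
    Flag hidden/system attribute changes to files under Temporary Internet Files,
    a location where a user would not normally be toggling attributes by hand."""
    tokens = tokenize_cmdline(cmd)
    flags = [t.lower() for t in tokens if t[:1] in "+-"]
    targets = [t for t in tokens[1:] if t[:1] not in "+-" and t.lower() != "attrib"]
    touches_hidden = any(f in ("+h", "-h", "+s", "-s") for f in flags)
    in_ie_cache = any("temporary internet files" in t.lower() for t in targets)
    return {"flags": flags, "targets": targets, "suspicious": touches_hidden and in_ie_cache}


if __name__ == "__main__":
    print("injection candidates:", find_injection_sequences(SAMPLE_API_TRACE))
    print("attrib:", analyze_attrib_cmdline(ATTRIB_CMD))
```

The sequence check deliberately ignores ReadProcessMemory on its own, since reading another process is common in legitimate tools; it is the ordered suspend, write, resume triple against a single target that is characteristic of injection.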
Network Analysis
Analyzing the network traffic appears to be a bit more difficult. At first glance it appears that the C2 domain has either been taken down or is being blocked. A DNS request is made for an A record belonging to 'eboduftazce-ru.com', which returns a number of malicious results on VirusTotal.
eboduftazce-ru.com
In order to be thorough, a bit of reconnaissance is performed on the host:
eboduftazce-ru.com. 5 IN SOA dns.bizcn.com. dnsconct.bizcn.com. (
1443758308 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
14400 ; expire (4 hours)
600 ; minimum (10 minutes)
)
eboduftazce-ru.com. 5 IN NS ns3.cnmsn.com.
eboduftazce-ru.com. 5 IN NS ns4.cnmsn.com.
eboduftazce-ru.com. 5 IN A 188.42.254.65
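One way to test the DGA hypothesis raised in the discussion of this traffic is to measure DNS behaviour per client: DGA-driven hosts query many distinct names and get NXDOMAIN back for most of them, whereas the Shifu sample only resolved a single domain. The script below is an added example, not part of the original post. The log format and all its lines are constructed for the example; 192.168.1.20 stands in for the Shifu sandbox and 192.168.1.30 models a DGA-style client with made-up names, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS query log (not from the page), one record per line.
SAMPLE_DNS_LOG = """\
2015-10-02T04:40:11 client=192.168.1.20 query=eboduftazce-ru.com type=A rcode=NOERROR
2015-10-02T04:40:12 client=192.168.1.20 query=eboduftazce-ru.com type=A rcode=NOERROR
2015-10-02T04:40:13 client=192.168.1.20 query=www.example.com type=A rcode=NOERROR
2015-10-02T04:41:01 client=192.168.1.30 query=qx7fkd2lpa.net type=A rcode=NXDOMAIN
2015-10-02T04:41:02 client=192.168.1.30 query=zmw9rtb0ce.com type=A rcode=NXDOMAIN
2015-10-02T04:41:03 client=192.168.1.30 query=h3lqpv8ksd.org type=A rcode=NXDOMAIN
2015-10-02T04:41:04 client=192.168.1.30 query=tr4bnyc6wf.net type=A rcode=NXDOMAIN
2015-10-02T04:41:05 client=192.168.1.30 query=pe2dmx5jaq.com type=A rcode=NXDOMAIN
2015-10-02T04:41:06 client=192.168.1.30 query=vk8sgz1uob.info type=A rcode=NXDOMAIN
2015-10-02T04:41:07 client=192.168.1.30 query=www.example.com type=A rcode=NOERROR
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def summarize_dns(log: str) -> Tuple[Dict[str, dict], int]:
    """Per client: total queries, distinct names queried and NXDOMAIN answers.
    Also returns how many lines did not match the expected format."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0})
    malformed = 0
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            malformed += 1
            continue
        entry = stats[match["client"]]
        entry["queries"] += 1
        entry["names"].add(match["qname"].lower())
        if match["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
    summary = {client: {"queries": s["queries"], "distinct": len(s["names"]), "nxdomain": s["nxdomain"]}
               for client, s in stats.items()}
    return summary, malformed


def flag_dga_candidates(stats: Dict[str, dict], min_distinct: int = 5,
                        min_nxdomain_ratio: float = 0.6) -> List[str]:
    """Clients that query many distinct names and mostly get NXDOMAIN back: the
    high-volume, mostly-failing pattern that DGA malware produces."""
    flagged = []
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["queries"] if s["queries"] else 0.0
        if s["distinct"] >= min_distinct and ratio >= min_nxdomain_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    summary, skipped = summarize_dns(SAMPLE_DNS_LOG)
    print("skipped lines:", skipped)
    print("DGA candidates:", flag_dga_candidates(summary))
```

Run against the constructed log, only the DGA-style client is flagged; the host that repeatedly resolves one C2 domain is not, which matches the observation that this sample's traffic does not look like a DGA. On real resolver logs the thresholds need tuning per environment, and a time window should bound the counts.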
The lack of valid DNS response records could indicate the domain is no longer available. This could be the result of a number of factors, such as fast-flux domain changing or dynamically generated domain names. At first glance the network traffic does not indicate this is the case, considering that DGA malware typically generates a great deal of DNS traffic. Even after running the binary a second time the same traffic is observed.
Conclusion
The advanced techniques employed by Shifu make this malware a bit tough to analyze, but not impossible. The primary roadblock is the VM detection mechanism, which prevented manual dynamic analysis. As a result, sandboxing technologies are employed with great success. While this technique makes analysis difficult, it also limits the malware's ability to compromise thin-app clients, other virtualized workstations and virtualized servers. This is not a huge loss, since few client computers are virtualized, but it is worth noting.
References
VirusTotal
Dark Reading: New Shifu Banking Trojan An 'Uber Patchwork' Of Malware Tools
Security Weekly: "Shifu" Trojan Targets Japanese Banks