Malware reverse engineering (Carberp Trojan)
Executive Summary
The sample provided appears to be a trojan belonging to the Carberp family. It repeatedly attempts to contact three different Command and Control (C&C) domains in turn. Beyond establishing persistence and beaconing, the malware does not appear to perform any further malicious activity until it has successfully connected to one of the C&C servers.
When run, the malware copies itself to the current user's Startup folder to achieve persistence and deletes the original executable. It then spawns a process that masquerades as svchost.exe, which creates several temporary files and a directory in C:\ containing a .dat and a .inf file. Indicators of compromise are the copied executable in the Startup folder, the specific files and directories being created, and the network requests to the C&C domains.
Static Analysis
Basic Static Analysis
Initial analysis of the program was done using PEStudio, which provides a detailed breakdown of portable executable (PE) files. The compile timestamp in the PE file header shows the malware was compiled on November 19th, 2008, though this field is easily altered and may have been set by the malware author.

PEStudio also identified the program as a Windows GUI program rather than a console (command-line) program.

Regarding packing, PEStudio does not recognise the signature of any known packer, and the large number of imports and strings it finds would normally suggest that the sample is less likely to be packed. However, the entropy of the .text section is substantially higher than 7 bits per byte, and values between 7 and 8 indicate that a section is most likely compressed or encrypted. On this evidence alone the program is likely packed, even though no packer signature was matched.

The imports section of PEStudio lists many functions imported from several libraries. Of interest are LoadLibraryA and various functions from wininet.dll, ws2_32.dll and wldap32.dll (WinINet HTTP, Winsock and LDAP respectively); from these it seems likely that the program will perform network activity. It is unusual to find so many resolved imports in a sample that appears to be packed: common packers such as UPX leave only a handful of imports (typically LoadLibraryA and GetProcAddress) and resolve the rest at runtime, so either the import table has been left intact deliberately or only the code section is encrypted.

Looking through the strings section of PEStudio does not provide any relevant information; the only readable strings found are function names and the names of the imported DLLs, which is consistent with the rest of the binary being packed.

The section table likewise provides little useful information beyond the entropy figures that suggest the sample is packed.
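As an added worked example (this code is not part of the original report or of any tool it mentions), the script below reproduces the two PEStudio readings used above without any third-party library: it reads the TimeDateStamp from the PE file header and computes the Shannon entropy of each section directly from the section table, flagging sections above the 7 bits/byte rule of thumb. When run without a path it builds a constructed PE-shaped image (a header and a section table only, not an executable) whose timestamp is set to 2008-11-19 to match the reported compile date; that sample data is ours, not the malware's.

```python
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Rule of thumb used in the analysis: compressed or encrypted sections sit above 7 bits/byte.
PACKED_THRESHOLD = 7.0


def looks_packed(entropy: float) -> bool:
    return entropy >= PACKED_THRESHOLD


def file_header(blob: bytes):
    """Locate IMAGE_FILE_HEADER; return (its offset, its unpacked fields)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    return off, struct.unpack_from("<HHIIIHH", blob, off)


def compile_timestamp(blob: bytes) -> str:
    """TimeDateStamp as ISO-8601 UTC. The linker sets it, and it is trivially forged."""
    _, fields = file_header(blob)
    return datetime.fromtimestamp(fields[2], tz=timezone.utc).isoformat()


def section_entropies(blob: bytes) -> dict[str, float]:
    """Return {section name: entropy of its raw data} by walking the section table."""
    off, fields = file_header(blob)
    n_sections, opt_size = fields[1], fields[5]
    table = off + 20 + opt_size            # section table follows the optional header
    result = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        result[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(
            blob[raw_ptr:raw_ptr + raw_size])
    return result


def build_test_image(sections: dict[str, bytes], timestamp: int = 0) -> bytes:
    """Constructed PE-shaped blob for offline testing: valid DOS stub pointer, file header
    and section table, but no optional header or code, so it is not runnable."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, payload = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), header_len + len(payload),
                             0, 0, 0, 0, 0x60000020)
        payload += data
    return bytes(dos) + b"PE\0\0" + fhdr + table + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:                            # python pe_entropy.py sample.exe
        image = open(sys.argv[1], "rb").read()
    else:                                            # constructed image, not the sample
        image = build_test_image({".text": bytes(range(256)) * 16,   # stand-in for encrypted code
                                  ".data": b"\0" * 4096,             # zero-filled, entropy 0
                                  ".rdata": b"LoadLibraryA\0wininet.dll\0" * 64},
                                 timestamp=1227052800)               # 2008-11-19T00:00:00Z
    print("compiled:", compile_timestamp(image))
    for name, ent in section_entropies(image).items():
        print(f"{name:8s} {ent:5.2f}  {'PACKED?' if looks_packed(ent) else ''}")
```

The entropy is computed over each section's raw file data, which is what PEStudio reports; a section that is high-entropy on disk but whose import table is still intact is the pattern noted above, and the script makes that visible per section rather than for the file as a whole.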
VirusTotal
After the PEStudio analysis, the sample was hashed and the hash uploaded to VirusTotal, a site which checks it against many anti-malware detection engines. A high proportion of the engines flagged the program as malicious; most of those classified it as a trojan, and a few identified it specifically as belonging to the Carberp family.

VirusTotal also lists hashes and other properties of the file, which identify it as a 32-bit Windows executable.

Dynamic Analysis
Process Behaviors
When the malware is run, the executable Practical1.exe is visible in Process Explorer for a short time. During that time it spawns an instance of svchost.exe, and after a few seconds the Practical1.exe process exits while the svchost.exe process continues to run.

Once this has happened, the executable used to start the malware is gone from disk. Killing the svchost.exe process only stops it for a few seconds; it is started again afterwards. The malicious svchost.exe lists Non-existent Process as its parent (the Practical1.exe that spawned it has already exited) and, unlike the legitimate instances, does not appear beneath services.exe or any other process in Process Explorer's tree.

tasklist lists the currently running processes and, with the /svc option, the services hosted by each one. Piping the output through findstr (tasklist /svc | findstr svchost.exe) shows the services hosted by each instance of svchost.exe; the instance started by the malware shows N/A, meaning it hosts no services at all, whereas hosting services is the only reason a genuine svchost.exe runs.
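An added example (not from the original report) that automates the two checks described above over process listings rather than by eye: a parser for tasklist /svc output that flags every svchost.exe hosting no services, and a parent check over a Name,ParentProcessId,ProcessId CSV (as one would export from Process Explorer or WMI) that flags every svchost.exe whose parent is not services.exe or no longer exists. Both inputs below are constructed to resemble the lab observations; the PIDs are invented.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `tasklist /svc` (not captured from the lab VM).
# PID 1384 is the impostor: an svchost.exe that hosts no service.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   580 N/A
svchost.exe                    612 DcomLaunch, PlugPlay, Power
svchost.exe                    700 RpcEptMapper, RpcSs
svchost.exe                    808 Audiosrv, Dhcp, eventlog, lmhosts, wscsvc,
                                   Themes, Winmgmt, wuauserv
svchost.exe                   1384 N/A
explorer.exe                  2200 N/A
"""

# Constructed process tree (Name,ParentProcessId,ProcessId). PID 1384's parent, 2916,
# stands for the Practical1.exe that has already exited, so it is absent from the list.
SAMPLE_TREE = """\
Name,ParentProcessId,ProcessId
wininit.exe,400,480
services.exe,480,580
svchost.exe,580,612
svchost.exe,580,700
svchost.exe,580,808
svchost.exe,2916,1384
explorer.exe,2100,2200
"""


@dataclass
class Proc:
    name: str
    pid: int
    services: list[str] = field(default_factory=list)


# image name (may contain spaces), PID, then the services column
ENTRY_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")


def parse_tasklist_svc(text: str) -> list[Proc]:
    """Parse `tasklist /svc` output, including service lists wrapped onto indented lines."""
    procs, in_table = [], False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")      # the ===== rule ends the header
            continue
        if not line.strip():
            continue
        if line[0].isspace() and procs:          # continuation of the previous entry
            procs[-1].services += [s.strip() for s in line.split(",") if s.strip()]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, pid, svc = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",") if s.strip()]
        procs.append(Proc(name, pid, services))
    return procs


def svchost_without_services(procs: list[Proc]) -> list[int]:
    """A genuine svchost.exe exists only to host services; flag instances hosting none."""
    return [p.pid for p in procs if p.name.lower() == "svchost.exe" and not p.services]


def svchost_with_wrong_parent(csv_text: str) -> list[tuple[int, str]]:
    """Genuine svchost.exe instances are children of services.exe; flag the rest."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_pid = {int(r["ProcessId"]): r for r in rows}
    flagged = []
    for r in rows:
        if r["Name"].lower() != "svchost.exe":
            continue
        parent = by_pid.get(int(r["ParentProcessId"]))
        if parent is None:
            flagged.append((int(r["ProcessId"]), "parent process no longer exists"))
        elif parent["Name"].lower() != "services.exe":
            flagged.append((int(r["ProcessId"]), f"parent is {parent['Name']}"))
    return flagged


if __name__ == "__main__":
    print("svchost.exe hosting no services:",
          svchost_without_services(parse_tasklist_svc(SAMPLE_TASKLIST)))
    print("svchost.exe with wrong parent:", svchost_with_wrong_parent(SAMPLE_TREE))
```

One caveat when running this against a live system: a legitimate svchost.exe can briefly show N/A while its last service is stopping, so treat a hit from the first check as something to confirm with the parent check (or with Process Explorer's tree) rather than as proof on its own.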

Network Activity
Using FakeDNS to spoof DNS responses revealed the domains the malware attempts to reach. It cycles through three separate domains in turn until it can establish a connection to one of them. These are most likely the C&C servers that the malware contacts to upload information or receive instructions.

Running INetSim and capturing packets with Wireshark showed some interesting requests. Once INetSim simulated a successful connection to one of the C&C domains, the malware stopped cycling through TCP connection attempts to the other domains and began sending HTTP requests to the one it had reached. The requests are POSTs to a .phtml page carrying a single form field whose value looks like base64, but decoding it with Burp Suite's Decoder did not produce anything readable, so the data is presumably encrypted or otherwise transformed before being base64-encoded.
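An added example, not part of the original analysis: a triage helper for the POST body described above that distinguishes a field value that is plain base64, base64 of opaque (encrypted or compressed) bytes, and data that merely resembles base64. The sample bodies are constructed here, the field name id is invented, and the 0.9 printable-ratio threshold is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed POST bodies in the observed shape (one short key, one long value).
# None of them is the sample's real traffic.
SAMPLE_PLAIN = "id=" + base64.b64encode(b"bot=1234;os=WinXP;ver=1").decode()
SAMPLE_OPAQUE = "id=" + base64.b64encode(bytes(range(256))).decode()  # stand-in for ciphertext
SAMPLE_JUNK = "id=n0t.b@se64!!"

STD_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")
URL_ALPHABET = re.compile(r"^[A-Za-z0-9_-]*={0,2}$")


def split_form(body: str) -> list[tuple[str, str]]:
    """Split an x-www-form-urlencoded body without parse_qs(): that helper turns a literal
    '+' into a space, which silently corrupts base64 the client did not %-escape."""
    pairs = []
    for item in body.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((unquote(key), unquote(value)))
    return pairs


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def decode_b64(value: str) -> bytes:
    """Try standard, then URL-safe base64, repairing missing padding; raise binascii.Error."""
    padded = value + "=" * (-len(value) % 4)
    if STD_ALPHABET.match(padded):
        return base64.b64decode(padded, validate=True)
    if URL_ALPHABET.match(padded):
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    raise binascii.Error("characters outside both base64 alphabets")


def triage_value(value: str) -> dict:
    """Classify one form value as plaintext-after-base64, opaque-after-base64, or not base64."""
    if not value:
        return {"decoded": b"", "printable_ratio": 0.0, "verdict": "empty"}
    try:
        decoded = decode_b64(value)
    except binascii.Error as exc:
        return {"decoded": None, "printable_ratio": 0.0, "verdict": f"not base64 ({exc})"}
    ratio = printable_ratio(decoded)
    verdict = ("plaintext" if ratio >= 0.9           # assumed threshold
               else "base64 of opaque bytes: encrypted or compressed before encoding")
    return {"decoded": decoded, "printable_ratio": ratio, "verdict": verdict}


def triage_post_body(body: str) -> list[dict]:
    """Triage every field of a POST body; one short key with a long value is the beacon shape."""
    report = []
    for key, value in split_form(body):
        info = triage_value(value)
        info.update(key=key, value_length=len(value))
        report.append(info)
    return report


if __name__ == "__main__":
    for body in (SAMPLE_PLAIN, SAMPLE_OPAQUE, SAMPLE_JUNK):
        for entry in triage_post_body(body):
            print(f"{entry['key']}= ({entry['value_length']} chars): {entry['verdict']}")
```

The '+'-to-space pitfall in the form parser is worth knowing about when a decode attempt fails on a value lifted from a capture: a standard base64 string can contain '+' and '/', and a form parser or a copy through a URL decoder will mangle the former before it ever reaches the base64 decoder.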

Registry Keys
There does not seem to be much interesting registry activity. Comparing RegShot snapshots taken before and after running the malware showed a large number of registry changes, but none that looked significant on inspection; most are the normal churn of a running Windows system.

Filesystem Activity
The most obvious filesystem activity is that the malware's original executable is deleted. Monitoring file changes with ProcMon also logged the deletion as it happened.

ProcMon showed a lot of activity in C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, including the creation of a .exe file. Windows runs whatever is in this Startup folder each time that user logs on.

Opening the dropped executable in PEStudio shows it has the same hash as the original, so this is the malware copying itself to the Startup folder to achieve persistence. It may be necessary to uncheck "Hide protected operating system files" in Folder Options for the file to be visible, which indicates it is dropped with the hidden and system attributes set.

Deleting this dropped executable prevents the malware from running again at the next logon. If the computer has already been restarted after infection, attempting to delete the file fails with a notice that it is in use; killing the malicious svchost.exe process gives a short window, before it is respawned, in which the file can be deleted, which stops the malware from returning after the next restart.

A few files are created within a folder in C:\, and the malware seems to create and delete them frequently. Neither file contains anything that can be readily interpreted, though klpcst.dat appears to be static: it has the same hash across multiple runs.

There are many files the malware attempts to open but fails to because they do not exist (NAME NOT FOUND results in ProcMon), mostly various temp files in AppData\Local\Temp as well as an "hnt.dat" in AppData\Roaming.

Indicators of Compromise
Host based:
- Copy of the malware in C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  MD5: 3ea4b7a32fd84202938e79616a223832
  SHA-1: 59a72240bba9233a1d37b96d86b432d678380e38
  SHA-256: a67a1ca66f666eabef466bd6beba25867fd67ba697c1c7c02cde2c51e4e8289d
- Existence of C:\uN7VnXGy6vErSWw\klpclst.dat (unreliable, the file only exists for a short time)
  MD5: E8A9EEC432EF3FCD30AEA8523A9C347F
  SHA-1: 04A0636BCC59A7620C88B446EC13227EADADC92
  SHA-256: 43188AB56155CB3DBE2AB667E591F6ADC23858E714A90C0EFB39371475D3B3DC
Network based:
- Attempted TCP connection or DNS query to:
  - fromamericawhichlov.com
  - hillaryklinton.com
  - malborofrientro.com
- HTTP POSTs to a .phtml page containing a single form field with a short key and a long value of letters, digits and symbols
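An added example (not from the report) that turns the indicators above into a sweep a responder could run: it hashes the files in the per-user Startup folder against the complete hashes listed (the .dat SHA-1 given above is shorter than 40 hex digits, so it is left out), scans log text for the three domains and any subdomain of them, and recognises the beacon POST shape. The log lines and the 4-character key / 64-character value thresholds are constructed assumptions; the Startup folder path is derived from %APPDATA% when run on Windows.

```python
import hashlib
import os
import re
from pathlib import Path

# Host IOCs from the list above, lower-cased so comparisons are case-insensitive.
IOC_HASHES = {h.lower() for h in (
    "3ea4b7a32fd84202938e79616a223832",                                  # dropped .exe MD5
    "59a72240bba9233a1d37b96d86b432d678380e38",                          # dropped .exe SHA-1
    "a67a1ca66f666eabef466bd6beba25867fd67ba697c1c7c02cde2c51e4e8289d",  # dropped .exe SHA-256
    "E8A9EEC432EF3FCD30AEA8523A9C347F",                                  # klpclst.dat MD5
    "43188AB56155CB3DBE2AB667E591F6ADC23858E714A90C0EFB39371475D3B3DC",  # klpclst.dat SHA-256
)}
C2_DOMAINS = {"fromamericawhichlov.com", "hillaryklinton.com", "malborofrientro.com"}

# Constructed log lines (not from the lab capture) in a FakeDNS-like query format.
SAMPLE_DNS_LOG = """\
10:42:01 query A www.microsoft.com from 192.168.56.101
10:42:03 query A hillaryklinton.com from 192.168.56.101
10:42:05 query A update.malborofrientro.com from 192.168.56.101
10:42:09 query A notmalborofrientro.com from 192.168.56.101
"""


def hashes_of(data: bytes) -> dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def matching_iocs(data: bytes, iocs: set[str] = IOC_HASHES) -> list[str]:
    """Return the algorithms whose digest of `data` appears in the IOC set."""
    return [algo for algo, digest in hashes_of(data).items() if digest in iocs]


def scan_folder(folder: str, iocs: set[str] = IOC_HASHES) -> list[tuple[str, list[str]]]:
    """Hash every regular file directly inside `folder` (hidden and system files included,
    since the dropped copy carries those attributes) and report IOC matches."""
    root = Path(folder)
    if not root.is_dir():
        return []
    hits = []
    for path in root.iterdir():
        if path.is_file():
            algos = matching_iocs(path.read_bytes(), iocs)
            if algos:
                hits.append((str(path), algos))
    return hits


HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def c2_hosts_in_log(text: str, domains: set[str] = C2_DOMAINS) -> list[tuple[int, str]]:
    """Flag lines naming a C&C domain or a subdomain of one, as (line number, host).
    'notmalborofrientro.com' is deliberately not a match: only '.'-separated labels count."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in HOST_RE.findall(line.lower()):
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((lineno, host))
    return hits


def looks_like_beacon_post(request_line: str, body: str) -> bool:
    """The observed beacon: POST to a .phtml page with exactly one form field, a short key
    and a long value. The 4/64 thresholds are assumptions, not measured from the sample."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "POST" or not parts[1].split("?")[0].endswith(".phtml"):
        return False
    fields = [f for f in body.split("&") if f]
    if len(fields) != 1:
        return False
    key, _, value = fields[0].partition("=")
    return len(key) <= 4 and len(value) >= 64


if __name__ == "__main__":
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    print("startup folder hits:", scan_folder(startup))
    print("C&C lookups:", c2_hosts_in_log(SAMPLE_DNS_LOG))
```

Hash matching only catches this exact build of the dropped file; the domain and beacon-shape checks are the more durable of the three, since a repacked sample changes every hash but still has to reach the same infrastructure in the same way.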