Wednesday, September 13, 2017

Malware Analysis: ThunderExternal

So recently I set up a dionaea honeypot and I've been catching an insane amount of stuff. I just randomly picked this one to poke at and see what it's up to. I am running Windows 7 x64 in VMware for this analysis.

First off I opened it up in CFF Explorer:

So it seems we have a PE32 file! It is packed with UPX so most likely it wont be too hard to unpack. The original filename is ThunderExternal and appears to be out of China. It says it was created by a company named "ShenZhen Xunlei Networking Technologies,LTD." Which seems to be a legit company:

It looks like they have a streaming service of sorts called "Thunder". But since this was dumped on my honeypot with no action on my part, I highly doubt this was created by them. This seems to be some sort of adware/fake browser according to some brief googling I did. Now for PEid!

Using PEid, I was able to unpack it with the builtin UPX plugin. However as I found out later, there is further obfuscation. Here are the PEid results after unpacking:

After unpacking I checked the strings output. Here are some strings that I found odd or interesting:

baiduSafeTray.exe   *(Baidu AV process)
vsserv.exe               *(Bitdefender process)
set cdaudio door open
set cdaudio door closed wait
Game Over QQ : 4648150
QUHLPSVC.EXE       *(Quick Heal process)

It seems this binary can do all sorts of stuff by the looks of it. There are a ton of different anti-malware process names in this. To me it looks like this might check to see if there is any anti-malware software running. Apparently it can also open and close your cd tray? Maybe at some point it will ask for a disc or something. A lot of the imports are for networking, which makes sense. Looks like it may alter or add a registry entry as well: "SYSTEM\CurrentControlSet\Services\%s"

I used to scan the URL I found:

Looks like an ad for a phone? My first thought was this might be the default landing page for this browser. There is a QR code there as well. I'll dive deeper into this later on.

One thing I found in its resources that I thought was funny was this crappy IE icon ripoff that it uses:

The next thing I want to do is some basic static analysis in IDA. IDA was able to locate the WinMain function, so that was the first thing I looked at.

Looks like this is setting some folder variables:

%ALLUSERSPROFILE%\Application Data\Storm\update\

After following some of these call instructions I noticed a lot of these calls are pointers to hard-coded out of range memory addresses.

This function was interesting to me.

From some brief research I found that winse.exe is not an actual Windows service. The name is very similar to winsec.exe, which is another known malicious executable. Notice the gibberish as well. Has a bit of a repetitive pattern to it. The string "Meumeu Nevne" is referenced many times throughout the code.

There is more obfuscated code in this binary. De-obfuscating is something I need to practice so hopefully this will teach me a lot in the end. The more I think about this, I'm starting to wonder if this targets a specific piece of software or service. Maybe the "Thunder" streaming service?

Wish I could get this to run to do some dynamic analysis on it. As I expected, this raises an exception when I execute it because of the hard-coded out of range memory addresses. I will update this as I continue...

No comments:

Post a Comment