
SillyPutty - Part 2

Basic dynamic analysis of the SillyPutty challenge.


Objective

Hello Analyst,

The help desk has received a few calls from different IT admins regarding the attached program.
They say that they've been using this program with no problems until recently.
Now, it's crashing randomly and popping up blue windows when it's run. I don't like the sound of that. Do your thing!

IR Team

Perform basic static and basic dynamic analysis on this malware sample and extract facts about the malware’s behavior. Answer the challenge questions below.

Basic dynamic analysis

Describe initial detonation. Are there any notable occurrences at first detonation? Without internet simulation? With internet simulation?

Detonating the sample with and without internet simulation looks the same from the desktop: a normal PuTTY configuration window opens, but a blue console window (the colour scheme of a PowerShell host) flashes up briefly alongside it and then disappears. That window is the user-visible side effect the IT admins reported, and it is the first hint that something other than PuTTY is being launched.

From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this?

From the host-based indicators perspective, the main payload initiated at detonation is the PowerShell script that was identified during the static analysis phase. We can confirm this with Procmon (Process Monitor) by filtering on putty.exe: a Process Create event shows putty.exe spawning powershell.exe as a child process, with the command-line parameters identified in the first part visible in the event's Detail column. Process Explorer's process tree shows the same parent/child relationship, but the child exits quickly, so Procmon's recorded trace is the more reliable place to catch it.

[Image: child-process.png]

What is the DNS record that is queried at detonation?

The DNS record that is queried at detonation is bonus2.corporatebonusapplication.local

[Image: dns.png]

What is the callback port number at detonation?

The callback port number at detonation is 8443

[Image: wireshark.png]

What is the callback protocol at detonation?

The callback protocol at detonation is SSL/TLS: the callback is a TCP connection to port 8443, and the payload's -sslcon true argument makes the client start a TLS handshake on that connection rather than sending a plaintext shell. Port 8443 is a common alternative HTTPS port, which is how the sample hides its traffic in something that looks like ordinary encrypted web traffic.

How can you use host-based telemetry to identify the DNS record, port, and protocol?

To identify the DNS record, port and protocol using host-based telemetry, filter Procmon on putty.exe and the powershell.exe child it spawns (by process name or PID) and add the filter "Operation contains TCP". The TCP Connect events then show the destination in the Path column as source:port -> destination:port, which gives the callback host, the port (8443) and the transport (TCP) without looking at a packet capture. Note that if Options > Show Resolved Network Addresses is enabled, Procmon prints a service name instead of the port number and a resolved host name instead of the IP, so toggle it if the port is not obvious.
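The following is an added example, not part of the original write-up or the challenge material. It shows how the two host-based checks above (the putty.exe to powershell.exe process tree, and the TCP Connect events of those processes) can be pulled out of a Procmon CSV export (File > Save, CSV format) instead of read off the GUI. The CSV excerpt is constructed for the example; the host names, PIDs, timestamps and the elided PowerShell command line are not from a real trace of the sample, only the column layout and the callback host and port follow the challenge.

```python
import csv
import io
import re

# Constructed excerpt of a Procmon CSV export with the default columns.
# Process Create events carry the child PID in the Detail column; network
# events carry "source:port -> destination:port" in the Path column.
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1234567 PM","putty.exe","4120","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 5216, Command line: ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"" <payload arguments elided>"
"1:02:03.4567890 PM","powershell.exe","5216","UDP Send","ANALYST-VM:51234 -> 10.0.0.2:53","SUCCESS","Length: 62"
"1:02:03.5678901 PM","powershell.exe","5216","TCP Connect","ANALYST-VM:49812 -> bonus2.corporatebonusapplication.local:8443","SUCCESS","Length: 0, mss: 1460"
"1:02:04.0000000 PM","svchost.exe","1188","TCP Connect","ANALYST-VM:49813 -> 10.0.0.9:443","SUCCESS","Length: 0"
'''

# "src:port -> dst:port"; the port may be a service name if Procmon is set to
# resolve network addresses, so it is matched loosely and converted below.
PATH_RE = re.compile(r"^(?P<src>.+):(?P<sport>[^:]+) -> (?P<dst>.+):(?P<dport>[^:]+)$")
CHILD_PID_RE = re.compile(r"PID: (\d+)")


def parse_procmon(csv_text):
    """Read a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(rows, root_name):
    """Return the PIDs of root_name plus every descendant it created.

    Procmon records a child in the parent's Process Create event, with the
    new PID at the start of the Detail column, so the tree is rebuilt by
    repeatedly adding children of PIDs already in the set."""
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root_name.lower()}
    changed = True
    while changed:
        changed = False
        for r in rows:
            if r["Operation"] == "Process Create" and r["PID"] in pids:
                m = CHILD_PID_RE.match(r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def network_indicators(rows, pids):
    """Collect DNS server contacts and TCP callbacks made by the given PIDs."""
    dns_servers, callbacks = [], []
    for r in rows:
        if r["PID"] not in pids:
            continue
        m = PATH_RE.fullmatch(r["Path"])
        if not m:
            continue
        port = int(m["dport"]) if m["dport"].isdigit() else m["dport"]
        if r["Operation"] == "UDP Send" and port in (53, "domain"):
            # The UDP event shows the resolver that was asked, not the name;
            # the queried name is visible in Wireshark or the FakeDNS log.
            dns_servers.append(m["dst"])
        elif r["Operation"] == "TCP Connect":
            callbacks.append({"process": r["Process Name"], "host": m["dst"],
                              "port": port, "protocol": "TCP"})
    return {"dns_servers": dns_servers, "callbacks": callbacks}


def analyze(csv_text, root="putty.exe"):
    """Tie the two steps together for one export."""
    rows = parse_procmon(csv_text)
    pids = process_tree(rows, root)
    children = sorted({r["Process Name"] for r in rows if r["PID"] in pids} - {root})
    return {"pids": pids, "children": children, **network_indicators(rows, pids)}


if __name__ == "__main__":
    for key, value in analyze(PROCMON_CSV).items():
        print(f"{key}: {value}")
```

The svchost.exe connection to port 443 is dropped because it is outside the putty.exe process tree; that is the same effect as filtering Procmon by PID, and it is why the filter matters on a noisy host.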

Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn?

To initiate a shell on the localhost using the binary, two things have to line up: the callback has to reach our listener, and the listener has to speak the same protocol as the payload. For the first, redirect bonus2.corporatebonusapplication.local to the analysis machine (for example with FakeDNS on the internet-simulation host, or a hosts file entry). For the second, either remove the -sslcon true argument from the payload so it talks plaintext, in which case a plain listener such as ncat -nvlp 8443 receives the shell, or keep the payload as is and add the --ssl argument to the listener: ncat -nvlp 8443 --ssl. Without --ssl, a TLS-speaking payload connects and then hangs or sends unreadable handshake bytes, so no usable shell appears even though the connection itself succeeds.
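As an added example (not from the original post or the challenge files), here is a small stand-in for the plain ncat listener that makes the protocol-mismatch failure mode concrete: it accepts one loopback connection, reads the first bytes, and tells you whether the caller sent a TLS ClientHello (the payload was left with -sslcon true, so you need ncat --ssl) or plaintext (the argument was removed, a plain listener is enough). The "payload" client and its first bytes are constructed for the example; the listener binds an ephemeral port rather than 8443 so it can run anywhere.

```python
import socket
import threading

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type inside the first record


def classify_first_bytes(data):
    """Classify what a caller sent first.

    A TLS client opens with a ClientHello record: byte 0 is 0x16, bytes 1-2
    are the record version 0x03xx, bytes 3-4 the length, byte 5 the handshake
    type 0x01. A shell that was launched without -sslcon true instead sends
    printable text (a prompt or command output)."""
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "plaintext"
    return "unknown"


def catch_callback(first_bytes, timeout=5.0):
    """Mimic `ncat -nvlp <port>` (no --ssl) and report what arrived.

    Listens on a loopback ephemeral port, starts a constructed client thread
    that connects and sends first_bytes, and returns (port, classification).
    In the real lab the client would be the detonated sample after its DNS
    name has been redirected to this host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    def fake_payload():
        # Constructed stand-in for the callback; sends only its opening bytes.
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.sendall(first_bytes)

    t = threading.Thread(target=fake_payload, daemon=True)
    t.start()
    conn, _ = srv.accept()
    conn.settimeout(timeout)
    try:
        data = conn.recv(4096)
    finally:
        conn.close()
        srv.close()
        t.join(timeout)
    return port, classify_first_bytes(data)


if __name__ == "__main__":
    # Constructed opening bytes: a minimal TLS 1.2 ClientHello header, and a
    # plaintext Windows shell banner.
    tls_hello = b"\x16\x03\x03\x00\x10\x01" + b"\x00" * 16
    banner = b"Microsoft Windows [Version 10.0]\r\n"
    for sample in (tls_hello, banner):
        port, kind = catch_callback(sample)
        hint = "listener needs --ssl" if kind == "tls-client-hello" else "plain listener is fine"
        print(f"port {port}: {kind} ({hint})")
```

When ncat is started with --ssl and no --ssl-cert, it generates a temporary self-signed certificate for the session; the payload does not validate the server certificate, which is why that is sufficient for the shell to land.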

This post is licensed under CC BY 4.0 by the author.