The UPX Packer Will Never Die!

Published: 2021-12-03
Last Updated: 2021-12-03 16:26:42 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that the file is de facto malicious. Many developers decide to pack their software to protect the code. But why is malware so often packed? Because packing slows down the malware analyst's job and defeats many static analysis tools. The advantages of packed malware (from an attacker's point of view) are, amongst others:

  • A reduced amount of readable strings
  • A reduced imports table
  • A modified entry point (the start of the real program)

There are many packers in the wild. Some are publicly available, others are developed by the attackers themselves. Most of them do not provide an "unpacker", which means that you can't easily recover the original code. The best-known packer is probably "UPX"[1]. Available for years, on both Linux and Windows, it does a good job and... includes an unpacker! This means that it's very easy to revert to the original file.

Yesterday, I spotted an interesting PowerShell script that drops a PE file on the file system. I always start with a quick static analysis and saw this:

remnux@remnux:/MalwareZoo/20211203$ peframe cohernece.exe 

--------------------------------------------------------------------------------
File Information (time: 0:00:20.671049)
--------------------------------------------------------------------------------
filename         cohernece.exe
filetype         PE32 executable (GUI) Intel 80386, for MS Windows, UPX compress
filesize         53027
hash sha256      f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31
virustotal       /
imagebase        0x400000
entrypoint       0x1d540
imphash          d64d0be2c077062bee61cde37db4cf3e
datetime         2019-11-22 12:55:39
dll              False
directories      import, tls, resources, relocations
sections         UPX0, .rsrc, UPX1 *
features         packer

--------------------------------------------------------------------------------
Yara Plugins
--------------------------------------------------------------------------------
UPXv20MarkusLaszloReiser
UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
IsPE32
IsWindowsGUI
IsPacked
HasOverlay
HasRichSignature

--------------------------------------------------------------------------------
Behavior
--------------------------------------------------------------------------------
Xor

--------------------------------------------------------------------------------
Packer
--------------------------------------------------------------------------------
PackerUPX CompresorGratuito wwwupxsourceforgenet
UPX wwwupxsourceforgenet additional
yodas Protector v1033 dllocx Ashkbiz Danehkar h
UPX v0896 v102 v105 v124 Markus Laszlo overlay
UPX v0896 v102 v105 v124 Markus Laszlo overlay additional
UPX wwwupxsourceforgenet

--------------------------------------------------------------------------------
Sections Suspicious
--------------------------------------------------------------------------------
UPX1             7.90

--------------------------------------------------------------------------------
Import function
--------------------------------------------------------------------------------
ADVAPI32.dll     1
KERNEL32.DLL     4
MSVCRT.dll       1
NETAPI32.dll     1
USER32.dll       1

--------------------------------------------------------------------------------
Possibile Breakpoint
--------------------------------------------------------------------------------
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect

--------------------------------------------------------------------------------
File
--------------------------------------------------------------------------------
ADVAPI32.dll     Library
KERNEL32.DLL     Library
MSVCRT.dll       Library
NETAPI32.dll     Library
USER32.dll       Library

--------------------------------------------------------------------------------
Fuzzing
--------------------------------------------------------------------------------
String too long

You can see plenty of indicators that confirm we are dealing with a UPX-packed sample:

  • YARA rules hit
  • The name of sections ("UPX0", "UPX1")
  • A high entropy
  • A reduced imports table with functions related to memory management ("VirtualProtect")
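
As an added example (not from the diary or the UPX project), a small pure-Python check for two of the indicators listed above, UPX* section names and per-section Shannon entropy, applied to a constructed toy PE32 rather than the real sample; the header offsets follow the documented PE/COFF layout, and the 7.0 bits-per-byte threshold is an assumption.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """Walk the PE/COFF section table and return [(name, raw_offset, raw_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    _machine, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    out = []
    for off in range(table, table + 40 * nsections, 40):  # 40-byte entries
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def upx_indicators(pe: bytes, threshold: float = 7.0) -> dict:
    """The diary's two cheap indicators: UPX* section names and a high-entropy section."""
    sections = parse_sections(pe)
    entropy = {n: round(shannon_entropy(pe[p:p + s]), 2) for n, p, s in sections}
    return {
        "sections": [n for n, _, _ in sections],
        "entropy": entropy,
        "upx_names": any(n.startswith("UPX") for n, _, _ in sections),
        "high_entropy": [n for n, e in entropy.items() if e >= threshold],
    }

def build_sample_pe() -> bytes:
    """Constructed toy PE32 (not the diary's sample): UPX0 has no raw data, UPX1 looks random."""
    upx1 = b"".join(hashlib.sha256(b"toy-%d" % i).digest() for i in range(128))  # 4096 bytes
    rsrc = b"RESOURCE" * 8                                                         # low entropy
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)                  # i386, 3 sections
    sec = lambda name, raw, ptr: struct.pack("<8sIIIIIIHHI", name, 0x10000, 0x1000, raw, ptr, 0, 0, 0, 0, 0)
    data = 0x40 + 4 + 20 + 224 + 3 * 40                                            # raw data starts at 432
    table = sec(b"UPX0", 0, 0) + sec(b"UPX1", len(upx1), data) + sec(b".rsrc", len(rsrc), data + len(upx1))
    return dos + b"PE\0\0" + coff + b"\0" * 224 + table + upx1 + rsrc
```

Running `upx_indicators(open(path, "rb").read())` on a real file reports the same section names and entropy figures peframe shows above.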

UPX being open source, there are many forks of the project, and attackers can easily fork the original project and introduce small changes. As a result, the default (official) UPX tool won't be able to unpack the malware. Example:

remnux@remnux:/MalwareZoo/20211203$ upx -d test.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: test.exe: CantUnpackException: file is possibly modified/hacked/protected; take care!

Unpacked 0 files.

But, this time, the attacker used the official UPX version and I just unpacked it:

remnux@remnux:/MalwareZoo/20211203$ upx -d cohernece-packed.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    107299 <-     53027   49.42%    win32/pe     cohernece-packed.exe

Unpacked 1 file.
remnux@remnux:/MalwareZoo/20211203$ shasum -a 256 cohernece-packed.exe 
2b9aaa9c33b5b61f747d03e79a22706c79a58a5a838017ffa2452a1f1f8183bd  cohernece-packed.exe

The unpacked PE file is a good old Mimikatz.

I don't know why the attacker still used the default UPX in this case. Except to defeat automatic triage and basic controls, it does not slow down the malware analyst...

[1] https://github.com/upx/upx

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: UPX Packer Malware

TA551 (Shathak) pushes IcedID (Bokbot)

Published: 2021-12-02
Last Updated: 2021-12-03 09:24:35 UTC
by Brad Duncan (Version: 1)
0 comment(s)

Introduction

TA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years. So far this week, TA551 is pushing IcedID (Bokbot).


Shown above: Flow chart for this infection.

Images from an infection


Shown above: Screenshot from a TA551 email with sensitive information removed.

Indicators of Compromise (IOCs)

The infection process was similar to my previous diary about TA551 from August 2021, but this time it delivered IcedID instead of BazarLoader.

Associated malware:

SHA256 hash: d68fb04c96e925efcdb3484669365bed0cda22a272e486e99a43f9626019d31c

  • File size: 38,958 bytes
  • File name: request.zip
  • File description: Password-protected zip archive attached to email
  • Password: 55egs

SHA256 hash: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5

  • File size: 34,322 bytes
  • File name: charge_12.01.2021.doc
  • File description: Word doc with macros for IcedID

SHA256 hash: c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2

  • File size: 3,342 bytes
  • File location: C:\Users\[username]\Documents\youTube.hta
  • File description: HTA file dropped after enabling Word macros

SHA256 hash: d54a870ba5656c5d3ddfab5f7f325c2fb8ee256b25e2872847c5ff244bc6ee6e

  • File size: 257,672 bytes
  • File location: hxxp://winrentals2017b[.]com/tegz/[long string of characters]/cab3?ref=[long string of characters]
  • File location: C:\Users\Public\dowNext.jpg
  • File description: Installer DLL for IcedID
  • Run method: regsvr32.exe [filename]

SHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705

  • File size: 341,898 bytes
  • File location: C:\Users\[username]\AppData\Roaming\ReliefEight\license.dat
  • File description: license.dat data binary used to run persistent IcedID DLL

SHA256 hash: c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510

  • File size: 116,224 bytes
  • File location: C:\Users\[username]\AppData\Roaming\{24DB904E-86F7-2F2C-B7C1-85D8BBCE1181}\Miap\Giowcosi64.dll
  • File description: persistent IcedID DLL
  • Run method: rundll32.exe [filename],DllMain --giqied="[path to license.dat]"
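
As an added example (not part of the diary), a small detector for the two run methods listed above: regsvr32 registering a file that is not a .dll from a user-writable directory, and rundll32 calling DllMain directly with a license.dat argument. The Sysmon-style process-creation records and the user name "alice" are constructed; the paths are taken from the IOC list.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event 1 style); paths from the IOC list, user "alice" invented.
SAMPLE_LOG = r"""
Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe C:\Users\Public\dowNext.jpg
Image: C:\Windows\System32\rundll32.exe CommandLine: rundll32.exe C:\Users\alice\AppData\Roaming\{24DB904E-86F7-2F2C-B7C1-85D8BBCE1181}\Miap\Giowcosi64.dll,DllMain --giqied="C:\Users\alice\AppData\Roaming\ReliefEight\license.dat"
Image: C:\Windows\System32\regsvr32.exe CommandLine: regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"
Image: C:\Windows\System32\rundll32.exe CommandLine: rundll32.exe shell32.dll,Control_RunDLL desk.cpl
"""

TOKEN = re.compile(r'"[^"]*"|\S+')                                  # quoted path or bare word
USER_WRITABLE = re.compile(r"\\Users\\(Public|[^\\]+\\AppData)\\", re.I)

def analyse_cmdline(cmdline: str) -> list:
    """Return the reasons a regsvr32/rundll32 command line resembles the IcedID run methods."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens:
        return []
    host = PureWindowsPath(tokens[0]).name.lower()
    args = [t for t in tokens[1:] if not t.startswith("/")]          # drop switches such as /s
    reasons = []
    if host == "regsvr32.exe" and args:
        ext = PureWindowsPath(args[0]).suffix.lower()
        if ext not in (".dll", ".ocx"):
            reasons.append(f"regsvr32 registering a {ext or 'extension-less'} file")
        if USER_WRITABLE.search(args[0]):
            reasons.append("regsvr32 module in a user-writable directory")
    elif host == "rundll32.exe" and args:
        module, _, export = args[0].partition(",")
        if export.lower() == "dllmain":
            reasons.append("rundll32 calling DllMain directly")
        if USER_WRITABLE.search(module):
            reasons.append("rundll32 module in a user-writable directory")
        if any(a.lower().endswith("license.dat") for a in args[1:]):
            reasons.append("license.dat passed as argument")
    return reasons

def scan_log(text: str) -> list:
    """Return (cmdline, reasons) for every 'CommandLine:' field that trips a rule."""
    hits = []
    for line in text.splitlines():
        _, sep, cmd = line.partition("CommandLine: ")
        if sep and analyse_cmdline(cmd):
            hits.append((cmd, analyse_cmdline(cmd)))
    return hits
```

The two benign records (a vendor DLL registered from Program Files and a Control Panel applet) produce no hit, which is the false-positive check worth keeping when tuning the rules.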

IcedID traffic:

  • 143.204.155[.]37 port 443 - aws.amazon[.]com - HTTPS traffic
  • 87.120.254[.]190 port 80 - normyils[.]com - GET / HTTP/1.1
  • 87.120.8[.]98 port 443 - baeswea[.]com - HTTPS traffic
  • 91.92.109[.]95 port 443 - bersaww[.]com - HTTPS traffic

Final words

IcedID can be followed by Cobalt Strike when an infected host is part of an Active Directory (AD) environment. These types of infections can deliver ransomware as a final payload in real-world environments.

But decent spam filters and best security practices can help you avoid IcedID. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these types of infections from happening.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

