TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Snakes on a Domain: An Analysis of a Python Malware Loader | Huntress

2021-08-17

ATT&CK techniques detected

21 predictions
T1055.012 Process Hollowing (99%)
“…ild.exe. This became important later, as it turned out to be the second argument passed to the mandark.load method. Next, we browsed to the mandark.load method to find out what else was happening — and to determine the significance of that msbuild.exe argument. This led us …”

T1055.001 Dynamic-link Library Injection (99%)
“a” - Base64 decoding the results. This didn't seem too complicated, so we moved back to CyberChef and recreated the decoding logic. This resulted in the appearance of an MZ header, indicating that we had successfully decoded the data and retrieved an executable file. We saved t…”

T1055.001 Dynamic-link Library Injection (99%)
“…net file, we moved over to dnSpy where we could view the source code of the file. This can be seen below. Just looking at the function names alone, we got a strong indication of what the file was going to do. We can see functions indicative of injection (VirtualAlloc, WriteProce…”

T1055.001 Dynamic-link Library Injection (98%)
“…to decode the injected payload. We already noted that Base64 encoding and compression was used. We quickly inspected the decompress method to confirm the compression type — in this case, it was GZIP. Combining the above information together, we were able to decode the next payloa…”

T1055.001 Dynamic-link Library Injection (97%)
“…. Browsing further, we noticed this reference in the debug section of the file. This contained another PDB path, and a very git-like folder structure. Some googling of keywords in the PDB path led us to believe that the file was likely an execute-assembly loader, which is an …”

T1053.005 Scheduled Task (95%)
“…download and load a remote DLL - unload: send a kill command over a named pipe - restart: kill the current process and force a restart via a scheduled task - self-delete: remove all persistence and kill the current process. Some short snippets of this functionality are in the…”

T1059.006 Python (94%)
“Snakes on a Domain: An Analysis of a Python Malware Loader | Huntress. Hackers and snakes — oh my! What do they have in common? Both are shady characters that can hide in plain sight, just waiting for the right moment to strike. But how do you know if you have any unwanted pests …”

T1497.001 System Checks (92%)
“Below, we can see the AES256 encrypted and Base64-encoded values being loaded. After playing around with the decryption code, we were able to decrypt the config and pull out the following values — including a port number, mutex name, version and grouping numbers, as well as thr…”

T1059.001 PowerShell (91%)
“…AMSI) patching script. Implemented by Microsoft, AMSI provides a framework for security tooling to monitor PowerShell script activity. The goal of an AMSI patch is to bypass this framework and reduce the chances of an antivirus or EDR detecting any malicious PowerShell activity.…”

T1547.001 Registry Run Keys / Startup Folder (83%)
“…s, without the need for UAC prompts each time. If only standard user privileges were available, a .bat script would be placed into the current user's Run key, which would provide persistence with standard user privileges. Using these indicators, we were able to find other art…”

T1053.005 Scheduled Task (75%)
“…descriptions - detectdebugger: checks the “Debugger.IsAttached” flag, also checks for the presence of a dnspy.xml file in the %APPDATA% directory - detectsandboxie: looks for Sandboxie drivers (sbiedll.dll) - issmalldisk: checks if disk size is less than 61GB - isxp: che…”

T1547.009 Shortcut Modification (72%)
“…its simplicity and stealth, it's a common place that attackers will place malware and malicious files that they want to stick around. Want to learn more about persistence? Download our ebook Persistence: The Key to Cybercriminal Stealth, Strategy and Success. Here's a snippe…”

T1059.006 Python (69%)
“…the file description, indicating that it was a renamed IronPython interpreter. Alternatively, we could have also discovered this information using PEStudio or a similar tool. This was enough information to determine the purpose of the ctfmon.exe file, so we moved on to the updat…”

T1055.001 Dynamic-link Library Injection (63%)
“…download and load a remote DLL - unload: send a kill command over a named pipe - restart: kill the current process and force a restart via a scheduled task - self-delete: remove all persistence and kill the current process. Some short snippets of this functionality are in the…”

T1059.006 Python (46%)
“C:\Users\<username>\AppData\Roaming\ppvcbbqh\update.py. So, we retrieved the files and did some analysis. File analysis: first, we noticed that the hash of ctfmon.exe had 0 detections on VirusTotal, which we found interesting at first but were able to understand af…”

T1055.001 Dynamic-link Library Injection (44%)
“…note: the payload is going to be in GZIP compressed and Base64 encoded format.) This was super interesting because there was a very large string within the file, which matched that exact description (and was 64983 bytes in size — more than enough room for another payload). We…”

T1053.005 Scheduled Task (40%)
“…s, without the need for UAC prompts each time. If only standard user privileges were available, a .bat script would be placed into the current user's Run key, which would provide persistence with standard user privileges. Using these indicators, we were able to find other art…”

T1071 Application Layer Protocol (39%)
“We didn't find anything of particular use within PEStudio, so we moved on to dnSpy. We were able to determine that the file was a remote access trojan (RAT), likely from the Ursu family of malware. This malware had all the typical functionality of a RAT, which included the ab…”

T1219 Remote Access Tools (37%)
“We didn't find anything of particular use within PEStudio, so we moved on to dnSpy. We were able to determine that the file was a remote access trojan (RAT), likely from the Ursu family of malware. This malware had all the typical functionality of a RAT, which included the ab…”

T1059.001 PowerShell (33%)
“…note: the payload is going to be in GZIP compressed and Base64 encoded format.) This was super interesting because there was a very large string within the file, which matched that exact description (and was 64983 bytes in size — more than enough room for another payload). We…”

T1547.009 Shortcut Modification (31%)
“…was used to inject a remote access trojan (RAT) onto the system. Along the way, we encountered a total of six consecutive payloads and some new offensive tooling which we found pretty interesting. Towards the end, we also experimented with some custom scripts for de-obfuscati…”

Summary

Join us on a threat analysis journey as we discover a very shady Python—and a very friendly RAT.