Unknown.exe Analysis

THE UNKNOWN

We have a file named ‘unknown’ and will determine whether or not it is malicious.

First, we check the hashes of the executable against the VirusTotal.com database.

Hashes

VirusTotal.com

Strings

Not much of interest could be found in the strings of the exe file.

Dynamic Analysis

Activity

In Procmon, unknown.exe appears to start a thread in the background and otherwise seems to do nothing.

  • When we detonate the file, it deletes itself automatically.
  • Because the exe deletes itself, it will not remain effective once the device restarts or powers off.
  • The exe drops a file named ‘passwrd.txt’ at the path:

    C:\Users\Public\passwrd.txt

  • The exe is opening an image ‘cosmo.jpeg’

  • The exe base64-encodes the contents of the image file and then encrypts the result using the RC4 algorithm.

  • The exe has a function named ‘houdini’ that deletes the exe file once the conditions above are met.

  • The exe uses ‘Sikomode’ stored in the file ‘passwrd.txt’ as the key for RC4 encryption.

  • In short: if an image named cosmo.jpeg exists at the specified path, the exe opens it, base64-encodes it, and encrypts the result with RC4 using the key Sikomode.

  • The exe then opens a reverse shell to the domain mentioned below, allowing commands to be executed on the victim’s system.

URLs

The exe file accesses the URL:

    http://update.ec12-4-109-278-3-ubuntu20-04.local

  • If the exe cannot reach this URL, it deletes itself.

  • It will also delete itself once it has finished establishing the shell on the victim system.

  • A second URL is used to provide the reverse shell from the system; the encrypted data is sent in the post parameter:

    http://cdn.altimiter.local/feed?post=[data]
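To recover what was sent in the post parameter from a captured request, an analyst can reverse the pipeline described above (RC4 decrypt with the key Sikomode, then base64 decode). The following is an added example, not code from the post or from the sample itself; it assumes the [data] value is hex-encoded RC4 output, which is an assumption, and builds its own constructed stand-in for cosmo.jpeg so it runs offline.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

RC4_KEY = b"Sikomode"  # key the sample stores in passwrd.txt


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_exfil(url: str, key: bytes = RC4_KEY) -> bytes:
    """Reverse the sample's pipeline from a captured request URL:
    hex (ASSUMED transport encoding) -> RC4 decrypt -> base64 decode -> file bytes."""
    blob = parse_qs(urlparse(url).query)["post"][0]
    ciphertext = binascii.unhexlify(blob)
    b64_text = rc4(key, ciphertext)
    return base64.b64decode(b64_text, validate=True)


def build_sample_url(file_bytes: bytes, key: bytes = RC4_KEY) -> str:
    """CONSTRUCTED test input: applies the base64-then-RC4 pipeline from the post
    so the decoder can be checked offline. No real capture is embedded here."""
    ciphertext = rc4(key, base64.b64encode(file_bytes))
    return "http://cdn.altimiter.local/feed?post=" + binascii.hexlify(ciphertext).decode()


if __name__ == "__main__":
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"constructed stand-in for cosmo.jpeg"
    captured = build_sample_url(fake_jpeg)
    recovered = recover_exfil(captured)
    print("JPEG magic recovered:", recovered[:4].hex(), "| match:", recovered == fake_jpeg)
```

If the sample turns out to use a different transport encoding for [data] (for example raw base64 instead of hex), only the unhexlify step in recover_exfil needs to change.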

KillSwitch

Before detonating, the exe first checks for a kill switch by trying to connect to a URL. If that URL exists, the exe deletes itself immediately and does not function any further.

  • The URL is checked against a buffer located at a fixed address in the binary.

  • The buffer appears empty in the file because the URL is written into memory at runtime.

This post is licensed under CC BY 4.0 by the author.