Abstract
This was a group project where students were tasked with investigating a real malware sample of their choosing using the ANY.RUN malware sandbox. Results are delivered in the form of a blog post.
Our professor gave us permission to submit our project for consideration to be published in the guest category of the official ANY.RUN blog, but it was unfortunately not selected. If you’re interested, their Q&A with my professor (Dr. Jim Furstenburg) about cybersecurity education is a good read. He has a lot of great experience and wisdom to share, and the post offers some insights into how the ISIN program at Ferris approaches teaching.
Analysis of Stealer Malware
Authored by: Garrett Blaylock and Will Kittredge - student analysts
In this post, we analyze stealer malware using ANY.RUN to try to understand its capabilities. Based on our findings, we discuss the potential impact of the malware and suggest some mitigation strategies.
If you want to follow along, you can find more details about the malware and download a sample from the MalwareBazaar database entry linked at the end. Be forewarned, though. Understand the potential dangers and remember to take proper precautions with real malware samples!
Behavior During Execution (Will)
During execution, the malware seems to keep out of the way. The average user who just opened their laptop for some web browsing would probably be unaware of its presence unless they went looking for it. This would be expected for stealer malware - the less attention it draws to itself, the better. By remaining hidden, it can persist on the system for longer and steal more data.
We do get some indication that something might be amiss when the malware first installs and executes, though.
In the background, information-gathering child processes are being created. We will examine these later in the child processes section.
Network Activity (Will)
We can see that the stub.exe process made a request to ip-api.com to perform an IP lookup. Based on the User-Agent field of the request, we infer that the malware is probably using Python. This is consistent with information listed on MalwareBazaar.
stub.exe request information.
stub.exe response information.
We can download the PCAP containing all of the network traffic and use Wireshark to confirm that a connection was established. The site responded with JSON data.
The malware also attempted to access raw user content on GitHub. The request gets a 404: Not Found response back, but the URL was suspicious. Based on the URL value, we assumed that this was JavaScript to perform some type of malicious injection.
injection.js file could not be accessed on GitHub. We believe it was probably reported or automatically flagged.
Child Processes (Will)
The malware spawns child processes that gather information about the system, among other things. In this case cmd.exe is being invoked with the /c option, which tells the command prompt to exit after the specified command is executed.
cmd.exe processes spawned by stub.exe are visible
Some of these processes establish persistence methods for the malware. For example, we can see that process 2600 ran a command that creates a scheduled task to automatically run the malware. Process 396 adds a key to the registry to make the malware a startup program. Other processes could reveal potentially sensitive information. Process 2356, for example, executes the Get-Clipboard PowerShell cmdlet to get the contents of the clipboard. Passwords and personal information might be stored here depending on the victim user’s prior activity that day.
A de-obfuscated PowerShell command leads us to believe that this malware is also able to take screenshots of the infected system.
MITRE ATT&CK (Will)
The malware’s tactics align with several MITRE ATT&CK techniques, including command-line execution (T1059.001), registry key modifications for persistence (T1547.001), and standard application layer protocols for command and control communication (T1071.001). The MITRE ATT&CK chart generated by ANY.RUN helps us get a more complete picture of what the malware is doing.
Command and scripting interpreters such as Python, PowerShell, and the Windows command prompt are leveraged by the malware in execution. Using persistence methods like autostart and scheduled tasks, the malware ensures that it will be executed when the victim uses their machine. Once running, it attempts to gather information from the system and access credentials while simultaneously hiding itself. The stealer malware also appears to be virtualization-aware, as ANY.RUN detected time-based virtualization/sandbox evasion.
Indicators of Compromise (Garrett & Will)
As part of the information-gathering processes started by the malware, it created network requests that ANY.RUN detected as potential indicators of compromise. These consist of a network connection that the stub.exe process made to the restores.name domain (IP 135.181.65.219) and the failed attempt to access the injection.js file stored on GitHub. The network communication with ip-api.com was likely for geolocation and reconnaissance purposes.
Obfuscation techniques were also identified, with Base64-encoded PowerShell commands used to execute scripts, possibly for capturing screenshots of the victim’s system. These indicators of compromise (IoCs) provide critical insights for defenders to recognize and respond to the malware’s activity effectively.
Key Observations (Garrett & Will)
The analyzed malware exhibits stealthy behavior typical of stealer malware, designed to operate quietly in the background to avoid drawing attention. While it generally remains unobtrusive, initial execution reveals some activity through visible popups and cmd windows. This behavior might hint at an issue to attentive users but would likely go unnoticed by most. The malware engages in extensive information gathering by creating child process that collect system data, and its capabilities include executing PowerShell commands, potentially for capturing screenshots.
Persistence mechanisms are a notable aspect of this malware’s functionality, with evidence of registry modifications and scheduled tasks ensuring automatic execution upon system startup. This allows it to maintain access and carry out operations without requiring user intervention. Additionally, the malware communicates with external servers, including ip-api.com, to gather reconnaissance data, leveraging HTTP requests to interact with these endpoints. The User-Agent field in the requests suggest that it operates using Python, aligning with information from the MalwareBazaar database. Collectively, these observations indicate that the malware could be used for credential theft, espionage, or data exfiltration, making it a significant threat to affected systems.
Recommendations (Garrett)
To mitigate the risks posed by this malware, organizations should implement a multi-layered approach to cybersecurity. Robust endpoint protection solutions, such as Endpoint Detection and Response (EDR) tools, should be deployed to monitor and block unauthorized activities, including child process creation, registry modifications, and suspicious network communications. Complementing this, user awareness training is essential to reduce the likelihood of infection, particularly by educating users on the dangers of interacting with unknown attachments, links, or files.
Network monitoring should also be a priority, using firewalls and intrusion detection/prevention systems (IDS/IPS) to block communication with known malicious domains or IP addresses, such as ip-api.com. An incident response plan should be in place to address infections swiftly, encompassing steps for isolating affected systems, removing malware, and recovering data. Finally, keeping operating systems and software regularly updated is vital to minimize vulnerabilities that the malware could exploit. By combining these strategies, organizations can effectively reduce the risks and impact of malware attacks.
Discussion (Garrett)
This malware demonstrates the sophisticated yet stealthy behavior typical of modern stealer malware. By blending in with legitimate processes and establishing persistence through registry and scheduled task modifications, the malware maximizes its chances of success. The observed communication with external servers underscores its reconnaissance capabilities, likely aimed at tailoring its operations to the infected system’s environment.
The use of PowerShell commands for potential screenshot capturing further highlights the flexibility of this malware. Combined with its persistence techniques, it poses a significant threat to individual users and organizations, especially those lacking advanced security measures. While its exact payload and objectives remain unclear, the potential for credential theft or sensitive data exfiltration is evident.
Conclusion (Garrett)
Analyzing this stealer malware provides critical insights into its techniques and impact. From initial infection to establishing persistence, its methods highlight the importance of proactive cybersecurity measures. Advanced tools like ANY.RUN make it easier to dissect such threats and understand their implications.
Organizations must prioritize defense-in-depth strategies to mitigate the risks posed by malware of this nature. A combination of user education, advanced monitoring tools, and effective response protocols can reduce exposure and improve resilience against similar threats.
For further details on this malware, including its behavior and characteristics, refer to the provided ANY.RUN task links. Understanding and preparing for these threats is essential in an ever-evolving cybersecurity landscape.
More Links
Public (not ours) ANY.RUN task
This report also contains some useful information about the malware sample