Malware Honeypot Analysis

Welcome back to another security tutorial my padawans! This tutorial will cover the shady malware we have caught in our unpatched Windows honeypot.

Tools we are using for this investigation will be NetworkMiner, VirusTotal Uploader, Process Monitor, TCPView, and PPEE. We will call this our Malware Kit. (https://ufile.io/ygu06) There is no be-all and end-all "malware kit" on the market. Most people have personal preferences about what they like to use and which tools do what. So if you're like me and don't have time to dedicate 6 months of your life to the rabbit hole that is IDA, this kit will do just fine.

After opening the flood gates of our firewall by turning it off, within about 5 minutes we usually see a FLOOD of connections on SMB port 445.
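To put a number on that "flood", here is a small detector, added as an example and not part of the original tutorial or any of the kit's tools. It reads connection log lines, keeps only those aimed at TCP 445, buckets them into 5-minute windows and reports any window with an unusual number of distinct source addresses. The log lines and their format (timestamp, source, destination) are constructed for the example; a real honeypot would feed it firewall or NetworkMiner session data instead.

```python
"""Flag bursts of inbound SMB (TCP 445) connections in a connection log.

Added example. The log format below (timestamp src:port -> dst:port) is an
assumption for this demo, not the output of any particular tool.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample log: the honeypot is 10.0.0.5, sources use RFC 5737
# documentation ranges. Five SMB hits from four hosts in three minutes,
# one unrelated HTTP hit, one lone SMB hit later, and one unparsable line.
SAMPLE_LOG = [
    "2017-06-01 12:00:05 192.0.2.10:51234 -> 10.0.0.5:445",
    "2017-06-01 12:00:09 192.0.2.11:51235 -> 10.0.0.5:445",
    "2017-06-01 12:01:12 198.51.100.7:40001 -> 10.0.0.5:445",
    "2017-06-01 12:01:30 198.51.100.7:40002 -> 10.0.0.5:445",
    "2017-06-01 12:02:44 203.0.113.9:33333 -> 10.0.0.5:445",
    "2017-06-01 12:03:01 192.0.2.10:51240 -> 10.0.0.5:80",
    "2017-06-01 12:30:00 192.0.2.50:60000 -> 10.0.0.5:445",
    "garbage line",
]


def parse_line(line):
    """Return a dict with ts/src/dport for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def smb_bursts(lines, window_minutes=5, min_sources=3):
    """Group port-445 connections into fixed windows and return the windows
    that see at least `min_sources` distinct source IPs.

    Counting distinct sources rather than raw connections is what separates
    a worm sweep (many hosts, few attempts each) from one noisy scanner."""
    buckets = {}
    for conn in map(parse_line, lines):
        if not conn or conn["dport"] != 445:
            continue
        bucket = conn["ts"].replace(second=0, microsecond=0)
        bucket -= timedelta(minutes=bucket.minute % window_minutes)
        buckets.setdefault(bucket, Counter())[conn["src"]] += 1
    return [
        {
            "window_start": start,
            "sources": len(counts),
            "connections": sum(counts.values()),
            "top": counts.most_common(3),
        }
        for start, counts in sorted(buckets.items())
        if len(counts) >= min_sources
    ]


if __name__ == "__main__":
    for alert in smb_bursts(SAMPLE_LOG):
        print(f"{alert['window_start']}: {alert['sources']} sources, "
              f"{alert['connections']} SMB connections, top {alert['top']}")
```

On the constructed log only the 12:00 window trips the threshold (four distinct sources, five connections); the single 12:30 hit does not. Tune `min_sources` to the baseline of your own network before trusting it on production traffic.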

Under the Parameters tab in NetworkMiner and in our Process Monitor output we can see that we have picked up a WannaCry loader + worm component (mssecsvc.exe). More technical explanations are at https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

While logging onto one of my honeypots I did notice something new. The honeypot was lagging like mad, and when I looked in Task Manager I noticed an exe taking all the CPU resources. I uploaded it to VirusTotal and it was a bitcoin miner! While looking at the Files tab in NetworkMiner, I noticed it keeps getting our honeypot's IP address.

So then I decided to throw this little bastard into PPEE. (Sample here: https://ufile.io/z86ih) We can see that it was created not long ago and has some URL strings in it.

We can also look at the strings in the suspicious section, which show file deletions, pings, cmd being run, and more.

Upon further analysis we see a Chinese DNS service being used and a .ru URL.
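The three observations above (URL strings, the deletion/ping/cmd strings, the .cn and .ru hosts) are all things you pull out of a binary's strings, which is what the PPEE Strings view does by hand. The script below is an added example, not PPEE's code or anything from the sample, that does the same triage automatically: it carves printable ASCII and UTF-16LE runs out of a byte blob and tags the ones that look like URLs, IP addresses, .ru/.cn hostnames or command-line activity. The `SAMPLE_BLOB` and every hostname in it are constructed placeholders; point it at a real sample with a path on the command line.

```python
"""Extract strings from a binary and tag the ones worth a second look.

Added example. Hostnames and the blob below are constructed placeholders,
not indicators from the miner discussed in the post.
"""
import re
import sys
from collections import defaultdict

MIN_LEN = 5

# Constructed stand-in for a PE: a header fragment, some ASCII strings,
# junk bytes and one wide (UTF-16LE) string, as a real sample would have.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://c2.example.ru/get.php\x00"
    + b"dns.example.cn\x00"
    + b"cmd.exe /c ping 127.0.0.1 -n 3 & del /f /q %TEMP%\\loader.tmp\x00"
    + b"\x01\x02\x03ab\x00\x00"
    + "kernel32.dll".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe" * 8
)

# Each rule names a category and the pattern that puts a string in it.
RULES = {
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "ru_domain": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.ru\b", re.I),
    "cn_domain": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.cn\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # cmd.exe use, pings and file deletion, the behaviours the strings showed
    "shell": re.compile(r"\bcmd(?:\.exe)?\b|\bping\b|\bdel\s+/|\berase\b", re.I),
}


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs followed by UTF-16LE runs of min_len+."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    strings = [s.decode("ascii") for s in ascii_runs]
    strings += [s.decode("utf-16le") for s in wide_runs]
    return strings


def classify(strings):
    """Map each rule name to the strings that match it (a string may
    land in several categories, e.g. a URL on a .ru host)."""
    hits = defaultdict(list)
    for s in strings:
        for tag, pattern in RULES.items():
            if pattern.search(s):
                hits[tag].append(s)
    return dict(hits)


def triage(data):
    """Convenience wrapper: strings plus their classification."""
    strings = extract_strings(data)
    return strings, classify(strings)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    found, tagged = triage(blob)
    print(f"{len(found)} strings extracted")
    for tag, matches in tagged.items():
        for m in matches:
            print(f"[{tag}] {m}")
```

Plain strings alone are noisy on a large binary; the categories are what make the output readable, and adding a rule for the DNS service or mining pool names you actually see in a sample is a one-line change. Packed samples will show almost nothing here until they are unpacked or dumped from memory, which is why the post's Process Monitor and NetworkMiner observations still matter.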

Well, there you have it! A basic dynamic analysis of malware we have caught in our honeypot. More articles to come on this in the future.

Contact Information

Red_Team611@protonmail.com

Disclaimer

This site is used for information purposes and not intended for anything illegal. Do not test anything or use any tools on networks you do not have permission to. I give credit to anyone I have mentioned or linked their work in my tutorials.