In our first posting on BlackEnergy, Matt Larsen dissected the evolution of the malware and introduced the newest variant, “BlackEnergy3.” In this post, we’ll take a look at a specific BlackEnergy3 sample and analyze it with Carbon Black.
High-level overview of execution chain of the malware:
Breakdown of the malware sample’s behaviors:
The sample is unsigned and has no legitimate metadata attached to it to verify its identity.
When we expand the sample’s file information, we can verify that this file is a Windows binary, has no legitimate metadata to validate its authenticity, was written by one parent (explorer.exe, because I downloaded the sample and executed it manually), and has three related files.
Let’s drill into this sample by clicking on analyze.
When we drill down, we can see that our sample performed 71 actions when it was executed:
- regmod 3
- filemod 6
- modload 60
- netconn 0
- proc 2
These are the registry values modified by the malware.
These are the files modified by the malware.
These are the child processes generated by the malware.
The child process Winword.exe executes two additional child processes.
The first command, "c:\windows\system32\rundll32.exe" "c:\users\win7\appdata\local\fontcache.dat", font, goes on to create a startup file artifact, and the second opens an embedded fake document.
Despite being a binary, our sample also contained this embedded decoy document, which looks like a document full of common passwords.
The other child process, “c:\users\win7\appdata\local\temp\qkf.exe” takes 95 actions before exiting:
- filemod (5)
- modload (81)
- regmod (5)
- childproc (3)
- crossproc (1)
qkf.exe executes cmd.exe and then runs the command "C:\Windows\SysWOW64\cmd.exe /s /c "for /L %i in (1,1,100) do (del /F C:\Users\Johnson\AppData\Local\Temp\qkf.exe & ping localhost -n 2 & if not exist C:\Users\Johnson\AppData\Local\Temp\qkf.exe Exit 1)"".
This command is a loop that runs 100 times, trying to create itself over again. It pings localhost two times, and if the file qkf.exe does not exist, it will re-create itself.
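As an added example (not part of the original post and not Carbon Black code), the heuristic below looks for the trait combination visible in that command line: a cmd.exe child whose `for /L` loop issues `del /F` against its own parent image, paced with `ping localhost -n` delays and an `if not exist ... Exit` check. The event dictionary field names and the two benign comparison events are constructed for the example.

```python
import re

# Constructed process-creation events shaped like the proc/childproc data
# discussed above (field names are assumptions, not the Carbon Black schema).
EVENTS = [
    {"parent": r"C:\Users\Johnson\AppData\Local\Temp\qkf.exe",
     "process": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /s /c "for /L %i in (1,1,100) do '
                r'(del /F C:\Users\Johnson\AppData\Local\Temp\qkf.exe & ping localhost -n 2 & '
                r'if not exist C:\Users\Johnson\AppData\Local\Temp\qkf.exe Exit 1)"'},
    # Benign: an interactive user deleting a log file (constructed).
    {"parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /F C:\Users\win7\Desktop\old.log"},
    # Benign: a plain connectivity check (constructed).
    {"parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping localhost -n 2"},
]

FOR_LOOP = re.compile(r"\bfor\s+/L\b", re.I)
# "del" followed by optional switches (/F, /Q, ...) and then the target path.
DEL_TARGET = re.compile(r"\bdel\s+(?:/\w\s+)*(\S+)", re.I)
PING_DELAY = re.compile(r"\bping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+\d+", re.I)
EXIT_WHEN_GONE = re.compile(r"\bif\s+not\s+exist\b", re.I)

def self_delete_indicators(event):
    """Return the individual traits of a self-deletion loop found in one event."""
    cmd = event["cmdline"]
    targets = {t.strip('"').lower() for t in DEL_TARGET.findall(cmd)}
    return {
        "for_loop": bool(FOR_LOOP.search(cmd)),
        "ping_delay": bool(PING_DELAY.search(cmd)),
        "exit_when_gone": bool(EXIT_WHEN_GONE.search(cmd)),
        "deletes_parent": event["parent"].lower() in targets,
    }

def is_self_deletion_loop(event):
    """Flag only when the deleted file is the parent image and at least two of
    the loop/delay/exit traits are present, so a plain del of a log is not hit."""
    ind = self_delete_indicators(event)
    traits = sum([ind["for_loop"], ind["ping_delay"], ind["exit_when_gone"]])
    return ind["deletes_parent"] and traits >= 2

def triage(events):
    """Return the parent image paths worth pulling from the endpoint for analysis."""
    return [e["parent"] for e in events if is_self_deletion_loop(e)]
```

The parent-path match is the discriminating condition; the loop, delay and exit traits on their own appear in plenty of legitimate batch scripts.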
Because the virtual machine had no external network connectivity, I was unable to record the malware trying to phone home. But when I detonated it inside a detonation engine, I was able to capture the following PCAP information:
Conclusion and Summary of Malicious Activity:
| Category | Behavior |
| --- | --- |
| Autostart | Registering for autostart using the Windows start menu |
| Evasion | Possibly stalling against analysis environment (sleep) |
| File | Modifying executable in suspicious location of application data directory |
| Stealth | Creating file with confusing type extensions (data ext) |
In conclusion, our sample of BlackEnergy3 confirms the heavily dynamic nature of this malware. The endpoint detection capabilities of the Carbon Black platform contribute to a solid defense-in-depth strategy, with visibility extending beyond the network layer. The attributes seen by Carbon Black complement preexisting network-based detection mechanisms and offer more flexibility in detection than traditional signature-based methods.
Until next time, remember my motto: Flag it, Tag it and Bag it.