Octowave Loader - Malware Analysis Lab

Technical Analysis of Octowave Loader

Transcript (AI generated from video):

00:00:00	Malware takes many forms, from executable file formats to dynamic link libraries, scripting formats like batch scripts or PowerShell scripts, or even Visual Basic scripts. These often work in perfect harmony with one another, and sometimes it's even using file formats that you may not expect, like this gnarly piece of malware that I'm going to show you today, which uses an audio wave file and steganography in order to encode its payload. So let's jump into it, 'cause this is going to be a lot of fun. Hello and welcome. We are back with a new malware
00:00:36	analysis VM and a new piece of malware to analyze. Now this is a family of malware that I've given the name Octowave Loader, mostly because of the wave file steganography and because during analysis I was listening to Wave Rider, and Wave Rider is a song that is played in Hotel Transylvania and is used to summon a giant kraken octopus monster, and it's a play on words at the fact that this loader uses multiple different DLLs to load its payload. On VirusTotal it doesn't actually have a
00:01:12	lot of detections, but this was actually first submitted almost 7 months ago, which is quite a long time ago now. You will notice that this is an Inno Setup installer, which means there's going to be a number of components that get delivered when this is installed on an endpoint, so we can actually look at the relations and begin to see a bit more information, and you might see something that's a little bit interesting already in that it reaches out to this netsupportsoftware.com. Now NetSupport is a remote monitoring and management tool
00:01:43	legitimately used, but is also commonly used by threat actors, so that's a bit interesting. If we were to look at the files that are dropped as a result of this, there's quite a lot, including this DLL which actually has a lot of AV detection on it. Another sample that we've got is an MSI, so this is the Microsoft Installer format, and if we take a look at the relations of files associated with this we will see once again that there is a DLL that has a lot of detections, but at the time of submission for both of these neither of
00:02:19	them had a lot of detections on these DLL files. So let's actually dig into this. Because they're so large, one of the things that we really want to be doing is extracting them from the larger executable that they're going to run from. So I've got my samples here. Now let's assume that I don't know what format these files are and that they've come just as they're seen. We can kind of highlight over, we could right click and go to Properties and see if we get any kind of further information. We can see
00:02:48	that this one has a description of Syslog Center Pro Setup, which is a bit interesting, and it also has a digital signature, which may be of interest. The one over here, if we look at the properties, we don't see any more of that information, but we do see that this has actually got a digital signature as well, and these are going to be core bits of information that we'll drill into in just a second. So let's actually go ahead and use Detect It Easy to find out a bit more about this, and we can see straight
00:03:18	away with Detect It Easy that this is likely an installer for Inno Setup. We look at the other file, we see that this is a Microsoft Compound file; it's saying hey, it might be Microsoft Office, some sort of archive, or an MSI. So in this particular case we know that it is an MSI file. Well, there is a fantastic tool that can be used to extract Inno Setup files, this Inno Extractor. So if I was to choose an installer file, in this particular case I'm going to go to the malware that we have, and I'm going to have to rename
00:03:51	it, otherwise I won't be able to select it. So let's give this an executable extension. We now have it with an executable extension and we can see it's got this icon that comes up that just seems to be, I don't know, an arrow pointing into a letter. Let's open this up, and now we can actually see what is going to be deployed and where it's going to be deployed when Inno Setup runs. So this is super interesting, because we can see in the temp directory that it's going to be deploying this Blue Iris executable, but then there's also going
00:04:20	to be this uedit32 executable that gets deployed as well. So let's go ahead and extract all of these files, and then we can actually see we've got a copy of it here with all the contents that have been extracted. Now this is really, really quite useful, so there is this ISS file and this actually gives us more metadata associated with the particular installation and what it's going to do on an endpoint. So we can see these source files that are being mentioned and where they're being moved to in this
00:04:51	temp directory, but then we also see this Run, so this is what's going to run when the executable gets installed. Now there is BlueIris.exe, but then this uedit is going to be run as well. The fact that two executables are running is a little bit suspicious here and something that we really want to drill in on. You'll also notice that this has the Land Secure company's Syslog Center Pro as the name, so we would expect everything self-contained in here to be related to Syslog Center Pro, so we know exactly
00:05:22	what it's going to be deploying. Let's dig into this a little bit further. Now what's really interesting about this is we would expect them all to be associated with one another. This has a file description and a company of Perspective Software and the Blue Iris 5 installer, but the uedit32 is UltraEdit Professional Text and Hex Editor, so why would this be running a text editor at the same time that it runs the Blue Iris installer? Hm, interesting. We also have this archives directory with an application.wave file. This is a little
00:05:54	bit unique, and this other GNU directory with libxml2 as a DLL that's going to be used. When I highlight over this CES title 2.dll, for example, it actually says that it is from CyberLink Corporation, but CyberLink is not the company that runs Blue Iris and it's not the company that runs UltraEdit, so why would it have that? We also see data eraser has a company of Wondershare. We also have CyberLink's module for PhotoDirector as this help15.dll. So we know that all of these files are going to be installed once the
00:06:35	executable, or the Inno Setup installer, runs on an endpoint, but we don't know anything about any of these files. So if we want to understand where the signed executables and DLLs differ from the unsigned executables and DLLs, we can actually drill into this using PowerShell and recursively look at all files in this directory. So if I click on the top here and I run PowerShell, we'll zoom in a bit, we'll make this full screen, and I want to just look at all the files in the directory. Let's do a -Recurse. What I need
00:07:07	to do is pipe this to Get-AuthenticodeSignature and let's format this in a table. If I want to look for just the files, let's do a *.*, so we know that they have to be files. So we can see straight away files that wouldn't be signed have come up as NotSigned. NotSigned makes sense; application.wave is a wave file, so this would be some sort of audio that we want. Uh, the libxml is a bit interesting because we have a HashMismatch. Blue Iris looks to be a legitimately signed and valid executable,
00:07:47	so we will need to look into this libxml2, and there are a lot of other ones that have come up here as well. So we have a HashMismatch on the CES title 2, we have NotSigned for data eraser, we have a HashMismatch on help15. The UnknownErrors down here, we would not expect to see an icon, a help, or a pack file to be signed, so we don't worry too much about them, but definitely there is something strange going on with this help15.dll, data eraser, CES title, and the libxml2.dll. If we wanted to extend
00:08:25	our previous command to get a bit more information, what we can do is we can use Get-AuthenticodeSignature and then we can do a bit of a filter. So if we use a question mark, that will just denote a filter condition. We're going to use a variable in this case, and the variable will be what we pipe into it, and the characteristic we're looking at is the Status, so we can do Status and we want to say that it has to be equal to the HashMismatch, and what we're going to do is we're going to then format that in
00:09:00	a list rather than a table, and we want all the attributes to be displayed, not just the signer certificate, status, and path. So we have this filter condition, we need to close that off, and it will take just a little bit of time, but it should give us a lot more information to go off of to understand these DLLs and these signing certificates which are causing a HashMismatch to occur. So for example it says the contents of this file, so this help15.dll, might have been changed by an unauthorized user or
00:09:36	process, because the hash of the file does not match the hash stored in the digital signature. What we see in all of these is that there seems to be an alteration with the file and the signing certificate and what the signing certificate was meant for. So for example we've got UltraEdit Inc, and that is associated with the XML; then we also have a case of CyberLink Corp. Once again this is not associated with CyberLink software, so this is a bit strange. CyberLink Corp, once again. We know that these files have likely been tampered
00:10:14	with in some way, shape, or form with their signing certificate. Now if you've watched my video before on IDAT Loader, you will probably begin to see a trend where there is signing certificate information that's just been ripped out of one executable or DLL and pumped into another one. So these files to me scream extremely suspicious, that should be investigated further. So we really want to focus our efforts on the DLL files, because there's every opportunity here for a legitimate executable to be sideloading a malicious DLL. How can we go
00:10:45	about doing this? Well, we can look at the imports for both of these to see if any of them are anomalous. If I move this to the side and use something like Detect It Easy on the Blue Iris installer, and I was to look at the imports here by clicking on this, what we will actually see is that this only imports two DLLs, kernel32 and imagehlp.dll. Now kernel32.dll may then be loading something like LoadLibrary, which is what we can see here, so it may then be loading the DLLs of interest after it runs, and we'd have to
00:11:27	really dig into this a bit more to understand what it's doing. Let's take a look at UltraEdit to see if there's anything suspicious there as well, and with UltraEdit we can see there's a lot more imported DLLs; however, none of these really jump out except for WebView2Loader, which we know is in the same directory. The only problem is that WebView2Loader isn't one of those DLLs that look suspicious to us. It's not one of the ones that had an invalid signature; it all seemed to be normal. So how can we dig into this a bit
00:11:58	more? Well, we could take the cheat's way out here and actually just use Procmon in order to monitor what libraries are loaded when it actually executes. So let's give that a shot. Let's open up Procmon, or Process Monitor. What I'm going to do is I'm going to change the filter, so we have the filter section here, and I'm going to instead say that if a Process Name is, and in this case we're going to do BlueIris.exe, then we want to include it into our results. I also want to include anything that's the UltraEdit binary so that we
00:12:39	can narrow it down to just those. So let's change this to Include and change this one to uedit32.exe and add that in. Perfect. So now I can hit OK, and you can see, okay, there's nothing captured there because we haven't run the executable yet. So let's run Blue Iris, and now it has executed. We haven't really got any kind of prompts yet, so that's a little bit suspicious; usually we would expect some sort of installer to prompt up and then try to install software. Okay, so this actually has now prompted us with the
00:13:20	Blue Iris Setup Wizard. Now if this was going to load a DLL, ideally it would do it before this setup finishes, because this is going to be run by the user and the threat actor would want that to be running their malware even if they were to cancel this. So let's just see if there is any kind of DLLs that were being loaded here. So if I go Find and I want to look for DLL, we can see the Load Image, so I want to right click this Load Image here, and what we can do is just include Load Images, and that will tell us what DLLs were
00:13:58	actually loaded by Blue Iris when it ran. So we can see a number of DLLs have been loaded, but we really want to focus in on the ones that are in this same directory. Looking down at the Inno extracted there is only one that was loaded, which was the Blue Iris executable. So this tells us that maybe this isn't loading those DLLs that are of interest to us. Let's see what happens if we run UltraEdit instead. I'm just going to go ahead and clear the display and run UltraEdit. Oh, okay, so we can see more that are
00:14:31	being run: the WebView load. Hey, something's just changed in this directory as well. Hm, this is suddenly getting a bit more interesting. There seems to be a Templates directory with this texture.db. Is this normal? Is this not normal? Let's go down. We can see it loads that WebView DLL, then we can see it's loading those other DLLs of interest, so we can see it's loading libxml2.dll, and from there this is then loading help15, icu68, uh, and then data eraser, and then this CES title. Ooh, so this is all suddenly very interesting in that it's
00:15:11	actually loading those DLLs, all of the ones that we identified that were suspicious. Oh, we can actually see more things that are occurring now. This remcmdstub has run on the system as well, so there's a good chance that we've actually got something malicious happening here. There's also this client32 file, so let's take a look at this. Oh, hm, NetSupport, that is very interesting, with a gateway address specified. So this is actually a configuration for NetSupport RAT, like we saw on the VirusTotal hits, that it was going to be
00:15:44	reaching out to that URL. Now this is not something that we would expect to be happening at all when UltraEdit runs. The other thing is UltraEdit hasn't actually run; it's meant to be a graphical program that allows us to edit text, but instead it's made an outbound connection and we see all this other stuff that has occurred. Very interesting indeed. Now that we know that UltraEdit is loading those other DLL files, the first one we saw it loading was this libxml DLL, so I'm going to dive into this a bit further. Let's take
00:16:16	this and open it up in something like Binary Ninja. So if I take a look at this, straight away we can see that the libraries that it uses includes the help15.dll, so we're going to need to understand what exported function from that DLL is actually being leveraged here. So if I run a search for help15.dll, we can see that it is mentioned in the import address table here, and it is actually running the CardUILog exported function, so we actually have to dig into CardUILog to figure out what's happening in that help15.dll. So
00:16:54	let's jump into that one now. So looking into help15.dll, we know based on the activity that we saw that it's going to be loading a couple of other DLLs, but the ones that were of interest to us are those unsigned or invalid and the HashMismatch type DLLs. So there is this data eraser that gets loaded, and then this CES title 2. So if we actually look for the CardUI, because we know that's what it was using in this particular DLL, we straight away can see a function that is being called CardUILog. So let's take a
00:17:27	look into that. Now this is performing a number of operations, but we want to find out where it's actually loading that DLL that is of interest to us, and we can see around here that it is loading data eraser.dll, so this is exactly what we saw in that behavior. But what exactly is it doing? Well, slightly on from there we see that it is then loading a wave file, by the looks of it, in that app archives directory, but we didn't actually hear any wave file playing, so this is of particular interest. And then we see the
00:18:05	reference to it loading the CES title 2.dll. So now we're in a bit of a situation where we can see some execution flow that is a bit interesting. We can also see that it is reading a number of bytes from the file that it has retrieved, which is this application.wave file. So let's actually see if we can figure out what application.wave is and whether it is actually a wave file or not. So within the archives directory we do have the application.wave file, so let's give it a listen. Oh yeah, it's a bit of a groovy
00:18:41	beat, seems like there's nothing really out of the... that was a bit... okay. So what starts out as seemingly normal audio quickly transposes into something else. So I'm going to open this up in Audacity just to take a look at the actual waveform which is occurring here, and you can see it starts out playing this kind of groovy song here, then there's this static, and over here it seems to return to normal, back into this kind of groovy song. Right, interesting. So we might actually be dealing with some level of steganography
00:19:30	where the malware that's being retrieved here is hidden inside of this waveform. Now if we look at this carefully we can actually see that it is grabbing that static type audio and it's reading particular bytes within it, so this is where the steganography comes into play. We can actually see that it is using the API SetFilePointer in order to move 78200 in hexadecimal, so that amount of bytes on from the base of the file, and then it's reading 2619 in hexadecimal as the number of bytes. What we then wind up seeing is that
00:20:13	the CES title 2.dll has a defined function that's being stored here called LP enum function, and it's being used in this subroutine. Now if we examine this subroutine we begin to see things that are using test or bit; now this tells us that it's looking at the particular bits associated with this, so this is likely using, uh, the most significant or least significant bit steganography within the wave file in order to store the particular malicious code. So short of manually analyzing every single operation statically, we can
00:20:56	do some dynamic analysis in order to understand the payload that's going to be deployed into memory after the steganography routine runs. So to do that I've opened up UltraEdit in x32dbg, because this is a 32-bit binary. Now what I'm going to do is add a number of breakpoints, so in this case I've created one on CreateFileW and SetFilePointer that we know are occurring, but I'm also going to create one on LoadLibrary and instances of VirtualProtect, because quite often these API calls are going to
00:21:32	come up and are going to allow us to easily dump what is going to wind up in memory. So let's create a breakpoint with bp on VirtualProtect, and now let's run the malware. And so we can see we hit LoadLibrary; this is user32.dll that it's using it on, so let's just continue. Still not it, still not it, still not it, still not it, still not it, still not it, and there'll be quite a few of these that are the default ones before we see, uh, something like this, which is actually specifying the DLLs in our directory. So
00:22:14	we don't actually have a zlib one or iconv, but we do have the libxml2.dll, so we might actually see other occurrences that happen after this call. So there is user32, and now we see that CreateFile. Now in this case the file that's been created is one in the temporary directory called 126b yada yada. CreateFile again, this time it's actually pointing at application.wave. Now application.wave is obviously the file that's got the stego going on in it, so this is really what we're interested in, and you can see SetFilePointer is
00:22:51	occurring, so that's what we like to see. We can see the 78200 that we mentioned previously. Do you see mention of it calling CES title 2 here? We have LoadLibrary, we have CES being mentioned here, we do have this push of, uh, 2619 occurring, and the CES title. Now we know that 2619 is the number of bytes that we saw previously in our analysis. We do have a loop that occurs here now where it begins to look at the individual bits that are involved. Let's step over all of that and get to the end result, and the
00:23:36	end result is going to be what gets pushed. Yeah, so on the stack pointer we can see this 558b. This is potentially some level of shellcode that's going to be run, as the 558b generally is setting up the instructions that shellcode might use. So I've gone ahead and dumped all of this, uh, potential shellcode. I've just highlighted it, gone Binary, Save to a File, then I've opened it up in Ghidra, let the analysis finish, and you can begin to see that it uncovers that a number of functions are going to be called. So we
00:24:15	can see, uh, like I mentioned, the 55 operation onwards is pretty standard here in how it sets up the return values that are going to be required, but at the function it does look like it's calling, uh, a lot of other functions, and if we look at probably graphing it, it may get a bit noisy. Uh, of interest is that we do see this push 0x40 occurring down here, um, and 0x2000. Now the 0x40 being called could be related to process injection. Now if we look at the function directly preceding that, that gets stored under this,
00:25:01	uh, local variable, you will notice that this contains a number of other sub functions, and within this 1473 there is what looks to be a check for 45a, which as we know is the MZ header for a PE file. So this tells me that this is likely going to be performing a number of operations that then unveil an MZ header that is then going to be a PE file injected into memory. So let's actually continue with our analysis and see what else we can find out. If we go back to our debugger here, we can see that the call
00:25:45	occurs, then we see, uh, CreateFile gets called again, once again with the application.wave file, so this is going to be getting a handle on that file. Now we hit a point where we actually see an MZ header start to come up shortly after the getting a handle on application.wave, and if we take a look at where this is in our memory map, it does look like it's in a section of memory that is private, sitting on a stack. This is of interest because we know that there was some dynamic building of potentially PE
00:26:24	files sitting on the stack that are going to be of interest to us. So let's say take all of this and dump it out to a file and see if anything comes up that, uh, shines some light into what we expect this malware to be doing. So opening this up in Ghidra we can look at our defined strings and maybe run a search: NetSupport Manager. That's interesting, because that's what we saw being deployed on the endpoint. So now we are beginning to see signs of what is being deployed on the endpoint after this malware executes, but that's not all
00:27:00	that's being deployed through Octowave Loader. Let's take a look at that other sample that we had, the MSI file. So with the MSI file we can actually use an inbuilt msiexec tool to do an administrative install of this, and that's going to actually just dump out what is going to be installed, once again, when msiexec runs. So to do that we use msiexec, we are going to give it a parameter of /a, we are going to specify the particular file, so in this case that one, and we are going to do a quiet install, and let's do TARGETDIR
00:27:40	equals, and let's be very specific about this: create a new directory called dump and make the target directory dump. Hey, Syslog Center Free. Interesting, another case where we saw Syslog Center being used. So we can see that it has preserved the original installation here, and then we get this Programs, and this is what it would be installing on an endpoint. Now once again we have a lot of stuff to go through here. Let's actually take a look at the presentation.wave file here, because we have another instance where we see a
00:28:17	wave file. It's the same song, it's the same song with static and then continuing. It's the same steganography being used here, so we should be able to run through a similar analysis process. Run PowerShell; I want to get all the files, I want to recurse the directory, like there's an images folder as well, be interesting to know whether that is something that is being used or not. Uh, sorry, we need to specify, uh, *.*. We're going to do a Get-AuthenticodeSignature and let's do a Format-Table again. Okay, so a number of errors on the
00:29:10	PNG files. Maybe I actually added too much here; looks like everything under images, there's quite a lot, so instead of recursing let's actually just do it in the current directory. Okay, so now it looks like we have a case where there are a lot of valid DLLs, uh, there are a couple that are not signed, so the mfcm90 and 90u are of interest, and we have a few more over here that are not signed as well: Cairo base, UI, CX image U. And it's just finished, and it looks like there is a HashMismatch on the RWC pro.
00:29:57	dll, so immediately something that I want to be looking into. We know the hash mismatches have paid dividends. As always though, just simply running the executable is going to be our most easy way to figure out the execution flow, so let's run Process Monitor. We want to capture if the process name is Smart Switch PC on the executable, and now we can see a lot of operations that occur. Let us narrow it down to Load Images, and so we can see that it imports mobex, uh, then we have the CYO common, win edit.dll. Now win edit.dll
00:30:42	is actually the one that was flagged by a lot of AV vendors on VirusTotal, so I'm actually going to dig into win edit.dll. What's interesting is that through our analysis here we haven't yet seen any instances where NetSupport RAT has been deployed. There's quite a good chance that this is actually deploying something different into memory than the previous sample. If I actually look at the strings that are within that DLL, we can see that presentation.wave DLL mention. Now this is actually used in a method,
00:31:15	AddNetwork2. You can see it's also loading this vid preview.dll in much the same way as we saw in the previous malware execution, and then we also see the RWC pro.dll, which was another suspicious DLL, and it has the 0x40 mentioned here, the exact same as what we saw with the previous malware execution as well, which means there's a good chance that we will see a similar aspect where it is grabbing particular bytes that are then going to be used in the steganography routine. But thanks so much, uh, let me know your thoughts, feelings,
00:31:53	comments, anything else in the comment section below, and I will catch you next time. [Music]