Basic Dynamic Analysis Pteranodon.bin – Gamaredon Group

Posted on by Marcus Edmondson

So today I wanted to do a blog post on an executable SHA-256: 408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f that has been tied back to the Gamaredon Group, in my research. I pulled it down from @0xffff0800 .onion website http://iec56w4ibovnb4wc.onion/Library/GamaredonGroup/. Thank you @0xffff0800 with sharing these samples with the community!

A little background on who the Gamaredon Group is. According to https://attack.mitre.org/groups/G0047/  and https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/ the Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. In the past they relied on more off-the-shelf tools and have made a shift to custom developed malware. Now that we have a little background on the Gamaredon Group let’s begin…

So I will jump straight into the behavioral analysis portion. Some interesting things I was able pull out were, is that it drops a couple of files to disk named ie_cash.cmd and ie_cash.exe that are in a self extracting 7 zip archive.

screen shot 2019-01-06 at 7.13.42 am

Now I want to dig into that .cmd file and see what I can determine from it. screen shot 2019-01-06 at 7.16.09 am

Right away I can see it setting variables for my computername at “EciYJop”,  http at “FICvuEG”, bitsadmin at “wtyCwMz”, ddns.net at “per_16” and then it builds the URL in “JhtQFgc”. The next part of the script is setting variables to the dropped and dowloaded executable setup.exe and ie_cash.exe, as well as setting variables to the %APPDATA%\Microsoft \IE directory. It will then copy over ie_cash.exe to that directory. In my behavioral analysis I did not observe this as ie_cash.exe remained in %APPDATA\local\Temp\7ZipSfx directory. The last part of the script is creating two scheduled tasks. So this script was fairly straight forward.

screen shot 2019-01-06 at 7.32.43 am

In my debugging of the file it appeared the CreateFileW API was used to create ie_cash.cmd and ie_cash.exe.

screen shot 2019-01-06 at 8.03.22 am

screen shot 2019-01-06 at 8.03.35 am

Then ShellExecute was used to run ie_cash.cmd which in turn set the scheduled tasks and ran ie_cash.exe. I believe ie_cash.exe to be the downloader for  http[://]bitsadmin.ddns[.]net/%COMPUTERNAME%/setup.exe.

screen shot 2019-01-06 at 8.23.42 am

Screen Shot 2019-01-06 at 8.03.57 AM.png

I also noticed that the cmd.exe that it starts was started suspended and later NtResumeThread was used to restart it. The handle of the first argument pointed to cmd.exe. This could indicate some sort of injection.

screen shot 2019-01-06 at 8.07.15 am

Well thank you for taking time to read my post and until next time…

 

Happy hunting,

Marcus

 

 

 

Leave a comment

Published by Marcus Edmondson

With over fifteen years of experience in cyber security and information technology, I am an expert in digital forensics, threat hunting, and incident response. I currently work as a Cyber Network Operator at the US Department of Defense, where I use various tools and techniques in an offensive capacity on critical networks. I have a passion for hunting, forensics, and detection, and I leverage my background in offensive cyber operations to improve defenses and gain visibility into attacks. I am skilled in collecting, parsing, and analyzing security data at scale using PowerShell, Velociraptor, Elasticsearch, SQL, Python, and spreadsheet tools. I am always eager to learn and apply new techniques to find adversaries on networks. I hold eleven GIAC certifications: GCFA, GCWN, GCFE, GPEN, GCPN, GREM, GCIH, GDAT, GCTI, GWAPT and GCIA.