
In our first posting on BlackEnergy, Matt Larsen dissected the evolution of the malware and introduced the newest variant, “BlackEnergy3.” In this post, we’ll take a look at a specific BlackEnergy3 sample and analyze it with Carbon Black.

Sample (SHA-256 bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444):

https://www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/

[Screenshot: VirusTotal report for the sample]

High-level overview of execution chain of the malware:

[Screenshot: high-level execution chain of the malware]

Breakdown of the malware sample’s behaviors:

[Screenshot: breakdown of the sample's behaviors]

The sample is unsigned and carries no legitimate metadata (no Authenticode signature, no publisher or version information) that could be used to verify its identity.

[Screenshot: expanded file information for the sample]

When we expand the sample's file information, we can confirm that the file is a Windows binary, has no legitimate metadata to validate its authenticity, was written by a single parent process (explorer.exe, because I downloaded the sample and executed it manually), and has three related files.
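Carbon Black reports the "unsigned" property for us; the following Python shows how to check the same thing directly from the bytes of a PE file. It is an added example, not code from the original post or from Carbon Black: it reads the Security data directory (index 4) of the optional header and looks for a WIN_CERTIFICATE of type 0x0002 (PKCS#7 SignedData). It answers only "is there an Authenticode blob to verify?", not "does the signature chain to a trusted root?"; the latter needs signtool, osslsigncode or the Windows WinVerifyTrust API. build_pe32() constructs a minimal synthetic PE32 header for the demonstration and has nothing to do with the BlackEnergy sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the blob named by the PE Security data
    directory, or None if the file is not a PE or has no such entry.
    Unlike other directories, this one holds a raw file offset, not an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    opt = pe + 24                                         # optional header start
    if len(data) < opt + 2:
        return None
    opt_size = struct.unpack_from("<H", data, pe + 20)[0] # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}.get(magic)
    if dir_base is None:
        return None
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt_size or opt + entry + 8 > len(data):
        return None  # header too short to hold the security directory
    off, size = struct.unpack_from("<II", data, opt + entry)
    return (off, size) if size else None


def is_signed(data: bytes) -> bool:
    """True only if the security directory points at an in-file WIN_CERTIFICATE
    of type PKCS_SIGNED_DATA. This does NOT validate the signature chain."""
    entry = authenticode_entry(data)
    if entry is None:
        return False
    off, size = entry
    if size < 8 or off + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def build_pe32(signed: bool) -> bytes:
    """Constructed minimal PE32 image (assumption: just enough header to carry
    a data directory). With signed=True a dummy WIN_CERTIFICATE is appended
    whose body is placeholder bytes, not real PKCS#7 DER."""
    num_dirs = 16
    opt_size = 96 + 8 * num_dirs
    header_len = 0x40 + 4 + 20 + opt_size
    dirs = [(0, 0)] * num_dirs
    cert = b""
    if signed:
        body = b"\x30\x82" + b"\x00" * 14
        cert = struct.pack("<IHH", 8 + len(body), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = (struct.pack("<H", PE32_MAGIC) + b"\0" * 94
           + b"".join(struct.pack("<II", *d) for d in dirs))
    return dos + coff + opt + cert


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_pe32(signed=False)
    print("security directory:", authenticode_entry(blob))
    print("has Authenticode blob:", is_signed(blob))
```

Run it against a real file with `python pecheck.py sample.exe`; a result of `None` / `False` matches what the Carbon Black file information showed for this sample. A `True` here still only means there is something to verify.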

Let’s drill into this sample by clicking on analyze.

[Screenshot: Analyze view of the sample]

Drilling down shows that our sample performed 71 actions when it was executed:

  • regmod (3)
  • filemod (6)
  • modload (60)
  • netconn (0)
  • childproc (2)

Regmod:

[Screenshot: registry modifications (regmod) made by the sample]

These are the registry values modified by the malware.

Filemod:

[Screenshot: file modifications (filemod) made by the sample]

These are the files modified by the malware.

Childproc:

[Screenshot: child processes (childproc) spawned by the sample]

These are the child processes generated by the malware.

The child process winword.exe in turn executes two additional child processes.

The first, "c:\windows\system32\rundll32.exe" "c:\users\win7\appdata\local\fontcache.dat", font, goes on to create a startup file artifact (the autostart entry listed in the summary at the end); the second opens the embedded decoy document,

"c:\users\win7\appdata\local\temp\spisok_paroliv.doc".

Despite being a binary, our sample also carries this embedded decoy document, which looks like a list of common passwords (the filename spisok_paroliv is Ukrainian for "list of passwords").

[Screenshot: the embedded decoy document spisok_paroliv.doc]

The other child process, “c:\users\win7\appdata\local\temp\qkf.exe” takes 95 actions before exiting:

  • filemod (5)
  • modload (81)
  • regmod (5)
  • childproc (3)
  • crossproc (1)

qkf.exe executes cmd.exe with the following command line:

C:\Windows\SysWOW64\cmd.exe /s /c "for /L %i in (1,1,100) do (del /F C:\Users\Johnson\AppData\Local\Temp\qkf.exe & ping localhost -n 2 & if not exist C:\Users\Johnson\AppData\Local\Temp\qkf.exe Exit 1)"

This is a self-deletion loop. Up to 100 times it tries to delete qkf.exe, pings localhost twice (cmd.exe has no sleep command, so ping -n 2 serves as a roughly one-second delay that gives the still-running qkf.exe time to exit and release its file lock), and leaves the loop as soon as the file no longer exists. The net effect is that the dropper removes itself from disk once its work is done, which is why the file is gone by the time anyone looks for it.

Because the virtual machine had no external network access, I was unable to record the malware attempting to phone home. When I detonated it inside a detonation engine, however, I captured the following PCAP information:

[Screenshot: PCAP captured during detonation]

Conclusion and Summary of Malicious Activity:

Type        Description
Autostart   Registering for autostart using the Windows start menu
Evasion     Possibly stalling against the analysis environment (sleep)
File        Modifying an executable in a suspicious location (the application data directory)
Stealth     Creating a file with a confusing type extension (the .dat extension on fontcache.dat)

In conclusion, our sample of BlackEnergy3 confirms the heavily dynamic nature of this malware: the interesting behaviour (the rundll32 loader, the decoy document, the self-deleting dropper) only shows up at execution time. The endpoint detection capabilities of the Carbon Black platform contribute to a solid defense-in-depth strategy, with visibility extending beyond the network layer. The attributes seen by Carbon Black complement preexisting network-based detection mechanisms and offer more flexibility in detection than traditional signature-based methods.

Original post: https://blog.bit9.com/2014/11/18/an-analysis-of-blackenergy3-malware-using-carbon-black/
