Malware Analysis Report of SickoMode

Practical Malware Analysis & Triage - TCM & HuskyHacks

This is my course final for the Practical Malware Analysis & Triage course, where I learned how to perform static and dynamic analysis of malware samples. In this report, I go over my analysis of the SickoMode malware made by HuskyHacks specifically for this course.


Executive Summary

SHA256 hash

3aca2a08cf296f1845d6171958ef0ffd1c8bdfc3e48bdd34a605cb1f7468213e

SickoMode is a data exfiltration malware sample. It is a Nim-compiled executable that runs on 64-bit Windows. Once executed it begins exfiltration, and it removes itself from the host as soon as certain conditions are no longer met.

YARA signature rules are found at the end of this report.

High-Level Technical Summary

SickoMode functions as a data exfiltration malware that removes itself from the host if any of the following conditions is met:

  • The malware cannot connect to its callback domain and the target file is not on the host system.
  • The internet connection is lost (in this analysis, when INetSim is stopped).
  • The target file (cosmo.jpeg) is not on the host.

Otherwise it first contacts its callback URL (hxxps://cdn.altimiter.local/feed?post=) and begins exfiltration.

Malware Composition

SickoMode consists of a single component:

unknown.exe

The initial executable. It writes a key to the host system, exfiltrates data encrypted with an RC4 encryption algorithm, and then deletes itself from the host.


Basic Static Analysis

First I used FLOSS to pull the strings from unknown.exe into a text file.

  • Strings: floss.txt
@:houdini
@http://cdn.altimiter.local/feed?post=
@Desktop\cosmo.jpeg
@SikoMode
@C:\Users\Public\passwrd.txt

genKeystream__OOZOOZOOZOOZOOZOnimbleZpkgsZ8267524548O49O48Z826752_2
toRC4__OOZOOZOOZOOZOOZOnimbleZpkgsZ8267524548O49O48Z826752_51
@m..@s..@s..@s..@s..@s.nimble@spkgs@sRC4-0.1.0@sRC4.nim.c

NaturalToInt32__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_49
newWString__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_66
UTF8minusgtwstring___OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_120
winstrConverterStringToLPWSTR__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_713
winstrConverterWideCStringToLPWSTR__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_681
winim_winstrDatInit000

stdlib_streams.nim.c
stdlib_nativesockets.nim.c
stdlib_hashes.nim.c
stdlib_monotimes.nim.c

stdlib_randomInit000
stdlib_random.nim.c

stdlib_httpcore.nim.c
stdlib_asyncfutures.nim.c

checkKillSwitchURL__sikomode_25
unpackResources__sikomode_17
request__sikomode_208
get__sikomode_201
getContent__sikomode_194
houdini__sikomode_51
stealStuff__sikomode_130

NimMainModule
NimMainInner

homeDir__sikomode_13
res__sikomode_263
passwrd__sikomode_14

Many relevant strings were found; the full list is at the end of this report. The strings above are the ones I distilled as most interesting.

We also searched the SHA256 hash on VirusTotal. It had no record of the sample, so we can operate under the assumption that VirusTotal is not aware of this malware and continue our analysis.

Within PEstudio we see the following, which confirms that this is a 64-bit binary:

Basic Dynamic Analysis

On the initial detonation, with no network simulation and no analysis tools running, the portable executable (PE) deletes itself soon after execution.

On the second detonation, with network simulation and analysis tools running, we can see the first callback domain. The binary then deletes itself again.

  • The binary reaches out to the first callback domain, hxxp://update.ec12-4-109-278-3-ubuntu20-04[.]local, receives a 502 error and then deletes itself.
Wireshark running on our REMnux VM with INetSim active

On the third detonation, with Wireshark running, we see a continuous stream of GET requests whose post= parameter value changes with every request. Once I stop INetSim (the network simulation), the binary deletes itself from the host machine.

  • Here we see the exfiltration domain: the binary constantly sends GET requests to hxxp://cdn.altimiter[.]local/feed?post= followed by a changing value, which we can infer is the data being sent.

The last thing I can take from the initial detonation of this malware is that there are no persistence mechanisms, but a key is written to disk.

We find this with Procmon, a process monitoring tool that lets me filter process activity as it occurs.

This filter lets us see which files are created by the process "unknown.exe".
Here we see that passwrd.txt was created right before a write related to cosmo.jpeg.
  • passwrd.txt contained the following key: "SickoMode"

The Callback URLs can be found at the end of this report.


Advanced Static Analysis

Next we load the binary into Cutter, a disassembler, which lets me see the roots of the program. It also shows how the binary runs step by step in assembly (the lowest form of human-readable code).

Here we see the architecture of the program

We find the main program below:

The main function shown in the disassembler

Upon further examination of the assembly, we see NimMainModule, which is where the data exfiltration and the deletion of the malware from the host occur.

On the left-hand side, you see NimMain, NimMainInner and NimMainModule

Within Cutter, we can also search for strings such as the callback URLs we found earlier.

The memory location where the exfiltration domain is found

Within NimMainModule we find the following:

After "checkKillSwitchURL__sikomode_25" is called, the program goes to either "houdini__sikomode_51" or "setjmp". We also see "stealStuff__sikomode_130".

This portion of NimMainModule appears to be where the encryption before data exfiltration takes place and where the binary decides when to delete itself from the host system.

Within "stealStuff__sikomode_130", we see the encryption algorithm that this program uses:

After this portion, we see NimMainModule use houdini to delete the binary and continue the program:
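The following is an added example for defenders, not code from the report or from HuskyHacks: it decodes captured exfiltration traffic of the shape described in the dynamic analysis and the stealStuff section, using the RC4 key "SickoMode" recovered from passwrd.txt. It assumes each post= value is base64 of the RC4 ciphertext of one chunk (the base64 encode symbol appears in the strings, but the exact encoding chain is an assumption); the log lines are constructed, not a real capture.

```python
import base64
import re
from urllib.parse import quote, unquote

# Facts taken from the report: exfil GET requests go to this URL with a changing
# post= value, and the RC4 key "SickoMode" is dropped in C:\Users\Public\passwrd.txt.
EXFIL_RE = re.compile(r"https?://cdn\.altimiter\.local/feed\?post=(\S+)")
RC4_KEY = b"SickoMode"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). RC4 is symmetric: one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_chunks(log_lines):
    """Pull the post= values of requests to the exfil URL out of proxy/Wireshark-style lines.
    unquote() handles percent-encoded values and leaves raw base64 untouched."""
    return [unquote(m.group(1)) for line in log_lines for m in EXFIL_RE.finditer(line)]


def decode_exfil(chunks, key=RC4_KEY):
    """ASSUMPTION: each value is base64(RC4(key, chunk)) with a fresh keystream per chunk."""
    return b"".join(rc4(key, base64.b64decode(c)) for c in chunks)


def build_sample_log(plaintext: bytes, chunk_size: int = 6):
    """Constructed sample traffic (not a real capture): encrypt chunk-wise the way
    decode_exfil expects, percent-encode the base64 so '+', '/' and '=' survive the URL,
    and include an unrelated request to the same host that the extractor must ignore."""
    lines = ["GET http://cdn.altimiter.local/ HTTP/1.1"]
    for off in range(0, len(plaintext), chunk_size):
        token = base64.b64encode(rc4(RC4_KEY, plaintext[off:off + chunk_size])).decode()
        lines.append(f"GET http://cdn.altimiter.local/feed?post={quote(token, safe='')} HTTP/1.1")
    return lines
```

Feeding real proxy or packet-capture lines into extract_chunks gives the raw post= values; if decode_exfil yields garbage, the assumed encoding chain is wrong and the stealStuff disassembly should be checked for the true order of base64 and RC4.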

Rules & Signatures

Yara Rules

This rule searches for the key strings I found during my analysis of this malware. The condition returns true if a file contains "nim", one of the callback domains and one of the functions found in NimMainModule. YARA strings are case-sensitive by default, so the function names use the exact casing from the FLOSS output (stealStuff, not stealstuff).

rule Yara_SickoMode {

    meta:
        last_updated = "2024-04-22"
        author = "luis"
        description = "A yara rule for the SickoMode malware created by HuskyHacks"

    strings:
        // Nim runtime marker and the callback/exfiltration domains seen during analysis
        $str1 = "nim"
        $str2 = "cdn.altimiter.local"
        // function names recovered from the binary, matching the floss output exactly
        $str3 = "houdini"
        $str4 = "toRC4"
        $str5 = "checkKillSwitchURL"
        $str6 = "stealStuff"
        $str7 = "update.ec12-4-109-278-3-ubuntu20-04.local"

    condition:
        // Nim marker, at least one callback domain and at least one known function name
        $str1 and ($str2 or $str7) and ($str3 or $str4 or $str5 or $str6)
}

Strings

InternetOpenW
InternetOpenUrlA
InternetCloseHandle

@iterators.nim(240, 11) `len(a) == L` the length of the seq changed while iterating over it
ticks

@net.nim(1438, 12) `avail <= size - read` 
@recv
@net.nim(1367, 14) `size - read >= chunk` 
@net.nim(1319, 9) `not socket.isClosed` Cannot `recv` on a closed socket
@readLine
@' timed out.
@Call to '
@net.nim(1403, 24) `false` 
@Could not send all data.
@No valid socket error code available
@net.nim(1669, 9) `not socket.isClosed` Cannot `send` on a closed socket
@Couldn't resolve address: 
@net.nim(233, 10) `fd != osInvalidSocket` 

@:houdini
@Authorization
@Host
@httpclient.nim(1144, 15) `false` 
@Transfer-Encoding
@Content-Type
@Content-Length
@httpclient.nim(1082, 13) `not url.contains({'\r', '\n'})` url shouldn't contain any newline characters
@http://cdn.altimiter.local/feed?post=
@Nim httpclient/1.6.2
@Desktop\cosmo.jpeg
@SikoMode
@iterators.nim(240, 11) `len(a) == L` the length of the seq changed while iterating over it
@ccc
@Mozilla/5.0
@C:\Users\Public\passwrd.txt

stdlib_strutils.nim.c
genKeystream__OOZOOZOOZOOZOOZOnimbleZpkgsZ8267524548O49O48Z826752_2
toRC4__OOZOOZOOZOOZOOZOnimbleZpkgsZ8267524548O49O48Z826752_51
@m..@s..@s..@s..@s..@s.nimble@spkgs@sRC4-0.1.0@sRC4.nim.c
encode__pureZbase5452_42
stdlib_base64.nim.c

stdlib_winlean.nim.c

stdlib_win_setenv.nim.c

NaturalToInt32__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_49
newWString__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_66
UTF8minusgtwstring___OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_120
winstrConverterStringToLPWSTR__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_713
winstrConverterWideCStringToLPWSTR__OOZOOZOOZOOZOOZOnimbleZpkgsZwinim4551O54O49ZwinimZwinstr_681
winim_winstrDatInit000

@m..@s..@s..@s..@s..@s.nimble@spkgs@swinim-3.6.1@swinim@swinstr.nim.c
winim_winbaseDatInit000

@m..@s..@s..@s..@s..@s.nimble@spkgs@swinim-3.6.1@swinim@sinc@swinbase.nim.c
winim_wininetDatInit000

@m..@s..@s..@s..@s..@s.nimble@spkgs@swinim-3.6.1@swinim@sinc@swininet.nim.c
Marker_tyRef__y4kGpp4Cn6oTOCWBJMIxAg

stdlib_streams.nim.c
stdlib_nativesockets.nim.c
stdlib_hashes.nim.c
stdlib_monotimes.nim.c

stdlib_randomInit000
stdlib_random.nim.c

stdlib_httpcore.nim.c
stdlib_asyncfutures.nim.c

stdlib_asyncdispatch.nim.c

@m..@s..@s..@s..@s..@s.nimble@spkgs@swinim-3.6.1@swinim@sinc@sshellapi.nim.c

checkKillSwitchURL__sikomode_25
unpackResources__sikomode_17
request__sikomode_208
get__sikomode_201
getContent__sikomode_194
houdini__sikomode_51
stealStuff__sikomode_130

NimMainModule
NimMainInner

homeDir__sikomode_13
res__sikomode_263
passwrd__sikomode_14