Malware Analysis of Olympic Destroyer.
PEStudio:
First initial file for this malware is a .exe file disguised as a .bin file. (First bytes are 4D 5A). Analyzing this file with pestudio we can get a sense of what we’re working with. Already we can see pestudio can provide us with some initial indicators. Checking the sections of this file we can see the files hidden within the .rsrc section:
Library section shows us a sense of what this file is doing, we can see that it is utilizing blacklisted libraries which use the internet and a credential manager.
Functions are consistent with the blacklisted libraries:
We can see with GetIPNetTable its retrieving the IPv4 to physical address mapping table.
With GetAddrInfoW, it provides protocol-independent translation from a Unicode host name to an address and then subsequently frees it with FreeAddrInfoW.
WSAStartup and WSACleanup (That 3rd column means ordinal) works with sockets and handling connections with Winsock DLL.
The most interesting function called has to be the NetGetDCName where it returns the name of the primary domain controller. Definitely something to keep an eye on.
The last blacklisted function not listed is the CredUIParseUserName function, which extracts the domain and user account name from a fully qualified user name.
Strings section provides with a lot of useful information:
- “S-1–5–18” (System) , “S-1–5–19" (NT Authority) , “S-1–5–20” (Network Service)
- “Select * From Win32_ProcessStopTrace”
- “SELECT ds_cn FROM ds_computer”
- “%d.%d.%d.%d”
- “%s\root\directory\LDAP”
- Multiple websites with “Pyeongchang2018.com\*username*” and then what looks to be a password followed after
Initial analysis of these 4 files show that they have a high level of entropy which means they are probably packed or obfuscated which makes it more difficult to analyze.
IDA
Our main goal here isn’t to analyze every section of this malware, so when analyzing in IDA we’re just gonna focus on the things that truly stand out.
Here we can see the LogonUserA and the parameters being passed to it.
Here we can see in .text that a string is being allocated that seems to be calling cmd.exe and passing parameters
A closer look into the command being passed. This is a VBS script the malware uses to find more victims by copying the initial stage to the remote system in %ProgramData%\%COMPUTERNAME%.exe.
Another command line being passed where its pinging a nulladdress and then deleting a file
We can see the file uses LDAP in some capacity
Here we can see it is running this command. By WQL (SQL for WMI) which attempts to list all the systems within the current environment/directory.
This is about as far as we can get in static analysis, next we will go into some behavioral/dynamic analysis of the sample.
Dynamic Analysis of Olympic Destroyer
In order to run the sample, we first configure our VM to have zero connections to internet or host as well as disabling a majority of the security measures. The tools used for this section include x32 Debugger, IDA Free, Procmon, and Process Hacker and PEStudio. This is a quick analysis to figure out what the malware is executing and how it works on the system.
Procmon:
Configuring procmon to monitor all processes we begin to run the sample. The tree view gives us a good overview of the process the malware uses:
Two of the dropped files are executed with 123 and a named pipe. The named pipe is used as a communication channel between the initial stage and the dropped executable. Some takeaways here show that the main malware is a parent process to 2 processes which execute (2 shown, 1 missing)
- fxrbh.exe
- _exw.exe
We’re gonna go more into detail about what these exe actually do, but lets continue our analysis.
Along with spawning other processes we can find where the malware is hiding these .exes based on File operations.
Once the malware spawns the 4 executables it will delete itself. We now pivot to analyzing some the 4 executables. We can easily find them thanks to ProcMon.
FXRBH.exe
PEStudio provides us a basic analysis of this first file, we can see instantly that it is hiding another file within its .rsrc section. This file also has a high level of entropy so its probably packed/obfuscated or the file within it is.
This file FXRBH is a browser credential stealer. The final payload is the embedded obfuscated file in the resource.
_exw.exe
This is the destructor/destroyer, we can validate that by some of the previous images above which show the actions this .exe executes. The steps the malware takes firstly is to:
- Deletes all possible shadow copies on the system using vssadmin
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
- Deletes all files, folders, directories, drives from the file recovery used in backups (wbadmin.exe)
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
- Next it calls bcdedit, which it uses for boot config data info, to make it harder for the victim to recover and even boot the system
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
- Lastly to cover it’s tracks, it also deletes System and Security Windows log events to make it difficult to analyze.
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Verifying this in IDA and x32 Debugger we can also see that it also makes sure to change the config and sets a timer to shutdown.
The malware uses enumerates through every service config and then uses the ChangeServiceConfigW API to change the start type for every service to 4 which means to disable the service.
We can see it also calls to shutdown the system after sleeping for 36EE80 Milliseconds = 1 Hour
_stt.exe
Analyzing this file we find out this is the exact same file as the intial file. The malware uses this extra file to update credentials and move on to the next victim. We can verify this with the hashes which are identical to the first initial file.
_gur.exe
_gur.exe is actually not malicious, it simply installs psexec which the malware uses to connect to the next victim, we can check and see the version and the file in resources.
System Stealer
For some reason I couldn’t get this file in my analysis. Simply this file is similar to the browser credential file, where it will attempt to steal any credentials on the system. We can see it has been previously successful for the multiude of passwords and Pyeongchang emails we found on the initial file. The image below is a screengrab from Cisco Talos showing how the passwords are outputted:
In Colin Hardy’s YouTube video you can see where the credentials are stored in a SQLite file and how you can view the stolen credentials.
So thats pretty much it for this malware, pretty cool tools and techniques. Make sure to check the resources to learn more about it. This is it for my very beginner basic dynamic analysis. If you’ve made this far, I appreciate you for reading this.
Thanks.
_________________________________________________________________
My Resources for this project:
Olympic Destroyer — Quick behavioural Analysis of this Wiper Malware
The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
Legal Disclaimer: This malware sample is ran only for research purposes. Sample is ran in controlled isolated environment and research is done beforehand to protect host computer and network to prevent breakout.