SillyPutty Malware Analysis

Stacey Landrum
7 min read · Feb 24, 2023


Briefing & Objective

I received a message from the IT team that was concerned about a potential malware that could be affecting a critical business program. It reads:

Hello Analyst,

The help desk has received a few calls from different IT admins regarding the attached program. They say that they've been using this program with no problems until recently. Now, it's crashing randomly and popping up blue windows when it's run. I don't like the sound of that. Do your thing!

IT Team

Now I need to perform basic static and basic dynamic analysis on this sample to determine if the behavior is indicative of malware. Let’s begin:

Basic static analysis

First I will place the sample on my Desktop and launch Cmder. I will call the Powershell function.

What is the SHA256 hash of the sample?

0C82E654C09C8FD9FDF4899718EFA37670974C9EEC5A8FC18A167F93CEA6EE83

We can also see the hash in PEStudio.

Hash

What architecture is this binary?

PEStudio also shows the binary is 32-bit architecture.

PuTTY Architecture

Are there any results from submitting the SHA256 hash to VirusTotal?

As of 2/21/23, 58 security vendors and 1 sandbox have flagged this program as malicious.

VirusTotal Results

Describe the results of pulling the strings from this binary. Record and describe any strings that are potentially interesting. Can any interesting information be extracted from the strings?

Let’s exit out of Powershell and run Floss. I’ll check for interesting strings of 8 characters or more and save it to puttyfloss.txt.

While I’m waiting on that to finish, I look at the binary in PEStudio.

The largest string appears to be a Powershell script. Now that Floss is complete, let’s search for this string. This looks interesting.

There appears to be a base64-encoded, gzip-compressed stream inside of the Powershell script. From the command-line switches we can try to understand what it is trying to do.

  • -nop (no profile) tells PowerShell not to load the PowerShell profile.
  • -noni runs a non-interactive session.
  • -w hidden (windowstyle hidden) tells PowerShell to hide its window.
  • -ep bypass bypasses the execution policy.

Let’s see if we can decode the payload.

We get gibberish. Running the file command tells us it is a gzip compressed data file.

We have our putty file saved for future inspection.

Opening it we see a script called Powerfun. It appears to be a Powershell one-liner running a base64-encoded, compressed payload that could be used to form a reverse shell from a target.
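The decoding steps above (base64, then gunzip) as a small analysis helper, added here and not part of the original writeup. The one-liner below is constructed: its inner script is harmless and only the loader shape (the four switches and a FromBase64String argument) matches what the analysis describes.

```python
import base64
import gzip
import re

# Constructed sample (not the real SillyPutty payload): a harmless script,
# gzip-compressed and base64-encoded, inside a loader that uses the same
# switches and FromBase64String('...') call the analysis describes.
INNER_SCRIPT = "Write-Output 'constructed sample payload'"
ENCODED = base64.b64encode(gzip.compress(INNER_SCRIPT.encode("utf-8"))).decode("ascii")
SAMPLE_ONE_LINER = (
    "powershell.exe -nop -w hidden -noni -ep bypass "
    "\"[System.Convert]::FromBase64String('" + ENCODED + "')\""
)

SUSPICIOUS_FLAGS = ("-nop", "-noni", "-w hidden", "-ep bypass")
B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
GZIP_MAGIC = b"\x1f\x8b"


def found_flags(text: str) -> set:
    """Return which of the loader switches appear in the command line."""
    lowered = text.lower()
    return {f for f in SUSPICIOUS_FLAGS if f in lowered}


def extract_base64_blobs(text: str) -> list:
    """Return every base64 literal passed to FromBase64String."""
    return B64_ARG.findall(text)


def decode_payload(blob: str) -> str:
    """Base64-decode a blob; gunzip it if it starts with the gzip magic bytes."""
    raw = base64.b64decode(blob)
    if raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def recover_scripts(text: str) -> list:
    """Decode every embedded payload found in a loader command line."""
    return [decode_payload(b) for b in extract_base64_blobs(text)]


if __name__ == "__main__":
    print("switches:", sorted(found_flags(SAMPLE_ONE_LINER)))
    for script in recover_scripts(SAMPLE_ONE_LINER):
        print("recovered:", script)
```

Point it at the string Floss pulled from the binary and it writes out the inner script the same way the manual file/base64/gunzip steps did.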

Is it likely that this binary is packed?

It’s likely not packed since the size of raw data and virtual size are about the same.

Describe the results of inspecting the IAT for this binary. Are there any imports worth noting?

Nothing really jumps out because most of the imports are required for PuTTY’s normal functions.

Dynamic Analysis

Describe initial detonation. Are there any notable occurrences at first detonation?

Let’s fire up the binary and we see a brief blue window flash and the PuTTY GUI loads. So -w is why we saw the blue window flash briefly.

We get a brief process running in TCPView showing it is trying to connect via TCP over port 8443.

Let’s open Procmon to see what processes are running. I will filter for processes containing ‘putty’.

There’s a lot of output so we can filter by PID and remove the ‘putty’ filter.

From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this?

Now we see the Powershell processes that are running.

The top event shows the Powershell script we were examining earlier.

We see this process in Process Tree. It creates powershell.exe as a child process.

What is the DNS record that is queried at detonation?

Let’s start Wireshark on Remnux and see what we can find. A DNS request is sent for bonus2.corporatebonusapplication.local but there is no internet available to fulfil the request.

What is the callback port number at detonation? What is the callback protocol at detonation? How can you use host-based telemetry to identify the DNS record, port, and protocol?

Let’s try to set up our fake internet environment with inetsim and run Wireshark. We see the program try to connect over TCP on port 8443 using SSL/TLS. We can filter for TCP in Procmon and the name of the binary.
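The host-based correlation described in the last two sections (putty.exe spawning a hidden-window powershell.exe, then that process calling out on port 8443) as detection logic over constructed telemetry. This is an added example, not part of the original writeup; the event records are made up in the spirit of Procmon/Sysmon output and the paths are assumptions.

```python
from dataclasses import dataclass

# Constructed telemetry (not captured from the real sample): process-creation
# and TCP-connect events in a simplified Procmon/Sysmon-like shape.
@dataclass
class Event:
    kind: str     # "process" or "network"
    pid: int
    ppid: int
    image: str    # full image path
    detail: str   # command line for process events, "PROTO host:port" for network

EVENTS = [
    Event("process", 4100, 3000, r"C:\Users\analyst\Desktop\putty.exe", "putty.exe"),
    Event("process", 4212, 4100,
          r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -nop -w hidden -noni -ep bypass "<encoded loader>"'),
    Event("network", 4212, 4100,
          r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          "TCP bonus2.corporatebonusapplication.local:8443"),
    Event("process", 5000, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
]

SUSPICIOUS_FLAGS = ("-nop", "-noni", "-w hidden", "-ep bypass")
CALLBACK_PORT = 8443


def hidden_powershell_children(events, parent_name="putty.exe"):
    """PIDs of powershell.exe launched by parent_name with all four loader switches."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in procs.values():
        if not e.image.lower().endswith("powershell.exe"):
            continue
        parent = procs.get(e.ppid)
        if parent is None or not parent.image.lower().endswith(parent_name):
            continue
        if all(flag in e.detail.lower() for flag in SUSPICIOUS_FLAGS):
            hits.append(e.pid)
    return hits


def callbacks_for(events, pids, port=CALLBACK_PORT):
    """(pid, destination) pairs for network events from flagged PIDs to the port."""
    return [(e.pid, e.detail.split(" ", 1)[1])
            for e in events
            if e.kind == "network" and e.pid in pids and e.detail.endswith(f":{port}")]


if __name__ == "__main__":
    flagged = hidden_powershell_children(EVENTS)
    print("flagged PIDs:", flagged)
    print("callbacks:", callbacks_for(EVENTS, flagged))
```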

Since we don’t have a proper internet connection we can’t connect. Let’s try a workaround by editing our hosts file to connect to the domain.

Let’s flush our DNS and give it another go.

Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn?

Restart Wireshark and run putty.exe. We can set up a listener but we are getting gibberish.

Because we can’t get the TLS certificate exchange to complete we are unable to communicate.

Going back to the PowerFun script I noticed the last line:

I tried editing this line to use a bind shell without SSL.

I saved the file and created a Gzip, then got my hash.

I ran the Powershell script with the new hash and set up my listener on Remnux.

We have a shell!!!

I found that I could also get a shell using Metasploit. First I’ll fire up my Kali to get my IP address. I will change the DNS record to my Kali IP in /etc/hosts.

Now I will load exploit/multi/handler and use the powershell_reverse_tcp_ssl payload. I set LHOST to my Kali IP and LPORT to 8443.

I run putty.exe on Windows and we have a shell!

It looks like the handshake completed to allow the shell.


Stacey Landrum

Cybersecurity analyst with a CySA+ certification and a background in accounting. Passionate about protecting digital assets & staying ahead of emerging threats.