Malware analysis - A little help will be needed

Automated Malware Analysis Report for inspection.exe - Generated by Joe Sandbox Analysis

Objectives

Find out if the file is malicious.
Find the CNC destination.

Flag:
Dropper:
Flag:
CNC Flag:
CNC IP:

I’ve probably found

Flag: Fl3gg4d
CNC Flag: Mind4licoius
CNC IP: 212.143.39.245 or 62.219.24.65

But I can’t find a ■■■■ Dropper, please help me

It feels a little bit like a homework assignment, however have you looked at the behaviour graph? It implies inspection.exe is the dropper because it dropped a massive load of python files.

If that isn’t it, have a look in the Joe Sandbox View / Context bit - there are a lot of files there.

Alternatively, you might need to look at the HTTP data to see what the hex decodes to. For example, the traffic at May 7, 2020 14:52:29.105643034 CEST is clearly GZipped data and may be worth checking out.

Really it boils down to what the expectations are.

@TazWake

Thanks for the answer I can always count on you.

But unfortunately, I need a little more guidance or explanation for this problem. I’ve been sitting on it for a few days and have no idea how to solve it.

@Kongus said:

Thanks for the answer I can always count on you.

I try.

But unfortunately, I need a little more guidance or explanation for this problem. I’ve been sitting on it for a few days and have no idea how to solve it.

Ok, but in turn, I’ll need a bit more background. Is this a standard CTF? Is it something set for a specific course?

The reason this matters is that there can be lots of different answers.

Starting with the first idea - a dropper is a bit of malware that contains additional malware which it “drops” when it runs. This is one of the two most common ways malware works - the other is a downloader/download cradle which calls out to a C2 to get second stage malware. Both are strategies for bypassing defences - droppers often appear legitimate because they don’t do anything malicious (just create files), downloaders appear legitimate because they contain no malcode.

If you have evil.exe it can be challenging to determine what dropped it just by examining the file. However, the stuff in Joes Sandbox seems to point to the file being analysed as the dropper.

For example: Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Next, it is worth looking at the behaviour graph - for example: Example from Joes Sandbox - Album on Imgur

Here we can see inspection.exe is dropping multiple files but is viewed as clean itself. This is a pretty strong characteristic of a dropper.

I am open to other interpretations but, realistically if someone asked me what the dropper was here, I’d say inspection.exe

If that is not the right answer, I’d next look at the hex and find a way to unzip and work out what that is (when I tried a quick Gunzip, it was just an error)