The 2019–20 coronavirus pandemic is an ongoing pandemic of coronavirus disease 2019 (COVID-19). It has forced many countries to impose strict, total lockdowns, forcing people to study and work from home. This has become a hot target for hackers, who spread malware via email and fake websites pretending to provide information about the coronavirus.
I decided to analyze some of the known malware that people had spotted in the wild. I found many interesting things in this analysis, which I will discuss below. For now it’s just static analysis, but I am planning to write about dynamic analysis as well!
Before you proceed, you should know that this article has been created for educational purposes only; any use of the samples or technologies in this article for any harmful activity is prohibited. SECARMY doesn’t promote unethical activities and will not be liable for the same.
First of all, here is a list of the SHA256 hashes of all the malware samples I will be analyzing throughout this article. These hashes can be used to find the samples on VirusTotal or MalwareBazaar.
1df1f90da9a07dfe25f0368fc24830fd1513e938c590e9ca6cfbe422dcfedc38
0ce3541dd3f8e7184555112cde56fac27e3664e5d7d1f4020a2636810b9716
1a7fe9f45a80c2dae0237cc9aada201d3fa5eca08bfbc297e48f22faa35f131e
4b8b49bdfa435d0faba2e3964b04e20bbfc86aa4ffc3c3b8e1449894892f125b
32f57d349f6b7008209b1edb9531f46b7903c5f509f6500c0cd33b6ebe8a2723
97e961ffd1883624c6629f8e621d86ac6388751a15a851c33eb12006ab9e1bff
903ceb802bdb0a58f173f1d9e369d10fc14378232400dc2cb0d14377c5f4a4fe
5185e5f10315eeb5b39b32d3f310c5789d88d5e47d849b2fe8ce9df8ae461099
83457e2b8f9209ec1c987b1a0bee65140cc41d1d59ed38f1d1ad160ea0d1d13c
087697d241c62f0668f25caa7c739611b4ab1ff5ff7fba466757e67aa5e3a608
10315925b522edfdb4a4fdbd067493ed9bf97796fc3dd61242de5b4bf71c6471
4163583794b9438194fedb4ca287e30d0c540c8c615e43613ada022534606ac9
a621cde9778f6fe594633e515e55db31e70aab2109d72a12ad14e502dd873ec7
bed06510d878aedc81671ebf83fb2dd246f88de58514124d166e0831b4d9c4d0
c9fa8e9c44e5fb934569771f39093e4ba7b66dcb2204b51fea382f0065d6c240
c86adaa9802afda5346e7b351ebe646dcf3bdeff37af3beb9f72b2bf42d2b5e2
d0a8b39bc4bd58191a4b6db1a71621e7d9e2e124c05ad01922aafb9eba72205a
d87c6077423627f449ad0706b6aae722a75b8cb2bd8f977b01b2ee5d6333b069
da8dada541439344559a32faa08cc442d26f900afb5202080921c4396890e491
e165e9b297ead19fb65c8510105aaed635dacdb999483321525e456187804391
OK, so now we have a list of hashes we can use to download the malware samples. Let’s take a look at one of these samples, which gave quite interesting results!
I chose this hash: 4163583794b9438194fedb4ca287e30d0c540c8c615e43613ada022534606ac9
Finding the Meta-data of the file
Before we proceed any further, let’s try to find the metadata of this file. For this I will use exiftool. This tool is great for extracting metadata from a number of file types: whether it’s a .jpg or a .exe, it will always yield some useful results on your terminal screen.
OK, enough talk, let’s run it!
And voilà! We found it! One of the interesting entries I found here was the Internal Name, which had the value tcgcQZrjffyIAPzmPfcQNoEQSJxlP.exe. Searching this filename on Google returned no pages containing it, because of which many would think this is a false positive. But why not look at the strings inside this exe?
Using the strings command
The strings command can be used to find the printable strings inside a file, which is helpful for a quick lookup instead of opening those fancy debuggers.
So we ran the strings command (strings filename.exe) on the file, and it yielded some interesting results.
One of these entries was “get_PasswordHash”, which surely doesn’t pop up in any random file. You might think it would be part of some ordinary function, but I also found some other results that were surely part of spyware.
Continuing the analysis
I kept on analyzing other files, and one of the most frequently found references was HT.Shop.DownAndUpLoad. I consulted one of my friends about this one, and according to him it has been used in some other RATs and malware as well!
I decided to extract the metadata of the other malware samples as well, and surprisingly the same reference was present in around 7 different files. It didn’t end there: one more thing that surprised me was that all of these files had a Legal Copyright value pointing to Piriform Software Ltd, which owns the product CCleaner.
This gives us a clue that a good amount of the malware out there has something in common: the HT.Shop.DownAndUpLoad reference and a copyright of Piriform Ltd. The attackers might have deliberately added this copyright name, but the shared reference helps us understand that many of these samples possibly come from a similar source.
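The exiftool and strings steps above, and the cross-sample correlation on HT.Shop.DownAndUpLoad and the Piriform copyright, can be reproduced offline with a small script. The following Python is an added example and not the article’s own tooling: it hashes a byte blob, pulls out ASCII and UTF-16LE strings (the version-info values exiftool reports, such as InternalName and LegalCopyright, are stored as UTF-16LE in the PE resource section, so the wide pass is what surfaces them), flags the indicators the article names, and groups samples by shared indicator. The sample blobs are constructed stand-ins, not the real files behind the listed hashes.

```python
"""Added triage helper (not the article's tooling): SHA256, ASCII/UTF-16LE
string extraction, indicator matching and clustering across samples."""
import hashlib
import re
from typing import Dict, List

# Indicators quoted in the article, with what each one suggests to a defender.
INDICATORS = {
    "get_PasswordHash": "credential-access method name (.NET getter)",
    "HT.Shop.DownAndUpLoad": "namespace shared across several samples",
    "Piriform Software Ltd": "LegalCopyright spoofing the CCleaner vendor",
}


def sha256_hex(data: bytes) -> str:
    """Hash a blob so it can be checked against a published SHA256 list."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings` (ASCII) plus `strings -el` (UTF-16LE).

    PE VERSIONINFO values (InternalName, LegalCopyright, ...) are UTF-16LE,
    so the wide pass is what recovers the fields exiftool prints."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def match_indicators(strings: List[str]) -> Dict[str, str]:
    """Return {indicator: meaning} for every indicator seen in the strings."""
    hits: Dict[str, str] = {}
    for s in strings:
        for needle, meaning in INDICATORS.items():
            if needle in s:
                hits[needle] = meaning
    return hits


def triage(samples: Dict[str, bytes]) -> Dict[str, dict]:
    """Per sample: SHA256 plus the sorted list of indicators it contains."""
    report = {}
    for name, data in samples.items():
        hits = match_indicators(extract_strings(data))
        report[name] = {"sha256": sha256_hex(data), "hits": sorted(hits)}
    return report


def cluster_by_indicator(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Invert the report: which samples share each indicator. This is the
    article's observation (same namespace and copyright in ~7 files) made
    mechanical so it scales to a whole sample set."""
    clusters: Dict[str, List[str]] = {}
    for name, info in report.items():
        for ind in info["hits"]:
            clusters.setdefault(ind, []).append(name)
    return {k: sorted(v) for k, v in clusters.items()}


def _fake_pe(ascii_parts: List[str], wide_parts: List[str]) -> bytes:
    """Constructed stand-in for a PE: MZ magic, non-printable filler, then
    NUL-terminated ASCII strings and NUL-NUL-terminated UTF-16LE strings.
    Hypothetical test data only; not a real or loadable executable."""
    blob = b"MZ" + b"\x90" * 64
    for p in ascii_parts:
        blob += p.encode("ascii") + b"\x00"
    blob += b"\x00" * 3  # keep the ASCII and wide regions from touching
    for p in wide_parts:
        blob += p.encode("utf-16-le") + b"\x00\x00"
    return blob


# Constructed samples mirroring what the article reports (names are made up).
SAMPLES = {
    "sample_a.exe": _fake_pe(
        ["get_PasswordHash", "HT.Shop.DownAndUpLoad"],
        ["LegalCopyright", "Piriform Software Ltd",
         "tcgcQZrjffyIAPzmPfcQNoEQSJxlP.exe"]),
    "sample_b.exe": _fake_pe(["HT.Shop.DownAndUpLoad"],
                             ["Piriform Software Ltd"]),
    "benign.exe": _fake_pe(["GetProcAddress", "kernel32.dll"],
                           ["Example Corp"]),
}

if __name__ == "__main__":
    rep = triage(SAMPLES)
    for name, info in rep.items():
        print(name, info["sha256"][:16], info["hits"])
    print(cluster_by_indicator(rep))
```

Running it prints one line per sample with its hash prefix and indicator hits, then the inverted view showing that sample_a.exe and sample_b.exe share both the HT.Shop.DownAndUpLoad namespace and the Piriform copyright while benign.exe matches nothing. On real files, read each one in binary mode into SAMPLES and compare the reported SHA256 against the list at the top of the article before trusting the sample.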
Well, here’s the end of this article. I plan to publish more articles regarding malware analysis in the future, but for now I hope that you are satisfied with this one.
My only advice to readers would be not to click on random links in emails you find suspicious, and not to download any software or PDFs from them!