Static & Dynamic Analysis on An Unknown Sample
- Hacking By Doing
- Aug 8, 2024
- 2 min read
Today, I will complete the "SickoMode" challenge from PMAT Labs. My objective is to analyze a suspicious file suspected to be a trojan.
Let's dive into the analysis process.
Extracting Hashes
To start, I computed the file's hashes (MD5, SHA-1, SHA-256) and looked them up on VirusTotal, where the sample was already flagged as a potential trojan. Searching by hash rather than uploading the file keeps the sample itself off the platform.
Determining the Language
Next, I needed to determine the programming language used for the binary.
Extracting strings with FLOSS turned up indicators (runtime and library names) suggesting the binary was written in Nim.
Strings are only a hint, though: malware authors sometimes plant misleading strings, so the language guess should be confirmed later in the disassembly.
Identifying the Architecture
I loaded the binary into PEstudio to determine its architecture.
PEstudio reads the Machine field and optional-header magic from the PE header, which identify the target architecture and whether the image is PE32 or PE32+, and also lists the sections and imports, giving a clear picture of the binary's structure.
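To show what PEstudio is reporting under the hood, here is an added example (not part of the original post or the PMAT Labs material) that parses the DOS header, follows e_lfanew to the PE signature and decodes the COFF Machine field, Characteristics and optional-header magic. The header bytes it runs on are constructed inline for the demonstration; they are not taken from the SikoMode sample.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_TYPES = {
    0x014C: "x86 (IMAGE_FILE_MACHINE_I386)",
    0x8664: "x64 (IMAGE_FILE_MACHINE_AMD64)",
    0x01C4: "ARM Thumb-2 (IMAGE_FILE_MACHINE_ARMNT)",
    0xAA64: "ARM64 (IMAGE_FILE_MACHINE_ARM64)",
}

# IMAGE_FILE_HEADER.Characteristics flags of interest.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# Optional header magic: PE32 (32-bit) vs PE32+ (64-bit address space).
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_architecture(data: bytes) -> dict:
    """Return machine type, image kind and format from a raw PE image.

    Raises ValueError if the MZ or PE signature is missing, so a truncated
    or non-PE file fails loudly instead of being misread.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    # e_lfanew at offset 0x3C is the file offset of the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    info = {
        "machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})"),
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }
    if opt_size >= 2:
        # The optional header starts right after the 20-byte COFF header.
        (magic,) = struct.unpack_from("<H", data, coff + 20)
        info["format"] = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(
            magic, f"unknown optional header magic 0x{magic:04x}")
    return info


def is_pe(data: bytes) -> bool:
    """Convenience wrapper: True if the data carries valid MZ and PE signatures."""
    try:
        pe_architecture(data)
        return True
    except ValueError:
        return False


def build_header_stub(machine: int, magic: int, characteristics: int) -> bytes:
    """Constructed minimal header for the demo (not a real sample): DOS header
    with e_lfanew = 0x80, PE signature, COFF header, first word of optional header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew -> 0x80
    dos += b"\0" * (0x80 - len(dos))                # pad up to the PE signature
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed x64 executable header used for the demonstration.
SAMPLE_X64 = build_header_stub(0x8664, PE32PLUS_MAGIC, IMAGE_FILE_EXECUTABLE_IMAGE)

if __name__ == "__main__":
    print(pe_architecture(SAMPLE_X64))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_architecture`; the Machine value is what to cross-check against PEstudio's output before picking a disassembler profile.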
Dynamic Analysis
During dynamic analysis, I noticed that the sample deleted itself immediately on launch when no network services were available, but kept running when INetSim was answering its requests.
This points to some form of connectivity check acting as the trigger, which warranted further investigation.
Checking for Persistence
To check for persistence mechanisms, I watched the process in Procmon.
Surprisingly, the binary did not exhibit typical persistence behaviors such as dropping files into startup locations or adding registry run keys.
Identifying Callback Domains
Next, I looked for any callback domains associated with this malware.
By running INetSim and Wireshark on my REMnux VM, I captured the sample's outbound requests and recovered a network signature from them.
However, searching the FLOSS output for that string returned nothing.
So the domain the binary contacts (and sends data to) while INetSim is running does not exist as a plaintext string in the file; it is evidently assembled or decoded at runtime, which is why a static strings pass misses it.
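When a string seen on the wire is absent from the strings output, the usual next step is to search the file for it in the encodings a plain ASCII pass does not cover. This is an added example, not code from the original post: it looks for a target string as ASCII, UTF-16LE and under every single-byte XOR key. The blob it scans and the domain `callback.example.local` are constructed for the demonstration and are not the lab's actual indicators.

```python
def candidate_encodings(needle: str):
    """Yield (label, byte pattern) pairs for the common ways a string hides
    from an ASCII-only strings pass: UTF-16LE and single-byte XOR.
    Key 0x00 is skipped because it is identical to the plain ASCII form."""
    raw = needle.encode()
    yield "ascii", raw
    yield "utf-16le", needle.encode("utf-16-le")
    for key in range(1, 256):
        yield f"xor-0x{key:02x}", bytes(b ^ key for b in raw)


def find_hidden_string(blob: bytes, needle: str) -> list:
    """Return [(encoding label, offset), ...] for every occurrence of needle
    in blob under each candidate encoding."""
    hits = []
    for label, pattern in candidate_encodings(needle):
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((label, idx))
            start = idx + 1
    return hits


# Hypothetical domain used only for this demo; not the sample's real callback.
DOMAIN = "callback.example.local"
UA = "Mozilla/5.0"


def build_sample_blob() -> bytes:
    """Constructed file contents: a plaintext string, the domain XORed with
    0x5A, and a UTF-16LE user-agent string, separated by zero padding."""
    xored = bytes(b ^ 0x5A for b in DOMAIN.encode())
    return (
        b"\x00" * 16
        + b"some plaintext\x00"          # offset 16, 15 bytes
        + xored                          # offset 31, 22 bytes
        + b"\x00" * 8
        + UA.encode("utf-16-le")         # offset 61
        + b"\x00" * 4
    )


SAMPLE_BLOB = build_sample_blob()

if __name__ == "__main__":
    for label, off in find_hidden_string(SAMPLE_BLOB, DOMAIN):
        print(f"{DOMAIN!r} found as {label} at offset 0x{off:x}")
    for label, off in find_hidden_string(SAMPLE_BLOB, UA):
        print(f"{UA!r} found as {label} at offset 0x{off:x}")
```

Single-byte XOR on short strings produces chance matches, so search for the full domain rather than a fragment, and treat a hit as a lead to confirm in the disassembler (the decoding routine should sit near the cross-references to that offset). If nothing turns up, the string is probably built piecewise on the stack or decrypted with something stronger, which is where the RC4 finding below becomes relevant.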
Static Analysis
Moving on to static analysis, I aimed to identify the encryption algorithm used in the binary.
Opening the malware in Cutter, I observed a call into an RC4 routine (RC4 is a stream cipher that XORs data with a keystream derived from the key).
Following the cross-references for that call led to a loop in which the data is fed through RC4.
Curious about the key, I went back to Procmon and filtered on CreateFile operations by the binary's process name.
This showed the sample opening a file, and opening that file revealed it contains nothing but the string SikoMode, which appears to be the RC4 key.
Because RC4 is symmetric, having the key means any captured ciphertext can be decrypted offline; a sensible check is to decrypt a blob with the candidate key and see whether readable data comes out.
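To make the RC4 finding concrete, here is an added example (my own code, not the sample's or PMAT Labs' implementation) of the key-scheduling and keystream steps of RC4, applied with the key SikoMode recovered above, together with a printable-text heuristic for confirming that a candidate key actually decrypts a captured blob. The plaintext it encrypts is constructed for the demo. It also checks itself against the published RC4 test vectors so an implementation mistake cannot pass silently.

```python
def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute S[0..255] under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is identical) with RC4's PRGA."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic used to judge whether a decryption attempt produced text:
    at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def try_key(candidate: bytes, ciphertext: bytes):
    """Decrypt with a candidate key; return the plaintext if it looks like
    text, otherwise None. This is the 'does the key fit?' check."""
    plaintext = rc4_crypt(candidate, ciphertext)
    return plaintext if is_mostly_printable(plaintext) else None


# Key recovered from the dropped file in the analysis above.
KEY = b"SikoMode"
# Constructed stand-in for the data the sample reads and encrypts.
SAMPLE_PLAINTEXT = b"user:analyst\npass:correct-horse-battery\n"
SAMPLE_CIPHERTEXT = rc4_crypt(KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("SikoMode   ->", try_key(KEY, SAMPLE_CIPHERTEXT))
    print("wrong key  ->", try_key(b"notthekey", SAMPLE_CIPHERTEXT))
```

In practice the ciphertext comes from the Wireshark capture rather than from `rc4_crypt` itself; if the traffic carries it in an encoded form (hex, base64, or chunked across requests), reassemble and decode it first, then run `try_key` with the recovered key. A wrong key yields pseudo-random bytes and fails the printable check, which is exactly the signal you want before declaring the key confirmed.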
Investigating the Kill Switch
Finally, I examined the kill switch mechanism that deletes the binary after execution.
In Cutter, I found a function named houdini that implements the self-deletion.
It is called from several places, which indicates that the program removes itself both when it is interrupted (for example, when its check-in fails) and when it completes successfully.
Conclusion
In summary, this analysis revealed that the "SikoMode" malware employs several techniques to obscure its behavior and ensures its own deletion, whether it completes successfully or is interrupted.
Thank you for reading this analysis.
I hope it provides valuable insights into the dissection of this malware.