Basic Static & Dynamic Analysis - SillyPutty

  • Hacking By Doing
  • Dec 7, 2022
  • 2 min read

This post walks through my analysis of the "Putty.exe" file downloaded from the HuskyHacks GitHub page.



This is the information I have on the file


My objective is clear: perform basic static and dynamic analysis on this PuTTY file.


For anyone who doesn't know PuTTY, it is a free implementation of SSH (and Telnet) for PCs running Microsoft Windows, and it is legitimate software.



Static Analysis


Let's start by inspecting the file with PEstudio.


First I searched the file hashes on VirusTotal, but nothing came up.



Then I looked through the strings.




Looking at the strings alone, it is very difficult to tell whether the imported APIs are malicious or normal, because PuTTY is real software that legitimately uses many of the same functions, and that could mislead me into thinking the APIs are malicious.


For example, the OpenClipboard and GetClipboardData functions, which according to the Microsoft Windows API documentation retrieve data from the clipboard.


Another string I found is the GetForegroundWindow function, which is commonly used by keyloggers and spyware to determine which window the victim is currently using, but it is also used by legitimate software.


Another string I found is the listen function, so I should be on the lookout for an open socket in the dynamic analysis stage.



Again, it is very difficult to determine the nature of this software by looking at the strings, as every API I just listed could be legitimate, so I will move on to the next stage.


Dynamic Analysis


Initial Detonation:



A PowerShell script ran for a split second at detonation, which is probably the "blue window" the Help Desk team was referring to in the txt file.



DNS A record query: bonus2.corporatebonusapplication.local




Host-Based Indicators:




TCP socket:


After adding the DNS name to the hosts file:




Conclusion:


It looks like this PuTTY file has a backdoor and is not a legitimate version of the software.


Unfortunately, I could not interact with the socket, because the connection is encrypted and I would have needed a TLS certificate to stand up a listener for it.
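As an added example (not part of the original post), the Python below covers the two dynamic-analysis steps described above: pin the observed DNS name to the analysis machine through the hosts file, and stand up a TLS listener so the encrypted callback lands somewhere it can be read. The address 10.0.0.5, the port 8443 and the hosts file contents are my own placeholders, not values from the post; the certificate is a throwaway self-signed one generated with openssl. If the implant validates the server certificate, the handshake fails at wrap_socket and the script's logic has to be recovered another way; if it accepts any certificate, this is enough to see what comes back.

```python
"""Sinkhole the observed C2 name and catch the implant's TLS callback.

Added example for this post, not the author's tooling. Assumptions not
stated on the page: the analysis-box address 10.0.0.5 and the listening
port 8443 are placeholders; substitute the port seen in the TCP socket
capture. Make a throwaway certificate first, for example:
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test -keyout key.pem -out cert.pem
then run:  python catch.py --port 8443 --cert cert.pem --key key.pem
"""
import argparse
import socket
import ssl
import sys

C2_NAME = "bonus2.corporatebonusapplication.local"   # DNS A record seen at detonation

# Constructed example of the victim VM's hosts file after the sinkhole entry.
SAMPLE_HOSTS = """# localhost name resolution
127.0.0.1       localhost
10.0.0.5        bonus2.corporatebonusapplication.local   # sinkholed to the analysis box
"""


def hosts_entry(ip: str, name: str) -> str:
    """The line to append to the hosts file so the implant resolves the C2 name to us."""
    return f"{ip}\t{name}"


def parse_hosts(text: str) -> dict:
    """Minimal hosts-file parser: {hostname(lower): ip}, comments and blanks ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolves_to_us(hosts_text: str, name: str, our_ip: str) -> bool:
    """Sanity check before detonation: does the C2 name now point at our listener?"""
    return parse_hosts(hosts_text).get(name.lower()) == our_ip


def catch_callback(port: int, certfile: str, keyfile: str) -> None:
    """Accept one TLS connection, print what the implant sends, relay stdin to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server(("0.0.0.0", port)) as srv:
        print(f"[*] waiting for {C2_NAME} callback on :{port}")
        conn, addr = srv.accept()
        # The handshake fails here if the implant pins or validates the server cert.
        with ctx.wrap_socket(conn, server_side=True) as tls:
            print(f"[+] {tls.version()} connection from {addr[0]}:{addr[1]}")
            tls.settimeout(2.0)
            while True:
                try:
                    data = tls.recv(65536)       # drain whatever the implant sends first
                    if not data:
                        break
                    sys.stdout.write(data.decode(errors="replace"))
                    sys.stdout.flush()
                    continue
                except socket.timeout:
                    pass                          # quiet for 2s: our turn to talk
                cmd = sys.stdin.readline()
                if not cmd:
                    break
                tls.sendall(cmd.encode())


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--port", type=int, default=8443)
    ap.add_argument("--cert", required=True)
    ap.add_argument("--key", required=True)
    args = ap.parse_args()
    print("hosts entry for the victim VM:", hosts_entry("10.0.0.5", C2_NAME))
    catch_callback(args.port, args.cert, args.key)
```

The hosts entry goes on the victim VM (C:\Windows\System32\drivers\etc\hosts), the listener runs on the analysis box, and resolves_to_us is the check worth doing before detonating again: if the name still resolves elsewhere, the callback never reaches the listener and the TLS question never comes up.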


Overall this was a great exercise and a very fun piece of malware to analyze. I especially liked the fact that PuTTY is real software, which meant I had to take every string I found with a grain of salt; it basically forced me to use my head and find another way in.


Thank you for reading and thank you HuskyHacks.