Malware Analysis: Utntweep

Ben Lee
4 min readDec 21, 2021

--

MD5 hash: 5b53eab7edc13c1db7c066d96b64ddc6
Virus Total Link: https://www.virustotal.com/gui/file/226962a910ce28aca0c4b8f3f9275254d7b2057aa17bfab0c67b8aa93417d29a/details

Intro:

In this blog post, i will be analysing a malware that has been dropped by a phishing email to Tibet Activists in 2012 to improve my malware analysis and RE skills. I will be analysing one of the DLL’s dropped called utntweep.dll which was dropped by the malware to maintain persistence. I will be analysing it via Olydbg and IDA to determine some of its interesting functions. Feedback on how to improve my analysis is appreciated.

Analysis:

In this function which i renamed InitiateEnvironment, it pushes/ KERNEL32.dll as an argument into eax as a return address. If esi=0 it won’t load library and exit. This is improbable, but malware author put it in case it does. KERNEL32.dll is a library used alongside ntdll.dll as a windows core library.

The function then copies byte of string ~M,RLM>F{BK<>MHKRx into dest until null byte terminate. Returns length of string.

In ‘call DecryptFunction’ i thought it might be decryption since alot of loops inside it. I used Olydbg to see if this was true and we get ‘GetSystemDirectoryA’ from ~M,RLM>F{BK><MHKRx”. It then calls to GetProcAddress. If kernel32.SystemDirectoryA is not equal, continue. If we keep pushing to CALL utntweep.10001810 we can see it leads to path C:\Windows\system32.

Looking into the called function in IDA we can see most of the text related to the malware such as malware version and arguments like download, kill (kill process), read and more. We can even see potential IOC’s (Indicators of Compromise): sourcejob.dat, feelcat.ini, tupix.ini.

Sourcejob.dat, Feelcat.ini, Tupix.ini

If we go back to the start of the malware function we can see it will load LOADDLL.exe as we are analysing a DLL file. It will also exit the code if eax-1 is not equal 0 otherwise it will start to run the malware code. The malware searches for ‘explorer.exe’ inside ‘loaddll.exe’. If found it will return 1 and save to bl register, and if it couldn’t find ‘explorer.exe it will return 0 and continue searching and repeat for other substrings like firefox.exe, outlook.exe, netscp.exe, yahoomessenger.exe etc. all the way to svchost.exe which is last one to be checked. Jnz means if 1 go here since true, if 0 skip as false.

Start of Malware Code
Continuation of code for explorer.exe
svchost.exe string, if compare successful malware continues

Analysing a different function, we can see that the malware tries to move feelcat.ini (the potential IOC) into C:\Windows\System32. It tries to open it and read the first 128 bytes of the file for a filename.

After this process, it deletes feelcat.ini

Delete feelcat.ini after process complete

The Malware also may have some network functionality as we can see ‘WSAStartup’ which can initialize sockets and network connections of winsock.dll. This means that this malware could potentially connect with a C&C (Command and Control Server).

Analyzing further into other functions, we can see the malware tries to get computer name, version, mark, OS, IP and much more from an infected machine.

We can also see some Encrypted strings which we can decrypt in Olydbg. We get a port number 6655 and the potential C&C domain: losang[.]dynamicdns[.]co[.]uk

Decrypted Strings via OlyDbg

The malware also can execute commands or open other applications in the command prompt as seen below.

Conclusion:

This malware is indeed malicious and has many functions that it tries to do after infecting a machine such as collect machine information, IP’s , connecting to a C&C, executing commands, downloading other malicious files and much more.

There are many other functions to be analysed, i showed some of the interesting one’s for a shorter blog post.

The Lesson: Please be wary of emails with suspicious links or attachments from anyone that you don’t know. Check the sender email address. If you don’t know the sender, don’t auto click anything first as many of these spear phishing emails are crafted very well especially if it is from an APT group.

Hope you enjoyed this blog post, more to come.

--

--

Ben Lee
Ben Lee

Written by Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.

Responses (1)