What is SillyPuTTY?

SillyPutty is a type of malware used by attackers for post-exploitation activities, allowing them to maintain persistent access to compromised systems. It operates stealthily, often leveraging legitimate tools like PowerShell to evade detection. Its functions may include keylogging, credential dumping, and data exfiltration. SillyPutty typically communicates with a Command-and-Control server for remote control and manipulation.

This analysis is going to be in two phases.

Basic Static Analysis
Basic Dynamic Analysis

In this Article, we would be going through Static Malware Analysis

Tools:

Cmder
File hashes
VirusTotal
FLOSS
PE Studio
PE View
Capa

This lab was performed in a sandboxed environment, FlareVM, provided by MANDIANT – https://github.com/mandiant

Basic Static Analysis Methodology

1. Fingerprinting

It is important to note that for Static Analysis, we DO NOT EXECUTE the Malware Binary

This is done to understand the features /characteristics of what the malware could be doing

We have to pull the hashes (sha256 & md5) of every malware sample – THIS IS NEEDED TO FINGERPRINT THE SAMPLE

Steps

Pull the SHA256 hash for this particular malware sample – using Cmder
Pull the MD5 hash

λ sha256sum.exe putty.exe
 # OUTPUT 
# 0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83 *putty.exe - SHA256 HASH 

λ md5sum.exe putty.exe
# 334a10500feb0f3444bf2e86ab2e76da *putty.exe - MD5 HASH

3. Check the malware and if it’s been known/has any digital signatures in the real world – using VirusTotal – https://www.virustotal.com/

We notice few things from initial investigation in the Detection Pane.
We see the Malware Binary name – PuTTY
The category of said Malware Binary – Trojan
Flagged by 86% of Security Vendors as malicious
Details Pane
- We see the names the Malware Binary bears in the Wild

- Graph Summary to show Relations
- This tells us what the malware does once detonated.
- It performs CreateFile and WriteFile processes – as seen in the Files Dropped category.
- It makes url calls to certain IPs and Domains.

2. String Extraction

Strings & FLOSS

Strings: An array of characters

Floss pulls the strings out of the binary and decodes/de-obfuscates any strings it finds

floss.exe putty.exe > floss.txt
# to make it easier to analyse the floss strings

Not much was seen here, but it can be noted that its operations are mostly remote connection based (judging by the number of “ssh” and “tcp socks” keywords seen

3. Investigation using PE View

To find more information about when the malware was compiled and its functions

What is PE View? – Portable Executable View

PE View is a static analysis tool that enables in-depth analysis of unpacked malware. It provides access to import/export tables, resource data, and file sections. Analysts can investigate the malware’s functionality and identify potential threats.

Load up

MZ – tells the OS what kind of file it is
- windows PE

2. IMAGE_NT_HEADERS → IMAGE_FILE_HEADER: we get the time stamp for malware creation

3. IMAGE_SECTION_HEADER.txt: this gives us insight into the Malware Binary and whether it is a Packed Binary or Unpacked Binary

Virtual Size
- 95F6D (Base 16) == 614253 (Base 10)
Size of Raw Data
- 96000 (Base 16) == 614400 (Base 10)
Virtual Size < Raw Data: which is indicative of an Unpacked Malware

📌 IF Virtual Size was > Size of Raw Data: this is indicative of a Packed Malware. meaning it is more than what we see or perceive.

4. IMAGE_SECTION_HEADER.txt → IAT (Import Address Table) This is where we see API Function calls made by the Malware PE. – in-depth understanding of these functions can be found at;

https://learn.microsoft.com/

https://malapi.io/

GDI32.dll
USER32.dll
SHELL32.dll: library which contains Windows Shell API functions, which are used when opening web pages and files.

4. COMDLG32.dll: Creates an Open dialog box that lets the user specify the drive, directory, and the name of a file or set of files to be opened.

5. ole32.dll

6. IMM32.dll

7. ADVAPI32.dll

8. KERNEL32.dll

4. Investigation using PE Studio

Here we get an even more in-depth look of the Malware Binary

Magic Byte: MZ – Indicative of a Windows Executable
Architecture is 32-Bit
We also see it has remote connection tendencies, as evident in “description”
it is also a network client and terminal emulator

Here we get to understand the API calls the Malware would make when detonated, as well as the Techniques deployed in its Kill Chain

5. Investigation using CAPA

Capa is The FLARE team’s open-source tool that detects malicious capabilities in suspicious programs by using a set of rules

Introducing, Capa: https://github.com/mandiant/capa

basically, it translates the technical information in a binary into a simple, human-readable piece of information.

Capa rules

capa uses a collection of rules to identify capabilities within a program.

These rules are easy to write, even for those new to reverse engineering. By authoring rules, you can extend the capabilities that Capa recognizes.

λ capa.exe putty.exe

Based on the CAPA output, we see the capabilities the PuTTY.exe Malware executable has

it can log keystrokes
encode and decode data
read and delete file
registry key manipulation

amongst many others

CAPA also plays well with the MITRE ATT&CK Framework, giving us techniques this malware binary implores

The MITRE ATT&CK Framework is a standard knowledge base of adversary tactics, techniques, and procedures (TTPs).

MITRE ATT&CK seeks to define and classify cyber adversary activity into groups based on

what the activity seeks to accomplish and;
how the activity is carried out.

We see the Shared Modules technique: Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions
List of Tools and Payloads that make use of this Tactic can also be seen

Navigate to Techniques – Enterprise | MITRE ATT&CK® to find out more

CAPA + MBC (Malware Behavioural Catalog)

📌 MBC translates MITRE ATT&CK items into terms that focus on the malware analysis use case.

Here, Capa has identified items of interest in the binary, matched them to rules based on MBC items, and returned the results.

We’ve accurately identified that the PuTTY.exe sample has the capability to

Manipulate Processes (Create and Terminate)
Manipulate Registry Keys
Create and Delete Files
Obfuscate Files
Establish HTTP communication
Encrypt data

And there we have it folks, that’s all for Static Malware Analysis. In the next article, I would be going through Dynamic Malware Analysis

Summary

Static malware analysis involves studying the code and structure of a malware sample without executing it, which can uncover details about its functionality, methods of obfuscation, and potential targets. Over time, I have grown more proficient in this field, using tools like PE Studio and Capa to analyse malware samples. PE Studio helped me explore the structure of Portable Executable (PE) files, highlighting suspicious components such as imported functions and strings, while Capa provided valuable insights into the malware’s capabilities by categorizing its behaviour. Despite challenges like obfuscation and complex anti-reverse engineering techniques, these tools have been essential in improving my understanding of malware analysis.

Looking ahead, I am excited to explore dynamic malware analysis, where I can observe malware in action and study its real-time behaviour in a controlled environment. While static analysis has provided a solid foundation, dynamic analysis will offer deeper insights into how the malware interacts with the system and network. I anticipate challenges related to safely executing potentially dangerous code, but I am eager to expand my skills in identifying and mitigating more advanced threats.

Cybersecurity Malware Reverse Engineering