Poweliks Malware – Filelessly Persistent

Aug 21st 2017

Malware Family: Poweliks

Hash Value

SHA256: 4727b7ea70d0fc00f96a28de7fa3d97fa


View the Full Poweliks Malware Analysis Report

One of the key features released in VMRay Analyzer v2.1 is the enhanced analysis of fileless malware (also referred to as “non-malware”). Fileless malware is defined by malware analysis expert Lenny Zeltser as “..malware that operates without placing malicious executables on the file system.” An important nuance here is there “may” be files associated with fileless malware and they “may” modify existing file structures on the target machine.

One common method used by malware authors is to implement registry changes. To demonstrate VMRay Analyzer’s detection of registry changes we will analyze a well-known Poweliks sample. Even though its command servers are no longer online, this sample of Poweliks offers a great opportunity to study the nature of fileless malware.


Poweliks Analysis

On execution, the installer creates two registry entries containing (1) the startup code and (2) the encoded second stage of the infection (see Figure 2).
The startup code (Figure 1) essentially consists of a single JavaScript instruction, which reads in the registry entry containing the second stage of the infection, decodes it and executes. On execution this code eventually carries out yet another stage using Powershell (which we will see later).


Startup Code - Poweliks Fileless Malware

Figure 1: The startup code stored in the Windows registry


One interesting fact of the startup stub is that the malware executes the JavaScript code by creatively utilizing the rundll32 interface as thoroughly described by Stormshield.
Another noteworthy aspect is the way the Poweliks hides the registry entry with the stub from the user. It is created by using a NULL pointer as its name – making it impossible to see this entry using the Windows Registry Editor (Regedit). However, VMRay Analyzer monitors the complete interaction between the malware and the operating system. Information like this gets extracted automatically for a malware analyst (see Figure 2).


Process Graph - Poweliks Fileless Malware

Figure 2: Overview of the monitored interaction with Registry from the Poweliks installer



As seen in Figure 2, the startup stub is added to the autostart key HKCU\\software\\microsoft\\windows\\currentversion\\run\\, which is automatically executed on Windows startup. Remarkably, after rebooting, the complete execution does not involve the installer anymore, thereby making it truly fileless.
Since VMRay Analyzer can automatically detect if a sample tries to achieve persistence, it simulates a user initiated restart allowing us to look at the malware’s behavior after reboot. Even tough this wouldn’t be necessary for this sample, because the first execution is bootstrapped by the installer, we can see in the process graph (Figure 3) how the execution is restarted with the rundll32.exe (Node #5) after the reboot (Node #1).


Process Graph - Poweliks Fileless Malware

Figure 3: Process graph of the execution. After rebooting, Poweliks malware gets automatically executed from the Windows registry.


Execution of the Payload

Taking a deeper look at the process graph, we can see that the second stage of the execution uses Powershell to first create the dllhost.exe process then injects and executes the actual payload.
In Figure 4, we are able to monitor the entire injection process without having to decode the corresponding registry entry.


dllhost Injection Information - Poweliks Fileless Malware

Figure 4: Excerpt of the logged behavior from the dllhost.exe process


Taking a look at the subsection “Injection Information”, we can easily obtain all relevant information regarding the injection. In addition to looking at the used system calls in the function log, we can also download the injected data. Analyzing this binary blob, we see that it consists of some data and a DLL file, which can be used for further analysis.


Injected dll - Poweliks Fileless Malware

Figure 5: Hexdump of the injected data including a Windows DLL image



In this analysis we were able to the see execution of Poweliks malware and how persistence can be achieved in a fileless manner using the Windows registry. VMRay Analyzer supports DFIR Specialists and malware analysts by accelerating common analysis tasks, like unpacking and obtaining additional information for the analysis.

View the Full Poweliks Malware Analysis Report

Keys to the Future of SOC Automation
VMRay Webinar Featuring Forrester