One of the key features released in VMRay Analyzer v2.1 is the enhanced analysis of fileless malware (also referred to as “non-malware”). Fileless malware is defined by malware analysis expert Lenny Zeltser as “...malware that operates without placing malicious executables on the file system.” An important nuance here is that there “may” be files associated with fileless malware, and it “may” modify existing file structures on the target machine.
One common method used by malware authors is to implement registry changes. To demonstrate VMRay Analyzer’s detection of registry changes we will analyze a well-known Poweliks sample. Even though its command servers are no longer online, this sample of Poweliks offers a great opportunity to study the nature of fileless malware.
On execution, the installer creates two registry entries containing (1) the startup code and (2) the encoded second stage of the infection (see Figure 2).
Figure 1: The startup code stored in the Windows registry
Another noteworthy aspect is the way Poweliks hides the registry entry containing the stub from the user. The entry is created using a NULL pointer as its name, making it impossible to see this entry in the Windows Registry Editor (Regedit). However, VMRay Analyzer monitors the complete interaction between the malware and the operating system, so information like this is extracted automatically for the malware analyst (see Figure 2).
Figure 2: Overview of the monitored interaction with Registry from the Poweliks installer
As seen in Figure 2, the startup stub is added to the autostart key HKCU\software\microsoft\windows\currentversion\run\, which is automatically executed on Windows startup. Remarkably, after rebooting, the complete execution does not involve the installer anymore, thereby making it truly fileless.
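The two properties just described, a write to an autostart key and a value name that Regedit cannot display, are exactly what an analyst wants flagged automatically when reading a registry activity log like the one in Figure 2. The following script is an added example (not VMRay code and not the log data from this analysis) that triages a constructed list of registry "set value" events: it tags writes to Run/RunOnce keys, value names containing NUL or other non-printable characters, and long base64-looking data that may be an encoded second stage. The key paths, value names and data in `SAMPLE_EVENTS` are constructed stand-ins; the startup stub and CLSID are placeholders.

```python
import re

# Constructed sample of registry "set value" events in the shape (key, value name, data).
# These are illustrative stand-ins for what a sandbox function log records,
# not data taken from the analysis described on the page.
SAMPLE_EVENTS = [
    (r"HKCU\software\microsoft\windows\currentversion\run",
     "\x00a",                                    # name starts with a NUL byte: Regedit cannot render it
     "rundll32.exe CONSTRUCTED_STARTUP_STUB"),   # placeholder for the startup stub
    (r"HKCU\software\classes\clsid\{CONSTRUCTED-CLSID}\localserver32",
     "a",
     "QUJDRA" * 40),                             # constructed base64-looking blob standing in for an encoded stage
    (r"HKCU\software\microsoft\windows\currentversion\run",
     "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Autostart locations: any key whose path ends in ...\CurrentVersion\Run or \RunOnce.
AUTOSTART_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\?$", re.IGNORECASE)
# Heuristic for encoded payloads: a single base64-alphabet run of 64+ characters.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")


def is_hidden_name(name):
    """True if the value name contains NUL or other non-printable characters.

    A NUL in the name truncates the C string that Regedit works with, so such
    values are invisible there even though the kernel stores them normally.
    """
    return not name.isprintable()


def classify(key, name, data):
    """Return the list of tags that apply to one registry write event."""
    tags = []
    if AUTOSTART_KEY_RE.search(key):
        tags.append("autostart_write")
    if is_hidden_name(name):
        tags.append("hidden_value_name")
    if BASE64_RE.match(data):
        tags.append("encoded_blob")
    return tags


def triage_registry_events(events):
    """Return one finding per event that earned at least one tag.

    A hidden value name is treated as high severity on its own; ordinary
    autostart writes and encoded blobs are medium so that legitimate Run
    entries (such as the OneDrive one above) are surfaced but not alarmed on.
    """
    findings = []
    for idx, (key, name, data) in enumerate(events):
        tags = classify(key, name, data)
        if not tags:
            continue
        severity = "high" if "hidden_value_name" in tags else "medium"
        findings.append({
            "index": idx,
            "key": key,
            "name": repr(name),   # repr() makes the NUL visible in reports
            "severity": severity,
            "tags": tags,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_registry_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['key']} :: {finding['name']} -> {', '.join(finding['tags'])}")
```

The severity rule is deliberately simple: autostart writes are common in benign installers, so the combination that matters is an autostart write whose value name is unreadable in Regedit, which is why `hidden_value_name` alone escalates a finding to high.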
Since VMRay Analyzer can automatically detect when a sample tries to achieve persistence, it simulates a user-initiated restart, allowing us to look at the malware’s behavior after reboot. Even though this wouldn’t be necessary for this sample, because the first execution is bootstrapped by the installer, we can see in the process graph (Figure 3) how the execution is restarted with rundll32.exe (Node #5) after the reboot (Node #1).
Figure 3: Process graph of the execution. After rebooting, Poweliks malware gets automatically executed from the Windows registry.
Taking a deeper look at the process graph, we can see that the second stage of the execution uses PowerShell to first create the dllhost.exe process and then inject and execute the actual payload.
In Figure 4, we are able to monitor the entire injection process without having to decode the corresponding registry entry.
Figure 4: Excerpt of the logged behavior from the dllhost.exe process
Taking a look at the subsection “Injection Information”, we can easily obtain all relevant information regarding the injection. In addition to looking at the system calls used in the function log, we can also download the injected data. Analyzing this binary blob, we see that it consists of some data followed by a DLL file, which can be used for further analysis.
Figure 5: Hexdump of the injected data including a Windows DLL image
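Locating the DLL inside an injected blob like the one in Figure 5 is a routine carving task: walk the buffer for `MZ` headers, follow `e_lfanew` to the `PE\0\0` signature, and read the COFF header to learn the machine type and whether the `IMAGE_FILE_DLL` characteristic is set. The script below is an added example (not VMRay code and not the blob from this analysis); it builds a constructed, non-executable PE header with `build_fake_pe` purely so the carver has something to find, and `SAMPLE_BLOB` is likewise constructed.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # Characteristics flag: image is a DLL
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_fake_pe(is_dll=True, machine=IMAGE_FILE_MACHINE_AMD64):
    """Construct a minimal PE header (DOS stub + PE signature + COFF header).

    This is test scaffolding only: it has no sections or optional header and
    cannot be loaded, but it is enough for a carver to recognise.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew lives at offset 0x3C
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed blob: 37 bytes of filler, a stray "MZ" that is not a real header,
# 10 bytes of padding, then the fake DLL image at offset 49.
SAMPLE_BLOB = b"\x41" * 37 + b"MZ" + b"\x00" * 10 + build_fake_pe(is_dll=True)


def find_pe_images(blob):
    """Return a record for every MZ header whose e_lfanew points at a PE signature.

    Stray "MZ" byte pairs (common in random data) are rejected because their
    e_lfanew is out of range or does not land on "PE\\0\\0".
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x1000
                    and pe + 24 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\x00\x00"):
                machine, nsections = struct.unpack_from("<HH", blob, pe + 4)
                (characteristics,) = struct.unpack_from("<H", blob, pe + 22)
                hits.append({
                    "offset": pos,
                    "machine": machine,
                    "sections": nsections,
                    "is_dll": bool(characteristics & IMAGE_FILE_DLL),
                })
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob, hit):
    """Return the bytes from the image start to the end of the blob.

    A full carver would compute the real end from the section table; the
    minimal header built above has none, so we carve to the end of the buffer.
    """
    return blob[hit["offset"]:]


if __name__ == "__main__":
    for hit in find_pe_images(SAMPLE_BLOB):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"{kind} image at offset {hit['offset']:#x}, machine {hit['machine']:#06x}, "
              f"{len(carve(SAMPLE_BLOB, hit))} bytes carved")
```

The `0x40 <= e_lfanew < 0x1000` bound is a pragmatic sanity check rather than a format rule: real headers put the PE signature within the first few kilobytes, and the bound prevents a random `MZ` from dereferencing far into unrelated data.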
In this analysis we were able to see the execution of Poweliks malware and how persistence can be achieved in a fileless manner using the Windows registry. VMRay Analyzer supports DFIR specialists and malware analysts by accelerating common analysis tasks, like unpacking and obtaining additional information for the analysis.