My Road to Digital Forensics Excellence

msrll.exe visits #mils

Posted by Paul Bobby on August 3, 2009


During the course of the recently taken Reverse Engineering class, Lenny encouraged us to practice our skills on a variety of malware that he had included on the class CD. This post is based on the specimen, msrll.exe (MD5: B4ACFE96A98590813413122C12C11AAA) (41,984bytes)

My analysis took 12 steps:

  1. Simple Execution
  2. Live Analysis Part 1
  3. Live Analysis Part 2
  4. Live Analysis Part 3
  5. Analysis Goals
  6. Static Analysis – Unpacking
  7. Static Analysis – First look
  8. Static Analysis – Command analysis
  9. Static Analysis – jtram.conf
  10. Static Analysis – Interaction with port 2200
  11. Static Analysis – Interaction in IRC channel
  12. Incident Response

One of the things I learned during this exercise is the value of the baby step approach – thinking you know what’s happening, leaping ahead and assuming too much, gets me in to trouble. Another lesson learned is that after live analysis is complete, I had to identify a series of analysis goals. With this specific specimen I found myself getting bogged down in the encryption routines, achieving no real progress, so I backtracked, and identified exactly those aspects of this malware I needed to explore.

Simple Execution

Running the program, msrll.exe from C:\Temp produced no visible output. After a few seconds the file disappeared from C:\Temp.

Live Analysis Part 1

  1. Wireshark showed a DNS query for collective7[.]
  2. Regshot showed the following items of interest
    1. HKLM\SYSTEM\CurrentControlSet\Services\mfm key added
    2. HKLM\SYSTEM\CurrentControlSet\Services\mfm\security key added
    3. Various key-value pairs added
      1. ImagePath = “C:\Windows\system32\mfm\msrll.exe”
    4. Files added
      1. system32\mfm\jtram.conf (contains obfuscated text)
      2. system32\mfm\msrll.exe
  3. CaptureBAT.exe
    1. preserved the deleted file msrll.exe from C:\Temp
    2. Both msrll.exe specimens MD5 match
  4. Process Explorer
    1. msrll.exe executing from system32\mfm\msrll.exe
    2. msrll.exe listening on two ports
      1. TCP 113 (Auth identd)
      2. TCP 2200

Live Analysis Part 2

  1. A host entry in system32\drivers\etc\hosts was made to resolve collective7[.] to my Linux VM.
  2. Wireshark reports a connection attempt on port 6667

Live Analysis Part 3

  1. Fire up IRCD on the Linux VM
  2. msrll.exe connects to the IRC daemon
  3. Wireshark lights up with the following activity
   1: USER PKjlVumLCrI localhost 0 :xIzUYurlIIlnEpkWTWTLmKmxpEjwTR



   4: JOIN #mils :

   5: MODE #mils

   6: WHO #mils

   7: PONG :localhost.localdomain

   8: PONG :localhost.localdomain

Analysis Goals

  1. What is in the file “system32\mfm\jtram.conf”?
  2. Interact with what is listening on port 2200
  3. Interact with the IRC bot
  4. Incident Response
    1. 4n6 indicators
    2. Network indicators leading to mitigations

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: