Post

ASEAN Mustang Panda

Posted Updated
Preview Image
By os1ris
2 min read
ASEAN Mustang Panda

Executive Summary

The program executes “office.exe” with various command lines and parent processes from the "C:\Users\Public\Desktop" directory. It also runs "GetCurrentDeploy.dll" and writes values to the registry. While legitimate programs might use similar actions for file execution and registry updates, malicious software could also use these processes to execute harmful files or modify settings for persistence or evasion. The specific registry actions may indicate malicious behavior. Further analysis is required to assess the intent and nature of the process.

Case Details

Sample information

AttributeDetails
File nameASEAN Notes.iso
File size588 KB
File typeDisc Image File (ISO)
MD59832bd120aa506758b3c1850dc2f7e41
SHA18e7dfe85c00f76c2525b0ea001b735b1240f3342
SHA256a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c
AttributeDetails
File nameASEAN 2024.lnk, MS.lnk, Mofa memo.lnk
File size2 KB
File typeShortcut (LNK)
MD5b1c2cac5b573523a0394b82c2e097077
SHA1e27a237acb643391a7a5d6c57bd882e4ac72bdb0
SHA256d66ab44e898c909d0e2a8b8bbe2eb47dfb76af4962ede47d63477a0f8fcfef23
AttributeDetails
File nameNS.lnk
File size2 KB
File typeShortcut (LNK)
MD5698382d42978ee9b86046682cacc76ab
SHA1dd149a0c4a650df907557b3c0219fde81d339d11
SHA256e537c5da268c6a08d6e94d570e8efb17d0ca3f4013e221fadc4e0b3191499767
AttributeDetails
File nameGetCurrentDeploy.dll
File size96 KB
File typeApplication Extension (DLL)
MD5d901af6c326d9d6934d818beef214e81
SHA1b78e786091f017510b44137961f3074fe7d5f950
SHA25651d89afe0a49a3abf88ed6f032e4f0a83949fc44489fc7b45c860020f905c9d

Case Specific Requirements

  • Machine
    Windows Environment

  • Tools Used

    • Floss
    • IDA
    • ProcMon
    • DiffView
    • Wireshark
    • Fakenet

Static Analysis

The file was first received as a Disc (.ISO). After opening the ISO, four shortcut PDFs were found:

img1

Checking one of the shortcut files shows the target command:

img2

Target command executed:

1

C:\Windows\System32\ScriptRunner.exe -appvscript _\_\_\_\_\_\_\_\_\_\_\_\office.exe

Upon inspecting the folder, two files were found. The office.exe file was not malicious when checked via hash, but the GetCurrentDeploy.dll is.

img3

Using PEStudio to analyze the file content:

PEStudio Analysis

Next, Floss was used to extract the content.

Floss1

Content inside floss:

Floss2

Floss3

Floss4

The extracted functions from IDA were analyzed:

  1. sub_10001BD0:

    Function 1

  2. sub_10004150:

    Function 2

  3. sub_10003820:

    Function 3

Dynamic Analysis

Using ProcMon, we observe the CreateFile and WriteFile actions being executed under the Public directory.

D1

Using DiffView, any interesting changes were monitored.

D2

It shows the registry entries being set for auto-execution during boot.

D3

To confirm file creation, the directory was checked and both office.exe and GetCurrentDeploy.dll were found present.

D4

Starting the Wireshark to see any connections was made by this malicious:

Wireshark Connection Attempt

Image above we get to see the openservername[.]com attempt to connect with the machine. The following ip also establishes as TCP to the destination of 103[.]159[.]132[.]80:

Wireshark Connection Attempt

Filtering the TCP Port of 443 and get to see the ip above had a connect with the machine IP.

Wireshark Connection Attempt

Using Fakenet to monitor the traffic and the TCP comes from office.exe:

Fakenet_Connection_Attempt

Checking the Relations of those ip on Virustotal have the relation with the panda malware:

Virustotal

Indicators of Compromise (IOCs)

IOCType
openservername[.]comURL
103[.]159[.]132[.]80[:443]IP:Port
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GAMEESTRTORegistry
C:\Users\Public\office.exeFile
C:\Users\Public\GetCurrentDeploy.dllFile

Additional Notes

  • SHA256 hash of the malicious ISO file
    a00673e35eaccf494977f4e9a957d5820a20fe6b589c796f9085a0271e8c380c

  • Full command line configured in one of the malicious shortcuts in the ISO file
    C:\Windows\System32\ScriptRunner.exe -appvscript _\_\_\_\_\_\_\_\_\_\_\_\office.exe

  • Domain name found in the sample
    openservername.com

  • Full path, including the filename, to which the malware copies itself
    C:\Users\Public\GetCurrentDeploy.dll

  • Registry key name created by the malware
    gameestrto

  • Parameters string required for the malware to execute after the initial infection
    StarWegameToyOU

  • Hosting provider used by the threat actor for their C2 server
    Gigabit Hosting Sdn Bhd

Malware Analysis, Malware-Analysis-and-Reversing-Workshop
Malware Analysis Malware-Analysis-and-Reversing-Workshop
This post is licensed under CC BY 4.0 by the author.