Malware Forensics: Dynamic Analysis on BlackEnergy Malware

Using any.run

Audrey Betsy Rumapea
7 min read · Nov 21, 2021

Have you ever had your files encrypted, or even deleted? Does this look familiar?

If the answer to the questions above is yes, then unfortunately you have come across malware. Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server.

Malware illustration. Source: Teknologi.id

There are different types of malware, for example:

  • Virus: the classic type; it needs a host file, copies itself into other programs or documents, and runs whenever the infected host runs
  • Worm: self-replicates without a host program and spreads over the network without any user interaction
  • Trojan horse: disguised as a legitimate program to get onto the system; once installed and launched it carries out its hidden functions (often giving the attacker access)
  • Spyware: collects information and data about the device and its user, observing the user's activity without their knowledge
  • Ransomware: infects a user's system and encrypts data; the victim is told to pay a ransom for the decryption key

To detect and mitigate the threats posed by malware, we need to do malware analysis. In simple words, malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. It comes in three flavours: static (the code is never run; the file is examined for signs of malicious intent such as hashes, strings, headers and imports), dynamic (the code is run in an instrumented sandbox and its behavior is recorded), and hybrid (a mix of both, for example statically analysing the code that a dynamic run unpacked).

In this article we're going to do dynamic analysis on BlackEnergy malware, so we'll use a sandbox called any.run.

Get to Know BlackEnergy

There are actually 3 versions of BlackEnergy. BlackEnergy 1, the oldest, has been around since 2007 and was a simple Trojan that infected machines to build a botnet and conduct DDoS attacks, at that time mostly against Russian sites.

Later, in 2010, BlackEnergy 2 was spotted. New in this version were rootkit techniques (a kernel driver that hides its components) and a plugin architecture. The plugins added capabilities such as executing local files, downloading and executing remote files, updating the bot and its plugins, and even executing "die" or "destroy" commands.

Finally, in December 2015, BlackEnergy 3 was tied to the attack on electricity distribution companies in Ukraine. The attackers, who had gained a foothold and operator credentials through a BlackEnergy infection, took remote control of the operators' workstations: the cursor on one operator's computer suddenly moved on its own and clicked the commands that open the breakers at substations, cutting power. A dialogue window popped up asking for confirmation, and again the mouse clicked to affirm.

Honestly, poor operator.

The operator grabbed his mouse and tried to regain control, but it was unresponsive. The system also logged him out of the control panel, and his password had been changed, so he could not log back in. That must be really frustrating… Note that BlackEnergy 3 itself did not flip the breakers: it delivered the foothold and the stolen credentials, and the switching was done through legitimate remote-access tools.

However, in this article we're only going to use a sample of BlackEnergy 2, because it's the only version available in the repository we'll use 🙃

Ready?

Preparation

First, we need to prepare a virtual machine. A VM is needed when handling malware so that the sample stays contained inside the VM and can't reach the host. Take a clean snapshot before you start, turn off shared folders and clipboard sharing, and keep the VM off your normal network. In this article the sample is only ever executed inside any.run's own sandbox; the local VM is there so that an accidental double-click while unpacking the archive doesn't infect your workstation.

I used Windows 7 (32-bit) as the OS for the VM because it is the only OS available for free in any.run. The optical disk image for this VM can be downloaded here. Do make sure you download the 32-bit version (I spent an hour downloading the 64-bit one, only to realise I had downloaded the wrong one).

Next, let's install a more comfortable browser inside the VM. I used Microsoft Edge in this article, but you can use any browser you prefer.

We'll also need a tool that can extract the files inside a password-protected .zip archive. For this I downloaded WinRAR, because it is simple and familiar.

Current state of VM, downloaded Microsoft Edge and WinRar as supporting tools for malware analysis

Implementation

Here comes the scary part. Even though virtual machines are supposed to keep us safe from malware, some malware can detect that it is running in a VM and change its behavior or refuse to run, and in rare cases a sample can exploit a hypervisor bug to break out of the VM. Fortunately, I've never read that BlackEnergy has this capability.

To analyse the malware, we obviously need a sample of it. There are many repositories that provide samples, but here we'll use theZoo (github.com/ytisf/theZoo). The list of malware can be seen in its malware/Binaries directory.

List of malwares available in the Zoo

Now we download theZoo in ZIP format. This is done by going to its master branch, pressing the 'Code' button, and pressing the 'Download ZIP' button.

Menu to download repository in ZIP
The ZIP will be shown in Downloads folder

Inside the BlackEnergy2.1 folder we'll find a password-protected ZIP file of BlackEnergy. To extract it, we enter the password found in the PASS file next to it. It should be 'infected', the password theZoo uses for all of its archives.

PASS file opened in Notepad. Copy the password
Paste the password from PASS file here to enable extraction of ZIP file

There you go! A file with the .ex1 extension has appeared. This is the sample we're going to analyse: a Windows executable whose extension has been changed so it can't be launched by a double-click (any.run appends .exe before running it, as the command line further down shows). It is called rootkit because BlackEnergy 2 hides itself with rootkit techniques: a rootkit is malware designed to remain hidden on a computer, so we might not notice it even though it is active.

The malware file with EX1 format has appeared

Now that we have the malware file, we will perform the dynamic analysis using any.run. Before starting, you will need to register an account and verify your email. After logging in, you'll see the page below.

Next, choose 'New Task'. A pop-up will ask you to upload a malware file or enter a URL that hosts one. Upload the rootkit.ex1 file and press 'Run a public task'; you don't need to change the other settings. Keep in mind that a public task makes the sample and the report visible to everyone, which is fine for a decade-old sample from theZoo but not for a file from your own incident.

The task will then be loaded.

Unfortunately, when rootkit.ex1 was run, it kept showing this error saying the program had stopped working.

Here are the problem details. It is an APPCRASH report, which is what Windows Error Reporting shows when a process dies from an unhandled exception. It does not mean that Windows detected malware; a more likely explanation is that a 2010 sample doesn't run cleanly on a Windows 7 build it was never tested against, or that one of its installation steps (such as loading its driver) fails in the sandbox.

Here's the command line of the process.

C:\Users\admin\AppData\Local\Temp\rootkit.ex1.exe

It showed no threats found during the 60 s run. any.run also didn't flag the process as malicious, and instead categorised the task as 'No verdict'.

You can click 'More info' to see a detailed explanation of the process. Here I found out that the only warning was 'checks supported languages' (the sample queried the system's language settings). There were no modified files, registry changes or HTTP requests when this sample was executed.

However, when I looked up rootkit.ex1 on VirusTotal (press 'Look up on VT'), the file is flagged as malicious! Here's what VirusTotal finds inside the EX1 file.

From the Detection tab we can see that 57 out of 67 security vendors detect it as malware, specifically as a Trojan.

Three sandboxes also flagged this file as malicious, VirusTotal's own among them. any.run, however, isn't on the list.

Moving on to the Details tab in VirusTotal. Here we can see that the file was first seen in the wild around late February 2010. This matches the history of BlackEnergy, where BE2 (this sample) appeared in 2010.

Finally, we get to the Behavior tab. It shows the file system actions observed when the sample was run in VirusTotal's sandboxes: the file writes, deletes and modifies files. So in a different environment the sample does get past the point at which it crashed in any.run.

Wrapping Up

BlackEnergy is a relatively powerful Trojan that threatens both Linux and Windows. To detect and mitigate it we need to understand it, and dynamic analysis in a sandbox is one way to do that. In any.run the sample crashed with APPCRASH every time and ended with 'No verdict', so the run produced almost no behavior to look at. VirusTotal tells a different story: 57 of 67 engines flag the file, and its sandboxes saw it create, modify and delete files. The lesson is that 'No verdict' from a single sandbox run is absence of evidence, not proof that a file is clean. When a sample crashes or stays quiet, try a second sandbox or a different OS version, look the hash up, and fall back to static analysis.

This article is written by Audrey Betsy Rumapea (18218039)

Task 6: Malware Dynamic Analysis

Course: II4033 Digital Forensics
