Working with the Powelik malware today, I thought I would record some of my notes so I can refer back to how I used Volatility and other tools.
The malware is embedded in the registry under a randomly named key at the following location:
HKEY_CLASSES_ROOT\CLSID\{<random>}
To confirm this, you can google the various pages that have published an analysis of Powelik. Another way to find the registry key is to run vaddump against the dllhost.exe process that Powelik uses to host itself:
vol.py -f mem.dump --profile=Win7SP0x86 vaddump -p <processid of dllhost.exe> -D <output>
Then search for signs of the CLSID\{<random>} registry key using the following command:
strings <output>* | grep -i -e "CLSID"
To extract the malware I first used Volatility to identify where the registry hives are located in memory:
vol.py -f mem.dump --profile=Win7SP0x86 hivelist
This lists the virtual offset of the user's UsrClass.dat hive, which is where the per-user HKEY_CLASSES_ROOT keys live. That offset is then passed to printkey to pull the key I am looking for:
vol.py -f mem.dump --profile=Win7SP0x86 printkey -o 0xb5d54ae3 -K "CLSID\{<random>}\LocalServer32"
The output shows two values under LocalServer32: (Default) and one named "a". The malware is embedded as the data of "a". It is encoded multiple times; the first layer is Microsoft Script Encoder output (an encoding that developers can apply to JavaScript and VBScript), so that is what I decoded first.
After that initial decoding you see another section that needs to be base64 decoded, then another, and another. After a couple of rounds, the IP addresses and domains that the malware calls home to appear in clear text:
fa8072.com,f0fff0.com,db7093.com,195.2.240.79,95.215.1.57,31.184.194.39
After a few more rounds of decoding, running foremost over the result carves out a DLL. Uploading this DLL to VirusTotal confirms that it is Powelik.
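To make the decoding and carving steps above repeatable, here is an added Python example that is not part of the original post. It starts from the point after the Script Encoder layer has been removed (that step is left to the tool named above) and shows the rest of the workflow: peeling nested base64 layers until no further layer decodes, pulling IP and domain indicators out of the innermost layer, and carving an embedded PE by validating the DOS header's e_lfanew pointer rather than trusting every "MZ" string, which is the same idea foremost applies. The sample blob is constructed inline (three base64 layers around a small script that names the page's C2 indicators and a fake PE header); the function names are mine.

```python
import base64
import binascii
import re

# Regex for a run of base64 characters long enough to be a payload rather than a word.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{40,}={0,2}')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
DOMAIN = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)


def peel_base64(blob: bytes, max_depth: int = 10) -> list:
    """Return [blob, layer1, layer2, ...], decoding the longest base64 run at each step
    until nothing decodes cleanly or max_depth is reached."""
    layers = [blob]
    for _ in range(max_depth):
        runs = B64_RUN.findall(layers[-1])
        if not runs:
            break
        token = max(runs, key=len)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            break
        layers.append(decoded)
    return layers


def extract_iocs(data: bytes) -> dict:
    """Pull IPv4 addresses and domain names out of a decoded layer (binary-safe via latin-1)."""
    text = data.decode('latin-1')
    return {
        'ips': sorted(set(IPV4.findall(text))),
        'domains': sorted(set(DOMAIN.findall(text))),
    }


def carve_pe(data: bytes) -> list:
    """Return byte slices starting at each MZ header whose e_lfanew points at a 'PE\\0\\0' signature.
    Like foremost, the slice runs to the end of the buffer; trimming to the real image size
    would require parsing the section table."""
    found = []
    for m in re.finditer(rb'MZ', data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3c:off + 0x40], 'little')
        sig = off + e_lfanew
        # Sanity bound on e_lfanew: past the 64-byte DOS header, but not absurdly far away.
        if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b'PE\x00\x00':
            found.append(data[off:])
    return found


# --- Constructed sample input (not real malware) ---------------------------------
def _fake_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    dos[0x3c:0x40] = (64).to_bytes(4, 'little')      # e_lfanew -> right after DOS header
    coff = b'\x4c\x01' + b'\x00' * 18                  # Machine=i386, rest of COFF header zeroed
    return bytes(dos) + b'PE\x00\x00' + coff


INNER = (b'var c2 = "fa8072.com,f0fff0.com,db7093.com,'
         b'195.2.240.79,95.215.1.57,31.184.194.39";\n') + _fake_pe()


def _wrap(payload: bytes, depth: int) -> bytes:
    """Wrap payload in `depth` layers of script-style base64 stubs, mimicking the nesting seen above."""
    blob = payload
    for _ in range(depth):
        blob = b'var s = "' + base64.b64encode(blob) + b'"; eval(decode(s));'
    return blob


SAMPLE = _wrap(INNER, 3)


def analyze(blob: bytes) -> dict:
    layers = peel_base64(blob)
    innermost = layers[-1]
    return {
        'layers': len(layers) - 1,
        'iocs': extract_iocs(innermost),
        'pe_files': len(carve_pe(innermost)),
    }


if __name__ == '__main__':
    report = analyze(SAMPLE)
    print(f"base64 layers peeled: {report['layers']}")
    print(f"domains: {report['iocs']['domains']}")
    print(f"ips: {report['iocs']['ips']}")
    print(f"PE files carved: {report['pe_files']}")
```

In practice you would feed the decoded data of the "a" value (after the Script Encoder step) into `peel_base64`, run `extract_iocs` over every layer rather than only the last one, and write each slice from `carve_pe` to disk before hashing it and checking it against VirusTotal.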
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.