Replaying Regin in PANDA

Regin, a piece of state-sponsored malware that may have been used to attack telecoms and cryptographers, has recently come to light. There are several good writeups out there, and I encourage you to check them out.

Getting access to samples in cases like this is often a challenge. Luckily, both The Intercept and VXShare (warning: both links contain live malware) have released samples thought to be associated with Regin, so that others can perform independent analysis. So far, it appears that the samples are all of the "stage1" component of the malware, rather than the initial "stage0" infector or the later stages.

In order to allow others to do dynamic analysis of this malware, I built a very small malware sandbox setup using PANDA. The sandbox essentially just executes a sample for five minutes, recording it using PANDA's record and replay facility. The process is slightly complicated by the fact that most of the stage1 samples are kernel-mode components; to (hopefully) deal with this I use the sc utility to create and start a service with the malware sample.

So, for normal executables:

start sample.exe

And for the kernel mode components:

sc create sample binPath= sample.exe type= kernel
sc start sample

So, without further ado, here are the recordings, associated PCAPs, and videos of the samples being executed:

http://laredo-13.mit.edu/~brendan/regin/

The index.txt file shows the mapping between the original sample names and the auto-generated names used by the malware sandbox, along with the MD5s of each sample. Note that I have not tried to ensure that these samples really are Regin, and at least one (sample ID 26ed64ef-fcde-4171-99aa-e1e46301315d, MD5 0e783c9ea50c4341313d7b6b4037245b) seems to in fact be a QQ info stealer. There are also a few duplicates due to overlaps in the samples provided by The Intercept and VXShare; I have kept both in case a differential analysis between two runs turns out to be useful.

Happy malware analysis! And if you have more samples, please get in touch on Twitter (@moyix) or email me!

Comments

Popular posts from this blog

Someone’s Been Messing With My Subnormals!

Decrypting LSA Secrets

SysKey and the SAM