Monday, April 16, 2018

Practical Malware analysis tutorial - Part 2 - Basic Dynamic analysis

Dynamic analysis is any examination performed after executing the malware. Usually, you gain more insight into the functionality of the malware with dynamic analysis than with basic static techniques alone. Since the malware is actually executed, utmost precaution must be taken, as this can put the host system or the network at risk.

A few dynamic analysis techniques are described below:

Sandboxes:

Sandboxes are automated software packages that execute the malware and collect various artifacts, such as process execution artifacts, file and registry artifacts, network traffic, etc., for us to analyze.
But, as suggested in Part 1 of this tutorial, it is never a good idea to upload samples from targeted attacks to online sandboxes, as this might alert the attacker to the analysis efforts.

A few notable online sandboxes are Hybrid Analysis (https://www.hybrid-analysis.com/), Any.Run (https://any.run/) and malwr.com.

One good offline sandbox is Cuckoo Sandbox: https://cuckoosandbox.org/



Running malware and monitoring it manually:

You can run the malware on the analysis VM and use various tools to monitor it. I'll describe a few commonly used tools below.



Tools from the Sysinternals Suite are very helpful in performing analysis. You can find it here:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Process Monitor (Procmon) is one such tool which can be used to monitor registry, file system, network, process and thread activity. It has very good filtering capabilities, enabling us to effectively analyze the events it generates.
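As an added example (not from the original post or from the Practical Malware Analysis book), here is a small Python script that applies the kind of filtering Procmon offers to a CSV export of its events (File > Save, CSV format): it keeps only events from the sample's process names, drops the noise from other processes, and summarises successful file writes, registry values set, network connections and failed operations. The CSV rows are constructed to mimic Procmon's export column layout; the process names, paths and the MalService name echo the lab write-ups and are not real captured data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Procmon CSV export. The process
# names, paths and service name echo the Lab 1-1 / Lab 1-2 write-ups; the
# explorer.exe row is unrelated noise that the filter should drop.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","Lab01-01.exe","1234","CreateFile","C:\Windows\System32\kerne132.dll","SUCCESS","Desired Access: Generic Write"
"10:02:11.2234567 AM","Lab01-01.exe","1234","WriteFile","C:\Windows\System32\kerne132.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.3234567 AM","Lab01-01.exe","1234","ReadFile","C:\Windows\System32\ntdll.dll","SUCCESS","Offset: 0, Length: 512"
"10:02:11.4234567 AM","Lab01-01.exe","1234","CreateFile","C:\Users\analyst\secret.docx","NAME NOT FOUND","Desired Access: Generic Read"
"10:02:12.0234567 AM","Lab01-02.exe","2345","RegSetValue","HKLM\System\CurrentControlSet\Services\MalService\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 64, Data: C:\Lab01-02.exe"
"10:02:12.1234567 AM","Lab01-02.exe","2345","TCP Connect","analysis-vm:49152 -> www.malwareanalysisbook.com:80","SUCCESS","Length: 0"
"10:02:12.2234567 AM","explorer.exe","900","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState","SUCCESS","Type: REG_BINARY, Length: 36"
'''


def category(operation):
    """Map a Procmon operation name onto the four event classes Procmon itself filters on."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    return "file"


def summarize(csv_text, process_names):
    """Filter a Procmon CSV export down to the given process names and summarise what they did."""
    summary = {
        "counts": defaultdict(int),   # events per category for the filtered processes
        "file_writes": set(),         # paths the sample wrote to (host-based indicators)
        "registry_sets": set(),       # registry values the sample set (persistence, config)
        "network": set(),             # endpoints the sample talked to (network-based indicators)
        "failed": set(),              # (operation, path) pairs that did not succeed
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] not in process_names:
            continue                  # same effect as a Procmon "Process Name is ..." include filter
        op = row["Operation"]
        summary["counts"][category(op)] += 1
        if row["Result"] != "SUCCESS":
            summary["failed"].add((op, row["Path"]))
            continue
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in row["Detail"]):
            summary["file_writes"].add(row["Path"])
        elif op == "RegSetValue":
            summary["registry_sets"].add(row["Path"])
        elif category(op) == "network":
            summary["network"].add(row["Path"])
    summary["counts"] = dict(summary["counts"])
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_PROCMON_CSV, {"Lab01-01.exe", "Lab01-02.exe"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Failed operations are worth keeping rather than discarding: a CreateFile that ends in NAME NOT FOUND tells you which file the sample was looking for, which is exactly the kind of host-based indicator the lab write-ups collect.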

Process Explorer (Procexp) is another tool from the Sysinternals Suite. It shows the processes running on a system in a tree view with parent-child relationships, along with the DLLs each process has loaded and the handles it holds.


Network traffic of all sorts can be analyzed by running Wireshark and capturing network traffic.

Fiddler can be used to capture HTTP traffic if the malware uses WinInet API for network calls.

FakeNet-NG, which is available in FLARE VM, is a great way to capture network traffic. This tool spoofs whatever network services the malware is looking for and logs the requests sent to it.

We'll have a look at how to use some of the tools mentioned above in the next labs walkthrough post.



Wednesday, April 4, 2018

Practical Malware analysis tutorial - Part 1 - Basic Static analysis - Labs walkthrough

Lab Walkthroughs:


Lab 1-1:
  1. Upload Lab01-01.exe and Lab01-01.dll to VirusTotal. You'll see that both of them are identified as a Trojan/Win32 variant.
  2. Looking at the TimeDateStamp field of the File Header, the compile timestamps are 0x4D0E2FD3 (Sun Dec 19 21:46:19 2010) and 0x4D0E2FE6 (Sun Dec 19 21:46:38 2010).
  3. Looking at the strings and the Import Directory, there doesn't seem to be any indication that the exe and the dll are packed or obfuscated.
  4. The exe imports mainly file-based APIs, which indicates it searches for files. The DLL has imports from WS2_32.dll, which indicates it has some networking functionality.
  5. Looking at the strings of both samples, one host-based indicator is "C:\Windows\system32\kerne132.dll".
  6. Connections to the IP address 127.26.152.13 can be considered a network-based indicator.
  7. The purpose of these samples is probably to search for files and send them over to a remote host.


Lab 1-2:

  1. The sample is identified as a Win32.Trojan.Downloader variant on VirusTotal.
  2. From the Import Directory, we can see that LoadLibrary, VirtualAlloc and GetProcAddress are present. This almost always means that the code is packed and these APIs are used to unpack it into memory. Also, the sections are named UPX0, UPX1 and UPX2, which indicates that the UPX packer was used to pack this executable. The file can be unpacked by running the UPX utility itself.
  3. The imports CreateService and InternetOpenUrl indicate that the malware may create a service and connect to a URL.
  4. The presence of the service MalService can be checked for. Also, network traffic to http://www.malwareanalysisbook.com can be checked to identify an infection.

Lab 1-3:

  1. VirusTotal detects the sample as a generic Windows trojan.
  2. The sample looks packed because of the very low number of imports and the absence of meaningful strings. CFF Explorer detects that it is packed with the FSG packer.
  3. Only LoadLibrary and GetProcAddress are present in the imports, so not much can be said about the functionality of the actual application without unpacking the sample.
  4. No host-based or network-based indicators can be determined.

Lab 1-4:
  1. VirusTotal detects this sample as a generic Windows downloader.
  2. The sample is not packed, as neither the import directory nor the strings are obfuscated.
  3. The compile timestamp is Sat Aug 31 03:56:59 2019.
  4. Imports such as FindResource, LoadResource, CreateProcess and OpenProcess indicate that the sample may be loading another executable from its resource section and executing it.
  5. \system32\wupdmgrd.exe and http://www.practicalmalwareanalysis.com/updater.exe are some of the indicators.
  6. The resource section contains another PE executable which has functionality to download a file from the Internet.

Practical Malware analysis tutorial - Part 1 - Basic Static analysis

Basic static analysis:



Static analysis is usually the first step when analyzing any malicious sample. The sample is never run during static analysis. Some common techniques are described below:


AV scanning:

Common malware is usually detected by most AVs based on file signatures. It is best to check with multi-AV scanners such as VirusTotal or Hybrid Analysis, which also provide a detailed report of the sample's behavior. But make sure you don't share your samples in the case of targeted attacks, as this would alert the attacker, who could then take steps to cover his tracks. The ideal way is to search VirusTotal for the hash of the file and check whether it has already been uploaded by someone.


Strings:

By extracting the strings present in an executable, a lot can be deduced about its behavior. Bits of information such as Windows API names, URLs, IP addresses, useful text, etc., can be extracted.

Some good tools to extract strings on Windows are GNU strings, Sysinternals Strings and FireEye FLOSS.
FLOSS from FireEye is a very good tool for extracting strings, as it also performs some dynamic extraction instead of just static extraction. You can find FLOSS here: https://github.com/fireeye/flare-floss

PE Header:

By analyzing the PE header, a lot of information can be obtained about the sample. Some important fields that can be read from the PE header are the imports, exports, time date stamp, sections and resources.

A very good resource for learning more about the PE header is the Life of Binaries (LoB) course by Xeno Kovah at OpenSecurityTraining.info
URL: http://opensecuritytraining.info/LifeOfBinaries.html

You can test your understanding by playing the game roxor: https://code.google.com/archive/p/roxor-arcade/wikis/BinaryScavengerHunt.wiki


PE Studio and CFF Explorer are some very good tools that can be used for PE header analysis.
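As an added example (not from the post, the book, PE Studio or CFF Explorer), here is a dependency-free Python parser for the PE header fields discussed above, written in the direction of the Lab 1-1 and Lab 1-2 write-ups. It reads the DOS header, the COFF file header (Machine, NumberOfSections, TimeDateStamp) and the section table, converts the compile timestamp to UTC, and applies two common packing heuristics: section names left behind by UPX (as seen in Lab 1-2) and sections that are executable yet have no data on disk, or are writable and executable at the same time. The import directory is not parsed here. The two images it parses are built in memory by the script itself, reusing the two timestamps from the Lab 1-1 write-up; the packer section names beyond UPX0/UPX1/UPX2 are an assumption.

```python
import datetime
import struct

# Section Characteristics flags, as defined in the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names packers are known to leave behind. UPX0/UPX1/UPX2 are the names
# seen in Lab 1-2; the remaining entries are an assumption for illustration.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"}


def parse_pe(data):
    """Parse the DOS header, COFF file header and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size                             # section table follows the optional header
    for i in range(num_sections):
        (raw_name, vsize, vaddr, raw_size, raw_ptr, _relocs, _lines, _nrelocs, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_pointer": raw_ptr,
            "characteristics": flags,
        })
    when = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "timestamp_utc": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": characteristics,
        "sections": sections,
    }


def packer_indicators(info):
    """Return human-readable reasons why the parsed image looks packed (empty list if none)."""
    reasons = []
    for s in info["sections"]:
        flags = s["characteristics"]
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section name {s['name']!r} belongs to a known packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and flags & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"section {s['name']!r} is executable but has no data on disk (unpacking target)")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"section {s['name']!r} is both writable and executable")
    return reasons


def build_sample_pe(timestamp, section_specs):
    """Build a minimal, constructed PE image (headers only) so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE header right after the DOS header
    optional = bytes(224)                                     # PE32 optional header; zeros suffice here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), timestamp, 0, 0, len(optional), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, vaddr, raw, ptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, raw, ptr, flags in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# Constructed samples: a UPX-style layout like Lab 1-2, and a normal compiler layout.
UPX_STYLE = build_sample_pe(0x4D0E2FD3, [
    ("UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x6000, 0x11000, 0x5800, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x17000, 0x400, 0x5C00, 0xC0000040),
])
CLEAN_STYLE = build_sample_pe(0x4D0E2FE6, [
    (".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
    (".rdata", 0x1000, 0x6000, 0x1000, 0x5400, 0x40000040),
    (".data", 0x1000, 0x7000, 0x400, 0x6400, 0xC0000040),
])

if __name__ == "__main__":
    for label, image in (("upx-style", UPX_STYLE), ("clean", CLEAN_STYLE)):
        info = parse_pe(image)
        print(label, info["timestamp_utc"], [s["name"] for s in info["sections"]])
        for reason in packer_indicators(info):
            print("  -", reason)
```

To run it on a real file, pass `open(path, "rb").read()` to parse_pe. The timestamp comes out in UTC, so it will differ from the local-time values in the Lab 1-1 write-up by your timezone offset; the hex value is the same either way.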

The next part will have a walkthrough of the Labs of Chapter-1 of Practical Malware Analysis book.