Practical Malware analysis tutorial - Part 2 - Basic Dynamic analysis

Dynamic analysis is any examination after executing the malware. Usually, you can gain more insight into the functionality of the malware using dynamic analysis than just basic static techniques. Since the malware is being executed, utmost precaution must be taken as this can put the host system or network at risk.

Few dynamic analysis techniques are described below:

Sandboxes:

Sandboxes are automated software packages that execute the malware and collect various artifacts such as process execution artifacts, file, registry artifacts, network traffic etc., for us to analyze.
But, as suggested in Part 1 of this tutorial, it is never a good idea to upload samples to online sandboxes in targeted attacks, as this might alert the attacker about the analysis efforts.

Few notable online sandboxes are Hybrid analysis, https://www.hybrid-analysis.com/, Any.Run https://any.run/, malwr.com.

One good offline sandbox is Cuckoo sandbox https://cuckoosandbox.org/



Running malware and monitoring it manually:

You can run the malware on the analysis VM and use various tools to monitor it. I'll describe a few commonly used tools below.



Tools from Sysinternals Suite are very helpful in performing analysis. You can find it here:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Process Monitor (Procmon) is one such tool which can be used to monitor registry, file system, network, process and thread activity. It has very good filtering capabilities, enabling us to effectively analyze the events it generates.

Process Explorer (Procexp) is another tool from Sysinternals Suite which can be used to monitor the process running on a system in a tree style with parent-child relationship, the DLLs loaded, handles used,


Network traffic of all sorts can be analyzed by running Wireshark and capturing network traffic.

Fiddler can be used to capture HTTP traffic if the malware uses WinInet API for network calls.

FakeNetNG which is available in FlareVM is a great way to capture network. This tool spoofs whatever network services the malware is looking for and logs the requests sent to it.

We'll have a look at how to use some of the tools mentioned above in the next labs walkthrough post.

Practical Malware analysis tutorial - Part 1 - Basic Static analysis - Labs walkthrough

Lab Walkthroughs:

Lab 1-1:

1. Upload Lab01-01.exe annd Lab01-01.dll to VirusTotal. You'll see that both of them are identified as Trojan/Win32 variant.
2. Looking at the TimeDateStamp field of File Header, the compile timestamp is 0x4D0E2FD3 (Sun Dec 19 21:46:19 2010) and 0x4D0E2FE6 (Sun Dec 19 21:46:38 2010)
3. Looking at the strings and Import directory there doesn't seem to be any indication that the exe and dll are packed or obfuscated.
4. The exe imports mainly file based API, which indicates it searches for files. The DLL has imports from WS2_32.dll, which indicate that it has some functionality related to networking.
5. Looking at the strings of both samples, one host based indicator is "C:\Windows\system32\kerne132.dll"
6. Connections to the IP address 127.26.152.13 can be considered as network based indicator.
7. Probably the purpose of these samples would be to search for any files and send them over to a remote host.

Lab 1-2:

1. The sample is being identified as a Win32.Trojan.Downloader variant on VirusTotal.
2. From the Import Directory, we can see that LoadLibrary, VirtualAlloc, GetProcAddress are present. This almost always means that the code is packed and these APIs are used to unpack the code into memory. Also, the sections are named UPX0, UPX1, UPX2 which indicates UPX packer has been used to pack this executable. The file can be unpacked by running the UPX utility to unpack.
3. The imports CreateService and InternetOpenUrl indicate that the malware may create a service and connect to a URL.
4. The service MalService can be checked. Also, network traffic to http://www.malwareanalysisbook.com can be checked for identifying infection.

Lab 1-3:

1. VirusTotal detects the sample as a generic Windows trojan.
2. It looks like the sample is packed because of the very low number of imports and no meaningful strings inside it. CFF explorer detects that it is packed by FSG packer.
3. Only LoadLibrary and GetProcAddress are present in the imports. So, nothing much could be said about the functionality of the actual application without unpacking this sample.
4. No host or network based indicators can be determined.

Lab 1-4:

1. VirusTotal detects this sample as a generic Windows downloader.
2. The sample is not packed as there is no obfuscation of import directory or the strings.
3. The compile timestamp is Sat Aug 31 03:56:59 2019.
4. Imports such as FindResource, LoadResource, CreateProcess, OpenProcess indicate that the sample may be loading another executable from its resource section and executing it.
5. \system32\wupdmgrd.exe, http://www.practicalmalwareanalysis.com/updater.exe are some of the indicators.
6. The resource section contains another PE executable which has functionality to download a file from the Internet.

Practical Malware analysis tutorial - Part 1 - Basic Static analysis

Basic static analysis:

Static analysis is usually the first step that is followed when analyzing any malicious sample. The sample is never run during static analysis. Some common techniques are described below:


AV scanning:

Common malware are usually detected by most AV based on file signatures. It is best to check using multi AV scanners such as Virus Total, Hybrid Analysis which provide a detailed report of the behavior of the sample. But, make sure you don't share your samples in case of targeted attacks as this would alert the attacker and take steps to cover his tracks. Ideal way is to search for the hash of the file on VirusTotal and check if it has been already uploaded by anyone.


Strings:

 By extracting strings present in an executable, a lot can be deduced about the behavior. Bits of information such as the Windows APIs, URLs, IP Addresses, useful text information etc., can be extracted.

Some good tools to extract strings on Windows are GNU Strings, SysInternals Strings and FireEye Floss.
Floss from a FireEye is a very good tool to extract strings as it includes some dynamic extraction too instead of just static extraction. You can find Floss here: https://github.com/fireeye/flare-floss

PE Header:

By analyzing the PE header a lot of information can be obtained about the sample. Some important fields that can be captured from PE header are  Imports, Exports, Time date stamp, Sections, Resources.

A very good resource for learning more about PE header is the Life of Binaries(LoB) course by Xeno Kovah at OpenSecurityTraining.info
URL: http://opensecuritytraining.info/LifeOfBinaries.html

You can test your understanding by playing the game roxor:  https://code.google.com/archive/p/roxor-arcade/wikis/BinaryScavengerHunt.wiki


PE Studio and CFF Explorer are some very good tools that can be used for PE header analysis.

The next part will have a walkthrough of the Labs of Chapter-1 of Practical Malware Analysis book.

Practical Malware analysis tutorial - Part 0 - Analysis VM setup

It is essential to have an isolated machine when analyzing malicious samples, so as not to infect our own networks or systems.

The VM setup that I find very useful is a Windows 7 + Flare VM environment running on VirtualBox.

FlareVM is a great customizable VM environment from FireEye which includes lot of tools that are useful in Malware analysis and reverse engineering. I'll try to write about the tools as and when their use arises.

You can find FlareVM here:  https://github.com/fireeye/flare-vm

Network:

Configuring network options correctly is essential as ideally malicious samples should not be allowed to make network connections to external hosts because this might result in compromise of other assets in our network.

VirtualBox offers various network options that can be configured. I'll describe some useful configurations here:

• NAT connection: This configuration is useful only when you need Internet access for the VM. It is not recommended to use this configuration when a malware sample is live on the VM. Only use this on a fresh snapshot of the VM when you need Internet access to install any software/tool or to update the VM.
• Internal network: This configures all VMs to function as if they are in a local network. No Internet access will be allowed in this option.
• Bridged Adapter: This configures the VM to act as if it is a new device in the Host network. Never use this configuration because the malware will have direct access to the Host network.

Shared Folders:

Sometimes you'll find the need to share files between your Host machine and the analysis machine. VirtualBox provides a Shared Folders feature which you can enable to have some folders shared between Host and Guest machines. But be sure to never give Read/Write access to a folder which you access routinely on the Host machine. It is always better to create a new folder on a separate drive and give Read/Write access to only it.

Practical Malware analysis Tutorial series

I've decided to refresh my malware analysis skills, so I picked up the book "Practical Malware analysis" by Michael Sikorski and Andrew Honig. I'll go through each of  the chapters and try to write a brief overview of it and also provide a walkthrough of the labs. There are about 22 chapters and I'll try to finish each in 3 days, so probably the entire series would be done in around 60 days.


Please note that I am not an absolute beginner in malware analysis and reverse engineering so I would be finishing the initial chapters quickly, though I would try to keep the content beginner friendly and provide adequate resources wherever required.