Malware Analysis Part 1.1 : Basic Static Analysis

I've decided to improve my previous entry about Malware Analysis 1. I've learnt several tools and techniques that obtained from ENISA training sheets and Sam Class. Thanks ENISA  and SAM for a good stuff!

So I just used malicious sample from Practical Malware Analysis Lab for this analysis. 

 -----------------------------------------------
Detecting and Unpacking Packers
-----------------------------------------------

This is a techniques that has been used by malware author to obfuscate or evade from AV detection. First, upload the malware sample into PEid:


Indicates that the malware was using UPX packer. Then use ExeInfo PE for further verification. 


Confirmed that malware was using UPX and use advance scan by clicking '>' button.


Then unpacking the malware using UPX


Re-analyzed the sample by using PEiD. Its recognized the sample as Microsoft Visu C++ file.










-----------------------------------------------
Strings Analysis
-----------------------------------------------

Searching through strings can be simple way to get hints about the functionality of a program by observe multiple Win . For instance, if the program accesses a URL, we will see the URL stored as a string in the program. Or if the program connects to C&C, the IP address will appear in the strings. 

It can be done by upload the unpacked malware and click Go button to extract strings.


The import from kernel32.dll and msvcrt.dll are imported by nearly every program. Advapi32.dll (CreateService) indicates that the code creates a service.


Then ,the imports from wininet.dll indicates this code connects to the Internet 


Notice that, http://www.malwareanalysisbook.com which probably link opened by InternetOpenURL. And MalService could be the name of the service that is created. Based on above analysis, found the several indicators this malware will connect to Internet and create suspicious services.

-----------------------------------------------
Examining PE Files
-----------------------------------------------

PE file format stores interesting information within its header. Use PEview tool to browse through the information.


The Time Date Stamp informed that when the executable file was compiled. It is useful information for malware analysis for instances, its can inform the malware is an older attack and antivirus might contain signatures for the malware. However, the malware author can easily fake the compile time


IMAGE_OPTIONAL_HEADER and the address of the entry point (EP) will be used for the next step to determine in which PE section the entry point is located.

--------------------------------------------------------------------
Exploring Dynamically Linked Functions and Import Table Analysis
--------------------------------------------------------------------

Dynamic linking is the most common and interesting in malware analysis. When libraries are dynamically linked, the host OS searches for the necessary libraries when the program is loaded. When the program calls the linked library function, that function executes within library. 



By uploading sample into Depedency Walker, we noticed that the sample was import 4 DLL [kernel32.dll, advapi32.dll, msvcrt.dll and wininet.dll]. For example, the program import the function InternetOpenUrl, it indicates that it parses the URL string, establishes a connection to the server, and prepares to download the data identified by the URL. Alternatively, we can use CFF Explorer to analyze Import Address Table (IAT).


The imports from Kernel31.dll shows that this program or file can manipulate processes (ExitProcess) and files (SystemTimeToFileTime and GetModuleFileNameA). 


The imports from Advapi32.dll shows that the program creates a service (CreateServiceA).


Meanwhile, the imports from Wininet.dll tell us the program will connect to Internet once the host infected. 

-----------------------------------------------
Searching for embedded objects

-----------------------------------------------
Malware might sometimes contain embedded objects outside of the resources section. Exeinfo PE tool has a special function allowing to scan any file for embedded objects in popular formats such as PE files, MSI files, Word documents, images, etc.

Using Exeinfo PE and clicking on the Rip button. Then choose what type of object Exeinfo PE should search for, or choose the I’m hungry for Ripping option to search for all known file types.


If any embedded objects are be found they will be saved to the same directory in which the analyzed sample resides.


In this binary sample, there are 2 icons and 2 zip files found. 

-----------------------------------------------
Viewing the Resource Section

-----------------------------------------------

 Then use Resource hacker tool to browse the .rsrc section. By using this tool, we will see the strings, menus, icons and etc.

The icon section lists images shown when the executable is in the listing.


The version Info section contains a version number and often the company name and a copyright statement.

* The last 2 exercise I've used differen sample called LockControl.ex_. 

Comments

Post a Comment

Popular posts from this blog

Port Scanning, Intrusion Detections, and Packet Analysis by Using Nmap, Snort and Wireshark

Image
Motivated from the following article, http://faculty.scf.edu/bodeJ/CIS2352/NMAP%20Detection%20and%20Countermeasures.pdf Then, I’ve setup Virtual Lab to see how to analyze the different type of scanning on packet and IDS perspectives. Kali Linux as an attacker machine that will running Nmap for scanning activities and capturing traffics by using Wireshark. I’ve installed Snort on Ubuntu 12 LTS Server as IDS and enable portscan configurations and store log in /var/log/snort/portscan.log.   Metasploitable Linux as a victim machine. Portscan detection.   For more information, see README.sfportscan preprocessor sfportscan: proto   { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log } Configurations of my Virtual Lab:    Kali Linux                  Snort IDS               Metasploitable Linux [192.168.197.209] --->   [192.168.197.217]  --->     [192.168.197.216]             
Read more

Penetration Testing on Windows XP SP2/ SP3 by Exploiting a Vulnerability in Windows Samba Service {ms08-67}.

{Requirements:} ———————— All Machines Running on VM 1. Kali Linux (172.16.66.193) 2. Windows XP SP2 (172.16.66.193) 3. IDS - Suricata {Scan for open ports:} ———————————- root@fikri:~# nmap -n -sV 172.16.66.199 Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-17 10:25 MYT Nmap scan report for 172.16.66.199 Host is up (0.11s latency). Not shown: 918 closed ports, 79 filtered ports PORT    STATE SERVICE      VERSION 135/tcp open  msrpc        Microsoft Windows RPC 139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds MAC Address: 00:0C:29:D1:55:23 (VMware) Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 48.51 seconds {Exploit:} ————— msf > use exploit/win
Read more

Malware Analysis Part 2: Using RemNux

Malware Analysis  Part 2 - By Using Multiple Tools on Remnux Machine {Peframe, Pyew, Upx, Pescanner, ExeScan} ———————————————————————————————————————————————————— remnux@remnux:~/Desktop/Labs/Chapter_1L$ peframe Lab01-02.exe  Short information ------------------------------------------------------------ File Name          Lab01-02.exe File Size          3072 byte Compile Time       2011-01-19 11:10:41 DLL                False Sections           3 Hash MD5           8363436878404da0ae3e46991e355b83 Hash SHA-1         5a016facbcb77e2009a01ea5c67b39af209c3fcb Imphash            096aa05b8a2e1f2dc66fc73a1a978a7b Detected           Packer Directory          Import Packer matched [1] ------------------------------------------------------------ Packer             UPX -> www.upx.sourceforge.net Suspicious API discovered [8] ------------------------------------------------------------ Function           CreateServiceA Function           ExitP
Read more