Malware Analysis: Dynamic Analysis

Dynamic analysis is any examination performed after executing the malware. This technique requires the analyst to execute the malicious code in a virtual machine in order to observe what changes it makes to the operating system. Based on the observed changes, we try to figure out how the malware works and what the indicators of infection on the system are. The behavioral analysis will cover the following topics:

·         Detecting new process creation
·         Detecting file system and registry changes
·         Detecting rootkit artifacts using GMER
·         Analyzing in-memory strings
·         Monitoring system events

1.   Preparing the analysis

Set up a clean Windows machine and take a snapshot of it as the clean version. Install tools such as Regshot, Process Explorer and Process Monitor in the Windows machine. Then use INetSim, installed on a Linux machine, to simulate common Internet services.


After starting INetSim, start the following tools: Process Explorer, Process Monitor and Regshot.


In Process Monitor, disable event capture and clear the capture view.

2.   Executing the malware

Run Regshot, take the first shot and save its results to any directory. Then create a clean image by taking a VM snapshot and naming it “Clean VM” or similar.



Once the first shot is finished, the 2nd shot button becomes active. At this point, start event capturing in Process Monitor.

Execute the malware sample and, at the same time, watch the process list in Process Explorer for any changes. Let the malware run and infect the machine for a few minutes, until it is fully loaded in the system and has finished its installation routines. Then take the 2nd shot in Regshot.


3.   Analysis in Process Explorer



After executing the malware sample, a new process, 1102231642.exe, appears in the process list.


Further inspection of the process tree shows that the malware spawned 3 child processes: winlogon.exe, lsass.exe and win.exe (random names, different in each analysis).
   
Next, right-click winlogon.exe and choose Properties. Notice that the process spawned by the malware is located in the %LOCALAPPDATA%\Temp (C:\Users\ENISA\AppData\Local\Temp) directory. This is a typical location where malicious executables store their copies or drop other malware files.


Then go to the Strings tab and choose Memory. Strings found in memory differ from strings found in the image. There are various strings pointing to potential malware functionality.


This list of WinAPI functions is most likely imported dynamically by the malware during execution.



A suspicious URL with some PHP file names and a likely user-agent string is also visible. This suggests that the malware might use HTTP communication and that this might be the address of the C&C server.



There is also a URL formatting string that might be used in communication with the C&C server.

4.   Regshot Analysis

After completing the second shot in Regshot, the students should click the Compare button to detect file system and registry changes between the first and second shots. As a result, a Notepad window should appear with seven sections:

·         Keys added (registry)
·         Values deleted (registry)
·         Values added (registry)
·         Values modified (registry)
·         Files added (file system)
·         Files deleted (file system)
·         Files [attributes?] modified (file system) 

In the Values added section we see that the malware achieves persistence by adding the new value hsfio38fiosfh398rfisjhkdsfd = "C:\Users\ENISA\AppData\Local\Temp\win.exe" under HKU\S-1-5-21-606041777-3127973734 24514010581001\Software\Microsoft\Windows\CurrentVersion\Run\. This is a popular persistence mechanism used by malware, letting it be executed after each reboot.

----------------------------------
Values added: 26
----------------------------------
....
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Run\hsfio38fiosfh398rfisjhkdsfd: "C:\Users\fikri\AppData\Local\Temp\win.exe"

In the Values modified section we can see that the malware changed the values of Hidden and HideFileExt, which makes the operating system hide well-known file extensions and stop showing hidden files.

----------------------------------
Values modified: 20
----------------------------------
....
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000000
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000000
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000001

   In the Files added section we see that the malware added four executable files and one file with a .tmp extension.

----------------------------------
Files added: 19
----------------------------------
C:\Users\fikri\AppData\Local\Temp\lsass.exe
C:\Users\fikri\AppData\Local\Temp\skaioejiesfjoee.tmp
C:\Users\fikri\AppData\Local\Temp\win.exe
C:\Users\fikri\AppData\Local\Temp\winlogon.exe
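As an added example (not part of the ENISA exercise or of the Regshot tool), the following Python script parses the text report Regshot produces after Compare and pulls out the two indicators discussed above: new values under a CurrentVersion\Run key, and the old/new pairs of the Explorer\Advanced view settings. The report excerpt inside it is constructed from the entries shown above, with the section layout following Regshot's output.

```python
import re

# Constructed excerpt of a Regshot comparison report (the text file that opens
# after Compare). Layout follows Regshot; the entries mirror the ones above.
SAMPLE_REPORT = r"""----------------------------------
Values added: 1
----------------------------------
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Run\hsfio38fiosfh398rfisjhkdsfd: "C:\Users\fikri\AppData\Local\Temp\win.exe"
----------------------------------
Values modified: 2
----------------------------------
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000000
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000000
HKU\S-1-5-21-57354354-733244509-1090203162-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000001
"""

# Section headers look like "Values added: 26"; entries are "path: data".
SECTION_RE = re.compile(r"^([A-Za-z ?\[\]]+): (\d+)$")

def parse_regshot(report):
    """Split the report into {section name: [entry lines]}, dropping separators."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and not line.startswith("---") and current is not None:
            sections[current].append(line)
    return sections

def run_key_entries(sections):
    """New values under a CurrentVersion Run key: (value name, command)."""
    pairs = [e.partition(": ") for e in sections.get("Values added", [])]
    return [(p.rsplit("\\", 1)[-1], d.strip('"')) for p, _, d in pairs
            if "\\currentversion\\run\\" in p.lower()]

def explorer_view_changes(sections):
    """Values modified come as old/new line pairs; keep the Explorer view toggles."""
    lines = sections.get("Values modified", [])
    changes = {}
    for old, new in zip(lines[0::2], lines[1::2]):
        path, _, old_val = old.partition(": ")
        if "\\explorer\\advanced\\" in path.lower():
            changes[path.rsplit("\\", 1)[-1]] = (old_val, new.partition(": ")[2])
    return changes
```

Pointing parse_regshot at the full saved report triages all seven sections in one pass instead of scrolling through Notepad.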

5.   Process Monitor Analysis

After event capture is stopped, it is good to save the results for later analysis. Next, using the process tree (Tools -> Process Tree…), find the suspicious malware processes.



From the process Life Time column it is clear that the malware process (1102231642.exe) started first, spawned additional child processes and then quit. Right-click each malware process and choose “Add process to Include filter”. Now the only events visible in the main Process Monitor window will be those related to the selected processes.


Highlight the following operations: Process Create, WriteFile and Process Start. This can be done using the Process Monitor Highlighting dialog (Filter -> Highlight…). An alternative is to right-click a selected event and choose ‘Highlight’.


After applying the highlight filter, the main Process Monitor window should look similar to the following:



Next, the students should add include filters in the same manner (the highlight filter can now be disabled). Operations for the include filter: RegSetValue, WriteFile, Process Create. This can be done using the Process Monitor Filter dialog (Filter -> Filter…).


From the filtered events we are able to see that the main malware process isn’t responsible for setting persistence and modifying other registry values. It is the first spawned process (in this case login.exe) that installs itself in HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ and also creates the .tmp file in %LOCALAPPDATA%.

In general, the highlight feature is useful for analysing certain events with respect to other events. For example, to check which events accompanied each new process creation, highlight the Process Create operation and then analyse the events around each highlighted event. On the other hand, the include filter is useful when one needs to focus only on the group of events that meet given criteria and nothing else.

Double-clicking an event reveals additional information. Double-click one of the WriteFile events of the main 1102231642.exe process and switch to the Stack tab in the new dialog window.


In this window, the student can view the call stack of the calling process at the moment the event occurred. In this example, the event was the result of a CopyFileA call from the main malware process. Additional helpful information is the address at which the call took place, 0x404d70. This address can be used during more advanced static analysis to quickly locate the routine responsible for copying the new executable files.


Next, the students should view the Cross Reference Summary (Tools -> Cross Reference Summary…). This window shows which files and registry keys were written to or read from, and by which processes.



We can see that the .tmp file is written by only one spawned process. The rest of the processes only read this file. This means that the file might be used for IPC (Inter Process Communication) between the spawned processes. It is also worth noticing that the UserID key is written to only by the main malware process and read by the rest of the processes. This means that this key might be used to store configuration data for the other processes.

Then create a filter in Process Monitor that will show all writes to .exe files by any process on the system.
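The include filter and the write-to-.exe filter above can also be applied offline to a saved capture. This is an added example, not part of the exercise or of Process Monitor: it reads a Process Monitor CSV export (File -> Save…, CSV format, default columns) and reproduces the Operation include filter, the .exe write filter, the Run-key persistence check and a parent/child view from Process Create events. The events are constructed to mirror the behaviour described above, and the Detail column text is assumed to follow Procmon's "Type: …, Length: …, Data: …" form.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File -> Save... as CSV).
# Column layout is Procmon's default; the events are made up to mirror the
# behaviour described above (process, paths and value name from the write-up).
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:05.1000000 AM","1102231642.exe","2204","WriteFile","C:\Users\fikri\AppData\Local\Temp\winlogon.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:01:05.2000000 AM","1102231642.exe","2204","Process Create","C:\Users\fikri\AppData\Local\Temp\winlogon.exe","SUCCESS","PID: 2316, Command line: C:\Users\fikri\AppData\Local\Temp\winlogon.exe"
"10:01:05.3000000 AM","winlogon.exe","2316","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hsfio38fiosfh398rfisjhkdsfd","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\fikri\AppData\Local\Temp\win.exe"
"10:01:05.4000000 AM","winlogon.exe","2316","WriteFile","C:\Users\fikri\AppData\Local\Temp\skaioejiesfjoee.tmp","SUCCESS","Offset: 0, Length: 16"
"10:01:05.5000000 AM","winlogon.exe","2316","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:06.0000000 AM","explorer.exe","1540","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"""

INCLUDE_OPS = {"Process Create", "WriteFile", "RegSetValue"}

def parse_procmon_csv(text):
    """Rows of the export as dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text.strip())))

def include_filter(events, ops=INCLUDE_OPS):
    """Same effect as Filter -> Filter... rows 'Operation is <op> then Include'."""
    return [e for e in events if e["Operation"] in ops]

def exe_writes(events):
    """The filter from the write-up: every WriteFile to a .exe, by any process."""
    return [e for e in events
            if e["Operation"] == "WriteFile" and e["Path"].lower().endswith(".exe")]

def run_key_persistence(events):
    """RegSetValue under a CurrentVersion\\Run key: (process, value name, data)."""
    hits = []
    for e in events:
        if e["Operation"] == "RegSetValue" and "\\currentversion\\run\\" in e["Path"].lower():
            data = e["Detail"].split("Data: ", 1)[-1]
            hits.append((e["Process Name"], e["Path"].rsplit("\\", 1)[-1], data))
    return hits

def process_tree(events):
    """Parent process -> [child image paths], built from Process Create events."""
    tree = {}
    for e in events:
        if e["Operation"] == "Process Create":
            tree.setdefault(e["Process Name"], []).append(e["Path"])
    return tree
```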



6.   Searching for rootkit artifacts with GMER

In the final step of the analysis, the students will search for rootkit artifacts using the GMER tool. Depending on the GMER results, additional analysis steps may be taken, for example if GMER detects a new hidden file that wasn’t detected in any of the previous steps.

First close all open tools used in the first part of the exercise (Process Explorer, Process Monitor, etc.) and then start GMER.


Leaving the default analysis options (System, Sections, IAT/EAT, etc.) selected, click Scan to begin scanning the system. Depending on the VM size and resources, the scan might take some time (up to several minutes). To speed up the scan, a user might decide to choose fewer analysis options.


In this case, the first three changes reported by GMER (two hooks and a file system problem) are changes that GMER always reports on this system. Two additional entries report a suspicious structure in debug.exe, which indicates that some obfuscation was used. There are no changes indicating typical rootkit activity (e.g. hooks on many system functions, hidden files or hidden processes). Note that running GMER more than once can produce additional hits, for instance files in a temporary directory created during previous runs by the tool itself.