[Day 12] Malware Analysis Forensic McBlue to the REVscue!
Course
Learning Objectives
Learn the fundamentals of analysing malware samples without relying on automated sandbox scanners.
Learn and understand typical malware behaviour and its importance in the incident investigation pipeline.
Key Malware Behaviours
Before touching the malware sample for this task, we need to briefly introduce common malware behaviours so that we have a good idea of what to expect when handling malware samples.
A prominent word in cybersecurity, malware is software created to harm a computer or an entire network. Threat actors develop malware to achieve specific goals, such as infiltrating networks, breaching sensitive data, or disrupting operational services.
If you were to inspect several malware samples in the wild, a typical pattern emerges, which makes analysing further samples easier with experience. Knowing these common behaviours gives us an idea of what to look for on the defensive side, such as:
Network connections - Malware tends to establish either external network connections or internal connections. External connections allow remote access or the downloading of staged payloads from a threat actor's infrastructure. Meanwhile, internal connections allow for lateral movement, a technique used to extend access to other hosts or applications within the network.
Registry key modifications - Malware typically uses registry keys to establish persistence, a technique used by threat actors to discreetly maintain long-term access to a system despite disruptions. A good example is Registry Run Keys, which allows binaries to be automatically executed when a user logs in or the machine boots up.
File manipulations - Malware also tends to download (one of the common reasons to establish network connections) or create new files needed for its successful execution.
Given this knowledge, we can expect the possible behaviour of malware during an investigation.
Dangers of Analysing Malware Samples
WARNING: Handling a malware sample is dangerous. Always consider precautions while analysing it.
With this, here are some helpful tips when handling live malware:
Always assume that malware samples will infect your device; hence executing it is not always the first and only step in analysing it.
Only run the malware sample in a controlled environment that prevents potential compromise of unwanted assets.
It is always recommended to have your own sandbox, which allows you to execute malware samples worry-free.
A sandbox is a controlled test environment that mimics a legitimate end-user working environment. It gives analysts a safe environment to execute malware samples and learn their behaviour. Lastly, having a ready sandbox prevents analysts from running malware samples in their workstations, which is highly dangerous and impractical for the possibility of unwanted impact.
In a typical setup, sandboxes also provide automated analysis at the disposal of Security Analysts to determine if a binary from a set of malware samples requires further manual investigation.
For this task, you may start the attached FlareVM instance by clicking on the Start Machine button. This VM will serve as your sandbox. However, do not expect this machine to provide an automated analysis since we will assist Forensic McBlue in conducting manual analysis.
Note: If the VM is not visible, use the blue Show Split View button at the top-right of the page.
You may use the following credentials for alternative access via Remote Desktop (RDP):
Machine IP: 10.10.147.46
User: administrator
Pass: letmein123!
Static and Dynamic Analysis
We have understood the prerequisites needed to handle the malware safely from the previous section. Now, let’s have a quick refresher on the two methods of malware analysis.
Static Analysis is a way of analysing a malware sample without executing the code. This method mainly focuses on profiling the binary with its readable information, such as its properties, program flow and strings. Given the limitation of not executing it, sometimes this method gives insufficient information, which is why we resort to Dynamic Analysis.
Meanwhile, Dynamic Analysis mainly focuses on understanding the malware by executing it in a safe environment, such as a Sandbox. By doing this, you will see the malware live in action, its exact behaviour, and how it infects the environment.
Profiling Executables through Static Analysis
As discussed above, before popping the malware sample located in the Desktop\Malware Sample directory, let's conduct a Static Analysis of the mysterygift binary. For this exercise, we will mainly use the following tools: Detect It Easy and CAPA.
Detect It Easy
Right-click the sample and execute Detect It Easy (DIE). This tool provides information about the file, such as its architecture, significant headers, packer used, and strings. In this task, we will only utilise the basic functionalities of Detect It Easy to gain the basic information needed to analyse the binary. If you want to learn more about this tool, you may refer to this link.
Upon opening, we will immediately discover the binary’s architecture, and the executable packer used.
Packing malware is a common technique used by malware developers to compress, obfuscate or encrypt the binary. With this, contents such as significant strings and headers will not be immediately visible to Static Analysis Tools.
You may test this information by doing the following:
View the strings from Detect It Easy, which shows an overwhelming number of strings that are not that significant for investigation.
Note: Strings are pieces of text inside a binary, often containing information such as IP addresses, URLs, or file names used by the malicious program.
Run CAPA, which shows that the binary mostly hides its logic and analysis is affected due to a packer.
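The two facts Detect It Easy reports first, the architecture and the packer, come straight from the PE headers. The following script is an added example, not code from the room or from Detect It Easy: it reads the Machine field, the optional-header magic and the section names, and flags the UPX0/UPX1 section names and the `UPX!` marker that UPX leaves behind. The sample images it builds are constructed stand-ins with no code in them; DIE's own signature database goes well beyond this simple check.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "32-bit", 0x8664: "64-bit"}


def profile_pe(data: bytes) -> dict:
    """Return the architecture, PE format, section names and a UPX hint.
    Section names can be renamed by a packer, so treat 'packer' as a hint."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    machine, num_sections = struct.unpack_from("<HH", data, file_hdr)
    size_of_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    sections = opt_hdr + size_of_opt               # section table, 40 bytes per entry
    names = []
    for i in range(num_sections):
        raw = data[sections + 40 * i: sections + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    upx_names = any(n.upper().startswith("UPX") for n in names)
    return {
        "arch": MACHINE_NAMES.get(machine, hex(machine)),
        "format": "PE64" if magic == 0x20B else "PE32",
        "sections": names,
        "packer": "upx" if upx_names or b"UPX!" in data else None,
    }


def build_sample(machine: int, magic: int, section_names: list, packed: bool) -> bytes:
    """Constructed stand-in for a binary: DOS header, PE headers and empty
    section headers with no code. It is not the mysterygift sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE signature at 0x40
    opt_size = 0xF0 if magic == 0x20B else 0xE0
    file_hdr = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, magic)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    trailer = b"UPX!" if packed else b""          # marker UPX writes into packed files
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table + trailer


if __name__ == "__main__":
    packed = build_sample(0x8664, 0x20B, ["UPX0", "UPX1", ".rsrc"], packed=True)
    print(profile_pe(packed))    # UPX-style layout of a 64-bit image
    plain = build_sample(0x014C, 0x10B, [".text", ".data"], packed=False)
    print(profile_pe(plain))     # ordinary 32-bit layout, no packer hint
```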
CAPA
CAPA detects capabilities in executable files, whether that is the installation of a service, the invocation of network connections, registry modifications and the like.
To start playing with CAPA, fire up the command prompt located in the taskbar and navigate to the Malware Sample directory, as shown below.
C:\Users\Administrator>cd "Desktop\Malware Sample"
C:\Users\Administrator\Desktop\Malware Sample>capa mysterygift
loading : 100%|████████████████████████████████████████████████████████████| 485/485 [00:00<00:00, 1633.69 rules/s]
matching: 100%|██████████████████████████████████████████████████████████████████| 3/3 [00:02<00:00, 1.11 functions/s]
WARNING:capa:--------------------------------------------------------------------------------
WARNING:capa: This sample appears to be packed.
WARNING:capa:
WARNING:capa: Packed samples have often been obfuscated to hide their logic.
WARNING:capa: capa cannot handle obfuscation well. This means the results may be misleading or incomplete.
WARNING:capa: If possible, you should try to unpack this input file before analyzing it with capa.
WARNING:capa:
WARNING:capa: Use -v or -vv if you really want to see the capabilities identified by capa.
WARNING:capa:--------------------------------------------------------------------------------
Given the CAPA output, we have discovered that the malware sample is packed. You may have also seen previously from Detect It Easy that the binary is packed by UPX.
So now, let's unpack the binary using UPX and re-analyse the unpacked binary using CAPA.
C:\Users\Administrator\Desktop\Malware Sample>upx -d mysterygift
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96w Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
502169 <- 227737 45.35% win64/pe mysterygift
Unpacked 1 file.
C:\Users\Administrator\Desktop\Malware Sample>del mysterygift.viv
C:\Users\Administrator\Desktop\Malware Sample>capa mysterygift
You may observe that CAPA now has provided important information about the malware sample.
Note: We have executed del mysterygift.viv to delete the cached results of the first CAPA execution. By deleting the viv file, CAPA re-analyses the binary with accurate results.
With prior, yet limited, knowledge about the malware sample, let’s investigate more by doing a dynamic analysis!
Deep-dive into Dynamic Malware Analysis
You may have observed that we cannot execute the binary after double-clicking it, as its file extension is not .exe.
Before renaming and executing the binary, let’s prepare the tool we need for analysing its behaviour - ProcMon. ProcMon, or Process Monitor, is a Windows tool that shows real-time registry, file system, and process/thread activity. You can learn more about it here. You may access it via the taskbar beside cmd.exe.
Once opened, you will be prompted by the Process Monitor Filter, a feature that allows us to filter the results logged by ProcMon. In this case, we want to focus only on events generated by the mysterygift.exe process. Let's set the condition Process Name - is - mysterygift.exe, add the filter and choose OK to close the prompt.
Now, let’s prepare the malware sample for execution and rename it to mysterygift.exe.
C:\Users\Administrator\Desktop\Malware Sample>mv mysterygift mysterygift.exe
We are now ready to pop the malware. Navigate to the Malware Sample folder, double-click the binary and observe the results generated by ProcMon. It might be overwhelming at first but let’s utilise its functionalities to only show the information we want.
ProcMon has a panel that can filter the following, as highlighted in the image below (in sequence):
Show Registry Activity
Show File System Activity
Show Network Activity
Show Process and Thread Activity
Show Profiling Events
ProcMon Filter Panel
With these filters, we will focus on the first three: Registry, File System and Network. As discussed above, malware tends to do the following: Registry Modification, File Modification and Network Connections. Let's start investigating them one by one.
Registry Modification
First, we want to determine if any significant Registry Modifications are executed by the binary, which is one of the expected behaviours introduced in this task.
To do this, unclick all filters and only choose Show Registry Activity. This still yields many results, so let's narrow them down to Registry Key Creations and Modifications. Remove the following Operations by right-clicking an entry from the Operation column and choosing Exclude "<operation (e.g. RegQueryKey)>", similar to the image below:
RegOpenKey
RegQueryValue
RegQueryKey
RegCloseKey
Exclude Filter
The view from ProcMon should yield fewer results, similar to the image below.
ProcMon Registry Filter
You may observe that only one Registry Key has both RegCreateKey and RegSetValue. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.
File Modification
Now, let’s also determine if the malware sample executes File Creations. It may indicate that the malware drops prerequisite files for its successful execution.
Unclick all filters and choose the second filter - Show File System Activity. Again, the results are still numerous so let’s add extra filters by focusing only on File Write events. Remove the following Operations again by right-clicking an entry from the Operation column and choosing Exclude “<operation (e.g. CreateFile)>”:
CreateFile
CreateFileMapping
QuerySecurityFile
QueryNameInformationFile
QueryBasicInformationFile
CloseFile
ReadFile
The view from ProcMon should yield fewer results, similar to the image below.
ProcMon File System Filter
You may observe that two files are written under the C:\Users\Administrator directory. The first file is located in the user’s TEMP directory, which is commonly used by malware to drop another file for its disposal. The other file is written in the STARTUP directory, also used for persistence via Startup Folders.
Network Connections
Lastly, let’s confirm if the malware sample attempts to make a network connection. It may indicate that the malware communicates with external resources to download or establish remote access.
Unclick all filters and choose the third filter - Show Network Activity. Unlike the previous filters, the results are few and can be easily interpreted.
ProcMon Network Filter
Please take note of these domains, as we can use this information to investigate the rabbit hole further.
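The three ProcMon passes above (Registry Modification, File Modification and Network Connections) can be reproduced offline over a ProcMon CSV export (File > Save, CSV format). The script below is an added example, not part of the room: it applies the Process Name filter and the same Exclude lists the task uses, then pulls out the Run key data, the written file names and the remote domains. The CSV rows are constructed to mirror the events this task describes, and the column names assume ProcMon's default CSV export header.

```python
import csv
import io
import ntpath

# Operations the task excludes when looking for registry key creations/modifications.
REG_NOISE = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegCloseKey"}
# Operations the task excludes when looking for file writes.
FILE_NOISE = {"CreateFile", "CreateFileMapping", "QuerySecurityFile",
              "QueryNameInformationFile", "QueryBasicInformationFile",
              "CloseFile", "ReadFile"}

# Constructed ProcMon CSV export; the explorer.exe row shows the process filter at work.
SAMPLE = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:31:44.9000000 AM","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\.exe","SUCCESS","Type: REG_SZ"
"12:31:44.9500000 AM","mysterygift.exe","2276","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"12:31:45.0000000 AM","mysterygift.exe","2276","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"12:31:45.0003508 AM","mysterygift.exe","2276","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default)","SUCCESS","Type: REG_SZ, Length: 192, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat"
"12:31:45.0100000 AM","mysterygift.exe","2276","CreateFile","C:\Users\Administrator\AppData\Local\Temp\test.jpg","SUCCESS","Desired Access: Write"
"12:31:45.0200000 AM","mysterygift.exe","2276","WriteFile","C:\Users\Administrator\AppData\Local\Temp\test.jpg","SUCCESS","Offset: 0, Length: 4096"
"12:31:45.0300000 AM","mysterygift.exe","2276","WriteFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat","SUCCESS","Offset: 0, Length: 120"
"12:31:45.0400000 AM","mysterygift.exe","2276","CloseFile","C:\Users\Administrator\AppData\Local\Temp\test.jpg","SUCCESS",""
"12:31:46.0000000 AM","mysterygift.exe","2276","TCP Connect","flare-vm:49721 -> virustotal.com:https","SUCCESS","Length: 0"
"12:31:46.1000000 AM","mysterygift.exe","2276","TCP Connect","flare-vm:49722 -> bestfestivalcompany.thm:http","SUCCESS","Length: 0"
""".strip()


def triage(procmon_csv: str, process: str = "mysterygift.exe") -> dict:
    """Apply the task's ProcMon filters to a CSV export and summarise the
    registry, file-write and network behaviour of one process."""
    report = {"registry": [], "run_key_data": [], "written_files": [], "domains": []}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process:        # Process Name - is - <process>
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op.startswith("Reg"):
            if op in REG_NOISE:
                continue
            report["registry"].append((op, path))
            # A RegSetValue under a Run key is the persistence indicator to look for.
            if op == "RegSetValue" and "\\CurrentVersion\\Run" in path and "Data: " in detail:
                report["run_key_data"].append(detail.split("Data: ", 1)[1])
        elif op.startswith(("TCP", "UDP")):
            remote = path.split("->")[-1].strip()         # "host:port" of the remote end
            report["domains"].append(remote.rsplit(":", 1)[0])
        elif op not in FILE_NOISE:
            if op == "WriteFile" and path.lower().startswith(r"c:\users\administrator"):
                report["written_files"].append(ntpath.basename(path))
    report["written_files"] = sorted(set(report["written_files"]))
    report["domains"] = sorted(set(report["domains"]))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```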
Conclusion
We have covered several topics on this task about Malware Analysis. For a quick summary, we have learned the following:
Key behaviours of malware aid in having an overview of what to expect in examining malware samples.
The precautions needed to consider while handling malware samples and the importance of sandboxes.
Conduct a Static Analysis and profile the nature of the binary without executing it.
Perform a manual Dynamic Analysis and observe the interactions of the malware sample in the Registry, File System and Network.
The challenge
The course above is very detailed and explains exactly how to use CAPA and Detect It Easy to get all the information we need.
Question 1 : What is the architecture of the malware sample? (32-bit/64-bit)
The first step is to open the malware with Detect It Easy. To do that, open the Malware Sample folder, then right-click -> Detect It Easy.
In Detect It Easy, under file type, we see that it is a PE64 (64-bit portable executable).
Question 2 : What is the packer used in the malware sample? (format: lowercase)
Detect It Easy shows that the packer is upx.
Question 3 : What is the compiler used to build the malware sample? (format: lowercase)
Now we need to use capa. But before that, we have to unpack the file. /!\ As said in the course, CAPA creates a .viv file so that it does not re-analyse the file every time. If you have already analysed the file, you need to delete that .viv!
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
FLARE Mon 12/19/2022 0:07:55.23
C:\Users\Administrator>cd "Desktop\Malware Sample"
FLARE Mon 12/19/2022 0:08:51.80
C:\Users\Administrator\Desktop\Malware Sample>ls
mysterygift
FLARE Mon 12/19/2022 0:09:21.06
C:\Users\Administrator\Desktop\Malware Sample>upx -d mysterygift
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96w Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
502169 <- 227737 45.35% win64/pe mysterygift
Unpacked 1 file.
FLARE Mon 12/19/2022 0:12:11.70
C:\Users\Administrator\Desktop\Malware Sample>capa mysterygift
loading : 100%|████████████████████████████████████████████████████████████| 485/485 [00:00<00:00, 1552.01 rules/s]
matching: 100%|██████████████████████████████████████████████████████████████| 573/573 [00:17<00:00, 33.34 functions/s]
+------------------------+------------------------------------------------------------------------------------+
| md5 | 4e0321d7347cc872a5ac8ca7220b0631 |
| sha1 | 2dfcba8c182e4ea7665c44054d46549cc7b4430a |
| sha256 | 647458e71aea13d92e944bc7b7f305c6da808c71c3d19dc255a96dd60c8800a7 |
| path | mysterygift |
+------------------------+------------------------------------------------------------------------------------+
+------------------------+------------------------------------------------------------------------------------+
| ATT&CK Tactic | ATT&CK Technique |
|------------------------+------------------------------------------------------------------------------------|
| DEFENSE EVASION | Obfuscated Files or Information [T1027] |
| DISCOVERY | File and Directory Discovery [T1083] |
| | System Information Discovery [T1082] |
| EXECUTION | Shared Modules [T1129] |
| PERSISTENCE | Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] |
+------------------------+------------------------------------------------------------------------------------+
+-----------------------------+-------------------------------------------------------------------------------+
| MBC Objective | MBC Behavior |
|-----------------------------+-------------------------------------------------------------------------------|
| ANTI-BEHAVIORAL ANALYSIS | Debugger Detection::Software Breakpoints [B0001.025] |
| DATA | Check String [C0019] |
| | Encoding::Base64 [C0026.001] |
| | Non-Cryptographic Hash::MurmurHash [C0030.001] |
| DEFENSE EVASION | Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] |
| FILE SYSTEM | Read File [C0051] |
| | Write File [C0052] |
| MEMORY | Allocate Memory [C0007] |
| PROCESS | Terminate Process [C0018] |
+-----------------------------+-------------------------------------------------------------------------------+
+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY | NAMESPACE |
|------------------------------------------------------+------------------------------------------------------|
| check for software breakpoints | anti-analysis/anti-debugging/debugger-detection |
| compiled with Nim | compiler/nim |
| encode data using Base64 | data-manipulation/encoding/base64 |
| reference Base64 string | data-manipulation/encoding/base64 |
| hash data using murmur3 (2 matches) | data-manipulation/hashing/murmur |
| contain a resource (.rsrc) section | executable/pe/section/rsrc |
| contain a thread local storage (.tls) section | executable/pe/section/tls |
| query environment variable | host-interaction/environment-variable |
| check if file exists | host-interaction/file-system/exists |
| read file (3 matches) | host-interaction/file-system/read |
| write file (4 matches) | host-interaction/file-system/write |
| get thread local storage value | host-interaction/process |
| allocate RWX memory | host-interaction/process/inject |
| terminate process | host-interaction/process/terminate |
| parse PE header (2 matches) | load-code/pe |
| reference startup folder | persistence/startup-folder |
+------------------------------------------------------+------------------------------------------------------+
FLARE Mon 12/19/2022 0:12:51.93
Looking closely, we see a line compiled with Nim.
Question 4 : How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
Open your eyes: 2
Question 5 : What is the registry key abused by the malware?
To find out how the malware will react, we have to run it. Do I need to say that you shouldn't do this at home, kids? We run it in a sandbox for our tests. But first, we launch Process Monitor from Sysinternals, adding the filter Process Name - is - mysterygift.exe
Then, let's launch the executable!
C:\Users\Administrator\Desktop\Malware Sample>mv mysterygift mysterygift.exe
C:\Users\Administrator\Desktop\Malware Sample>mysterygift.exe
/!\ If nothing shows up in Process Monitor, it is probably because the boxes that display results are not checked. Click the last 5 items: registry, files, process, etc ...
Once everything is checked, you get the maximum amount of info ... So we need to filter again. Since we are looking for a registry key, we filter on those. From the course, we know there can be several operations. We remove those that do not seem conclusive, i.e. RegQueryKey, RegQueryValue, RegOpenKey, RegCloseKey. That leaves us with some created keys and a single one that is set: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Question 6 : What is the value written on the registry key based on the previous question?
We see on the next line:
12:31:45.0003508 AM mysterygift.exe 2276 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default) SUCCESS Type: REG_SZ, Length: 192, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
That is C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
Question 7 : What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
Looking at the actions, we can filter on CreateFile. We then see that it creates two files: test.jpg,wishes.bat (pretty, by the way)
Question 8 : What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
This time, we can filter on TCP Connect: bestfestivalcompany.thm,virustotal.com
Question 9 : Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
This time, we have to go back to Detect It Easy and click on strings! Filter on http and we very quickly find two URLs: http://VirusTotal.com and @http://bestfestivalcompany.thm/favicon.ico