Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

This module explores basic malware dynamic analysis further. We'll be demonstrating this using a malware sample called IllusionBot, downloaded from GitHub (the same repository the earlier sample came from). A useful tip for a Linux virtual machine, particularly Kali, is to change the display settings if VMware Tools doesn't automatically resize the interface. You'll learn about the tools used for dynamic analysis: CaptureBAT for host-side monitoring, INetSim for emulating services (including the service_bind_address and dns_default_ip settings in its config file), netstat -untap to confirm what is listening, and an iptables REDIRECT rule plus netcat to catch and interact with traffic the malware sends to a hard-coded IP address. We'll begin with the identification of network indicators: the destination port (6667), the IRC password, nick, and channel the bot uses. We'll also discuss Process Explorer, which is like a powerful task manager and is similar to Process Hacker; it lets us watch processes very closely and see which DLLs are injected into them. You'll also learn about Autoruns and its two variants, autorunsc.exe for console output and autoruns.exe for the GUI, and how to compare before-and-after snapshots of autostart entries.
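The network-indicator step this module demonstrates (reading the bot's IRC PASS, NICK, USER and JOIN off the wire, then standing in for the C2 with a listener on port 6667) as an added Python example. This is not code from the course or from IllusionBot. The sample stream and the hostname WIN-LAB01 are constructed to mirror the handshake described in the transcript, and the 10.0.0.1 bind address is an assumption matching the lab network used in the video.

```python
"""IRC C2 indicator extraction for a bot's first connection.

Added example (not code from the course or from IllusionBot). The constructed
stream below mirrors the PASS / NICK / USER / JOIN handshake described in the
transcript; serve_sink() is an optional stand-in for the `nc -l -p 6667` step
and assumes the isolated lab interface is 10.0.0.1.
"""
import socket

# Constructed sample of what a bot sends before any command traffic (IRC lines
# are CRLF-terminated per RFC 2812). The password and channel are the ones read
# off Wireshark in the video; the hostname WIN-LAB01 is made up.
SAMPLE_STREAM = (
    b"PASS 2580\r\n"
    b"NICK WIN-LAB01\r\n"
    b"USER WIN-LAB01 0 * :WIN-LAB01\r\n"
    b"JOIN #skaters_1990 2580\r\n"
)


def parse_irc_registration(stream: bytes) -> dict:
    """Return the registration fields (indicators) found in a client stream.

    Only the first PASS/NICK/USER are kept; every JOIN is recorded as a
    (channel, key) pair so a channel key (the 'channel password' seen in the
    video) is captured alongside the server password. Bare LF is tolerated
    because bots are not always RFC-clean.
    """
    ind = {"password": None, "nick": None, "user": None,
           "realname": None, "channels": []}
    for raw in stream.replace(b"\r\n", b"\n").split(b"\n"):
        line = raw.decode("utf-8", errors="replace").strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd, rest = cmd.upper(), rest.strip()
        if cmd == "PASS" and ind["password"] is None:
            ind["password"] = rest.lstrip(":")
        elif cmd == "NICK" and ind["nick"] is None:
            ind["nick"] = rest.lstrip(":")
        elif cmd == "USER" and ind["user"] is None:
            parts = rest.split(" ", 3)        # <user> <mode> <unused> :<realname>
            ind["user"] = parts[0]
            if len(parts) == 4:
                ind["realname"] = parts[3].lstrip(":")
        elif cmd == "JOIN":
            fields = rest.split()
            chans = fields[0].split(",") if fields else []
            keys = fields[1].split(",") if len(fields) > 1 else []
            for i, chan in enumerate(chans):  # keys pair with channels by position
                ind["channels"].append((chan, keys[i] if i < len(keys) else None))
    return ind


def serve_sink(host: str = "10.0.0.1", port: int = 6667, timeout: float = 30.0) -> dict:
    """Accept one bot connection on the lab interface and return its indicators.

    Replaces the `nc -l -p 6667` step: greets the client with a server-style
    NOTICE so it keeps talking, reads until the JOIN arrives (or the socket goes
    quiet), then hands the captured bytes to parse_irc_registration().
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(5.0)
            conn.sendall(b":inetsim.lab NOTICE AUTH :*** Looking up your hostname...\r\n")
            buf = b""
            try:
                while b"JOIN " not in buf.upper():
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
            except socket.timeout:
                pass
    ind = parse_irc_registration(buf)
    ind["peer"] = peer[0]
    return ind


if __name__ == "__main__":
    for k, v in parse_irc_registration(SAMPLE_STREAM).items():
        print(f"{k:9s} {v}")
```

Run the parser against a Wireshark "Follow TCP Stream" export of the client side, or call serve_sink() in place of netcat once INetSim's IRC service is commented out and the iptables REDIRECT rule is in place; the bot's server password, nick, username and channel key come back as a dict instead of having to be read off the raw bytes.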

Video Transcription

00:04
Today
00:05
our demo will be working with IllusionBot,
00:08
and you can download it from the same GitHub repository that we got the Dyre sample from.
00:16
So we're going to take our Windows VM that we made previously and
00:20
reset it.
00:27
You can reset your Linux VM as well.
00:37
A common trick for
00:41
a Linux VM,
00:43
particularly Kali,
00:46
is to
00:49
change the settings for the display
00:53
if the VMware Tools don't automatically resize the interface.
01:00
That aside, well,
01:23
that's much better.
01:30
Confirm our IP address
01:34
on eth1. We have
01:38
10.0.0.1,
01:41
which should be on the same little network as our Windows box.
01:51
That's 10.0.0.2.
01:53
They should be able to ping each other. And just to make sure, before we begin infecting things, I always like to double-check my network
02:00
to make sure it's not
02:00
going out to the Internet, and it's not on NAT,
02:04
like this option. It is indeed on our own custom VMnet.
02:14
I also like to run Wireshark
02:19
on my Linux
02:21
routing machine,
02:23
and since we are going to start running services here
02:28
that catch and analyze network traffic and other things, I should warn you that it is very dumb to do it as root like I'm doing right now,
02:38
so don't do that.
02:42
But I'm going to do it anyway.
02:44
Because if
02:46
a program like Wireshark gets compromised, which is completely possible because it has lots and lots of different
02:53
plugins, modules for
02:55
protocols
02:57
contributed by lots of people, that haven't fully been vetted, it could be a very bad thing.
03:02
So we're going to just look at
03:06
what IP address the different interfaces have in Wireshark.
03:10
And we are going to watch the 10.0.0.1 interface because that is where the traffic from the infected machine
03:19
will be going.
03:22
So there's no traffic right now, and we're going to
03:24
just do a simple ping
03:28
of 10.0.0.1.
03:30
We are getting something back.
03:32
Pop over here,
03:35
we see these ping requests,
03:42
and then we have these ARP
03:45
requests,
03:46
completely normal traffic.
03:49
You said it
03:50
either.
03:53
So this time we're going to be working with IllusionBot,
03:59
downloaded from the same
04:00
place as the Dyre example. We're working with
04:04
the industry-standard password, which is 'infected'.
04:09
Antivirus companies usually know better than to try to open
04:13
zip files with that password.
04:16
So we're going to simply
04:18
do some dynamic analysis
04:21
on this machine,
04:24
or, excuse me, on this malware.
04:26
We're going to do what I typically do:
04:29
start CaptureBAT,
04:32
start the binary,
04:35
then watch the traffic.
04:39
Okay, we see this IP address is trying to reach out to this Internet
04:43
IP address,
04:48
and it is
04:51
trying to go over port...
04:56
its origin port is not a big deal,
05:00
but its destination port
05:01
is 6667.
05:10
So what we want is for the malware to act normally, to think it's in a safe environment. So we're going to use a few tools, particularly a tool called INetSim.
05:23
So INetSim
05:26
is a tool that basically emulates many different services
05:30
listening on standard default ports.
05:32
So inetsim
05:36
is all we need to type in,
05:42
and it starts listening on all these ports.
05:46
And it'll tell you the process IDs, it will tell you where it's storing
05:50
the logs,
05:53
where it's getting its data from,
05:56
and where it's producing its report.
06:00
And here in particular we want to see where the config file is coming from.
06:05
So I can highlight this in the terminal and do Ctrl+Shift+C to copy within the terminal.
06:12
And I'm going to kill
06:15
these processes by hitting Ctrl+C.
06:20
So the simulation's stopped. Nothing is listening on those ports anymore. We can verify this by doing netstat.
06:29
netstat -untap is what I usually go with.
06:33
You can look up for yourself what the options are.
06:38
And we can just see the DHCP client is running on those ports, which are the standard DHCP client ports.
06:44
So
06:45
I'm going to use vim and then,
06:47
oops.
06:49
I'm going to use vim,
06:50
space, Ctrl+Shift+V to paste what I copied before, which is the INetSim config file,
07:00
and vim is vi improved.
07:03
It's my default
07:06
text editor, command-line text editor. There are friendlier ones like nano,
07:12
but I like vim.
07:15
So the first thing we're going to do when we're editing our config file is I'm going to do a slash
07:21
on 10.0.0.1, or 10 dot
07:26
is fine, and it's basically searching the document for '10.'.
07:32
So here
07:34
the first line is
07:36
where we see a service_bind_address parameter.
07:41
We're going to uncomment this line,
07:44
which means to start paying attention to it,
07:46
which tells INetSim that it should start
07:50
paying attention to this parameter that we're giving it instead of whatever default it has. I'm going to change the
07:58
address it should bind to to 10.0.0.1.
08:01
And the reason is,
08:03
if we were to pull up another terminal
08:09
and use ifconfig to see our IP address, we'll have one that's our Internet interface behind NAT,
08:18
and it goes out to the Internet and has this IP address, and then our other interface has this IP address. So by default, it would probably go with 0.0.0.0, and it would
08:28
emulate all the services on the ports on this IP address, this interface. And we want to guarantee that it's running on this interface,
08:41
so I'm going to hit
08:43
Escape, because vim's syntax is a little weird, and do another search
08:48
for
08:50
DNS.
08:54
So
08:54
first option is a dns_bind_port. We're going to keep it as default. Hit n for next, hit n for next,
09:01
dns_default_ip.
09:03
n for next, n for next,
09:07
and i for insert. I'm going to delete the comment on this line,
09:13
and I'm going to specify that the address it should return for all DNS queries will be this one, 10.0.0.1. So I'm specifying that not only am I
09:26
oh,
09:28
everything it's ever looking for, but
09:31
I am also all these things. There's a fake time server on here. There's a fake
09:39
HTTP server and all sorts of good stuff.
09:41
So now we've configured
09:45
INetSim how we want it,
09:50
execute it again.
09:52
Again, we probably shouldn't be running this as root,
09:56
but we can.
09:58
Over on our Windows computer,
10:00
just open up Internet Explorer.
10:03
It goes to microsoft.com,
10:07
but it's intercepted by our INetSim program,
10:11
and the DNS server says, oh, microsoft.com has this IP address, 10.0.0.1. And it goes there, and the web server that INetSim has set up will return this page for everything.
10:28
So google.com
10:31
will return this page, anything I want.
10:33
If I...
10:35
And you can also specify particular files, so all PHP files will return something, or all
10:43
no,
10:46
EXE files will return a file that I've pre-specified for INetSim.
10:58
So here we are
11:01
and we see all this traffic.
11:03
This was from the browser
11:07
that I just opened. I'm going to reset it,
11:11
and our malware should still be
11:15
active.
11:18
It doesn't look like it's calling out anymore.
11:20
Oh, there it is.
11:22
So you'll see that it's not using DNS to resolve an IP address; it's trying to contact that IP address directly,
11:31
so that might tell us one of a few things. One, it might be a clumsily written piece of malware because
11:39
it's not taking into account machines that are behind proxies.
11:43
But that's not our problem. Our problem is we want to know what kind of traffic is being sent out.
11:50
We want to know what it's doing.
11:52
So
11:56
there is something cool we can do
12:00
in that we can redirect not only all domains, but all IP addresses.
12:05
We can do that pretty simply. I'm going to stop CaptureBAT for now. I will try to grab host indicators later. But now I am trying to
12:13
collect more network indicators.
12:16
So
12:16
in order to capture all the IP addresses
12:20
instead of just domain names,
12:24
I'm going to add a route.
12:26
So the syntax is route add,
12:30
I'm going to give it a base address,
12:35
0.0.0.0,
12:37
mask, like what should
12:41
it ignore, which is 255.255.255.255,
12:46
and then the IP address
12:48
of where I want all this traffic to go. Let's just specify that all traffic
12:54
should be funneled to this IP address,
12:58
which is 10.0.0.1.
13:05
And over on the Linux side,
13:09
I'm going to have to open another terminal,
13:11
Ctrl+Shift+N,
13:13
and I'm going to add an iptables rule.
13:22
So iptables -t
13:24
nat -A
13:28
PREROUTING
13:31
-p tcp
13:35
dash
13:35
i
13:37
for eth1, because that's where we want to redirect all of our traffic to.
13:45
And then dash
13:46
j for REDIRECT.
13:54
All right,
13:54
pop over to Wireshark.
13:56
Now, suddenly it made a successful connection.
14:03
So we can look at the successful TCP connection,
14:07
and we can see
14:09
it's IRC,
14:11
so
14:13
in the red
14:13
we can see the victim
14:18
network traffic.
14:18
It first sends PASS
14:22
2580
14:24
and its NICK, its nickname, its username pretty much,
14:31
is this
14:33
user.
14:35
This,
14:37
and the server responded with NOTICE AUTH, welcome to IRC INetSim, because IRC is also emulated here,
14:46
and then it tries to join
14:50
the channel skaters_1990.
14:54
So if we were security researchers, we could hop on to
14:58
that IP address, the IRC channel
15:03
of
15:05
skaters
15:07
_1990
15:09
on that IP address, and we could find other bots there.
15:15
And that's happened before. I've had numerous people tell me that, you know, they
15:18
were working at a hosting provider and someone notified them that
15:24
they're hosting some malicious content, and they look at it, it's an IRC chat room. And a lot of old malware used that as a command and control mechanism
15:33
because they could still stay relatively anonymous. But the problem is that they usually didn't have good authentication. So
15:41
the password we can see to this channel was 2580. So we can hop on this channel now.
15:50
So maybe I want to interact with this bot. Maybe I want to send it commands.
15:56
Maybe I want to try to control it.
16:00
Well, how can I do that?
16:02
Well,
16:03
luckily for us,
16:06
we can simply
16:07
change the config again
16:08
for INetSim,
16:15
go to IRC, see where it's starting that service, put a pound sign to comment it out,
16:19
Escape, colon wq for write then quit,
16:25
and then rerun INetSim.
16:29
So it's doing everything it did before, except now that IRC
16:33
port and process are no longer listening,
16:38
we can see that there is an attempted connection and it's rejected.
16:44
The attempted connection came from 10.0.0.2, from our victim machine, tried to go to this IP address.
16:52
It's a SYN packet, synchronize packet.
16:56
And then
16:57
our machine
17:00
said,
17:00
reset.
17:06
So
17:07
I would really like to introduce, if you don't already know about it, a program called netcat. Of course, like INetSim, you can just say man
17:15
and then the command,
17:17
nc,
17:19
and it will tell you all about it and how to use it.
17:22
And I'm going to use nc -l for listen and then -p and specify a port. So I'm going to say
17:30
nc -
17:32
l
17:33
and then -p for 6667.
17:37
So now we're listening on that port.
17:44
That looks like our malware isn't calling back anymore.
17:53
Oh, it did call back. It was just waiting a second. So we're listening on this port,
18:00
and
18:03
we see it gave the same password.
18:03
It's using the same username, which is,
18:07
that looks like
18:08
the
18:10
hostname of the machine. We can verify that.
18:18
Simply click on My Computer.
18:23
Yep. So that's the hostname.
18:26
It's using the hostname of the infected computer.
18:30
I'd be willing to bet that's a timestamp.
18:33
Maybe something else. I don't know. We could do more analysis.
18:37
Um,
18:38
this is the same number.
18:41
It is the same number. It might be some kind of identifier,
18:44
like a campaign code built into the malware.
18:47
Um,
18:48
Further reverse engineering would reveal exactly what it is.
18:52
But
18:55
I'm not sure if it's important right now, but I can guess. Maybe not.
19:00
So here with netcat, I can also send commands back,
19:03
and
19:06
it's not responding to
19:08
some commands here, so maybe it needs some specific string
19:12
before it reacts.
19:15
I'm going to just play with things, because I like poking things, and send a lot of A's.
19:26
And then Ctrl+C will kill the connection.
19:29
We'll see if that did anything,
19:32
but binary.exe has crashed.
19:34
So apparently the bot, the malware author didn't write this malware very well.
19:41
That's interesting to me.
19:42
So
19:44
if we were
19:45
vigilantes,
19:48
we could
19:49
get on to
19:52
this IP address
19:53
using this password,
19:56
and we could jump on there using some,
20:00
you know,
20:00
hostname, maybe even this user,
20:06
join this channel,
20:07
and then send
20:08
all these A's
20:11
to
20:12
every
20:14
thing that is listening on that channel
20:17
and crash all of the
20:18
malware on all those computers.
20:21
And
20:22
let's see if it calls back,
20:27
reset
20:29
Wireshark,
20:32
clear it.
20:33
And it doesn't look like it's calling back.
20:36
So
20:37
that,
20:38
I will say, is a reckless
20:41
endeavor.
20:44
And it may not be appropriate,
20:47
and in fact, I'm pretty sure it is illegal
20:52
because
20:53
you are executing code, or actually you're stopping code from executing, on other people's machines, as those are not your computers.
21:03
Even if they're compromised, the appropriate thing might be to notify law enforcement. They probably wouldn't do anything, though, because they're bound even more tightly about what they can and can't do. They probably would shut down the command and control server,
21:18
or some security expert would see it calling back. Nope, this is just normal operation.
21:27
Or they would bring in an expert to
21:33
come in and dismantle the botnet, if you will.
21:38
So Microsoft has done that with law enforcement to take down large
21:45
botnets. Sometimes it's been very successful. Sometimes it has not been.
21:51
But if you
21:52
interfere,
21:56
uh,
21:56
like that,
21:57
I am not a lawyer, so I'm not going to say whether that is legal or not.
22:04
So if we wanted to play with this some more,
22:08
I would suggest
22:11
using this build.exe.
22:18
Here we have some interesting options.
22:19
Add a binary.
22:22
It says
22:23
open 1.1 bot binary.
22:26
I'm just going to go with this,
22:30
and here it looks like this was the IP address that it was beaconing out to,
22:34
this port,
22:37
the channel,
22:37
the password it was using.
22:40
So
22:41
let's test our DNS resolving manipulation capabilities,
22:47
like
22:48
freenode
22:51
.net,
22:52
and
22:53
usually malware has this kind of backup command and control server functionality. I'm just going to go with google.com,
23:03
and I'm going to change this to,
23:07
I don't know,
23:07
55
23:10
and
23:11
111,
23:17
just to see what happens.
23:18
It looks like there's a web panel
23:22
that would open,
23:26
refresh every five seconds. It looks like that SOCKS4 and SOCKS5 proxy setting that we saw,
23:33
that we see here,
23:37
can be verified.
23:48
It looks like it will open up an FTP server.
23:52
It looks like on the IRC
23:56
the bot password is this. I don't know what this does.
24:00
Looks like there's a firewall bypass,
24:06
and we can see that in here.
24:15
Authorized applications.
24:22
It looks like it
24:26
whitelisted itself in the location that it was executed,
24:33
so an attacker would probably compromise a machine, go to a directory
24:38
somewhere the user's not likely to access, and then execute the malware.
24:45
It looks like it has a kernel driver as well,
24:51
save services state in the registry.
24:53
These are all interesting options
24:56
that I would suggest that you play with.
24:59
I'm going to say save,
25:00
finally, saved.
25:03
I'm also going to show another tool here,
25:14
Process Explorer.
25:18
It's basically Task Manager
25:22
on steroids. It is incredibly powerful.
25:26
Process Hacker is very similar
25:29
in interface and very similar in function,
25:33
but it lets us watch processes very closely and identify the DLLs that are injected into them. And I would also like to run
25:42
Autoruns.
25:49
The difference between autoruns.exe and autorunsc
25:55
.exe is this one will produce a
25:57
console
26:00
output and this one will produce a GUI.
26:03
The console output is useful for
26:06
if you want to chuck all of the current
26:10
entries, Autoruns entries, into a file
26:14
and then compare that before,
26:17
compare that file,
26:18
um,
26:19
to another file of the Autoruns entries after the malware has been run, so you can see if anything's been added.
26:27
It looks like Autoruns is having some trouble.
26:30
It's okay. It happens.
26:45
That may be the malware. Probably not.
26:52
So it's highlighted some things here.
27:03
So in the configuration for the malware,
27:07
it mentioned drivers.
27:12
Oh, it mentioned kernel driver,
27:15
so
27:17
we might want to check drivers
27:22
and see where those are.
27:23
We might like to look at the host log and see,
27:29
maybe one of these files,
27:33
see if there's any mention of them.
27:37
It doesn't look like it.
27:40
Um,
27:41
We could look through all of these individually, and we can take a before-and-after snapshot, because remember, we've already executed this binary before.
27:49
Well, a similar one.
27:52
But the best way to be sure is to keep running it over and over again. But it may not have a persistence mechanism.
28:00
Not all malware does.
28:00
So
28:02
Autoruns usually finds
28:04
when malware is doing something.
28:10
Okay, let's see what's going on here.
28:14
It looks like
28:15
our victim machine is
28:17
trying to connect
28:19
to this port, but it's closed. So I'm going to start listening with netcat again.
28:30
So there was our DNS query, freenode.net.
28:34
Let's see if it made another query, so we can do that
28:38
just by typing in dns.
28:41
It tried to resolve crl.microsoft.com, and we gave it our own IP address again. It was probably some internal Microsoft tool,
28:52
and here
28:55
it was asking for freenode.net
28:56
and it's connected and given us the same configuration data.
29:00
It's given us the password
29:03
of 2580. So
29:07
not the other value
29:10
that we had before, that we entered into the configuration.
29:14
That is interesting.
29:23
Okay, so this did not change.
29:27
But let's see if the other value did.
29:33
Yes,
29:36
the channel it tried to join
29:40
was one that we had defined.
29:41
So it looks like this malware is configurable.
29:47
I like to crash things, so I'm going to send it
29:49
a bunch of data and see if it crashed.
29:52
It did indeed crash it.
29:56
I hope that you play with this and enjoy it.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor