Dynamic Analysis Part 2.2 | Cybrary

.banner-container.gbi--116541877-tSQad7v9VULeYZNA3ajYmH:before { opacity: 1; background-image: url('//images.ctfassets.net/kvf8rpi09wgk/3hUcX8WiOn05PzcYQDcIk7/1e0d04f6b9f4186577bbcef0a585bc3f/Intro_to_Malware_Analysis_and_Reverse_Engineering.jpg?w=500&q=55'); }

Video Activity

Create Free Account

This module will explore further into the basic malware dynamic analysis. We'll be demonstrating this using a malware called IllusionBot that has been downloaded from the Github website. A useful tip for Linux virtual machine, particularly Kali, is to change the settings for the display if the VMware tools don't automatically resize the interface. ...

OR

Already have an account? Sign In »

Time

9 hours 10 minutes

Difficulty

Advanced

CEU/CPE

9

Create Free Account

This module will explore further into the basic malware dynamic analysis. We'll be demonstrating this using a malware called IllusionBot that has been downloaded from the Github website. A useful tip for Linux virtual machine, particularly Kali, is to change the settings for the display if the VMware tools don't automatically resize the interface. You'll learn about the various tools that are used for the dynamic analysis such as CaptureBAT, inetsim, netstat –untap, servicebindaddress. We'll begin with the identification of certain network indictors. We'll also discuss about other tools like Process Explorer which is like a powerful task manager, and is similar to Process Hacker. Process Explorer allows us to watch the processes very closely. You'll also learn about Autorun and the different files types it has.

00:04

today

00:05

our demo will be working with the illusion bought

00:08

and you can delegate from this. You're all from the same get hub that we got the dire sample.

00:16

So we're gonna take our windows VM that we made previously and

00:20

reset it.

00:27

You can reset your Lennox be Emma's. Well,

00:37

a common trick for

00:41

Olynyk Siem,

00:43

particularly Kelly

00:46

is too.

00:49

Change the settings for the display.

00:53

If the VM where tools doesn't automatically resize the interface.

01:00

That aside Waltz,

01:23

that's much better.

01:30

Confirm our I p address

01:34

on East One. We have turned out

01:38

0.0. That one,

01:41

which should be on the same little network, is our Windows box.

01:51

That's 10.2

01:53

It should be able to pee each other. And just to make sure before we begin infecting things, I always like to double check my network

02:00

to make sure it's not

02:00

going out to the Internet. And it's not an added,

02:04

like this option. It is indeed on our own custom v net.

02:14

I also like to run wire shark

02:19

on my linen

02:21

routing machine,

02:23

and since we are going to start running, service is here.

02:28

Ah, that catch and analyze network traffic and other things. I should warn you that it is very dumb to do it as root like I'm doing right now,

02:38

so don't do that.

02:42

But I'm gonna do it anyway.

02:44

Um, because if that

02:46

the program, like wire short gets compromised, which is completely possible because it has lots and lots of different

02:53

plug ins Modules for

02:55

protocols

02:57

contributed by lots of people. And I haven't fully been vetted. It could be a very bad thing.

03:02

So we're going toe, Just look at

03:06

Well, I p address the different interfaces have on wire shark.

03:10

And we are gonna watch the 10.0 dot one interface because that is where the traffic from the infected machine

03:19

we'll be going.

03:22

So there's no traffic right now, and we're going to

03:24

just do us full ping

03:28

of 10.1

03:30

We are getting something back,

03:32

Pop. Over here,

03:35

we see these coping requests,

03:42

and then we have these AARP

03:45

requests

03:46

completely normal traffic.

03:49

You said it

03:50

either.

03:53

So this time we're going to be working with the illusion baht

03:59

downloaded from the same

04:00

place as Thea. Dire example. We're working with

04:04

the standard industry standard password is infected.

04:09

Antivirus companies usually know better than to try to open.

04:13

Is it files with that password?

04:16

So we're going to simply,

04:18

uh, do some dynamic analysis

04:21

on this machine

04:24

or excuse me on this malware.

04:26

We're going to what I typically do,

04:29

sort, capture bat

04:32

on, start the binary,

04:35

then watch the traffic.

04:39

Okay, we see from this I p addresses trying to reach out to this Internet

04:43

I P address,

04:48

and it is

04:51

trying to go over port

04:56

its origin. Port is not a big deal,

05:00

but its destination port

05:01

is 6667

05:10

So what we want is the malware to act normally to think it's an AA safe environment. So what, we're gonna uses a few tools, particularly a tool called Annette's SIM.

05:23

So I met Sim

05:26

is a tool. It basically emulates a many different service is

05:30

listening on standard default ports.

05:32

So I met Sim

05:36

is all we need to type in,

05:42

and it starts listening on all these ports.

05:46

And I'll tell you that process I d. S will tell you where it's storing

05:50

the logs

05:53

where it's getting its data from

05:56

and where is producing its report.

06:00

And here in particular. We want to see where the CONFIG files coming from.

06:05

So I can highlight this in the terminal and do control shift C to copy within the terminal.

06:12

And I'm going to kill

06:15

these processes by hitting control. See?

06:20

So the simulations stopped. Nothing is listening on those sports anymore. We can verify this by doing Net Stat

06:29

Net stat Stash Untapped is where I usually go with.

06:33

You can see You can look up for yourself what the options are.

06:38

And we could just see DCP Client is is running on those ports which were standard a secret client force.

06:44

So

06:45

I'm gonna use them and then

06:47

groups.

06:49

I'm gonna use them

06:50

space control shift be to paste What I copied before, which is the i Net Sim config file

07:00

and them is V. I improved.

07:03

It's the my default

07:06

text editor, Command line text editor. There are friendlier ones like Nano

07:12

by like them.

07:15

So the first thing we're gonna do when we're at a teen are config file is I'm gonna do a slash

07:21

on 10.0 dot zero doubt one or a 10 dot

07:26

is fine and it's basically searching the document for 10 dot

07:32

So here

07:34

the first line is

07:36

where we see a service bind address parameter.

07:41

We're gonna uncommon this line,

07:44

which means to start paying attention to it,

07:46

which means which tells the which sells I net sim that it should start

07:50

paying attention to this problem that we're giving it and some of whatever default it has. I'm gonna change the

07:58

and dress. It should find 2 to 10.0 not one.

08:01

And the reason is,

08:03

if we were to pull up a another terminal

08:09

and you and I have a convict to see our I p address will have one That's our Internet votes behind in that.

08:18

And it goes out to the Internet and has this I p address and then our other interface has this I p address. So by default, it would probably go with zero, and it would

08:28

emulate all the service is on the on the ports on this I p address this interface. Uh, and we want to guarantee that it's running on this interface,

08:41

so I'm gonna hit

08:43

escape, cause them some tax is a little weird and do another search

08:48

for

08:50

Dennis.

08:54

So

08:54

first option is a D n s buying port. We're gonna keep it as default hit in for next hit in for next

09:01

Deena's default i p.

09:03

And for next and for next,

09:07

and I for inserts. I'm gonna delete the comment on this line,

09:13

and I'm going to specify that the address it should return for all d. N s queries will be this one a 10.0 as you're not one. So I'm specifying that not only am I

09:26

oh,

09:28

everything it's ever looking for, but

09:31

I am also all these things. There's a thick time server on here. There's a fake

09:39

http server and all sorts of good stuff.

09:41

So now we've configured

09:45

I know it's him to how we want it

09:50

executed again.

09:52

Again, we probably shouldn't be running. This is route,

09:56

but we can

09:58

over our Windows computer

10:00

Just open up Internet Explorer.

10:03

It goes to Microsoft dot com,

10:07

but it's intercepted by our dinette SIM program

10:11

and the D. N s server says, Oh, Microsoft dot com has this I p. Address 10.0 not one. And it goes there, and the Web server. That's, uh, uh, fine. It's fine. It's, um, has set up. Will return this page for everything.

10:28

So google dot com

10:31

we'll return this page anything I want.

10:33

If I

10:35

and you can also specify a particular files eso all PHP files will return something or all

10:43

No,

10:46

e x e files will return a file that I've pre specified for I net seven.

10:58

So here we are

11:01

and we see all this traffic.

11:03

This was from the browser

11:07

that I just opened. I'm gonna reset it,

11:11

and our malware should still be

11:15

actives.

11:18

It doesn't look like it's calling out anymore.

11:20

Oh, there it is.

11:22

So you'll see that it's not using d. N s to resolve an I. P. Address is trying to contact that I p address directly,

11:31

So that might tell us one of a few things. One. It might be clumsily written piece of malware because

11:39

it's not take into account machines that are behind proxies.

11:43

But that's not our problem. Our problem is we want to know what kind of traffic is being sent out.

11:50

We want to know what it's doing.

11:52

So

11:56

there is something cool. We can d'oh

12:00

in that we can redirect not only all domains, but all I P addresses.

12:05

We could do that pretty simply. I'm gonna stop capture back for money. I will try to grab host indicators later. But now I am trying to

12:13

collect Maur network indicators.

12:16

So

12:16

in order to capture all the I P addresses

12:20

instead of just domain names,

12:24

I'm gonna add a wrote.

12:26

So the syntax is route ad

12:30

I'm gonna get Give it a base address

12:35

000

12:37

mask. Like what should

12:41

To which they ignore. Just found out 55 to 35 to 35

12:46

and then the i p. Address

12:48

of where I want all this traffic to go. Let's just find that all traffic

12:54

should be funneled to this I p address,

12:58

which is 10.0 dot zero doubt one

13:05

and over on the Lenox side,

13:09

I'm gonna have to open another terminal

13:11

actual shift in,

13:13

and I'm gonna add an i p tables route.

13:22

So I p tables Dash T

13:24

Matt Dash capital, a

13:28

pre route

13:31

team

13:35

cash

13:35

I

13:37

for East one. Because that's where we want to direct all of our traffic too.

13:45

And then ash

13:46

J for re direct.

13:54

All right,

13:54

Pope or wire short.

13:56

Now, suddenly it made a successful connection.

14:03

So we can look at the successful TCP connection,

14:07

and we can see

14:09

it's I R C

14:11

so

14:13

and the red

14:13

we can see the victim

14:18

network traffic

14:18

it first sins pass

14:22

2580

14:24

and it's Nick. It's, ah, nickname. It's it's user name. Pretty much

14:31

eyes this

14:33

user.

14:35

This

14:37

and the server responded with notice authentication. Welcome to Eire. See dinette Simba or because IRC is also emulated here

14:46

and then it tries to join

14:50

the channel skaters underscore 1990.

14:54

So if we were security researchers, we could hop on to

14:58

that I p address the IRC channel

15:03

of

15:05

skaters

15:07

1990 1990

15:09

on that I p address and we could find other bots there. Um

15:15

and that's happened before. I've had numerous people tell me that you know, they

15:18

we're working at, ah, hosting provider and someone notify them that, uh,

15:24

they're hosting some malicious contents and they look at it. It's an IRC chat room, and a lot of old malware used that as a command and control mechanism

15:33

because they could still say relatively anonymous. But the problem is that they usually didn't have good authentication. So

15:41

the password we can see to this channel was 2580 So we can hop on this channel now.

15:50

So maybe I want to interact with this pot. Maybe I want to send it commands.

15:56

Maybe I want to try to control it.

16:00

Well, how can I do that?

16:02

Well,

16:03

luckily for us,

16:06

we can simply

16:07

changed the convict again

16:08

for my nets. Um,

16:15

good. I R C C. Words starting that service. Put a pound sign to commented out

16:19

colon escape colon W Q For right. Then quit

16:25

and then rerun Dinette sim.

16:29

So it's doing everything it did before. Except now that I R C

16:33

port and process are no longer listening,

16:38

we can see that there is an attempted connection and it's rejected.

16:44

The attempt in connection came from Tenn 0.0 dot two from our victim machine. Tried to go to this I p address. Ah,

16:52

it's a sink packet synchronized packet.

16:56

Ah, And then

16:57

our machine

17:00

said,

17:00

uh, reset.

17:06

So

17:07

I would really like to introduce if you don't already know about a program called Net Cat. Of course, like I nets him, you can just say man

17:15

and then the command

17:17

and see,

17:19

And it will tell you all about it and how to use it.

17:22

And I'm gonna use in C dash l for listen and then dash p and specify a port. So I'm gonna say

17:30

in C dash

17:32

Bill

17:33

and then dash p for 6667

17:37

So now, listening on that port

17:44

that looks like our malware isn't calling back anymore.

17:53

What do I owe? Did call back? It was just waiting a second. So we're listening on this port,

18:00

and

18:03

we see you gave the same password.

18:03

It's using the same user name. Which is?

18:07

That looks like

18:08

the

18:10

host name of the machine that can verify that.

18:18

Certainly. You click on my computer?

18:23

Yep. So that's the host name.

18:26

Using the host name of the infected computer.

18:30

I'd be willing to bet that's a time stamp.

18:33

Maybe something else. I don't know. We could do more analysis.

18:37

Um,

18:38

this is the same number.

18:41

It is the same number. It might be some kind of identify WR,

18:44

like a campaign code built into them. Our,

18:47

um,

18:48

further reverse engineering would reveal exactly what it is.

18:52

Uh, but

18:55

I'm not sure if it's important right now, but I can guess this Maybe not

19:00

So here with Net cat, I can also send commands back

19:03

and

19:06

it's not responding to

19:08

some commands here, so maybe it needs some specific string

19:12

before it reacts.

19:15

Uh, I'm going to just play with things because I like poking things and send a lot of A's.

19:26

And then control C will kill the connection.

19:29

We'll see if that did anything

19:32

but binary dot t x c has crashed.

19:34

So apparently the bought the Mauer author didn't write this malware very well.

19:41

That's interesting to me.

19:42

So

19:44

if we were

19:45

vigilantes,

19:48

uh, we could

19:49

get on to

19:52

this I p address

19:53

using this password,

19:56

and we could jump on. They're using some,

20:00

you know,

20:00

host name, maybe even this, uh, this user

20:06

joined this channel

20:07

and then send

20:08

all these ays

20:11

two

20:12

every

20:14

thing that is listening on that channel

20:17

crash all of the

20:18

malware on all those computers.

20:21

And

20:22

let's see if it calls back,

20:27

reset

20:29

wire short,

20:32

clear it.

20:33

And it doesn't look like it's going back.

20:36

So

20:37

that,

20:38

I will say, is a reckless,

20:41

uh, endeavor.

20:44

And it may not be appropriate,

20:47

and in fact, I'm pretty sure it is illegal

20:52

because

20:53

you are executing code Or actually you're stopping code from executing on other people's machines. Is those air not your computers?

21:03

Even if they're compromise, Thea appropriate thing might be to notify law enforcement. They probably would do anything, though, because they're even bound more tightly about what they can and can't do. They probably would shut down the command and control server

21:18

or someone some security expert and see Colin back. Nope, This is just normal operation.

21:27

Or they would bring in a expert, too.

21:33

Come in and dismantle the botnet, if you will.

21:38

So Microsoft has done that with law enforcement to take down large

21:45

pot nets. Sometimes it's been very successful. Sometimes it has not been.

21:51

But if you

21:52

interfere,

21:56

uh

21:56

like that

21:57

I am not a lawyer. So I'm not gonna say that that is legal or not.

22:04

So if we wanted to play with this some more,

22:08

I would suggest

22:11

using this build dot dxc

22:18

Here we have some interesting options

22:19

at a binary.

22:22

It says

22:23

open 1.1 bought binary.

22:26

I'm just gonna go with this,

22:30

and here it looks like this was the I. P address that it was beginning out, too.

22:34

This sport,

22:37

the channel

22:37

the password it was using.

22:40

So

22:41

let's test our d. N s. Resolving manipulation capabilities

22:47

like

22:48

free node

22:51

dot net

22:52

and

22:53

usually malware has this kind of backup commanding control server functionality. I'm just gonna go with google dot com

23:03

and I'm gonna change this too.

23:07

I don't know

23:07

by 55

23:10

on DDE

23:11

111

23:17

just to see what happens.

23:18

It looks like there's a web panel

23:22

that would open

23:26

refresh every five seconds. It looks like that sucks for and sucks. Five proxy setting that we saw

23:33

that we see here

23:37

can be verified.

23:48

It looks like it will open up FTP server.

23:52

It looks like on the I. R. C.

23:56

The bought password is this. I don't know what this does.

24:00

Looks like there's a fire wall bypass

24:06

and we can see that in here.

24:15

Authorized applications.

24:22

It looks like it

24:26

White Listen itself in the location that it was executed,

24:33

so an attacker would probably compromise machine going toe a directory

24:38

somewhere the user's not likely to access and then execute the malware.

24:45

It looks like it has a colonel driver as well,

24:51

So save service is state in the registry.

24:53

These are all interesting options

24:56

that I would suggest that you play with.

24:59

I'm gonna say Save

25:00

finally saved.

25:03

I'm also going to show another tool here.

25:14

Process Explorer.

25:18

It's basically task manager

25:22

on steroids. It is incredibly powerful.

25:26

Process Hacker is very similar

25:29

in interface and very similar in function,

25:33

but it lets us watch process is very closely and identify the deals that are injected into them. And I would also like to run

25:42

auto runs.

25:49

The difference between auto runs don t x C and auto runs see

25:55

dot Xing is this one will produce a

25:57

consul.

26:00

Output in this one will produce a gooey

26:03

the council output is useful for

26:06

if you wanna chunk all of the current

26:10

and trees oughta run entries into a file

26:14

and then compare that before.

26:17

Compare that file,

26:18

um,

26:19

to another file of the auto run entries. After the mountain has been runs, he can see if anything's been added.

26:27

It looks like auto runs is having some trouble.

26:30

It's okay. It happens.

26:45

That may be the malware. Probably not.

26:52

So it's highlighted some things here.

27:03

So in the configuration for the malware,

27:07

it mentioned drivers.

27:12

Oh, it mentioned Colonel Driver,

27:15

so

27:17

we might want to check drivers

27:22

and see where the souse

27:23

we might like to look at the host log and see

27:29

maybe one of these files

27:33

see if there's any mention of them.

27:37

It doesn't look like it.

27:40

Um,

27:41

we could look through all of these individually, and we can take a before and after snapshot. Because, remember, uh, we've already executed this binary before.

27:49

Well, a similar one.

27:52

But the best way to be sure is to keep running it over and over again. But it may not have a persistence mechanism.

28:00

Not all my work does.

28:00

So

28:02

water runs usually finds

28:04

when malware is doing something.

28:10

Okay, let's see what's going on here.

28:14

It looks like

28:15

our victim machine

28:17

trying to connect

28:19

to this port, but it's closed. So I'm gonna start listening with that cat again.

28:30

So there was our d N s quarry free no dot net.

28:34

Let's see if it made another quarry so we can do that.

28:38

Just my type in Deanna's.

28:41

I tried to resolve c r l that Microsoft dot com and we gave it our own I p address. Again. It was probably some internal Microsoft tool,

28:52

and here

28:55

it was asking for free, no dot net

28:56

and is connected and given us the same configuration data.

29:00

It's given us the password

29:03

of 2580 So

29:07

not the other value

29:10

that we had before that we entered into the configuration.

29:14

That is interesting.

29:23

Okay, so this did not change.

29:27

But let's see if the other value did.

29:33

Yes,

29:36

the channel try to join

29:40

was one that we had to find.

29:41

So it looks like this malware is configurable.

29:47

I like to crash things, so I'm gonna send it

29:49

a bunch of data. Don't see if it crashed.

29:52

It did indeed crash it.

29:56

I hope that you play with us and enjoy it.

Basic Static Analysis Part 1

Basic Static Analysis Part 2

Basic Static Analysis Part 3

Basic Static Analysis Part 4A

Basic Static Analysis Part 4B

In this course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.