Dynamic Analysis Part 1.2


Time: 9 hours 10 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Description

This session opens with a quick demo to explain malware analysis using certain tools. Next, we'll download a malware code from the Github site. The required malware analysis tools are also downloaded on the virtual machine. We will then discuss how to identify indicators (or IOC's) for a Dyre malware. The tools that will be explored for IOC's are CaptureBAT, RegShot, and Autoruns. You'll also learn how these tools help in identifying malware activity and how do they differ from each other.

Video Transcription
>> For a quick demo today, I'll be looking at the Dyre malware family. It's a bit old, but I think it's pretty good for our purposes right here. Here is another malware sample repository up on GitHub. It's called theZoo, the malware DB, for database. If you go to this URL, like we'll do here in a minute, and download this binary, be careful: this is live malware. Let's go ahead and do that, and let's look over some of these tools like CaptureBAT, RegShot, and Autoruns. I mentioned them last time when we looked at the VM.

Here we have the GitHub for this particular gentleman. If we go under theZoo on github.com/ytisf/thezoo, we can go under malwares, we can go under binaries, because here there is source code for many malware families that have been leaked over the years, and we're just going to click down here to Dyre. Then we're going to click here under dyre.zip and then View all. This will prompt us to download the zip file. I'm going to go over here and drag and drop it here, to the desktop. I'm going to drag it and drop it into my virtual machine here. I'm going to do the same for another set of tools that I'm not sure if I mentioned last time, but here I have already downloaded them. This is the Sysinternals Suite made by Mark Russinovich, a very smart guy, very popular and very knowledgeable, who makes a lot of great tools, and I'm going to drag and drop that into our VM as well.

Now here is the VM the way we left it before. We're going to install some of these tools like CaptureBAT. Before we install it, we actually need to run the Visual C runtime redistributable packages, and I don't know exactly which package it relies on, but I know 2005 works well. [inaudible] The Visual C or C++ runtime libraries have been installed. We'll now install CaptureBAT; that needs a reboot, and we're going to let it do that. It does it by installing a driver. This does not work in Windows 7, but usually I always use a Windows XP machine to do my analysis. Most malware is backwards compatible. I'm just installing these other tools.

We've installed a number of tools, and I'm just going to go ahead and get rid of the installers for RegShot. [inaudible] RegShot. I'm just going to extract it out here so it's on the desktop. I'll get rid of that and extract this [inaudible] onto the desktop, get rid of that, and we organize this a little bit.

CaptureBAT is what we're going to be using. I'm going to do something here that'll make things easier for us in the future, which is I'm going to go here to Capture and see Program Files\Capture, and here's CaptureBAT. I'm going to save us some time in the future by going here to Program Files\Capture and going to CaptureBAT right here, which is the program. I'm going to say Send to Desktop, which will create a shortcut. Go to Properties. Here's the location on the desktop, so it'll run this executable. I'm going to run it with the arguments -c for capturing deleted files and -l for storing the output of CaptureBAT somewhere. I'm going to paste; I had copied it from this tab over here, and I'm going to just say log.txt. Now we're all ready to start executing our malware. Right before we do this, I'd like to take a snapshot and say, ready to infect. [NOISE]

>> Now, we're going to extract the Dyre malware. Now, most malware is a zip file with the password "infected", like so. Industry standard. Now, we just downloaded this from the website. Here we can see a few files. Now, if you look at this one, you'll notice that it has a PDF icon but a .scr ending. Little do most people know that that is an executable. It does have the same file format as a .exe, and it can be just as dangerous. We can double-click on it and it would execute. A good verification for this would be to open up a hex editor; 010 is my favorite and very powerful. We can see that it does indeed have the MZ file header, which means it's a DOS executable, just a classic string. Then we see down here there's the PE executable file header, but we'll get more into this when we do some more static analysis.

We're going to go ahead and execute this .scr, but first we're going to run CaptureBAT. First, I always like to check to make sure that it's not connected to the Internet. I'm going to see the network adapter is how we left it last time, connected into our own virtual network of VMnet2. The only other thing on VMnet2 is our Kali Linux box, which we have suspended, so no network traffic can get out. We're going to execute CaptureBAT. It's now capturing. There's log.txt, and now we're going to execute the Dyre sample. We notice it deletes itself. The little icon for loading and waiting; it's doing some stuff. You might want to wait a few minutes, but I typically wait just 10 seconds and press Ctrl+C. It exits CaptureBAT.

Now, look at the log. We can see here, and one of the programs I installed was Notepad++. You can see here high-level things of what the Dyre malware has done. We can see explorer.exe; that's us, we executed it by double-clicking on it. We see "process execute" that. We see that that program made a registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, AppData. That's pretty common just from programs executing, so it's not that suspicious. We see that it then wrote a file to C:\Documents and Settings\Administrator\Application Data\googleupdaterr.exe. I'm going to copy that because I think that is a good indicator of compromise. I usually keep a little notepad open on the side to throw that data into.

As you go down the list, you'll notice right here that 0.70, 52.70 is then preceding 52.54; that means these did not happen sequentially. They were timed sequentially, but they were not written to the file sequentially. We're going to sort all the lines in the file so that they are in correct time order: Line Operations, ascending, so now they're in correct time order. We can see that 2, 3, then 5, 4, then 0.

Down at the bottom here I'm going to keep some little notes. I'm going to say that is an indicator of compromise. I would say, reading here, set all your key AppData. That's pretty common: Shell Folders, basis file, and then execute, set file, process created, registry key set. Here we can see googleupdaterr.exe create this registry key. Yeah, that's pretty normal. Let me see if it creates another registry key down here. HKEY_CURRENT_USER\Software\Microsoft. That is another indicator of compromise right there. We can see it does a file write, and then we can see it does another file write down here. This is also important when you notice it says System, not the Google Updater anymore, that is doing this. We see C:\Program Files\Capture\logs\deleted files. This is CaptureBAT catching the file that Google Updater had deleted. It deleted its original file. Here, I've kept this window open, logs. I'll make another shortcut to that. Send to desktop. Doesn't matter now. We've infected this machine. We're going to revert it. But if we follow the logs here, you can see it makes an opening, and this is the file that it tried to delete.

Another one of those tools I installed that I described last time was the Macpath. Get an MD5, copy that hash, and then now I'm going to go find this program, this Google Updater, copy-paste, go to that location, Google Updater. I'm going to grab that same MD5 hash. What do you know? It's the same. If you put them on top of each other, they are the same. So that means it copied itself from whatever folder it was in to this folder, the Application Data folder, and then added a registry entry for running as soon as the current user logs in.

This is interesting because running whenever the current user on it is logging in is great, and most computers are single-user computers and only one user uses them most of the time. But this is an administrator on an XP machine. That means if it had made the same registry value under HKEY_LOCAL_MACHINE, it would have executed whenever anyone logged in, but instead it did it only for this user. That's interesting to me, because maybe the malware author didn't know that, or maybe our sample was doing something very specific. It's interesting that it's the same hash, or a copy of itself; we can confirm that because it is the same hash, because some malware will actually drop something else. It has another executable within it, and it will decrypt that and then drop it somewhere on the system, so the hashes don't always match. I like to confirm that anything that it drops is something that we are aware of.

These right here, these are our first indicators of compromise. These are local host indicators of compromise. That's important because next time we're going to look at other indicators of compromise, such as network indicators of compromise. Those are very important because you can find those much more easily across hundreds or thousands of machines if you have a large enterprise. Network indicators are kind of harder to find unless you have some agent, or you have some Group Policy wizard, or someone who has set up some SIEM, some security event log aggregation thing, and you've configured all your computers on your network to send their logs or registry configurations to that server. I want to show you some of the other tools now, because you just shouldn't rely on one or two tools for your findings like this.

Let's go back and reset. It is also good to run the sample multiple times, because many pieces of malware out there will use not just one or two names for their malware; they'll have multiple names. Sometimes they'll name the dropped or copied malware windows.exe or win32.exe, or sas.exe, or whatever. They'll switch between them randomly, or depending on the time of day, or whatever the malware author has made. But we should also use other tools to confirm what we just saw. Another good one is RegShot, and it does what you would imagine. We're going to launch it. [inaudible] is not really important unless you're doing international stuff. We go in, standard "infected" password. Typed it wrong.

>> [NOISE] A good thing to note: zip files don't encrypt the file names. If you send something with a file name over the Internet and you think it's password protected, the file name is not password protected. In fact, the CRC values, the correction codes inside the zip files, aren't encrypted either; only the content is. You can positively identify something inside of a zip file by its CRC values. Someone could have identified this as a bunch of Dyre samples inside it, just by the CRC codes. CRCs aren't as good as legit hashes like MD5, SHA-1, or SHA-256, but they can be used to confirm things.

We have our second tool, RegShot. It does what you would think: we can take a snapshot of the registry, and then we can take another snapshot of the registry after we've executed our sample. Let's go to sample. Shot; now we're ready to explore the sample; check the network settings just to be sure. Now, we're executing the same sample, the lethal file. Wait a few seconds. Now, second shot, compare. Now we see some stuff like UserAssist. We see stuff like MUICache. These things are normal for just an executable. Any executable will produce noise on a system, and you will realize as you're doing this that malware analysis is just a subset of software analysis. Use these tools for all things, like an installer. If you want to see exactly what changes a PSM program is making to your registry, you can use these tools to figure that out, or what files it's leaking, or whatever else.

Here we see that same value in the registry that we saw before. There is a Google Update entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The file is there; it will execute. You see here two values, modified cryptography, random number generator seed. These things change very frequently, and if you just ran your RegShot for a while and then stopped it, having not done anything, you will see a bunch of these values have been modified. It's just the natural way that Windows is executing, or the natural way it does things. We can also scan directories and see what files have changed within those, and that can be useful too. But for now, we're just going to reset and use a different tool. We probably didn't have to reset, but I like to be scientific about things.

We're going to use a Sysinternals tool called Autoruns; it's fantastic. There's two Autoruns. One, that again we're going to see, which is command line, which is great if you just want to do a lot of automated stuff. You can write a quick script to execute this, and then execute the malware, and then execute this again. Basically what it will give you, in the command-line format instead of this nice graphical format, is all these locations where programs are used to execute as soon as it boots, or as soon as the user logs onto the computer. It breaks it up into some pretty well organized categories. Over on the left, the Everything tab is where we see everything. But we can break that out and say, this is where a user logged in. What runs: Microsoft Outlook Express and our software program, Address Book 6; this is pretty normal. This is a fresh install. VMware Tools, we knew about that. We can go through all of these and really pick apart what's running on our system. Here we have a bunch of things that are made by Microsoft, and that's pretty common. A good option is to hide Microsoft entries. Anything that's been signed by Microsoft we can just automatically discount, like based on this, and that's the stuff we can trust. Otherwise, we have a lot worse problems. We can probably trust VMware, and we trust all these other things. We trust these drivers because we know this is a fresh install of the OS.

Here we're going to [NOISE] extract, password infected. Execute the same malware and see if it pops up here. These colors will indicate different levels of trust, like green, that it doesn't trust so much. Let's refresh this. There is our Google update. See, it didn't trust it very well. It has what we call low integrity. We can see the time it was added, 1983. I don't think so. It was timestomped, is what we would say, whereas some of these other ones have more legitimate looking times. Like those; those are wrong. Here, we can jump to entry. We can see where it is. If we wanted to disable this malware, we can simply delete this key and then restart the machine, and it would not boot up again. That's the way of disabling this malware.