Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

This session opens with a quick demo to explain malware analysis using certain tools. Next, we'll download a malware sample from GitHub. The required malware analysis tools are also downloaded onto the virtual machine. We will then discuss how to identify indicators of compromise (IOCs) for the Dyre malware family. The tools that will be explored for finding IOCs are CaptureBAT, RegShot, and Autoruns. You'll also learn how these tools help in identifying malware activity and how they differ from each other.

Video Transcription

00:04
Now for the quick demo. Today I will be looking at the Dyre malware family. It's a little bit old, but I think it's pretty good for our purposes. Right here.
00:16
Here is another malware sample repository up on GitHub. It's called theZoo, a.k.a. the Malware DB database. So if you go to this URL, like I'll do here, and download this binary: be careful, this is live malware.
00:34
So let's go ahead and do that, and also look over some of these tools like CaptureBAT, RegShot and Autoruns. I mentioned them last time we worked on our VM.
00:55
So first we have to go get our malware. In particular, we go to theZoo: github.com/ytisf/theZoo, and go under malwares.
01:11
We have Binaries, and then here there is source code for many malware families that has been leaked over the years.
01:18
I'm gonna click down here to Dyre, and then we click here on Dyre.zip, and then you see this will prompt us to download the zip file.
01:44
So I'm gonna go over here and drag and drop it. Now it's downloaded, so I drag and drop it into my virtual machine here.
02:00
I'm gonna do the same for another set of tools that I'm not sure I mentioned last time, but you're probably already familiar with them: the Sysinternals suite, made by Mark Russinovich. He's a smart guy and very, very popular, very knowledgeable; makes a lot of tools. And drag and drop that into our VM as well.
02:30
Now here is the VM the way we left it before. We're gonna install some of these tools, like CaptureBAT. Now, before we install it, we actually need to run the Visual C++ runtime redistributable packages. I don't know exactly which package it relies on, but I know 2005 works well.
02:58
So let's execute that.
03:12
The Visual C++ redistributable runtime libraries have been installed. Now we'll install CaptureBAT. It needs a reboot, so we're gonna do that. It does that by installing a driver. This doesn't work with Windows 7, but I usually use an XP machine to do my analysis anyway. Most malware is backwards compatible.
03:45
Let's install these other tools.
04:39
Well, there, we've now installed a number of tools. I'm just gonna go ahead and get rid of the installers.
04:51
For RegShot, I don't think it needs to be installed. RegShot I'm just gonna extract out here, so it's on the desktop. Get rid of that, and extract this one here onto the desktop. With that, let's organize a little bit.
05:23
Okay. Now, CaptureBAT is what we're gonna be using, so I'm gonna do something here that'll make things easier for us in the future.
05:35
Which is: I'm gonna go to C:\Program Files\Capture, and here's CaptureBAT. It's a command-line tool, so I'm gonna save us some time in the future by going here, C:\Program Files\Capture, and CaptureBAT right here is the program. I'm gonna say Send To Desktop, which will make a shortcut. Go to Properties. Here's the location on the desktop.
06:16
So this is actually the executable. I wanna run it with the arguments -c, for capturing deleted files, and -l for storing the output of CaptureBAT somewhere. So I'm gonna paste; I had copied it from this path over here, and I'm gonna say log.txt and close the quote.
06:45
Okay, now we're ready to start executing our malware. Right before we do, I'd like to take a snapshot and call it "ready to infect".
07:15
Now we're gonna extract the Dyre malware. Most malware is zipped with the password "infected", like so; it's an industry standard.
07:36
Now, we just downloaded this from the website here. We can see a few files. If you look at this one, you'll notice that it has a PDF icon but has the .scr extension. Most people know that .scr is actually executable; it has the same file format as an .exe, and it can be just as dangerous. We can double-click it and it would execute.
08:16
A good verification for this would be to open it up in a hex editor. 010 is my favorite; very powerful. And we can see that it does indeed have the MZ file header, which means it's a DOS executable. It's a classic string, and then we see down here there's a PE file header, but we will get more into this when we do some more static analysis.
08:43
So we're gonna go ahead and execute this .scr, but first we're gonna run CaptureBAT. Well, first, I always like to check to make sure that it's not connected to the Internet. I'm gonna see that the network adapter is how we left it last time, connected to our own virtual network, VMnet2. The only other thing on VMnet2 is our Kali Linux box, which we have suspended. So no network traffic can get out.
09:18
So we execute CaptureBAT. It's now capturing. There's log.txt. Now we're gonna execute the Dyre sample and see what it does. So there's the little icon: loading, waiting, doing some stuff. You might wanna wait a few minutes, but I think we'll wait just 10 seconds.
09:41
Press Ctrl+C to exit CaptureBAT. Now look at the log. So we can see here one of the things we installed was Notepad++.
10:01
We can see here a whole bunch of things that the Dyre malware has done. We can see explorer.exe, which we used to execute it by double-clicking. So you see the process executed.
10:15
We see that that program set a registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, AppData. That's pretty common, just programs executing. That's not suspicious. Then we see that it created a file, wrote a file to C:\Documents and Settings\Administrator\Application Data\googleupdater.exe. So I'm gonna copy that, because I think that is a good indicator of compromise.
10:58
And I usually keep a little Notepad open on the side, just to throw that kind of data into.
11:05
Now, if you look at the list, you'll notice right here that a line ending in .70 comes before one ending in .52.5. That means these did not happen sequentially as listed. They were timed sequentially, but they were not written to the file sequentially. So we're gonna sort the lines in the file so that they are in correct time order.
11:43
So, Line Operations, Sort Ascending. Now they're in correct time order. We can see that, you know, 23 and 54 and so on. So down at the bottom here I'm gonna keep some little notes, saying that is an indicator of compromise.
12:01
I would say, reading here: SetValueKey, AppData. Now, that's pretty common, Shell Folders. Then it executes that final process, creates a registry key.
12:24
Look, so here we can see googleupdater.exe create this registry key. Yeah, that's pretty normal. We see it create another registry key down here: HKEY_CURRENT_USER, Software, Microsoft. So that is another indicator of compromise right there.
12:50
We can see there's a file write, and then we can see there's another file write down here. Okay, so this is also important: it's System, not googleupdater.exe anymore, that is doing this, and we see C:\Program Files\Capture\logs. This is CaptureBAT catching a file that googleupdater had deleted; it deleted its original file.
13:37
So here, let's open logs. I'll make another shortcut to the desktop.
13:43
It doesn't matter now; we've infected this machine, we're gonna revert it. But if we follow the log here, you see it makes a whole structure, and this is the file it tried to delete. So now, one of those tools I installed last time was a hashing tool. Get the MD5 and copy that hash.
14:13
And now I'm going to go find this program, this googleupdater. Copy, paste, go to that path, googleupdater. I'm gonna grab that same MD5 hash. What do you know? It's the same. Compare them, look at them next to each other. Yep, they're the same. So that means it copied itself from whatever folder it was in to this folder, the Application Data folder.
14:45
And then it added a registry entry to start running as soon as the current user logs in. That is interesting, because it's running under the current user's Run key. Most computers are single-user computers, with only one user on them at a time. But this is Administrator on an XP machine. That means if they had put the registry value under HKEY_LOCAL_MACHINE, it would have executed whenever anyone logged in. But instead it did it only for this user. That's kind of interesting to me, because maybe the malware author knew that, or maybe this sample was doing something very specific,
15:37
and it's interesting that it's the same hash, that it copied itself. We confirmed that because it is the same hash, because some malware will actually drop something else: it has another executable within it, and it will decrypt that and then drop it somewhere on the system, so the hashes don't always match. So I like to confirm that anything it drops is something that we are aware of. So these right here, these are our first indicators of compromise; they're local host indicators of compromise.
16:15
And that's important, because next time we're going to look at other indicators of compromise, such as network indicators of compromise, and those are very important because you can find those much more easily across hundreds of thousands of machines if you have a large enterprise. Network indicators are harder to find unless you have some agent, or you have some group policy wizard, or someone who has set up some kind of SIEM, some kind of security event log aggregation thing, and you've configured all your users on the network to send their logs or registry configurations to that server.
17:00
So I want to show you some other tools now, because you just shouldn't rely on one or two tools for your findings like this.
17:15
So let's go back and reset. It is also good to run a sample multiple times, because many pieces of malware out there will use not just one or two names for their malware; they'll have multiple names. Sometimes they'll name the dropped or copied malware windows.exe or winter.exe or sass.exe or whatever, and switch between them randomly, depending on the time of day or whatever the malware author has made.
17:51
So we should also use other tools to confirm what we just saw. Another good one is RegShot. It does what you would imagine. So we're going to launch it. Not really important what you're doing; the usual stuff. Standard "infected" password-protected zip.
18:23
Good note: zip files don't encrypt the file names. So if you send something with a sensitive file name over the Internet and you think it's password protected, the file name is not password protected, and the CRC values, the correction codes inside the files, aren't encrypted either. Only the content is. So you can positively identify something inside of a zip file by CRC values. So someone could have identified this as a bunch of Dyre samples inside it, just by the CRC codes. CRCs aren't as good as hashes, like legit hashes like MD5, SHA-1 or SHA-256, but they can be used to confirm things.
19:21
Okay, there. So we have our second tool, RegShot, and it does what you'd think it would: take a snapshot of the registry, and then another snapshot of the registry after you execute our sample. First shot. Now we're ready to execute our sample. Check the network settings just to be sure.
19:49
Now we're executing the same sample. Let it sit for at least a few seconds. Now, second shot. Compare.
20:04
Now we see some stuff like UserAssist. We see stuff like MUICache. These things are normal for just an executable. So any executable will produce these changes on a system.
20:27
And you will realize that malware analysis is just a subset of software analysis. So you can use these tools for all sorts of things, like an installer: you want to see exactly what changes some program is making to your registry, you can use these tools to figure that out, or what files it's leaving, or whatever else.
20:56
So here we see that same value in the registry that we saw before: googleupdater, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and the file is there that it will execute.
21:23
And you see here two values modified: Cryptography, RNG Seed. These things change very frequently. And if you just ran your RegShot for a while and then stopped it, having not done anything, you would see a bunch of these values have been modified. It's just the natural way that Windows does things.
21:56
So we can also scan directories and see what files have changed within those, and that could be useful too. But for now, we're just going to reset and use a different tool. We didn't have to reset, but I like to be scientific about things,
22:19
and we'll use the Sysinternals tool called Autoruns. Fantastic. There are two Autoruns: one that ends in "c", which is command line, which is great if you just want to do a lot of automated stuff: make a script to execute this, then execute the malware, then execute this again. And basically what it would give you in the command-line format it shows in this nice graphical form: all the locations where programs are set up to execute as soon as Windows boots, or as soon as the user logs onto the computer, and breaks these up into some pretty
23:02
well-organized categories over on the left. The Everything tab is where we see everything, but we can break that out and say, okay, this is what runs when the user logs on, what runs like Internet Explorer helper programs, and so on. I just booted, so it's pretty normal. This is a fresh install, the VMware tools; we knew about that. And we could go through all of these and really take apart what's running on our system, or at least what will start on our system.
23:36
So here we have a bunch of things that are made by Microsoft, and that's pretty common. So a good option is to Hide Microsoft Entries. So anything that's signed by Microsoft we can just automatically discount, like, okay, they've signed these things and that's their stuff, we can trust them; otherwise we have a lot worse problems. You know, we could probably trust VMware, just all these other things. And we trust these drivers because, you know, this is a fresh install of the OS.
24:14
So here we're going to check. Now we're infected. Execute the same malware and see what pops up here.
24:41
And these colors indicate different levels of trust, like that one it doesn't trust so much. Let's refresh this. There's our googleupdater. It didn't trust it very well.
24:59
It has what we call low integrity. We can see the time it was added: 1983. I don't think so. So it was timestomped; that's what we would say. Whereas some of these other ones have more legitimate-looking times, you know it's wrong.
25:22
Here we can jump to the entry; we can see where it is. If we wanted to disable this malware, we can simply delete this key and then restart the machine and it would not start up again. That's one way of disabling this malware.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major file types, how to carve malicious executables from documents, and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Sean Pierce
Instructor