3 hours 41 minutes
alright. In part two of our dynamic analysis process, we're gonna learn about how our malware affect our Windows 10 operating system.
To safely analyze malware, we should create malware sandbox. Now, these days it's pretty easy to create a malware sandbox. All you need is a piece of virtual ization software like VM ware. Or you could download Virtual Boxer free, and you could set up a target system to run the malware Windows 10. You could get an evaluation copy of Windows 10.
What I like to dio is I like to set up another virtual guest
in this case will use Linux rednecks to perform some other malware operations, such as faking Internet services. Now, if you're not familiar with rednecks, it is a Linux distribution, preloaded with a lot of malware analysis tools that will help you get up and running and analyzing malware fairly quickly.
If you've never used it before, I encourage you to head over to
room next dot org's and download a copy and added to your malware analysis lab and my lab set up, I am running Os X VM ware with two virtual guests, the Windows 10 box and the remnants box and they're connected together. The 1 72 network with
the realm next machine acting as a gateway for the Windows host.
In my Windows lab, I've got Windows 10 with little to no updates, user access, controls, disabled as well as the firewall in Windows Defender. From a sandbox security perspective, we want to implement some controls so that we limit the risk of malware escape ability. In that regard, we have created a
virtual air gap system as thes two hosts are Onley connected
via host Onley mode. We have no Internet access and cutting paces disabled as well as no network share access. Now remember, my lab may look a little bit different than yours, but if you're running any recent version of Windows, any of the tools that you see here will run in your lap.
Okay, so here we are in our Windows 10 environment. And before we get started, we just want to test our connectivity between this host and our room next guest. So let's go ahead and bring up a terminal window.
And to test connectivity, will Ping the host 172 down 16.0 dot one and As you can see, we're getting a ping back. So our collectivity is established and we could go ahead and start analyzing our malware in my lab. I've got a folder on the desktop that contains my malware samples.
So let's go ahead and navigate to sample one which is contained within
this malware samples folder. And one thing you want to remember is that when you do handle now where you want to handle it appropriately to save a bit of time already gone through the process of unzipping my malware sample so that it's ready to go for analysis now a good rule of thumb before attempting to dynamically analyze your malware
is to do a
quick, static analysis of your sample. This will give you some insight as to what you're looking for when you actually run the sample in your now our analysis environment. Now it's up to you as to how far you're going to go with your initial analysis.
However, the first thing I do in my lab is I typically run the file Command to be sure that the particular file I'm working on is going to run on my target system.
Okay, So first things first, Let's run the file tool on our sample one dot been.
And, as you can see here, our file tool response that our sample one top in is in fact a P E 30 to execute Herbal.
Now that we know that this is an executed file, let's go ahead and rename our been filed to sample dot e x e.
All right, so go ahead and click. Yes, all right, so now we can put our execute herbal into P e studio. Okay, so what is P e Studio? Well, P e studio is a malware assessment tool, and it's a multi functional application, which allows us to view different properties of a suspicious file. We can also view
different hash values, time stamps,
certification information as well as a view Windows AP Ice strings and other file properties. Now to view Windows Ap eyes, we can click on the import menu item, and by viewing this information, we can get an idea of the different type of functionality we might encounter when we're running the sample in our lab.
Now, in our malicious file here, you can see that we've got some windows, a p. I. S
that hint at different interactivity, such as interactions with the file system.
We've got interactions with process execution.
There are also functions related to D. L. L's and indications that this malware might interact with the console.
Another nice feature of P e studio is that with the tool we can look at what strings are contained within our application, and by doing so, we can see right off the bat that the sample appears to create a scheduled task, which is used for persistence.
We also have some type of network functionality. It looks like it's going to be creating some shortcut links. You can also see that we've got a process name here that we should be on the lookout for. And finally, our malware contains some base 64 encoded strings.
Now, if you remember, the first step of our dynamic analysis process is, of course, to start with a clean snap shop. We've already done that. So next we want to start our malware analysis tools so that we can see what affect the malware has on our target system. When it's run, there's several tools that we can use that will assist us in this process,
and the ones that you use are largely based off
the typical Mauer artifacts, which we'd like to retrieve
in my lab. I've got a few tools that I typically stick to. The first is process hacker, and this allows me to see which processes are created on the system as the malware runs.
So let's go ahead and open process Hacker
and at the same time will close up a few of these services that are running already
and will make this a little bit smaller and move it to the right part of the screen here.
And let's also move our malware folder container over a little bit. And, of course, that's the problem you run into when you're doing this type of analysis, right? You start to run out of real estate on your screen.
In addition to using process hacker, we can view what type of changes the malware is making tow our system in real time. Using the CIS internals Parkman application,
we can execute Brockmann directly from the command line, and when Parkman launches, we can set up a filter so that we only get events related to our sample one. Execute herbal now. I already added the sample one Dottie xy to the process list here that I wanted to monitor. But you can get the process Monitor filter dialog box
by pressing control l
and then using the filter drop down for the condition that you'd like to filter on to view what changes the malware will make to the Windows registry. You can use a registry snapshot ing tool such as red shop.
The way that rig shot works is you take a snapshot of the registry before you run your malware. You run your malware and then you take another shot of system registry and you can compare the changes
to run right? Shot. All you need to do is double click on the execute herbal, and then the only change you want to make is you want to put a check mark in the box that says scan directory, and you want to change this to the root directory, which will scan the entire hard drive. Once you make the change, you click. First shot.
It will take
a shot of the registry as it stands, depending on how big your hard drive is. This could take a little bit of time. As you can see here, mine took a little bit more than a minute. But after the registry has been scanned, the second shot button becomes illuminated and you're ready to run your malware. Another artifact that we're gonna want to look for from a
dynamic analysis perspective
is network traffic. So to do this will use wire shark running on our rednecks machine toe. Actively monitor the network connection.
So let's hop over to our Lennox machine and from the command line will simply run wire shark.
Oops, Wire shark.
Now, once the dialog appears, will pick the Ethernet link that we want to monitor. In this case, mine is N s 34 then I will enter my password for VM Ware. And as you can see here now, we are monitoring the network. Blink.
Okay, so now let's navigate back to our windows host
and run our malware
to run our sample. We can just double click it, and as you can see, it begins. And the process can be viewed from process hacker on the right hand side.
Now it initially starts under the console application
and through looking at process hacker, you can see that it executes yet another process that's dropped to the system named a DB. Trey Soto Let malware do It's malicious work. We can let it run for a little bit. This will ensure that all of our tools
can log all of the changes that it's making to the system.
Okay, so let's terminate the process. And from here we can stop our monitoring tools. Now that our process is terminated, we can take our second registry shot,
and once it's completed, we can compare the first one to the second one. But before we compare the two, let's stop process monitor from capturing events by pressing the magnifying glass. And if we maximize the pro common dialog box, we can see that our malicious sample
has made different registry changes.
It's logged how the sample has created processes and threads, etcetera. Now we can use the compare button to look at the different events that regs shot has logged.
Remember, this is taking a diff of both registry files before and after we've run them out. Where
and when we look at the file, we can see that the malware sample has interacted with our hard drive.
It's been making modifications to the file system into the system registry.
And when we look even further, you can see that the samples adding temporary files and folders to file system. It's adding a process called a D B manager to the temporary folder. As you can see, you temporary spelled wrong.
And so here you can see that the registry is definitely a database that we're gonna want to monitor because essentially all the changes that are made to the system are tracked in the Windows registry. And these events, combined with all of the outputs from our different types of tools,
can give you a really good sense of what your malware is doing on this system.
Okay, so next, in addition to understanding what's happening on our Windows host, we also want to investigate the network traffic. Earlier, of course, we set up our Lennox machine to capture network traffic, so lets navigate over there and investigate any network activity.
That theme our sample would have initiated.
All right, so here we are in our Lennox environment and wire shark has been happy enough to capture all of our network traffic.
Now, if we inspect it, we can see that the problem with Windows 10 is that it's pretty noisy from a network perspective. Now there's some tools out there that can help you remove some unwanted Windows 10 applications. However, in the interest of time, we'll review our network traffic here and we'll try to detect any anomalies.
Now, as you see here, as we scroll through the network traffic, we've got lots of traffic related to Windows domains. However, in interesting domain, here is this colonel dot W s domain, which looks a little bit strange. The DNS record has quite a long name,
and this could be an indication that this particular piece of malware is trying to utilize some DNS channel
to communicate with the command and control server. Now, because of the domain name can't be reached, pack is gonna be dropped. However, this still may be of interest to us. So what we could do is we could look at the contents of the communication by right clicking on the wire, shark output,
navigating to follow and then looking at the UDP stream.
Now, as you can see, this really doesn't give us much information, however, we could run our simulation again and this time with the tools such as in its, um, where we could fake the DNS server and observe the traffic there by attempting to observe what the malware needs to communicate with the command and control server.
Now, as I mentioned with dynamic analysis, we get a pretty good idea of what a piece of malware is doing by first inspecting it from a quick analysis perspective and then viewing the changes made to your system as the malware is run.
Now remember, during this process, you're looking for changes to the file system. This includes dropped and creative processes, changes to the system registry persistence mechanisms like newly created services, scheduled tasks or run keys and finally looking for anomalous network traffic.
Now, as we've gone through this session, you may have noticed that I didn't cover every single tool detail.
Now we took this approach because not only are there many different tools we can use to accomplish the same analysis tasks, but because also in this course we want to present you with a clear methodology that you can implement using any tool that you choose and any Mauer sample that you wish to analyze,
All right, So now that we have performed some basic dynamic analysis in the next session, let's look at performing some advanced analysis using some debugging tools.
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab set up and put participants hands on with malware analysis.