44con malware workshop
DESCRIPTION
Dynamic analysis malware workshop I did for 44Con 2013
TRANSCRIPT
SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)
Malware Analysis Reverse Engineering Workshop(44Con 2013)
Grab a copy of the files
• Thumb drives being passed around
  – Disclaimer about new malware of your own
• Wifi
  – SSID hbn
  – PSK ILoveTheSmellOfHackInTheMorning
  – www http://192.168.252.5/
Agenda
1. Basic Concepts
2. Behavior Analysis
3. Memory Analysis
4. Static Analysis
What is Malware
• Any piece of software that performs malicious activities.
  – Executable
  – Documents
  – Flash
  – Java
  – …
Types of Malware
• Some examples of categories
  – Worm
  – Trojan
  – Spyware
  – Adware
  – Ransomware
  – Rootkit
  – Keyloggers
  – Stealers
  – Virus
  – Backdoor
Windows Executable
• PE File
• An executable under the hood
• Structure:
  – Imported Functions
  – Exported Functions
  – Sections
  – Code
  – Data
  – Relocation information
  – Certificate
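To make that structure concrete, here is an added example (mine, not part of the workshop materials or of PE Explorer): a minimal PE32 parser in Python that walks the same headers PE Explorer shows in its first tabs (DOS header, COFF and optional header, data directories, section table, import table). Instead of reading installer.exe it hand-assembles a tiny PE image in memory, so every value in it (the section names, the two KERNEL32 imports, the WATCHLIST of APIs) is constructed for illustration and is not a claim about any real sample.

```python
import struct

# Constructed sample: a hand-assembled PE32 image (not a real binary and not installer.exe).
_DOS = bytearray(64)
_DOS[0:2] = b"MZ"
struct.pack_into("<I", _DOS, 0x3C, 0x40)              # e_lfanew: where "PE\0\0" lives

def build_sample_pe():
    """Two sections (.text, .idata) and two KERNEL32 imports, 0x600 bytes in total."""
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0,             # Magic (PE32), linker version
                      0x200, 0x200, 0,          # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x2000,   # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,  # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,         # OS / image / subsystem versions
                      0, 0x3000, 0x200, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                     # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)   # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, 0x2000, 40)   # data directory 1 = import table (RVA, size)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(_DOS) + b"PE\x00\x00" + coff + opt + bytes(dirs) + sec).ljust(0x200, b"\x00")
    text = b"\x31\xc0\xc3".ljust(0x200, b"\x00")       # xor eax,eax ; ret
    idata = bytearray(0x200)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", idata, 0x00, 0x2028, 0, 0, 0x2040, 0x2034)   # all-zero descriptor follows
    struct.pack_into("<III", idata, 0x28, 0x2050, 0x2060, 0)   # import lookup table (RVAs of hint/name)
    struct.pack_into("<III", idata, 0x34, 0x2050, 0x2060, 0)   # import address table (patched by the loader)
    idata[0x40:0x4D] = b"KERNEL32.dll\x00"
    idata[0x50:0x5E] = b"\x00\x00DeleteFileA\x00"              # 2-byte hint, then the name
    idata[0x60:0x71] = b"\x00\x00CreateProcessA\x00"
    return headers + text + bytes(idata)

def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")

def rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def parse_imports(data, sections, import_dir):
    rva, _ = import_dir
    imports = {}
    if rva == 0:
        return imports
    off = rva_to_offset(sections, rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                  # terminating descriptor
            break
        funcs, thunk = [], rva_to_offset(sections, oft or ft)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                         # import by ordinal
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                                          # hint/name entry: skip the 2-byte hint
                funcs.append(_cstr(data, rva_to_offset(sections, entry) + 2))
            thunk += 4
        imports[_cstr(data, rva_to_offset(sections, name_rva))] = funcs
        off += 20
    return imports

def parse_pe(data):
    """Headers, sections and imports of a PE32 file (what PE Explorer's first tabs show)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    entry, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, raw, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw": raw, "rawsize": rawsize, "executable": bool(sc & 0x20000000)})
    imports = parse_imports(data, sections, dirs[1]) if n_dirs > 1 else {}
    return {"machine": machine, "characteristics": chars, "entry": entry, "image_base": image_base,
            "sections": sections, "imports": imports}

# Hypothetical triage watchlist (this example's own, not PE Explorer's): APIs a dropper tends to need.
WATCHLIST = {"CreateProcessA", "CreateProcessW", "WriteFile", "DeleteFileA", "DeleteFileW", "WinExec",
             "URLDownloadToFileA", "InternetOpenUrlA", "ShellExecuteA", "CreateServiceA", "VirtualAllocEx"}

def interesting_imports(pe):
    return sorted(f for funcs in pe["imports"].values() for f in funcs if f in WATCHLIST)

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("entry 0x%x, image base 0x%x" % (pe["entry"], pe["image_base"]))
    for s in pe["sections"]:
        print("  %-8s va=0x%x raw=0x%x exec=%s" % (s["name"], s["va"], s["raw"], s["executable"]))
    print("imports:", pe["imports"], "watchlist hits:", interesting_imports(pe))
```

Point `parse_pe` at `open("installer.exe", "rb").read()` in the lab VM to get the same view for Lab 1; the import list is usually where the "notable differences" between a dropper and a tool like pafish show up, and a packed sample will typically import almost nothing but LoadLibrary/GetProcAddress, which this parser makes obvious.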
Binary Content
Interpreted Content
The BIG picture
PE Explorer
• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor.
(Screenshot callouts: General Info, Data Directories, Sections, Resource Editor, Imports, Dependencies)
LAB – 1
• Use PE Explorer over installer.exe and pafish.exe
• Questions
  – Could you enumerate some notable differences?
  – Could you find something interesting in installer.exe?
From File to Process
• Loader
  – Read Header
  – Place Executable in Memory
  – Create Process Object
Monitoring Behavior
(Diagram: a Process loading several DLLs, each exporting Fun1, Fun2, Fun3)
• Interaction with the Operating System
  – File Activity
  – Network flows
  – Registry monitor
  – Api Calls
Behavior Analysis
• Execution in a controlled environment.
• Not as time consuming as static analysis.
• Focused on results.
• VM and Snapshots.
• MSDN – Api calls
What are we looking for
• New processes
• Code injection
• Downloads
• File activity
• Persistence mechanism
• Registry changes
• C&C Communication
• Network activity (LAN)
Process Monitor
• Included in the Sysinternals Suite with many other interesting tools.
(Screenshot callouts: Filter, Search Event, Filter by Event)
Lab – 2 (File Activities)
• Open Process Monitor
• Execute installer.exe
• Filter the results
• Questions
  – Which file was created?
  – Where?
  – Why has installer.exe vanished?
LAB – 2 (Answers)
Lab – 3 (Process Activities)
• Use the previous capture
• Questions
  – How many processes were spawned?
  – Could you identify who deleted the original installer.exe file?
Lab – 3 (Answers)
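The questions of Lab 2 and Lab 3 (which file was created, who spawned what, who deleted the original) can be answered from a Process Monitor CSV export without clicking through the GUI. The script below is an added example of mine, not workshop material: it reads a Procmon CSV (File, Save, CSV), applies the same "filter by process tree" you would set up in the Filter dialog, and pulls out file creations, the process tree and the delete disposition. The capture rows are constructed for the example (the column layout and the Detail wording are Procmon's, the events are invented and say nothing about the real installer.exe).

```python
import csv
import io
import re

# Constructed Process Monitor CSV export. Columns and Detail phrasing follow Procmon,
# the events themselves are made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010","installer.exe","1532","Process Start","","SUCCESS","Parent PID: 940, Command line: ""C:\Users\lab\Desktop\installer.exe"""
"10:02:11.1200","installer.exe","1532","CreateFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: Create, Options: Synchronous IO Non-Alert"
"10:02:11.1300","installer.exe","1532","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 51,200"
"10:02:11.1400","installer.exe","1532","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"10:02:11.2000","installer.exe","1532","Process Create","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","PID: 1604, Command line: ""C:\Users\lab\AppData\Roaming\updater.exe"""
"10:02:11.3000","updater.exe","1604","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1660, Command line: cmd.exe /c del ""C:\Users\lab\Desktop\installer.exe"""
"10:02:11.3500","cmd.exe","1660","SetDispositionInformationFile","C:\Users\lab\Desktop\installer.exe","SUCCESS","Delete: True"
"10:02:12.0000","explorer.exe","1120","RegQueryValue","HKCU\Software\Classes\Local Settings","SUCCESS","Type: REG_SZ, Length: 2"
'''

def load_procmon_csv(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["PID"] = int(r["PID"])
    return rows

# CreateFile is also how every *open* shows up; only these dispositions mean a file came into being.
_CREATE_DISP = re.compile(r"Disposition: (Create|OverwriteIf|Overwrite|Supersede)\b")

def created_files(rows):
    return [r["Path"] for r in rows
            if r["Operation"] == "CreateFile" and r["Result"] == "SUCCESS" and _CREATE_DISP.search(r["Detail"])]

def process_tree(rows):
    """{child_pid: (parent_name, parent_pid, child_image)} from 'Process Create' events."""
    tree = {}
    for r in rows:
        if r["Operation"] == "Process Create":
            child = int(re.search(r"PID: (\d+)", r["Detail"]).group(1))
            tree[child] = (r["Process Name"], r["PID"], r["Path"])
    return tree

def descendants(rows, root_pid):
    """root_pid plus everything it spawned, transitively: the set Procmon's tree filter would keep."""
    tree, pids, changed = process_tree(rows), {root_pid}, True
    while changed:
        changed = False
        for child, (_, parent, _) in tree.items():
            if parent in pids and child not in pids:
                pids.add(child)
                changed = True
    return pids

def filter_by_tree(rows, root_pid):
    keep = descendants(rows, root_pid)
    return [r for r in rows if r["PID"] in keep]

def who_deleted(rows, path):
    """DeleteFile() reaches the kernel as SetDispositionInformationFile with 'Delete: True'."""
    for r in rows:
        if (r["Operation"] == "SetDispositionInformationFile" and r["Result"] == "SUCCESS"
                and "Delete: True" in r["Detail"] and r["Path"].lower() == path.lower()):
            return r["Process Name"], r["PID"]
    return None

if __name__ == "__main__":
    rows = load_procmon_csv(SAMPLE_CSV)
    print("created:", created_files(rows))
    for child, (pname, ppid, image) in sorted(process_tree(rows).items()):
        print("  %s (%d) -> %s (%d)" % (pname, ppid, image, child))
    print("deleted by:", who_deleted(rows, r"C:\Users\lab\Desktop\installer.exe"))
```

Two points worth carrying back to the GUI: a CreateFile event is not a file creation unless the Disposition says so, and a self-deleting dropper rarely deletes itself directly, so look for the delete disposition on the original path and read the parent chain backwards rather than filtering on installer.exe's own PID only.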
Regshot
• Takes Registry Snapshots
• Compare Snapshots
Regshot Report
Lab – 4 (Registry)
• Restore the Snapshot
• Execute Regshot and take a first snapshot.
• Execute Process Monitor.
• Execute installer.exe.
• Sleep 1m
• Take a second snapshot and compare.
• Questions
  – Could you identify the persistence mechanism using RegShot?
  – And with Process Monitor?
  – Could you find any new service added by the malware?
Lab – 4 (Answer)
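What Regshot does in Lab 4 is a set difference over two registry snapshots, followed by the analyst scanning the report for autostart locations. The block below is an added example (my own code, not Regshot's): it diffs two snapshots held as `{key: {value name: data}}` and then classifies the additions against a small list of persistence locations (Run/RunOnce keys, new services with an ImagePath, Winlogon Shell/Userinit changes). Both snapshots are constructed for the example and do not describe installer.exe; the persistence list is this example's own and is deliberately short.

```python
import copy
import re

# Constructed snapshots in {key path: {value name: data}} form, the information Regshot records
# before and after running a sample. The entries are invented for this example.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"VBoxTray": r"C:\Windows\system32\VBoxTray.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs", "Start": 2},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Shell": "Explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {"MRUListEx": b"\xff\xff\xff\xff"},
}
AFTER = copy.deepcopy(BEFORE)
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]["Updater"] = r"C:\Users\lab\AppData\Roaming\updater.exe"
AFTER[r"HKLM\SYSTEM\CurrentControlSet\Services\SysUpdate"] = {
    "ImagePath": r"C:\Users\lab\AppData\Roaming\updater.exe", "Start": 2, "Type": 16}
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"]["MRUListEx"] = b"\x00\x00\x00\x00"  # ordinary noise

def diff_snapshots(before, after):
    """Regshot-style comparison: keys and values added, removed and modified."""
    d = {"keys_added": [], "keys_removed": [], "values_added": [], "values_removed": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            d["keys_added"].append(key)
            d["values_added"] += [(key, n, after[key][n]) for n in sorted(after[key])]
            continue
        if key not in after:
            d["keys_removed"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                d["values_added"].append((key, name, a[name]))
            elif name not in a:
                d["values_removed"].append((key, name, b[name]))
            elif a[name] != b[name]:
                d["values_modified"].append((key, name, b[name], a[name]))
    return d

# Autostart locations this example checks first (its own list, not Regshot's; extend as needed).
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)$", re.I)
WINLOGON_KEY = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.I)

def persistence_findings(diff):
    """(kind, where, value name, data) for every change that would survive a reboot."""
    found = []
    for key, name, data in diff["values_added"]:
        if AUTORUN_KEY.search(key):
            found.append(("autorun", key, name, data))
        m = SERVICE_KEY.match(key)
        if m and name.lower() == "imagepath":
            found.append(("service", m.group(2), name, data))
    for key, name, _, new in diff["values_modified"]:
        if WINLOGON_KEY.search(key) and name.lower() in ("shell", "userinit"):
            found.append(("winlogon", key, name, new))
    return found

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print("keys added:", d["keys_added"])
    for f in persistence_findings(d):
        print("  persistence:", f)
```

A live snapshot in the same dict shape can be taken on the analysis VM with the `winreg` module (OpenKey, EnumKey, EnumValue) before and after running the sample; the diff and the classification then apply unchanged. Note what the classifier ignores on purpose: the MRU change is real but is user-interface noise, which is the bulk of any Regshot report.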
Network Activity
• Wireshark is a well known network sniffer.
• Many protocol decoders
• Drawback: secure (encrypted) connections cannot be inspected without the session keys
(Screenshot callouts: Capture Options, Start, Stop, Restart)
Lab – 5
• Network Activity – Wireshark
• Questions
  – Did the malware contact a C&C?
  – Was it successful?
  – What was the IP/domain name?
  – Could you find information about the C&C?
• DNS redirection (*)
Lab – 5 (Answers)
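"DNS redirection" in an isolated lab means pointing the analysis VM's resolver at a host you control, so the sample's C&C lookup succeeds, resolves to your own sink address, and the follow-up connection lands where Wireshark and a listener can see it. The following is an added example of mine (not workshop code): a minimal fake resolver that decodes the A query the sample sends and answers it with a sink IP, plus the decoders you would need to check the exchange by hand. The transaction ID, domain and sink address are hypothetical; the packet layout is plain RFC 1035 wire format.

```python
import socket
import struct

def encode_name(domain):
    # "c2.example.net" becomes length-prefixed labels ending in a zero byte
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.rstrip(".").split("."))
    return out + b"\x00"

def _read_name(pkt, off):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(txid, domain, qtype=1):
    """What the sample's stub resolver sends: one question, recursion desired."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    txid, flags, qd, _, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = _read_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass, "question_end": off + 4}

def build_response(query_pkt, sink_ip, ttl=60):
    """Answer any A/IN query with sink_ip; other record types get an answerless NOERROR reply."""
    q = parse_query(query_pkt)
    answer = b""
    if q["qtype"] == 1 and q["qclass"] == 1:
        # name = pointer to the question (0xC00C), type A, class IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1 if answer else 0, 0, 0)   # QR, RD, RA set
    return header + query_pkt[12:q["question_end"]] + answer

def parse_response(pkt):
    """[(name, ip, ttl)] for the A records in a reply, i.e. what Wireshark's DNS decoder would list."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _read_name(pkt, off)[1] + 4
    records = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append((name, socket.inet_ntoa(pkt[off:off + 4]), ttl))
        off += rdlen
    return records

def serve(sink_ip, bind="0.0.0.0", port=53):
    """Lab-only fake resolver: set the VM's DNS server to this host and every lookup is logged
    here and redirected to sink_ip. Never expose this outside the isolated analysis network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            print("%s asked for %s" % (peer[0], parse_query(pkt)["qname"]))
            sock.sendto(build_response(pkt, sink_ip), peer)
        except (ValueError, IndexError, struct.error):
            continue   # malformed or multi-question packet: ignore rather than crash the lab

if __name__ == "__main__":
    q = build_query(0x1234, "c2.example.net")                 # the sample's side of the exchange
    r = build_response(q, "10.10.10.1")                        # the lab resolver's side
    print("query for", parse_query(q)["qname"], "answered with", parse_response(r))
```

The answer reuses the question's transaction ID and copies the question section byte for byte, which is what the sample's resolver checks before accepting it. With a listener on the sink IP (netcat, or a small HTTP server returning whatever the sample expects), the "was it successful?" question of the lab becomes answerable even when the real C&C is long gone.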
Sysanalyzer
• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information
Lab – 7
• Run installer.exe and compare the results from previous tools.
API Monitor
• Logs a chosen subset of Windows APIs out of a very large catalogue
• Low-level information
• Don’t try to log all of them
(Screenshot callouts: Start new process, Filters)
WinApiOverride32
Lab – 8
• Log the network and file activity
• Monitor newly created processes on demand.
• Questions
  – Could you find the C&C?
  – Could you find when the file is deleted?
LAB – 8 (Answers)
• Were you able to find the C&C?
• Why?
Sandbox
• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us.
• Analyzer and reporting system all in one solution.
• Extensible
• Must be installed on Linux
Submit Samples
• Web interface
• Command Line
Cuckoo Architecture
(Diagram. Host: Cuckoo.py, Processors, Signatures, Reports. Virtual Machine: Agent.py, Analyzer.py, Cuckoomon.dll, malware.)
Lab – 9
• Upload a sample to the Sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
• Questions
  – Could you identify the same indicators of compromise extracted with the previous tools?
  – Could you find the C&C?
  – And the function call?
Lab – 9 (Answers)
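Cuckoo writes the same facts the manual tools produced (files written, registry keys, DNS lookups, HTTP requests, the API call trace per process) into one JSON report, so the Lab 9 questions reduce to pulling IOCs out of it and tying the C&C domain back to the call that used it. The script below is an added example of mine, not Cuckoo's own code. The embedded report is constructed and is not the report for a6ff0e175acc7aaa3c2a855e44b11e3b; its key layout (`behavior.summary`, `behavior.processes[].calls[].arguments`, `network.dns/domains/http`) follows the Cuckoo 1.x report format as I know it, so check it against your installation's report.json before relying on the field names.

```python
import json

# Constructed excerpt in the Cuckoo 1.x report.json layout (field names assumed, values invented).
REPORT_JSON = r'''{
  "info": {"id": 7, "started": "2013-09-12 10:02:09", "duration": 120},
  "target": {"file": {"name": "installer.exe", "md5": "00000000000000000000000000000000"}},
  "network": {
    "dns": [{"request": "c2.example.net", "type": "A", "answers": [{"type": "A", "data": "10.10.10.1"}]}],
    "domains": [{"domain": "c2.example.net", "ip": "10.10.10.1"}],
    "http": [{"host": "c2.example.net", "method": "GET", "uri": "http://c2.example.net/gate.php?id=LAB-1"}]
  },
  "behavior": {
    "summary": {
      "files": ["C:\\Users\\lab\\AppData\\Roaming\\updater.exe", "C:\\Windows\\System32\\kernel32.dll"],
      "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"],
      "mutexes": ["Global\\UpdaterRunning"]
    },
    "processes": [
      {"process_id": 1532, "process_name": "installer.exe", "parent_id": 940, "calls": [
        {"api": "CreateProcessInternalW", "category": "process", "status": true, "return": "0x00000001",
         "arguments": [{"name": "CommandLine", "value": "C:\\Users\\lab\\AppData\\Roaming\\updater.exe"}]}
      ]},
      {"process_id": 1604, "process_name": "updater.exe", "parent_id": 1532, "calls": [
        {"api": "InternetOpenUrlA", "category": "network", "status": true, "return": "0x00cc0004",
         "arguments": [{"name": "URL", "value": "http://c2.example.net/gate.php?id=LAB-1"}]},
        {"api": "DeleteFileA", "category": "filesystem", "status": true, "return": "1",
         "arguments": [{"name": "FileName", "value": "C:\\Users\\lab\\Desktop\\installer.exe"}]}
      ]}
    ]
  }
}'''

def load_report(text):
    return json.loads(text)

def indicators(report):
    """Host and network IOCs in one place, comparable with the Procmon/Regshot/Wireshark findings."""
    net = report.get("network", {})
    summ = report.get("behavior", {}).get("summary", {})
    return {
        "domains": sorted({d["domain"] for d in net.get("domains", [])}),
        "ips": sorted({d["ip"] for d in net.get("domains", []) if d.get("ip")}),
        "urls": sorted({h["uri"] for h in net.get("http", [])}),
        # system DLLs opened by the sample are noise for a first pass; keep the rest
        "files": sorted(p for p in summ.get("files", []) if "\\Windows\\" not in p),
        "keys": sorted(summ.get("keys", [])),
        "mutexes": sorted(summ.get("mutexes", [])),
    }

def calls_mentioning(report, needle):
    """Which process and API call carried `needle` in an argument: ties a C&C domain to the call that used it."""
    hits = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            for arg in call.get("arguments", []):
                if needle.lower() in str(arg.get("value", "")).lower():
                    hits.append((proc["process_name"], proc["process_id"], call["api"], arg["name"], arg["value"]))
    return hits

# Hypothetical watchlist for this example; Cuckoo's own signatures cover far more than this.
WATCH_APIS = {"CreateProcessInternalW", "CreateRemoteThread", "WriteProcessMemory", "InternetOpenUrlA",
              "URLDownloadToFileW", "DeleteFileA", "DeleteFileW", "RegSetValueExA", "CreateServiceA"}

def watched_calls(report, apis=WATCH_APIS):
    """(process, api, 'name=value, ...') for every logged call on the watchlist, in trace order."""
    out = []
    for proc in report["behavior"]["processes"]:
        for call in proc.get("calls", []):
            if call["api"] in apis:
                args = ", ".join("%s=%s" % (a["name"], a["value"]) for a in call.get("arguments", []))
                out.append((proc["process_name"], call["api"], args))
    return out

def process_tree_from_report(report):
    return [(p["process_id"], p["parent_id"], p["process_name"]) for p in report["behavior"]["processes"]]

if __name__ == "__main__":
    rep = load_report(REPORT_JSON)
    print(json.dumps(indicators(rep), indent=2))
    for hit in calls_mentioning(rep, "c2.example.net"):
        print("C&C reached via", hit)
```

Reading the trace rather than only the summary is what answers "and the function call?": the summary tells you a domain was resolved, the per-process call list tells you which process, which API and with which arguments, which is also the detail you need to write a Cuckoo signature for the next sample.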
Post Mortem Analysis
• Volatility can extract information from a memory dump.
• Hidden processes, handles, connections, …
• Malfind
• Dump memory from Cuckoo, Winpmem, …
Dumping Memory (Cuckoo, VirtualBox)
Volatility
• Offline Memory analysis tool
• Search for
  – Open handles
  – Hooked Apis
  – New Dlls
  – Hidden processes
  – Registry values
• No diff tool (Anyone?)
LAB – 10
• Dump memory from a clean system
• List the processes
• Find explorer.exe and list its DLLs
• Store this information in a file and repeat the whole process with the malware running
• Question
  – Could you find anything suspicious?
LAB – 10 (Answers)
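Lab 10 is the "no diff tool" of the Volatility slide done by hand: save `pslist` and `dlllist -p <explorer pid>` from the clean dump, repeat on the infected dump, and compare. The block below is an added example of mine (not part of Volatility or the workshop) that does that comparison over the saved text output: new processes matched by name (PIDs differ between boots, so matching on PID would flag everything) and new modules in explorer.exe, with a flag for DLLs loaded from user-writable paths. The outputs are constructed to look like Volatility 2.x's pslist/dlllist text layout as I remember it; adjust the column parsing if your version prints differently.

```python
import re

# Constructed Volatility-style output (not from real dumps). Column layout assumed from the 2.x plugins.
CLEAN_PSLIST = """Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     55      250 ------      0
0x81f2e020 winlogon.exe            624      4     19      510      0      0 2013-09-12 09:54:40 UTC+0000
0x81e8a020 explorer.exe           1520   1488     16      422      0      0 2013-09-12 09:55:02 UTC+0000
"""
INFECTED_PSLIST = CLEAN_PSLIST + """0x81d11da0 updater.exe            1604   1532      3       88      0      0 2013-09-12 10:02:11 UTC+0000
"""
CLEAN_DLLLIST = """************************************************************************
explorer.exe pid:   1520
Command line : C:\\WINDOWS\\Explorer.EXE
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x102000     0xffff C:\\WINDOWS\\Explorer.EXE
0x7c900000    0xaf000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000    0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
"""
INFECTED_DLLLIST = CLEAN_DLLLIST + """0x10000000    0x1c000        0x1 C:\\Documents and Settings\\lab\\Application Data\\hook32.dll
"""

def parse_pslist(text):
    """{pid: (name, ppid)}; data rows are the ones starting with an _EPROCESS offset."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs

def parse_dlllist(text):
    """{path (lower-cased): (base, size)} for one process; the path column may contain spaces."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x") and parts[1].startswith("0x"):
            mods[" ".join(parts[3:]).lower()] = (int(parts[0], 16), int(parts[1], 16))
    return mods

def diff_processes(clean, infected):
    """Processes whose name appears only in the infected dump, as (pid, name, ppid)."""
    clean_names = {name.lower() for name, _ in clean.values()}
    return sorted((pid, name, ppid) for pid, (name, ppid) in infected.items() if name.lower() not in clean_names)

# Heuristic of this example: code loaded from a profile or temp directory into explorer.exe deserves a look.
USER_WRITABLE = re.compile(r"\\(appdata|application data|temp|local settings)\\", re.I)

def diff_modules(clean, infected):
    """New DLLs in the monitored process, as (path, base, loaded_from_user_writable_path)."""
    return sorted((path, base, bool(USER_WRITABLE.search(path)))
                  for path, (base, _) in infected.items() if path not in clean)

if __name__ == "__main__":
    for pid, name, ppid in diff_processes(parse_pslist(CLEAN_PSLIST), parse_pslist(INFECTED_PSLIST)):
        print("new process %s pid=%d ppid=%d" % (name, pid, ppid))
    for path, base, suspicious in diff_modules(parse_dlllist(CLEAN_DLLLIST), parse_dlllist(INFECTED_DLLLIST)):
        print("new module in explorer.exe at 0x%08x: %s%s" % (base, path, "  <-- user-writable path" if suspicious else ""))
```

The same two functions work on `psscan` output, which is the comparison that actually catches a process unlinked from the list `pslist` walks: a PID present in psscan but absent from pslist of the same dump is the hidden-process case from the Volatility slide, and a module present in `ldrmodules` but absent from `dlllist` is the unlinked-DLL equivalent.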
CONTACT ME
• Iñaki Rodriguez
  – @virtualminds_es
  – [email protected]