Skip to main content

Five awesome tools to perform behavioural analysis of a malware

Introduction 
This post explains about five awesome tools to perform behavioural analysis of a malware. These tools are really handy to perform a quick behavioural analysis to understand the characteristics of malware specimen. The main objective of behavioural analysis is to pull out indicators of compromise to defend and detect proactively.

Tools 

  1. Process Hacker (http://processhacker.sourceforge.net/)
  2. Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
  3. CaptureBat (https://www.honeynet.org/node/315)
  4. Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
  5. Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
Disclaimer
  • You are dealing with real malware samples
  • Don’t expose them to internal networks or internet
  • Analyze them in a controlled environments (sandboxes)
  • We are not responsible for any consequences of damage if you fail to obey the rules
Analysis 
A windows 7 virtual machine was setup with above mentioned tools. Ensured that a clean state of windows 7 with all tools was taken as a snapshot. The above mentioned tools were explained with various malware specimen. Find below hash values for malware used in this analysis and run all tools in background while executing malware 

Hash
846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e

Process hacker
The malware was executed while process hacker was running in the background. 

It was interesting to see the description for the malware. We could poke around the memory section of the malware later. 

The initial process was terminated and new process was created with some strange executable and the location of file could also be found by looking at the properties of the process. It's always suggested to dump the memory of the infected system so that all the terminated processes can be identified and also made a timeline analysis of all processes. Looking at the properties of the newly created process
 
We could see many interesting strings in process memory related to ransomware and also a help instructions file for decryption process. We could also identify an IP address within process memory strings  and it's recommended to filter using regular expression for IP addresses 

(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?

We can also dump entire process memory strings to a text file and search offline for IP addresses or anything of interest using filters. 

Process Monitor 
Upon running the process monitor in process create filter mode while the malware was executed. Using process monitor, we could identify all newly created processes and also all command line arguments for those processes 

It was identified that the malware stops all critical services and delete all volume shadow copies on the system and then ran the dropped binary to encrypt all files. The location of newly created process was also identified as Users Appdata folder. 
It was observed that notepad process was started to show the dropped help instructions file 

CaptureBat 
CaptureBat was used to capture all dropped files and also the network traffic. Easy to use tool that could also capture all modified and newly created files on disk.
The logs of CaptureBat 
Below were the dropped files on disk 
Further analysis (reverse engineering or dynamic analysis)of these files could bring better understanding of the malware. These file hashes could be used as IoC or signatures in malware detection

Adwind Sample Hash: 728f71096842b505ddaaa1b9084e8b1950d9eef6831f44a9a88ded61e5cdcab7

The below were the dropped files on disk by Adwind malware ( captured by CaptureBat) 
Dropped dll can be seen above screenshot 
Dropped VB scripts on disk 

Adwind Indicators of compromise ( hash value of all dropped files) 
  • 0b7b52302c8c5df59d960dd97e3abdaf
  • 781fb531354d6f291f1ccab48da6d39f
  • 781fb531354d6f291f1ccab48da6d39f
  • a4c133612fcb6e3e26564594661c3338
  • a32c109297ed1ca155598cd295c26611
  • 3bdfd33017806b85949b6faa7d4b98e4

Microsoft Network Monitor 
Microsoft Network Monitor should be run with admin privileges to capture all network traffic. The beauty of this tool is that it can identify which process is establishing connections with remote hosts. Wireshark can also be used but it's limited to network traffic and it can not associate a running process with it's network connection 
It was observed that newly created process connected to an external entity 
We could also dump and save entire traffic as pcap file for further analysis

Autoruns 
Microsoft windows has many Auto Start Execution Points (ASEPs) through which the persistence can be achieved. This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
As shown above, the malware made an entry into registry Run keys to maintain its persistence 
Leverage inbuilt virustotal scanning for executable images located in autostart locations. 

This is just an explanatory post to explain how to use these tools for quick and effective behavioural analysis of a malware :) 














Comments

  1. Mohegan Sun Pocono - JT Hub
    Hotel Details. The property offers 3,590 춘천 출장마사지 rooms and suites. The property is located in Wilkes-Barre, 구리 출장안마 PA. The 경상남도 출장샵 hotel has a 서울특별 출장샵 number of amenities including a casino, 동두천 출장샵

    ReplyDelete

Post a Comment

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Introduction  This post explains the memory dump analysis of WannaCry infected system using volatility (An open source memory forensics framework) and other open source tools. It doesn't cover the analysis of initial infection vector, propagation and recovery of infected system. The objective is to leverage memory forensic analysis to uncover and extract Indicators of Compromise (IoC)  WannaCry  WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.The attack has been described by Europol as unprecedented in scale. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack Discalimer You are dealing with real malware samples Don’t expose them to internal networks or internet Analyze them in a controlle

Malicious office doc with process hollowing shellcode

Introduction  This post covers how to identify and extract shellcode manually from hancitor phishing office document. Refer  Part-1  and  Part-2  to get an understanding of  tools and approach to analyse phishing documents.  Tools  Didier Stevens Suite    sudo pip install oletools  Analysis   SHA256:  5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d   This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it.  This maldoc leverages  VBA macros  to execute its payload  and t he encoded shellcode is a property in stream 17.  T he shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread etc. to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.The explorer.exe process is created in a suspended state, the code for explore

Decoding Metasploit and CobaltStrike shells

Introduction This post is about how to decode one type of shellcode generated by Metasploit framework and CobaltStrike to get the C2 domain/IP address so that the incident responder can able to identify and block the further adversary activity. FYI this post doesn't cover the initial infection vector (like phishing thorough office maldoc) or how the shellcode will get generated (like from Metasploit framework or Cobaltstrike ). It leverages CyberChef to fully decode and get the shellcode from an encoded powershell command and further it will be fed into scdbg  emulator to get the IP address of C2 or an adversary ShellCode Here we have the encoded powershell command  powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAH