Five awesome tools to perform behavioural analysis of a malware

Introduction 
This post describes five handy tools for performing a quick behavioural analysis of a malware specimen in order to understand its characteristics. The main objective of behavioural analysis is to pull out indicators of compromise (IoCs) that can be used to detect and defend proactively.

Tools 

  1. Process Hacker (http://processhacker.sourceforge.net/)
  2. Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
  3. CaptureBat (https://www.honeynet.org/node/315)
  4. Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
  5. Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
Disclaimer
  • You are dealing with real malware samples
  • Don’t expose them to internal networks or the internet
  • Analyze them in a controlled environment (sandbox)
  • We are not responsible for any consequences or damage if you fail to follow these rules
Analysis 
A Windows 7 virtual machine was set up with the tools mentioned above, and a snapshot of this clean state (Windows 7 plus all tools) was taken so that it could be restored between runs. The tools are explained below using different malware specimens. The hash of the malware used in the first part of this analysis is given below; run all the tools in the background while executing the malware.

Hash
846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e

Process Hacker
The malware was executed while Process Hacker was running in the background. 

It was interesting to see the description field shown for the malware process. We could poke around the memory section of the malware later. 

The initial process terminated and a new process was created from a strangely named executable; the location of that file can be found by looking at the properties of the process. It is always advisable to dump the memory of the infected system so that all terminated processes can also be identified and a timeline of all processes can be built. Looking at the properties of the newly created process:
 
We could see many interesting strings in process memory related to ransomware, including a help-instructions file for the decryption process. We could also identify an IP address within the process memory strings; it is recommended to filter the strings with a regular expression for IP addresses: 

(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?

We can also dump the entire set of process memory strings to a text file and search it offline for IP addresses or anything else of interest using filters. 
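As an added example (not part of the original post and not output from its specimen), the following Python script applies the regular expression quoted above to a strings dump and separates loopback and RFC 1918 hits from routable candidates, which are the ones worth treating as IoCs. The strings are a constructed sample; the file name in triage_file is whatever you saved the dump as.

```python
import ipaddress
import re

# The IPv4 (with optional /prefix) pattern quoted in the post, compiled once.
IPV4_RE = re.compile(
    r"(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}"
    r"(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?"
)

# Ranges that never point at a remote host worth chasing from a strings dump.
# The RFC 5737 documentation ranges used in the constructed sample below are
# deliberately not excluded, so they stand in for routable addresses here.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed stand-in for a strings dump saved from Process Hacker.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
kernel32.dll
Your files have been encrypted. See HELP_DECRYPT.txt
http://203.0.113.45/gate.php
127.0.0.1
10.0.0.5
192.0.2.10/24
"""


def extract_ips(text):
    """Return every distinct regex hit, in order of first appearance."""
    hits = []
    for m in IPV4_RE.finditer(text):
        if m.group(0) not in hits:
            hits.append(m.group(0))
    return hits


def classify(hit):
    """Label a hit 'non-routable' or 'routable', ignoring any /prefix suffix."""
    addr = ipaddress.ip_address(hit.split("/")[0])
    return "non-routable" if any(addr in n for n in NON_ROUTABLE) else "routable"


def triage(text):
    """Pair each hit with its label; the routable ones are the candidate IoCs."""
    return [(hit, classify(hit)) for hit in extract_ips(text)]


def triage_file(path):
    """Same thing over a strings dump on disk (decoded leniently: dumps are messy)."""
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return triage(f.read())


if __name__ == "__main__":
    for hit, label in triage(SAMPLE_STRINGS):
        print(f"{label:13} {hit}")
```

The regex is unanchored, so version strings and other dotted numbers can produce partial hits; eyeball the routable list before adding anything to a blocklist.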

Process Monitor 
Process Monitor was run with a Process Create filter while the malware was executed. Using Process Monitor, we could identify all newly created processes along with the command line arguments passed to them. 

It was identified that the malware stops all critical services and deletes all volume shadow copies on the system, and then runs the dropped binary to encrypt all files. The location of the newly created process was also identified as the user's AppData folder. 
It was also observed that a notepad process was started to display the dropped help-instructions file. 
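As an added example (not code from the post), here is a small Python triage over a Process Monitor CSV export filtered to Process Create events. The column layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail", with the child PID and command line inside "Detail") is assumed from the tool's export; the rows themselves are constructed to mirror the behaviour described above and are not from the post's specimen.

```python
import csv
import io
import re

# Constructed rows in the (assumed) layout of a Process Monitor CSV export
# after applying an Operation = "Process Create" filter.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","1234","Process Create","C:\Users\analyst\AppData\Roaming\qwvdw.exe","SUCCESS","PID: 2216, Command line: ""C:\Users\analyst\AppData\Roaming\qwvdw.exe"""
"10:01:03.2345678 AM","qwvdw.exe","2216","Process Create","C:\Windows\System32\vssadmin.exe","SUCCESS","PID: 2300, Command line: vssadmin.exe delete shadows /all /quiet"
"10:01:03.3456789 AM","qwvdw.exe","2216","Process Create","C:\Windows\System32\net.exe","SUCCESS","PID: 2310, Command line: net stop ""SQLWriter"" /y"
"10:01:05.4567890 AM","qwvdw.exe","2216","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 2400, Command line: notepad.exe C:\Users\analyst\Desktop\HELP_DECRYPT.txt"
"10:01:06.5678901 AM","explorer.exe","900","Process Create","C:\Windows\System32\calc.exe","SUCCESS","PID: 2500, Command line: ""C:\Windows\System32\calc.exe"""
'''

# "Detail" for a Process Create row carries the child PID and its command line.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)", re.S)

# (name, event field to test, pattern). Shadow-copy deletion and service stops
# are the behaviours called out in the post; the path rule catches binaries
# launched from user-writable locations such as AppData.
RULES = [
    ("shadow-copy-deletion", "cmdline",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("service-stop", "cmdline",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.I)),
    ("user-writable-image-path", "path",
     re.compile(r"\\(?:AppData|Temp|ProgramData)\\", re.I)),
]


def parse_process_creates(csv_text):
    """Turn the export into a list of parent -> child creation events."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        events.append({
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child_pid": int(m.group(1)),
            "path": row["Path"],
            "cmdline": m.group(2).strip(),
        })
    return events


def evaluate(event):
    """Names of every rule the event trips."""
    return [name for name, field, rx in RULES if rx.search(event[field])]


def triage(csv_text):
    """Only the events that tripped at least one rule, with the rule names attached."""
    findings = []
    for ev in parse_process_creates(csv_text):
        hits = evaluate(ev)
        if hits:
            findings.append({**ev, "hits": hits})
    return findings


def descendants(events, root_pid):
    """Transitive children of a PID: everything the original sample spawned,
    even after the first process has terminated."""
    found, frontier = set(), {root_pid}
    while frontier:
        pid = frontier.pop()
        for ev in events:
            if ev["parent_pid"] == pid and ev["child_pid"] not in found:
                found.add(ev["child_pid"])
                frontier.add(ev["child_pid"])
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCMON_CSV):
        print(f'{f["parent"]}({f["parent_pid"]}) -> {f["child_pid"]} {f["path"]}: {", ".join(f["hits"])}')
    print("spawned by 1234:", sorted(descendants(parse_process_creates(SAMPLE_PROCMON_CSV), 1234)))
```

descendants is the piece to reach for when, as in the post, the initial process exits quickly: seeded with its PID it returns the whole tree the sample left behind, which is exactly the set of processes to chase in Process Hacker or a memory dump.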

CaptureBat 
CaptureBat was used to capture all dropped files and also the network traffic. It is an easy-to-use tool that captures all modified and newly created files on disk.
The logs of CaptureBat: 
Below were the dropped files on disk: 
Further analysis (reverse engineering or dynamic analysis) of these files could bring a better understanding of the malware. The hashes of these files could be used as IoCs or signatures for malware detection.

Adwind Sample Hash: 728f71096842b505ddaaa1b9084e8b1950d9eef6831f44a9a88ded61e5cdcab7

Below are the files dropped on disk by the Adwind malware (captured by CaptureBat): 
The dropped DLL can be seen in the above screenshot. 
Dropped VB scripts on disk: 

Adwind indicators of compromise (hash values of all dropped files): 
  • 0b7b52302c8c5df59d960dd97e3abdaf
  • 781fb531354d6f291f1ccab48da6d39f
  • 781fb531354d6f291f1ccab48da6d39f
  • a4c133612fcb6e3e26564594661c3338
  • a32c109297ed1ca155598cd295c26611
  • 3bdfd33017806b85949b6faa7d4b98e4
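As an added example covering both the CaptureBat section and the IoC list above (it is not code from the post or from CaptureBat), the Python below hashes every file in a dropped-files folder, produces the MD5/SHA-256 lines you would paste into a report, and checks the results against a known-bad list. The known-bad MD5s are the Adwind hashes listed above; the folder and its files are constructed stand-ins, not the real drops.

```python
import hashlib
import tempfile
from pathlib import Path

# Known-bad MD5s taken verbatim from the post's Adwind IoC list
# (one value is listed twice there; a set keeps a single copy).
KNOWN_BAD_MD5 = {
    "0b7b52302c8c5df59d960dd97e3abdaf",
    "781fb531354d6f291f1ccab48da6d39f",
    "a4c133612fcb6e3e26564594661c3338",
    "a32c109297ed1ca155598cd295c26611",
    "3bdfd33017806b85949b6faa7d4b98e4",
}


def hash_file(path, chunk_size=1 << 16):
    """MD5 and SHA-256 of one file, streamed so large drops need no extra RAM."""
    path = Path(path)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {
        "path": str(path),
        "size": path.stat().st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def inventory(directory):
    """Hash every regular file below a directory (e.g. CaptureBat's logs folder)."""
    return [hash_file(p) for p in sorted(Path(directory).rglob("*")) if p.is_file()]


def match_known(records, known_md5):
    """Records whose MD5 appears in a known-bad list (MD5 because that is what
    the post's list uses; prefer SHA-256 for anything you publish yourself)."""
    return [r for r in records if r["md5"] in known_md5]


def ioc_lines(records):
    """One line per file, ready to paste into a report or a blocklist."""
    return [f'{r["md5"]}  {r["sha256"]}  {r["size"]:>8}  {r["path"]}' for r in records]


def build_sample_dir():
    """Constructed stand-in for the dropped-files folder; contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="dropped-"))
    (root / "a.vbs").write_bytes(b"abc")                 # well-known test digests
    (root / "empty.tmp").write_bytes(b"")                # zero-byte drops happen too
    sub = root / "sub"
    sub.mkdir()
    (sub / "b.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed sample")
    return root


if __name__ == "__main__":
    records = inventory(build_sample_dir())
    print("\n".join(ioc_lines(records)))
    print("known-bad matches:", [r["path"] for r in match_known(records, KNOWN_BAD_MD5)])
```

Point inventory at the real CaptureBat logs directory on the analysis VM; the same hashing run gives you the IoC list for the report and, against a list like the one above, a quick check whether a new sample drops files you have already seen.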

Microsoft Network Monitor 
Microsoft Network Monitor should be run with administrator privileges to capture all network traffic. The beauty of this tool is that it can identify which process is establishing connections with remote hosts. Wireshark can also be used, but it is limited to the network traffic itself and cannot associate a running process with its network connections. 
It was observed that the newly created process connected to an external host. 
We could also save the entire capture as a pcap file for further analysis.

Autoruns 
Microsoft Windows has many Auto Start Execution Points (ASEPs) through which persistence can be achieved. This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows which programs are configured to run during system boot or login, and when you start various built-in Windows applications such as Internet Explorer, Explorer and media players. These programs and drivers include the ones in your Startup folder, the Run and RunOnce keys, and other registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services and much more, going well beyond other autostart utilities.
As shown above, the malware created an entry under the registry Run keys to maintain its persistence. 
Leverage the built-in VirusTotal scanning for executable images located in autostart locations. 
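As an added example (not code from the post or from Sysinternals), the Python below triages an Autoruns CSV export and ranks entries by the traits the post points at: a Run-key entry whose image lives in a user-writable path, a missing or unverified signature, no publisher metadata, and an image that no longer exists on disk. The column names are assumed from the tool's CSV export (Entry Location, Entry, Enabled, Description, Signer, Company, Image Path, and so on); the rows are constructed, with the first one mirroring the AppData Run-key entry described above.

```python
import csv
import io
import re

# Constructed rows in the (assumed) layout of an Autoruns CSV export.
# The malicious-looking entry mirrors the post's Run-key + AppData pattern;
# the other entries are made up benign examples.
SAMPLE_AUTORUNS_CSV = r'''"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"5/6/2017 3:12 PM","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","qwvdw","enabled","Logon","analyst","","","","c:\users\analyst\appdata\roaming\qwvdw.exe","","C:\Users\analyst\AppData\Roaming\qwvdw.exe"
"5/6/2017 3:12 PM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleAgent","enabled","Logon","System-wide","Example Vendor Agent","(Verified) Example Vendor","Example Vendor","c:\program files\example vendor\agent.exe","1.0.0.1","""C:\Program Files\Example Vendor\agent.exe"" /tray"
"5/6/2017 3:12 PM","HKLM\System\CurrentControlSet\Services","Spooler","enabled","Services","System-wide","Print Spooler","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\spoolsv.exe","6.1.7601.17514","C:\Windows\System32\spoolsv.exe"
"5/6/2017 3:12 PM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldTool","enabled","Logon","System-wide","","","","File not found: c:\tools\oldtool.exe","","c:\tools\oldtool.exe"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)

# Weights are a judgement call: a Run key pointing into a user profile is the
# strongest single signal of the four, so it counts double.
WEIGHTS = {
    "run-key-image-in-user-writable-path": 2,
    "signature-not-verified": 1,
    "no-publisher-metadata": 1,
    "image-missing": 1,
}


def reasons_for(row):
    """Every suspicious trait an enabled autostart entry shows."""
    reasons = []
    location, image, signer = row["Entry Location"], row["Image Path"], row["Signer"]
    if RUN_KEY_RE.search(location) and USER_WRITABLE_RE.search(image):
        reasons.append("run-key-image-in-user-writable-path")
    if not signer.startswith("(Verified)"):
        reasons.append("signature-not-verified")
    if not row["Description"] and not row["Company"]:
        reasons.append("no-publisher-metadata")
    if image.lower().startswith("file not found"):
        reasons.append("image-missing")
    return reasons


def triage(csv_text):
    """Enabled entries with at least one suspicious trait, highest score first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].lower() != "enabled":
            continue
        reasons = reasons_for(row)
        if reasons:
            findings.append({
                "entry": row["Entry"],
                "location": row["Entry Location"],
                "image": row["Image Path"],
                "reasons": reasons,
                "score": sum(WEIGHTS[r] for r in reasons),
            })
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS_CSV):
        print(f'[{f["score"]}] {f["entry"]} @ {f["location"]}')
        print(f'     {f["image"]}  ({", ".join(f["reasons"])})')
```

Run it against an export taken with signature verification enabled; without that, every Signer column is blank and the signature rule fires on everything. The ranking complements the built-in VirusTotal lookup mentioned above rather than replacing it: an entry can be unsigned and unknown to VirusTotal and still be the one that matters.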

This is just an explanatory post on how to use these tools for quick and effective behavioural analysis of a malware sample :) 













