Introduction
This post explains five handy tools for performing behavioural analysis of malware. These tools make it easy to perform a quick behavioural analysis and understand the characteristics of a malware specimen. The main objective of behavioural analysis is to pull out indicators of compromise (IoCs) so that the threat can be detected and defended against proactively.
Tools
- Process Hacker (http://processhacker.sourceforge.net/)
- Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
- CaptureBat (https://www.honeynet.org/node/315)
- Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
- Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
Disclaimer
- You are dealing with real malware samples
- Don’t expose them to internal networks or the internet
- Analyze them in a controlled environment (sandboxes)
- We are not responsible for any consequences of damage if you fail to obey the rules
Analysis
A Windows 7 virtual machine was set up with the tools mentioned above, and a snapshot of the clean Windows 7 state with all tools installed was taken. The tools are explained below using various malware specimens. The hash values of the malware used in this analysis are given below; all tools were run in the background while the malware was executed.
Hash
846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e
Process Hacker
The malware was executed while Process Hacker was running in the background.
It was interesting to see the description shown for the malware. We could poke around the memory section of the malware later.
The initial process terminated and a new process was created from a strangely named executable; the location of the file can be found by looking at the properties of the process. It is always advisable to dump the memory of the infected system so that all terminated processes can be identified and a timeline of all processes can be built. Looking at the properties of the newly created process:
We could see many interesting strings in process memory related to ransomware, including a help-instructions file for the decryption process. We could also identify an IP address within the process memory strings; it is recommended to filter them using a regular expression for IP addresses:
(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?
We can also dump the entire set of process memory strings to a text file and search it offline for IP addresses or anything else of interest using filters.
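As an added example (not part of the original post), the following script does the offline search described above: it pulls printable strings out of a dumped memory blob and runs the post's IP regex over them. It adds digit boundaries around the regex so that partial matches such as "10.0.0.256" or "1234.5.6.7" are rejected, and it drops RFC 1918, loopback and link-local addresses, which rarely make useful network IoCs. The memory blob is constructed for the example.

```python
import ipaddress
import re

# The post's regex: dotted-quad IPv4 with an optional /prefix suffix.
IPV4_RE = (r"(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}"
           r"(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?")
# Added hardening: digit boundaries so "1234.5.6.7" or "10.0.0.256" cannot
# yield a partial match such as "234.5.6.7" or "10.0.0.25".
IPV4_BOUNDED = re.compile(r"(?<!\d)" + IPV4_RE + r"(?!\d)")

# Ranges that are not routable on the internet; skipped by default.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def extract_strings(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

def find_ip_indicators(data: bytes, skip_private: bool = True):
    """Return sorted unique IPv4 indicators found in process-memory bytes."""
    found = set()
    for s in extract_strings(data):
        for m in IPV4_BOUNDED.finditer(s):
            ip = ipaddress.ip_address(m.group().split("/")[0])
            if skip_private and any(ip in net for net in NON_ROUTABLE):
                continue
            found.add(m.group())
    return sorted(found)

# Constructed sample blob standing in for a dumped process-memory file.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00Your files have been encrypted!\x00"
    b"HELP_DECRYPT_INSTRUCTIONS.txt\x00\x00"
    b"remote host 198.51.100.23\x00 backup 203.0.113.9/24\x00"
    b"local 10.0.0.5\x00 bogus 10.0.0.256\x00 build 1234.5.6.7\x00"
)

if __name__ == "__main__":
    for indicator in find_ip_indicators(SAMPLE_MEMORY):
        print(indicator)
```

To use it on a real dump, read the strings file Process Hacker saved as bytes and pass it to find_ip_indicators.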
Process Monitor
Process Monitor was run with a Process Create filter while the malware was executed. Using Process Monitor, we could identify all newly created processes along with the command-line arguments passed to them.
It was identified that the malware stops all critical services and deletes all volume shadow copies on the system, and then runs the dropped binary to encrypt all files. The location of the newly created process was identified as the user's AppData folder.
It was also observed that a notepad process was started to display the dropped help-instructions file.
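As an added example (not from the original post), this script turns the observations above into detection logic run over a Process Monitor CSV export: it keeps only Process Create events and flags shadow-copy deletion, service stops, and images executed out of a user's AppData folder. The CSV rows are constructed; the assumed layout is ProcMon's default columns, with the Detail field of a Process Create event carrying "PID: n, Command line: ...".

```python
import csv
import re

# Constructed Process Monitor CSV export (default columns, assumed layout).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","2812","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 3004, Command line: cmd.exe /c vssadmin delete shadows /all"
"10:01:02.3","sample.exe","2812","Process Create","C:\Windows\System32\net.exe","SUCCESS","PID: 3012, Command line: net stop vss"
"10:01:03.0","sample.exe","2812","Process Create","C:\Users\analyst\AppData\Roaming\qwjnx.exe","SUCCESS","PID: 3020, Command line: C:\Users\analyst\AppData\Roaming\qwjnx.exe"
"10:01:03.5","qwjnx.exe","3020","Process Create","C:\Windows\System32\notepad.exe","SUCCESS","PID: 3040, Command line: notepad.exe C:\Users\analyst\Desktop\HELP_DECRYPT.txt"
"10:01:04.0","explorer.exe","1200","Process Create","C:\Windows\System32\calc.exe","SUCCESS","PID: 3100, Command line: calc.exe"
"10:01:04.2","sample.exe","2812","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qwjnx","SUCCESS","Type: REG_SZ"
'''

# Detection rules for the behaviours the post observed.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I),
    "exec_from_appdata": re.compile(r"\\users\\[^\\]+\\appdata\\", re.I),
}

def parse_process_creates(csv_text):
    """Return Process Create events as dicts with parent, image and cmdline."""
    events = []
    for row in csv.DictReader(csv_text.strip().splitlines()):
        if row["Operation"] != "Process Create":
            continue
        m = re.search(r"Command line:\s*(.*)$", row["Detail"])
        events.append({"parent": row["Process Name"], "image": row["Path"],
                       "cmdline": m.group(1) if m else ""})
    return events

def flag_suspicious(events):
    """Return (rule, parent process, command line) for each rule match."""
    hits = []
    for ev in events:
        haystack = ev["image"] + " " + ev["cmdline"]  # match on path or args
        for name, rx in RULES.items():
            if rx.search(haystack):
                hits.append((name, ev["parent"], ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for rule, parent, cmdline in flag_suspicious(parse_process_creates(SAMPLE_CSV)):
        print(f"[{rule}] parent={parent} cmd={cmdline}")
```

Export the ProcMon capture with File > Save as CSV and feed the file contents to parse_process_creates instead of SAMPLE_CSV.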
CaptureBat
CaptureBat was used to capture all dropped files and also the network traffic. It is an easy-to-use tool that can capture all modified and newly created files on disk.
Below are the files dropped on disk:
Further analysis (reverse engineering or dynamic analysis) of these files could bring a better understanding of the malware. The hashes of these files could be used as IoCs or signatures for malware detection.
Adwind Sample Hash: 728f71096842b505ddaaa1b9084e8b1950d9eef6831f44a9a88ded61e5cdcab7
Below are the files dropped on disk by the Adwind malware (captured by CaptureBat):
The dropped DLL can be seen in the above screenshot.
Adwind indicators of compromise (hash values of all dropped files):
- 0b7b52302c8c5df59d960dd97e3abdaf
- 781fb531354d6f291f1ccab48da6d39f
- a4c133612fcb6e3e26564594661c3338
- a32c109297ed1ca155598cd295c26611
- 3bdfd33017806b85949b6faa7d4b98e4
Microsoft Network Monitor
Microsoft Network Monitor should be run with admin privileges to capture all network traffic. The beauty of this tool is that it identifies which process is establishing connections with remote hosts. Wireshark can also be used, but it is limited to network traffic and cannot associate a running process with its network connection.
It was observed that the newly created process connected to an external entity.
We could also dump and save the entire traffic as a pcap file for further analysis.
Autoruns
Microsoft Windows has many Auto Start Execution Points (ASEPs) through which persistence can be achieved. This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
As shown above, the malware made an entry in the registry Run keys to maintain its persistence.
Leverage the built-in VirusTotal scanning for executable images located in autostart locations.
This is just an explanatory post showing how to use these tools for quick and effective behavioural analysis of malware :)