Five awesome tools to perform behavioural analysis of a malware

Introduction 
This post explains about five awesome tools to perform behavioural analysis of a malware. These tools are really handy to perform a quick behavioural analysis to understand the characteristics of malware specimen. The main objective of behavioural analysis is to pull out indicators of compromise to defend and detect proactively.

Tools 

  1. Process Hacker (http://processhacker.sourceforge.net/)
  2. Process Monitor (ProcMon) (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)
  3. CaptureBat (https://www.honeynet.org/node/315)
  4. Microsoft Network Monitor (https://blogs.technet.microsoft.com/netmon/p/downloads/)
  5. Autoruns (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
Disclaimer
  • You are dealing with real malware samples
  • Don’t expose them to internal networks or internet
  • Analyze them in a controlled environments (sandboxes)
  • We are not responsible for any consequences of damage if you fail to obey the rules
Analysis 
A windows 7 virtual machine was setup with above mentioned tools. Ensured that a clean state of windows 7 with all tools was taken as a snapshot. The above mentioned tools were explained with various malware specimen. Find below hash values for malware used in this analysis and run all tools in background while executing malware 

Hash
846416b8b5d3c83e0191e62b7a123e9188b7e04095a559c6a1b2c22812d0f25e

Process hacker
The malware was executed while process hacker was running in the background. 

It was interesting to see the description for the malware. We could poke around the memory section of the malware later. 

The initial process was terminated and new process was created with some strange executable and the location of file could also be found by looking at the properties of the process. It's always suggested to dump the memory of the infected system so that all the terminated processes can be identified and also made a timeline analysis of all processes. Looking at the properties of the newly created process
 
We could see many interesting strings in process memory related to ransomware and also a help instructions file for decryption process. We could also identify an IP address within process memory strings  and it's recommended to filter using regular expression for IP addresses 

(?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?

We can also dump entire process memory strings to a text file and search offline for IP addresses or anything of interest using filters. 

Process Monitor 
Upon running the process monitor in process create filter mode while the malware was executed. Using process monitor, we could identify all newly created processes and also all command line arguments for those processes 

It was identified that the malware stops all critical services and delete all volume shadow copies on the system and then ran the dropped binary to encrypt all files. The location of newly created process was also identified as Users Appdata folder. 
It was observed that notepad process was started to show the dropped help instructions file 

CaptureBat 
CaptureBat was used to capture all dropped files and also the network traffic. Easy to use tool that could also capture all modified and newly created files on disk.
The logs of CaptureBat 
Below were the dropped files on disk 
Further analysis (reverse engineering or dynamic analysis)of these files could bring better understanding of the malware. These file hashes could be used as IoC or signatures in malware detection

Adwind Sample Hash: 728f71096842b505ddaaa1b9084e8b1950d9eef6831f44a9a88ded61e5cdcab7

The below were the dropped files on disk by Adwind malware ( captured by CaptureBat) 
Dropped dll can be seen above screenshot 
Dropped VB scripts on disk 

Adwind Indicators of compromise ( hash value of all dropped files) 
  • 0b7b52302c8c5df59d960dd97e3abdaf
  • 781fb531354d6f291f1ccab48da6d39f
  • 781fb531354d6f291f1ccab48da6d39f
  • a4c133612fcb6e3e26564594661c3338
  • a32c109297ed1ca155598cd295c26611
  • 3bdfd33017806b85949b6faa7d4b98e4

Microsoft Network Monitor 
Microsoft Network Monitor should be run with admin privileges to capture all network traffic. The beauty of this tool is that it can identify which process is establishing connections with remote hosts. Wireshark can also be used but it's limited to network traffic and it can not associate a running process with it's network connection 
It was observed that newly created process connected to an external entity 
We could also dump and save entire traffic as pcap file for further analysis

Autoruns 
Microsoft windows has many Auto Start Execution Points (ASEPs) through which the persistence can be achieved. This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
As shown above, the malware made an entry into registry Run keys to maintain its persistence 
Leverage inbuilt virustotal scanning for executable images located in autostart locations. 

This is just an explanatory post to explain how to use these tools for quick and effective behavioural analysis of a malware :) 














Comments

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Memory dump analysis of Donny's System

Malicious document analysis Part - 1