Monday, September 1, 2014

Beginning Dynamic Malware Analysis

In the previous post, we performed some basic static analysis to learn about a suspect file. In this post we will perform so basic dynamic analysis.

Without further ado, let's get started.

First let's use RegShot to take a capture of the registry. Once we have completed running the executable, we will then take another snapshot of the registry. We will then compare the two to see what changes may have been made by the suspected malicious code.



Once we have taken the first snapshot of the registry we will next use Process Monitor from the sysinternals suite of tools to learn about the malware during it's execution. We will "Add" and "Apply" a filter to focus on the malware.exe file. We need to consider that any process spawned as a result of the "lab06-02.exe" may not be seen in this filter. 


Once we run the "lab06-02.exe" file we can see the following in Process Monitor.

















A snapshot of the output shows that once the process started, it performed a number of actions. Some of these include creating files in the "Windows\Prefetch" directory. It also Queried some Directories, etc.


At this point, we can take a second shot of the registry using regshot and compare the two shots.

If we remember, during the static analysis, it was identified that "lab06-02.exe" was using "WINNET.DLL". This suggest to me that some networking functionality is being used. Let's see if this is true.

To identify any networking functionality, we will run wireshark in the background on the windows system and tcpdump on the Kali System, while we also use INetSim. INetSim will be running on the Kali Box.

The windowsXP system, will be configured to use the  kali box for DNS services.

So having started up INetSim, we see the following.
INetSim 1.2.4 (2013-08-15) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /usr/share/inetsim/log/
Using data directory:     /usr/share/inetsim/data/
Using report directory:   /usr/share/inetsim/report/
Using configuration file: /usr/share/inetsim/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 3634) ===
Session ID:     3634
Listening on:   10.0.0.102
Real Date/Time: 2014-08-13 12:59:56
Fake Date/Time: 2014-08-13 12:59:56 (Delta: 0 seconds)
 Forking services...
  * finger_79_tcp - started (PID 3648)
  * time_37_tcp - started (PID 3651)
  * discard_9_tcp - started (PID 3657)
  * ntp_123_udp - started (PID 3647)
  * quotd_17_udp - started (PID 3660)
  * daytime_13_udp - started (PID 3654)
  * chargen_19_udp - started (PID 3662)
  * dns_53_tcp_udp - started (PID 3636)
  * tftp_69_udp - started (PID 3645)
  * syslog_514_udp - started (PID 3650)
  * echo_7_tcp - started (PID 3655)
  * ident_113_tcp - started (PID 3649)
  * irc_6667_tcp - started (PID 3646)
  * echo_7_udp - started (PID 3656)
  * chargen_19_tcp - started (PID 3661)
  * time_37_udp - started (PID 3652)
  * discard_9_udp - started (PID 3658)
  * daytime_13_tcp - started (PID 3653)
  * quotd_17_tcp - started (PID 3659)
  * dummy_1_udp - started (PID 3664)
  * dummy_1_tcp - started (PID 3663)
  * ftps_990_tcp - started (PID 3644)
  * smtps_465_tcp - started (PID 3640)
  * smtp_25_tcp - started (PID 3639)
  * pop3_110_tcp - started (PID 3641)
  * ftp_21_tcp - started (PID 3643)
  * pop3s_995_tcp - started (PID 3642)
  * http_80_tcp - started (PID 3637)
  * https_443_tcp - started (PID 3638)
 done.
Simulation running.

Let's now take a look at our netstat output 
root@securitynik:~# netstat -nltup | grep -i inetsim
tcp        0      0 10.0.0.102:1            0.0.0.0:*               LISTEN      3663/inetsim_dummy_
tcp        0      0 10.0.0.102:995          0.0.0.0:*               LISTEN      3642/inetsim_pop3s_
tcp        0      0 10.0.0.102:37           0.0.0.0:*               LISTEN      3651/inetsim_time_3
tcp        0      0 10.0.0.102:7            0.0.0.0:*               LISTEN      3655/inetsim_echo_7
tcp        0      0 10.0.0.102:9            0.0.0.0:*               LISTEN      3657/inetsim_discar
tcp        0      0 10.0.0.102:6667         0.0.0.0:*               LISTEN      3646/inetsim_irc_66
tcp        0      0 10.0.0.102:13           0.0.0.0:*               LISTEN      3653/inetsim_daytim
tcp        0      0 10.0.0.102:110          0.0.0.0:*               LISTEN      3641/inetsim_pop3_1
tcp        0      0 10.0.0.102:79           0.0.0.0:*               LISTEN      3648/inetsim_finger
tcp        0      0 10.0.0.102:80           0.0.0.0:*               LISTEN      3637/inetsim_http_8
tcp        0      0 10.0.0.102:465          0.0.0.0:*               LISTEN      3640/inetsim_smtps_
tcp        0      0 10.0.0.102:17           0.0.0.0:*               LISTEN      3659/inetsim_quotd_
tcp        0      0 10.0.0.102:113          0.0.0.0:*               LISTEN      3649/inetsim_ident_
tcp        0      0 10.0.0.102:19           0.0.0.0:*               LISTEN      3661/inetsim_charge
tcp        0      0 10.0.0.102:21           0.0.0.0:*               LISTEN      3643/inetsim_ftp_21
tcp        0      0 10.0.0.102:53           0.0.0.0:*               LISTEN      3636/inetsim_dns_53
tcp        0      0 10.0.0.102:25           0.0.0.0:*               LISTEN      3639/inetsim_smtp_2
tcp        0      0 10.0.0.102:443          0.0.0.0:*               LISTEN      3638/inetsim_https_
tcp        0      0 10.0.0.102:990          0.0.0.0:*               LISTEN      3644/inetsim_ftps_9
udp        0      0 10.0.0.102:37           0.0.0.0:*                           3652/inetsim_time_3
udp        0      0 10.0.0.102:53           0.0.0.0:*                           3636/inetsim_dns_53
udp        0      0 10.0.0.102:69           0.0.0.0:*                           3645/inetsim_tftp_6
udp        0      0 10.0.0.102:123          0.0.0.0:*                           3647/inetsim_ntp_12
udp        0      0 10.0.0.102:1            0.0.0.0:*                           3664/inetsim_dummy_
udp        0      0 10.0.0.102:514          0.0.0.0:*                           3650/inetsim_syslog
udp        0      0 10.0.0.102:7            0.0.0.0:*                           3656/inetsim_echo_7
udp        0      0 10.0.0.102:9            0.0.0.0:*                           3658/inetsim_discar
udp        0      0 10.0.0.102:13           0.0.0.0:*                           3654/inetsim_daytim
udp        0      0 10.0.0.102:17           0.0.0.0:*                           3660/inetsim_quotd_
udp        0      0 10.0.0.102:19           0.0.0.0:*                           3662/inetsim_charge

From the above it looks like INetSim is ready to accept connections. Let's now execute "lab06-02.exe" once again.

Once we executed the "lab06-02.exe" file, communication occurs over the network. We then next stop INetSim to take a look at its report.

Simulation stopped.
 Report written to '/usr/share/inetsim/report/report.3634.txt' (12 lines)
=== INetSim main process stopped (PID 3634) ===

root@securitynik:~# cat /usr/share/inetsim/report/report.3634.txt | more
root@securitynik:~# cat /usr/share/inetsim/report/report.3634.txt | more
=== Report for session '3634' ===

Real start date            : 2014-08-13 12:59:56
Simulated start date       : 2014-08-13 12:59:56
Time difference on startup : none

2014-08-13 13:01:58  First simulated date in log file
2014-08-13 13:01:58  DNS connection, type: A, class: IN, requested name: www.practicalmalwareanalysis.com
2014-08-13 13:01:58  HTTP connection, method: GET, URL: http://www.practicalmalwareanalysis.com/cc.htm, fil
e name: /usr/share/inetsim/data/http/fakefiles/sample.html
2014-08-13 13:01:58  Last simulated date in log file


As can be seen from above, the suspect file did a DNS lookup for "www.practicalmalwareanalysis.com". Once that was completed it then did a HTTP GET for "http://www.practicalmalwareanalysis.com/cc.htm".

Let's take a look at our packet capture to see if this is so.
Looking a the 12 packets capture showed as follows

root@securitynik:~# tshark -n -r lab06-02.pcap 

  1   0.000000   10.0.0.101 -> 10.0.0.102   DNS 94 Standard query 0xae4f  A www.practicalmalwareanalysis.com
  2   0.012583   10.0.0.102 -> 10.0.0.101   DNS 110 Standard query response 0xae4f  A 10.0.0.102
  3   0.013423   10.0.0.101 -> 10.0.0.102   TCP 64 1070 > 80 [SYN] Seq=1617531236 Win=64240 Len=0 MSS=1460 SACK_PERM=1
  4   0.013456   10.0.0.102 -> 10.0.0.101   TCP 64 80 > 1070 [SYN, ACK] Seq=4292021235 Ack=1617531237 Win=29200 Len=0 MSS=1460 SACK_PERM=1
  5   0.013720   10.0.0.101 -> 10.0.0.102   TCP 62 1070 > 80 [ACK] Seq=1617531237 Ack=4292021236 Win=64240 Len=0
  6   0.014458   10.0.0.101 -> 10.0.0.102   HTTP 159 GET /cc.htm HTTP/1.1 
  7   0.014471   10.0.0.102 -> 10.0.0.101   TCP 56 80 > 1070 [ACK] Seq=4292021236 Ack=1617531340 Win=29200 Len=0
  8   0.030540   10.0.0.102 -> 10.0.0.101   TCP 206 [TCP segment of a reassembled PDU]
  9   0.033710   10.0.0.102 -> 10.0.0.101   HTTP 314 HTTP/1.1 200 OK  (text/html)
 10   0.034910   10.0.0.101 -> 10.0.0.102   TCP 62 1070 > 80 [ACK] Seq=1617531340 Ack=4292021645 Win=63832 Len=0
 11   0.034938   10.0.0.101 -> 10.0.0.102   TCP 62 1070 > 80 [FIN, ACK] Seq=1617531340 Ack=4292021645 Win=63832 Len=0
 12   0.034952   10.0.0.102 -> 10.0.0.101   TCP 56 80 > 1070 [ACK] Seq=4292021645 Ack=1617531341 Win=29200 Len=0


Let's peer into the HTTP Packets to see what's there.
root@securitynik:~# tshark -n -r lab06-02.pcap  -z "follow,tcp,ascii,10.0.0.101:1070,10.0.0.102:80"

===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.101 and tcp.srcport eq 1070) and (ip.dst eq 10.0.0.102 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.102 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.101 and tcp.dstport eq 1070))
Node 0: 10.0.0.101:1070
Node 1: 10.0.0.102:80
103
GET /cc.htm HTTP/1.1
User-Agent: Internet Explorer 7.5/pma
Host: www.practicalmalwareanalysis.com


150
HTTP/1.1 200 OK
Server: INetSim HTTP Server
Connection: Close
Content-Length: 258
Content-Type: text/html
Date: Wed, 13 Aug 2014 17:01:58 GMT


258
<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>

Awesome, from the above we see what the host requested and the server (INetSim) responded with a response to satisfy the request.

So now that's we've done some basic static and dynamic analysis & have learnt alot about the suspected malicious file, how do we use the knowledge we have gained? We will answer this question in the next post.

References:
https://tuts4you.com/download.php?view.3011
https://code.google.com/p/regshot/
http://technet.microsoft.com/en-ca/sysinternals/bb842062.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa385473(v=vs.85).aspx
http://www.inetsim.org/index.html
https://www.wireshark.org/docs/man-pages/tshark.html

No comments:

Post a Comment