SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON) Malware Analysis Reverse Engineering Workshop (44Con 2013)

44Con Malware Workshop


DESCRIPTION

Dynamic analysis malware workshop I did for 44Con 2013


Page 1: 44Con Malware Workshop

SIAVOSH ZARRASVAND & INAKI RODRIGUEZ (44CON)

Malware Analysis Reverse Engineering Workshop (44Con 2013)

Grab a copy of the files

• Thumb drives being passed around
– Disclaimer about new malware of your own
• Wifi
– SSID hbn
– PSK ILoveTheSmellOfHackInTheMorning
– www http://192.168.252.5/

Agenda

1. Basic Concepts
2. Behavior Analysis
3. Memory Analysis
4. Static Analysis

What is Malware

• Any piece of software that performs malicious activities.
– Executable
– Documents
– Flash
– Java
– …

Types of Malware

• Some examples of categories
– Worm
– Trojan
– Spyware
– Adware
– Ransomware
– Rootkit
– Keyloggers
– Stealers
– Virus
– Backdoor

Windows Executable

• PE File
• An executable under the hood
• Structure:
– Imported Functions
– Exported Functions
– Sections
– Code
– Data
– Relocation information
– Certificate

Binary Content

Interpreted Content

The BIG picture

PE Explorer

• Examining the content of a Windows executable (exe, cpl, ocx, dll, …)
• Editor, disassembler, resource editor.

Screenshot: PE Explorer views General Info, Data Directories, Sections, Resource Editor, Imports, Dependencies.

LAB – 1

• Use PE Explorer over installer.exe and pafish.exe
• Questions
– Could you enumerate some notable differences?
– Could you find something interesting in installer.exe?
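Added example, not part of the workshop material: a minimal PE header walk in Python that does in code what Lab 1 asks you to do by eye in PE Explorer. It follows the DOS header to the PE signature, reads the COFF header and the optional-header magic, lists the section table, and flags sections that are both writable and executable or that claim memory without carrying bytes on disk (the usual look of a packed or self-unpacking image). The image it parses is constructed by `build_sample_pe()`; the `.pack0` section name and every offset are invented and say nothing about installer.exe or pafish.exe.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> optional-header magic -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # the COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    table = opt + opt_size               # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": chars,
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "pe32_plus": magic == 0x20B,
        "sections": sections,
    }


def suspicious_sections(pe: dict) -> list:
    """Names of sections that are writable AND executable, or that occupy memory but
    carry no bytes on disk: both are typical of packed or self-unpacking images."""
    out = []
    for s in pe["sections"]:
        wx = (s["characteristics"] & IMAGE_SCN_MEM_WRITE) and (s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        hollow = s["raw_size"] == 0 and s["virtual_size"] > 0
        if wx or hollow:
            out.append(s["name"])
    return out


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real binary, nothing from the workshop):
    a normal .text section plus a hypothetical '.pack0' section that is W+X and hollow."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x52000000, 0, 0, 224, 0x0102)   # i386, 2 sections, EXECUTABLE|32BIT
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                         # PE32 magic, remainder zeroed
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    pack0 = struct.pack("<8sIIIIIIHHI", b".pack0", 0x5000, 0x2000, 0, 0, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                        | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    return dos + b"PE\0\0" + coff + optional + text + pack0


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["machine"], "dll" if pe["is_dll"] else "exe", "PE32+" if pe["pe32_plus"] else "PE32")
    for s in pe["sections"]:
        print(f'{s["name"]:8} vsize={s["virtual_size"]:#x} raw={s["raw_size"]:#x} chars={s["characteristics"]:#x}')
    print("suspicious:", suspicious_sections(pe))
```

Point `parse_pe` at `open(path, "rb").read()` of any exe, cpl, ocx or dll to get the same view PE Explorer's Sections tab gives; the two checks in `suspicious_sections` are a starting point for the "something interesting" question, not a verdict.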


From File to Process

• From File to Process
– Loader
– Read Header
– Place Executable in Memory
– Create Process Object

Monitoring Behavior

• Interaction with the Operating System
• File Activity
• Network flows
• Registry monitor
• Api Calls

Diagram: a Process, the DLLs it loads, and the functions (Fun1, Fun2, Fun3) each DLL exposes.

Behavior Analysis

• Execution in a controlled environment.
• Not as time consuming as static analysis.
• Focused on results.
• VM and Snapshots.
• MSDN – Api calls

What are we looking for

• New processes
• Code injection
• Downloads
• File activity
• Persistence mechanism
• Registry changes
• C&C Communication
• Network activity (LAN)

Process Monitor

• Included in the Sysinternals Suite with many other interesting tools.

Screenshot: Process Monitor toolbar items Filter, Search Event, Filter by Event.

Lab – 2 (File Activities)

• Open Process Explorer
• Execute installer.exe
• Filter the results
• Questions
– Which file was created?
– Where?
– Why has the installer.exe vanished?

LAB – 2 (Answers)

Lab – 3 (Process Activities)

• Use the previous capture
• Questions
– How many processes were spawned?
– Could you identify who deleted the original installer.exe file?

Lab – 3 (Answers)

Regshot

• Takes Registry Snapshots
• Compare Snapshots

Regshot Report

Lab – 4 (Registry)

• Restore the Snapshot
• Execute Regshot and take a first snapshot.
• Execute Process Explorer.
• Execute installer.exe.
• Sleep 1m
• Take a second snapshot and compare.
• Questions
– Could you identify the persistence mechanism using RegShot?
– And with Process Monitor?
– Could you find any new service added by the malware?
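Added example, my code rather than anything from the workshop: Labs 2, 3 and 4 ask the same kind of question of one Process Monitor capture (which file was created and where, who deleted installer.exe, how many processes were spawned, which registry write is the persistence mechanism). The Python below answers them over a Procmon CSV export (File, Save, CSV), first restricting the capture to the sample's process tree so that explorer.exe and svchost.exe noise drops out, which is what the "Filter the results" step does by hand. The CSV lines are constructed in Procmon's export layout; the PIDs, the dropped file name wupdsvc.exe and every path are invented and are not the lab's answers.

```python
import csv
import io
import re

# Constructed capture in the column layout of Process Monitor's CSV export.
# Operation names and Detail phrasing follow what Procmon writes; all values are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.5000000","explorer.exe","1204","CreateFile","C:\Users\lab\AppData\Local\Temp\~DF1A2B.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:00:01.0000001","explorer.exe","1204","Process Create","C:\Users\lab\Desktop\installer.exe","SUCCESS","PID: 3320, Command line: ""C:\Users\lab\Desktop\installer.exe"""
"10:00:01.1000001","installer.exe","3320","CreateFile","C:\Users\lab\AppData\Roaming\wupdsvc.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, OpenResult: Created"
"10:00:01.2000001","installer.exe","3320","WriteFile","C:\Users\lab\AppData\Roaming\wupdsvc.exe","SUCCESS","Offset: 0, Length: 81,920"
"10:00:01.3000001","installer.exe","3320","Process Create","C:\Users\lab\AppData\Roaming\wupdsvc.exe","SUCCESS","PID: 3408, Command line: ""C:\Users\lab\AppData\Roaming\wupdsvc.exe"" /install"
"10:00:01.4000001","wupdsvc.exe","3408","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wupdsvc","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\Users\lab\AppData\Roaming\wupdsvc.exe"
"10:00:02.0000001","wupdsvc.exe","3408","SetDispositionInformationFile","C:\Users\lab\Desktop\installer.exe","SUCCESS","Delete: True"
"10:00:02.1000001","svchost.exe","880","CreateFile","C:\Windows\System32\catroot2\edb.log","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
'''

# Registry paths that give a program a restart: Run/RunOnce keys and the services tree.
PERSISTENCE_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Services\\")


def parse_procmon_csv(text: str) -> list:
    """One dict per event, keyed by the export's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def process_tree(events: list, root_pid: str) -> set:
    """PIDs reachable from root_pid by following Process Create events.
    One pass suffices because the capture is chronological: a child is created after its parent."""
    pids = {root_pid}
    for e in events:
        if e["Operation"] == "Process Create" and e["PID"] in pids:
            m = re.search(r"PID: (\d+)", e["Detail"])
            if m:
                pids.add(m.group(1))
    return pids


def files_created(events: list) -> list:
    """CreateFile calls that actually created a file, not ones that opened an existing one."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "CreateFile" and "OpenResult: Created" in e["Detail"]]


def files_deleted(events: list) -> list:
    """Deletion shows up as a delete-on-close request, not as an operation named 'delete'."""
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "SetDispositionInformationFile" and "Delete: True" in e["Detail"]]


def processes_spawned(events: list) -> list:
    return [(e["Process Name"], e["Path"]) for e in events if e["Operation"] == "Process Create"]


def persistence_writes(events: list) -> list:
    return [(e["Process Name"], e["Path"]) for e in events
            if e["Operation"] == "RegSetValue" and any(m in e["Path"] for m in PERSISTENCE_MARKERS)]


def triage(text: str, root_pid: str) -> dict:
    """Restrict the capture to the sample's process tree, then answer the lab questions."""
    events = parse_procmon_csv(text)
    pids = process_tree(events, root_pid)
    mine = [e for e in events if e["PID"] in pids]
    return {
        "pids": sorted(pids),
        "spawned": processes_spawned(mine),
        "created": files_created(mine),
        "deleted": files_deleted(mine),
        "persistence": persistence_writes(mine),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV, "3320").items():
        print(f"{key}: {value}")
```

The root PID is the one Procmon shows for installer.exe; everything the sample and its children did is then read off the five lists, and the unfiltered `files_created(parse_procmon_csv(...))` shows what the tree filter removed.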

Lab – 4 (Answer)

Network Activity

• Wireshark is a well-known network sniffer.
• Many protocol decoders
• Drawback: Secure connections

Screenshot: Wireshark Capture Options, Start, Stop, Restart.

Lab – 5

• Network Activity – Wireshark
• Questions
– Did the malware contact a C&C?
– Was it successful?
– What was the IP/domain name?
– Could you find information about the C&C?
• DNS redirection (*)

Lab – 5 (Answers)

Sysanalyzer

• Logs some interesting APIs
• Sniffer
• Less noisy
• Less information

Lab – 7

• Run installer.exe and compare the results from previous tools.

API Monitor

• Logs a set of Windows APIs from a large set of them
• Low-level information
• Don’t try to log all

Screenshot: API Monitor, Start new process, Filters.

WinApiOverride32

Lab – 8

• Log the network and file activity
• Monitor newly created processes on demand.
• Questions
– Could you find the C&C?
– Could you find when the file is deleted?

LAB – 8 (Answers)

• Were you able to find the C&C?
• Why?

Sandbox

• Why not automation?
• Cuckoo Sandbox executes the malware inside a VM for us.
• Analyzer and reporting system all in one solution.
• Extensible
• Must be installed on Linux

Submit Samples

• Web interface
• Command Line

Cuckoo Architecture

Diagram: Virtual Machine (Agent.py, Cuckoomon.dll, malware, Analyzer.py) and Host (Cuckoo.py, Processors, Signatures, Reports).

Lab – 9

• Upload a sample to the Sandbox
• Meanwhile, check the report for sample a6ff0e175acc7aaa3c2a855e44b11e3b.
• Questions
– Could you identify the same indicators of compromise extracted with the previous tools?
– Could you find the C&C?
– And the function call?
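Added example, neither the workshop's nor Cuckoo's own code: Lab 9 asks whether the sandbox report shows the indicators the manual tools already found, plus the C&C and the API call behind it. The Python below pulls hosts, domains, dropped files and registry keys out of a report, lists the calls on a watch-list of Win32 APIs with their arguments, and cross-checks the result against an indicator set from the earlier labs. The report fragment is constructed and assumes the key layout of a Cuckoo 1.x JSON report (`network.hosts`, `network.domains`, `network.dns`, `behavior.summary`, `behavior.processes[].calls[].arguments`); the host cc.example.invalid, the file names and the MD5 placeholder are invented and are not the report for the lab's sample.

```python
import json

# Win32 APIs whose arguments usually carry the indicators a sandbox report is read for
# (C&C host, dropped file, persistence key, self-deletion).
WATCHED_APIS = {"InternetConnectA", "InternetConnectW", "URLDownloadToFileW",
                "CreateProcessInternalW", "RegSetValueExA", "RegSetValueExW", "DeleteFileW"}

# Constructed report fragment laid out like a Cuckoo 1.x JSON report (an assumption about
# the key names; a real report carries many more). All values are invented.
SAMPLE_REPORT = json.loads(r'''
{
  "target": {"file": {"name": "installer.exe", "md5": "<md5-of-sample>"}},
  "network": {
    "hosts": ["192.0.2.10"],
    "domains": [{"domain": "cc.example.invalid", "ip": "192.0.2.10"}],
    "dns": [{"request": "cc.example.invalid", "type": "A"}]
  },
  "behavior": {
    "summary": {
      "files": ["C:\\Users\\lab\\AppData\\Roaming\\wupdsvc.exe"],
      "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wupdsvc"]
    },
    "processes": [
      {"process_name": "installer.exe", "process_id": 3320, "calls": [
        {"api": "CreateProcessInternalW", "category": "process", "arguments": [
          {"name": "ApplicationName", "value": "C:\\Users\\lab\\AppData\\Roaming\\wupdsvc.exe"}]}
      ]},
      {"process_name": "wupdsvc.exe", "process_id": 3408, "calls": [
        {"api": "RegSetValueExA", "category": "registry", "arguments": [
          {"name": "Handle", "value": "0x00000088"}, {"name": "ValueName", "value": "wupdsvc"}]},
        {"api": "InternetConnectA", "category": "network", "arguments": [
          {"name": "ServerName", "value": "cc.example.invalid"}, {"name": "ServerPort", "value": "80"}]},
        {"api": "DeleteFileW", "category": "filesystem", "arguments": [
          {"name": "FileName", "value": "C:\\Users\\lab\\Desktop\\installer.exe"}]}
      ]}
    ]
  }
}
''')


def network_iocs(report: dict) -> list:
    """Every host and domain the sandbox saw the sample talk to or resolve, deduplicated."""
    net = report.get("network", {})
    found = set(net.get("hosts", []))
    found.update(d["domain"] for d in net.get("domains", []))
    found.update(q["request"] for q in net.get("dns", []))
    return sorted(found)


def calls_matching(report: dict, apis: set) -> list:
    """(process, api, {argument: value}) for each watched API call, in call order."""
    hits = []
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            if call["api"] in apis:
                args = {a["name"]: a["value"] for a in call.get("arguments", [])}
                hits.append((proc["process_name"], call["api"], args))
    return hits


def all_indicators(report: dict) -> set:
    """Network indicators plus the files and registry keys the behaviour summary lists."""
    summary = report.get("behavior", {}).get("summary", {})
    return set(network_iocs(report)) | set(summary.get("files", [])) | set(summary.get("keys", []))


def cross_check(report: dict, expected: set) -> dict:
    """Which indicators from the manual tools the sandbox confirms, and which it missed."""
    seen = all_indicators(report)
    return {"confirmed": sorted(expected & seen), "missing": sorted(expected - seen)}


if __name__ == "__main__":
    print("network:", network_iocs(SAMPLE_REPORT))
    for proc, api, args in calls_matching(SAMPLE_REPORT, WATCHED_APIS):
        print(f"{proc}: {api}({args})")
    print(cross_check(SAMPLE_REPORT, {"cc.example.invalid", "198.51.100.7"}))
```

For a real task, load `report.json` from the task's storage directory with `json.load` in place of `SAMPLE_REPORT`; a "missing" entry in `cross_check` is the cue to ask why the sandbox run differed from the manual one (the same question Lab 8's answers raise).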

Lab – 9 (Answers)

Post Mortem Analysis

• Volatility can extract information from a memory dump.
• Hidden process, handles, connections, …
• Malfind
• Dump memory from Cuckoo, Winpmem, …

Dumping Memory

Screenshots: dumping memory from Cuckoo and from VirtualBox.

Volatility

• Offline Memory analysis tool
• Search for
– Open handles
– Hooked Apis
– New Dlls
– Hidden processes
– Registry values
• No diff tool (Anyone?)

LAB – 10

• Dump memory from a clean system
• List the processes
• Find explorer.exe and list its dlls
• Store this information in a file and repeat the whole process with the malware running
• Question
– Could you find anything suspicious?
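Added example, not from the workshop: the "No diff tool (Anyone?)" point on the Volatility slide and Lab 10 both come down to comparing a clean snapshot with an infected one, which is exactly what Regshot does for the registry. The Python below does that comparison for pslist and dlllist output and for Regshot-style `HKxx\path: "data"` value lines. The trick is the key function: each line is reduced to the field that is stable between two dumps (process name, module path, registry path), because kernel offsets, thread and handle counts change between any two dumps and a plain line diff reports every process as new. All snapshot text is constructed in the shape of Volatility's output; wupdsvc.exe, wupdsvc.dll and every offset are invented.

```python
# Constructed text in the shape of Volatility's pslist / dlllist output and of
# Regshot-style registry value lines. Offsets, counts and the wupdsvc.* artefacts
# are invented. The second dump deliberately has different offsets and counts for
# the same processes, as two real dumps would.
CLEAN_PSLIST = r"""Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x823c89c8 System                    4      0     53      240 ------      0
0x81f9fda0 explorer.exe           1204   1188     15      400      0      0 2013-09-12 09:00:01 UTC+0000
0x81e2b020 svchost.exe             880    624     20      300      0      0 2013-09-12 09:00:02 UTC+0000
"""
DIRTY_PSLIST = r"""Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x823c89c8 System                    4      0     55      251 ------      0
0x81d11f00 explorer.exe           1204   1188     17      432      0      0 2013-09-12 09:00:01 UTC+0000
0x81c07b40 svchost.exe             880    624     21      310      0      0 2013-09-12 09:00:02 UTC+0000
0x81a4c3a8 wupdsvc.exe            3408   3320      3       60      0      0 2013-09-12 10:00:01 UTC+0000
"""
CLEAN_DLLLIST = r"""explorer.exe pid:   1204
Command line : C:\WINDOWS\Explorer.EXE
Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000   0x0ff000     0xffff C:\WINDOWS\Explorer.EXE
0x7c900000   0x0af000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000   0x0f6000     0xffff C:\WINDOWS\system32\kernel32.dll
"""
DIRTY_DLLLIST = CLEAN_DLLLIST + r"""0x10000000   0x01c000     0x0001 C:\Users\lab\AppData\Roaming\wupdsvc.dll
"""
CLEAN_RUNKEYS = r"""----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon: "C:\WINDOWS\system32\ctfmon.exe"
"""
DIRTY_RUNKEYS = CLEAN_RUNKEYS + r"""HKU\S-1-5-21-lab\Software\Microsoft\Windows\CurrentVersion\Run\wupdsvc: "C:\Users\lab\AppData\Roaming\wupdsvc.exe"
"""


def pslist_key(line: str):
    """Process name only: offsets, PIDs, thread and handle counts vary between dumps."""
    t = line.split()
    return t[1] if len(t) > 2 and t[0].startswith("0x") else None


def dlllist_key(line: str):
    """Module path only (case-folded): base addresses and load counts are noise."""
    t = line.split(None, 3)
    return t[3].strip().lower() if len(t) == 4 and t[0].startswith("0x") else None


def registry_key(line: str):
    """Regshot-style 'HKxx\\path: "data"' lines compare verbatim; anything else is skipped."""
    s = line.strip()
    return s if s.startswith("HK") else None


def snapshot_diff(before: str, after: str, key) -> tuple:
    """(added, removed) between two snapshots. `key` maps a line to the part worth
    comparing, or None for header, separator and other non-record lines."""
    a = {k for k in map(key, before.splitlines()) if k}
    b = {k for k in map(key, after.splitlines()) if k}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("processes:", snapshot_diff(CLEAN_PSLIST, DIRTY_PSLIST, pslist_key))
    print("explorer dlls:", snapshot_diff(CLEAN_DLLLIST, DIRTY_DLLLIST, dlllist_key))
    print("run keys:", snapshot_diff(CLEAN_RUNKEYS, DIRTY_RUNKEYS, registry_key))
    naive = snapshot_diff(CLEAN_PSLIST, DIRTY_PSLIST, lambda line: line.strip() or None)
    print("naive line diff reports", len(naive[0]), "new lines")
```

Feed it the two files Lab 10 has you store (`pslist` and `dlllist -p <explorer pid>` output from the clean and the infected dump); the naive variant at the end is the diff you would get from a plain text comparison, and it reports every process as changed. Removed entries matter as much as added ones: a process that is in the clean list but not the infected one is a hidden-process lead.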

LAB – 10 (Answers)

CONTACT ME

• Iñaki Rodriguez
– @virtualminds_es
– [email protected]