Basic malware analysis
•Download as PPTX, PDF•
8 likes•3,740 views
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Report
Share
Basic malware analysis
- 2. Monnappa Member of SecurityXploded Info Security Investigator @ Cisco Focus on Threat Intelligence Reverse Engineering, Malware Analysis, Memory Forensics Email: monnappa22@gmail.com Twitter: @monnappa22 Blog: http://malware-unplugged.blogspot.in Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
- 3. Why Malware Analysis? Types of Malware Analysis Static Analysis Dynamic Analysis Memory Analysis Demo www.SecurityXploded.com
- 4. To determine: the nature and purpose of the malware Interaction with the file system Interaction with the registry Interaction with the network Identifiable patterns www.SecurityXploded.com
- 5. Static Analysis - Analyzing without executing the malware Dynamic Analysis - Analyzing by executing the malware Memory Analysis - Analyzing the RAM for artifacts www.SecurityXploded.com
- 6. www.SecurityXploded.com Static Analysis Steps: Determine the file type tools: file utility on unix and windows (need to install) Determine the cryptographic hash tools: md5sum utility on unix and windows (part of unix utils for windows) Strings search tools: strings utility on unix and windows , Bintext File obfuscation (packers, cryptors and binders) detection tools: PEiD, RDG packer detector Submission to online antivirus scanners (virustotal, jotti, cymru) tools: browser and public api of Virustotal Determine the Imports tools: PEview, Dependency Walker Disassembly tools: IDA Pro, Ollydbg
- 7. Involves executing the malware in a controlled environment to determine its behaviour Steps: Determine the File system activity tools: process monitor, capturebat Determine the Process activity tools: process explorer, process monitor, capturebat Determine the Network activity tools: wireshark Detemine the Registry activity tools: regmon, process monitor, capturebat www.SecurityXploded.com
- 8. Finding and extracting artifacts from computer’s RAM Determine the process activity Determine the network connections Determine hidden artifacts Detemine the Registry activity Tools: Volatility (Advanced Memory Forensic Framework) Advantages: helps in rootkit detection helps in unpacking www.SecurityXploded.com
- 11. www.SecurityXploded.com The below screenshot shows the md5sum of the sample
- 12. www.SecurityXploded.com PEiD was unable determine the packer
- 13. www.SecurityXploded.com Dependency Walker shows the DLLs and API used by malicious executable
- 14. www.SecurityXploded.com VirusTotal results show that this sample is a zeus bot (zbot)
- 16. www.SecurityXploded.com Before executing the malware, montioring tools are run to capture the activities of the malware
- 17. www.SecurityXploded.com Internet services are simulated to give fake response to malware and also to prevent malware from talking out on the internet
- 19. www.SecurityXploded.com The below results show the process, registry and fileystem activity after executing the malware (edd94.exe), also explorer.exe performs lot of activity indicating code injection into explorer.exe
- 20. www.SecurityXploded.com The below results show the malware dropping a file raruo.exe and creating a process.
- 21. www.SecurityXploded.com The below output shows explorer.exe setting a value under run registry subkey as a persistence mechanism to survive the reboot.
- 22. www.SecurityXploded.com Packet capture shows dns query to users9.nofeehost.com and also response shows that the “A” record for the domain is pointed to the machine 192.168.1.2, which is simulating internet services.
- 23. www.SecurityXploded.com The below output shows zeus bot trying to download configuration file from C&C and also the fake response given by the inetsim server.
- 24. www.SecurityXploded.com ZueS Tracker shows that the domain was a ZeuS C&C server
- 26. www.SecurityXploded.com Suspending the VM creates a memory image of the infected machine, the below screenshot show the memory image (infected.vmem) of the infected machine
- 27. www.SecurityXploded.com Volatility’s pslist module shows the two process edd94.exe and raruo.exe
- 28. www.SecurityXploded.com Volatility’s connscan module shows pid 1748 making http connection, this pid 1748 is associated with explorer.exe
- 29. www.SecurityXploded.com The below output shows the inline api hooks and embedded executable in explorer.exe, and also the embedded executable is dumped into a directory (dump) by malfind plugin
- 30. www.SecurityXploded.com The virustotal submission confirms the dumped exe to be component of ZeuS bot
- 31. www.SecurityXploded.com Malware creates registry key to survive the reboot
- 32. www.SecurityXploded.com Finding malicious sample (raruo.exe) from infected host and virustotal submission confirms ZeuS(zbot) infection