Sunday, 25 February 2018

Just another Malware Analysis Guide (5) - Reverse Engineering (x32dbg/cutter/radare2)

Tools for disassembling and debugging a malicious file:
  1. IDA Pro (Free / Commercial)
  2. OllyDbg (Free)
  3. Immunity Debugger (Free)
  4. Radare2 (Free)
  5. x32/x64dbg (Free)
  6. Binary Ninja (Free / Commercial)
  7. WinDbg (Free)
This post uses x32dbg, Cutter and radare2.
The sample executables used are:
  1. Create File
  2. Write Registry
  3. Network Access

x32dbg


Open x32dbg:

Open the sample "create file" executable in x32dbg:

Press F9 once to run the program:

The entry point of the main function:

Right-click in the disassembly view and search for string references in the current module:

The string references appear in the References tab; double-clicking an entry jumps to that offset in the disassembly:

The arguments passed to the CreateFile function are shown here:

The CreateFile parameters are documented on MSDN:

To patch the filename, follow the string's address in the dump:

Locate the filename in the dump, right-click it and modify the value:

After the filename has been patched, press F9 to continue running.
Note that the newly created file now has the modified name.





Cutter

Cutter is a GUI front-end for radare2.



Open Cutter:

Open the sample executable to analyze:

Search for the main function and double-click it; this takes you to the disassembly of the main function:

Click Strings, then double-click a suspicious string:

Double-clicking jumps to the string's offset:

Right-click the address and select Show X-Refs:

An X-Refs window pops up; double-click the reference it found:

This jumps to the referencing address in the disassembly view:

Select Graph to view the function in graph mode:


Radare2


Use rabin2 with the -z argument to list the strings in the executable:

Use the string address obtained from rabin2 inside radare2:

Use the 'aaa' command to auto-analyze the executable, 'px' to print a hexdump at the address and 'axt' to find code references to the address:

Use 's' to seek to the address and 'pdf' to print the function's disassembly:

Use 'VV' to switch to graph mode and 'q' to quit visual or graph mode.

Opening the file with the '-w' argument enables write mode; the binary can then be patched with the 'w' command.
Note: radare2 saves the patched binary once you quit.

Use the '-d' argument to debug the program and the 'dc' command to continue execution. The following runs the program to the end:
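Both the x32dbg and radare2 walkthroughs above patch the filename string in place. The added example below (not code from the post, from x32dbg or from radare2) reproduces that step in Python on a constructed blob: find_strings() lists printable runs with their offsets much like 'rabin2 -z', patch_string() overwrites the NUL-terminated string but refuses a replacement that does not fit, and raw_write() shows why an unpadded overwrite of a shorter name leaves a tail of the old string behind.

```python
import re

def find_strings(blob, min_len=5):
    """Printable ASCII runs with their offsets, in the spirit of 'rabin2 -z' (no section info)."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def raw_write(blob, offset, data):
    """Plain overwrite with no padding or bounds check: what a bare write does."""
    patched = bytearray(blob)
    patched[offset:offset + len(data)] = data
    return bytes(patched)

def patch_string(blob, offset, new_text):
    """Replace the NUL-terminated string at offset without disturbing anything after it.
    Refuses a longer replacement: it would overwrite the terminator and the following bytes."""
    end = blob.index(b"\x00", offset)
    room = end - offset
    new = new_text.encode("ascii")
    if len(new) > room:
        raise ValueError(f"replacement needs {len(new)} bytes, only {room} available")
    return raw_write(blob, offset, new.ljust(room, b"\x00"))  # pad so the string stays terminated

# Constructed stand-in for a data section: padding, the filename the sample
# passes to CreateFile, an import name, then unrelated bytes.
SAMPLE = (b"\x00" * 16
          + b"C:\\Temp\\sample.txt\x00"
          + b"CreateFileA\x00"
          + b"\x90" * 8)

if __name__ == "__main__":
    print(find_strings(SAMPLE))
    off = find_strings(SAMPLE)[0][0]
    print(find_strings(raw_write(SAMPLE, off, b"C:\\Temp\\patch.txt"))[0])   # old tail leaks through
    print(find_strings(patch_string(SAMPLE, off, "C:\\Temp\\patch.txt"))[0])  # clean replacement
```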



End of Just another Malware Analysis Guide (5) - Reverse Engineering (x32dbg/cutter/radare2)

Friday, 16 February 2018

Just another Malware Analysis Guide (4) - Fileless Malware (PowerShell)

Let's take a look at the most common arguments used by malicious PowerShell scripts (source: Palo Alto).


====(NoProfile) Prevents profile scripts from loading====
-nop
-NoP
-noprofile
-NoProfile
-noP

====(NonInteractive) Prevents an interactive prompt====
-noni
-NonI
-noninteractive
-NonInteractive
-nonI

====(WindowStyle Hidden) Hides the PowerShell window====
-window hidden
-W Hidden
-w hidden
-windowstyle hidden
-win hidden
-WindowStyle Hidden
-win Hidden
-wind hidden
-WindowStyle hidden
-WindowStyle hiddeN
-windows hidden
-Win Hidden
-win hid
-Window hidden
-Wind Hidden
-Win hidden

====(EncodedCommand) Runs a base64-encoded command====
-enc
-Enc
-EncodedCommand
-encodedcommand
-encodedCommand
-ec
-en
-ENC

====Execution Policy Bypass====
-ep bypass
-exec bypass
-executionpolicy bypass
-Exec Bypass
-ExecutionPolicy ByPass
-ExecutionPolicy bypass
-Exec ByPass
-ExecutionPolicy Bypass
-ExecuTionPolicy ByPasS
-exe byPass
-ep Bypass
-ExecutionPolicy BypasS
-Exe ByPass

====(NoLogo) Hides the copyright banner====
-Nol
-NoL
-nologo
-nol
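As an added example (not from the original post or the Palo Alto source), the following Python function checks a process command line, such as the CommandLine field of a Sysmon event, for the variants listed above. Rather than matching each spelling, it resolves abbreviations the way powershell.exe does (any unambiguous prefix of a parameter name is accepted) plus the short forms -nop, -noni, -w, -ec, -e, -ex, -ep and -nol, so spellings not in the list above still match. The sample lines are constructed and the base64 blob is a placeholder.

```python
# Canonical powershell.exe parameters from the list above, with the short forms the
# binary accepts explicitly. Beyond these, powershell.exe takes any unambiguous prefix
# of a parameter name, which is why -wind, -windows and -exe all work.
PARAMS = {
    "NoProfile": ("nop",),
    "NonInteractive": ("noni",),
    "WindowStyle": ("w",),
    "EncodedCommand": ("ec", "e"),
    "ExecutionPolicy": ("ex", "ep"),
    "NoLogo": ("nol",),
}

def resolve_param(token):
    """Map a switch such as '-Wind' or '-exe' to its canonical name, or None."""
    name = token.lstrip("-").lower()
    for canon, short in PARAMS.items():
        if name in short:
            return canon
    # Ambiguous prefixes (e.g. '-no') are rejected by PowerShell, so reject them here too.
    matches = [c for c in PARAMS if c.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None

def suspicious_flags(cmdline):
    """Return the set of attacker-style switches present in a PowerShell command line."""
    tokens = cmdline.split()
    found = set()
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        canon = resolve_param(tok)
        value = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if canon == "WindowStyle" and value and "hidden".startswith(value):
            found.add("WindowStyle=Hidden")       # covers 'hidden', 'hid', 'hiddeN', ...
        elif canon == "ExecutionPolicy" and value == "bypass":
            found.add("ExecutionPolicy=Bypass")
        elif canon in ("NoProfile", "NonInteractive", "NoLogo", "EncodedCommand"):
            found.add(canon)
    return found

# Constructed sample command lines, as they would appear in a Sysmon event's CommandLine field.
SAMPLES = [
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc BASE64BLOB",
    "powershell -wind hid -exe byPass -ec BASE64BLOB",
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(suspicious_flags(line)) or "clean", "<-", line)
```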


Tools that could help during static and dynamic analysis:
  1. Windows PowerShell ISE
    • Debugger for PowerShell scripts
  2. Wireshark
    • Captures network traffic
  3. Sysmon
    • Advanced system monitoring tool
  4. Sysmon configuration file (from SwiftOnSecurity)
    • Configuration file for Sysmon
  5. Process Monitor
    • Captures details of running processes
  6. Windows Event Logs
    • Event logs for Windows
The first example PowerShell script can be found here.

Static Analysis

The malicious PowerShell script opened in Notepad++:

Open PowerShell ISE:
Start > Type "powershell" > Right-click Windows PowerShell ISE > Run as Administrator
*Note* The execution policy needs to be set with Set-ExecutionPolicy Bypass

Copy the highlighted base64-encoded string and decode it:

The result is a binary file. Referring back to the PowerShell script, notice that it is compressed with GZIP.
Let PowerShell ISE decode the base64 string and decompress the GZIP for us.
Edit the PowerShell script and paste it into PowerShell ISE as shown below. (Where there are two quotes '' change them to a single quote '.)

Write the decoded and decompressed malicious script to a text file using Write-Output, then press F5 to run.
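The same decoding done in Python, as an added example rather than code from the post: decode_stage() strips the base64 and, when the GZIP magic bytes 1f 8b are present, decompresses the result, and peel() repeats that while the output is itself a base64 blob, which also covers a second base64-encoded stage like the one fetched from Dropbox. The two-stage sample payload is constructed inline; the NUL-byte heuristic used to recognise UTF-16LE (the encoding -EncodedCommand payloads use) is an assumption of this example.

```python
import base64
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_ONLY = re.compile(rb"^[A-Za-z0-9+/=\s]+$")

def bytes_to_text(raw):
    """-EncodedCommand payloads are UTF-16LE; dropped script bodies are usually UTF-8/ASCII.
    Heuristic: if most odd-index bytes are NUL, treat the data as UTF-16LE."""
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def decode_stage(b64_text):
    """Decode one layer: base64, then GZIP when the magic bytes are present. Returns bytes."""
    raw = base64.b64decode(b64_text.strip())
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw

def peel(b64_text, max_layers=4):
    """Repeat decode_stage while the result is still a base64 blob; return every stage as text."""
    stages, current = [], b64_text
    for _ in range(max_layers):
        text = bytes_to_text(decode_stage(current))
        stages.append(text)
        body = text.strip().encode()
        if not body or not B64_ONLY.match(body) or len(body) % 4:
            break   # reached real script text (or malformed data), stop peeling
        current = text
    return stages

# Constructed two-stage sample: stage two is an -EncodedCommand style blob (UTF-16LE),
# stage one is that blob GZIP-compressed and base64-encoded, like the script in the post.
INNER = "Write-Output 'constructed harmless stage two'"
STAGE2 = base64.b64encode(INNER.encode("utf-16-le")).decode()
SAMPLE = base64.b64encode(gzip.compress(STAGE2.encode())).decode()

if __name__ == "__main__":
    for n, stage in enumerate(peel(SAMPLE), 1):
        print(f"stage {n}: {stage[:60]}")
```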


Below is the malicious script, which will download a text file from Dropbox and

Open the Dropbox content in a browser. Notice that it is another malicious script, base64-encoded.

Copy the encoded string and decode it in ConEmu. Notice that it connects back to a malicious C2 server. It is a malicious script generated by Empire.


Dynamic Analysis 


Open Windows PowerShell ISE.

The malicious PowerShell script.

Open Wireshark.

Run CMD as Administrator.

Install the Sysmon configuration file.

Open Windows Event Viewer.

Notice the Sysmon log in Event Viewer.

Copy the purple-highlighted PowerShell script into PowerShell ISE.

Start capturing network traffic in Wireshark.

Clear the Sysmon event logs.

Run the script in PowerShell ISE by pressing F5.

Notice that the network traffic in Wireshark contains Dropbox and the C2 server.

Notice that the logs captured by Sysmon contain the PowerShell process and its network connection.




Save the Wireshark traffic and Sysmon Logs then revert the virtual machine.

End of Just another Malware Analysis Guide (4) - Fileless Malware (PowerShell)