written by wakeup
[EN] Dynamic Malware Analysis
Hello everyone, in the previous part we created a lab environment for analyzing malware. Now it is time to analyze a malware sample using dynamic analysis techniques. I will share the sample with you, but do not execute it on your personal device.
Malware Sample Download Link
As you remember, I showed the INetSim configuration and the usage of FakeDNS in the previous part. Let's run these tools in the REMnux distro again.
Running INetSim & Fake DNS
After running these tools, let's open the Windows 7 machine and run Process Explorer, Process Monitor and Wireshark.
Running Procmon & Process Explorer
Process Monitor
Using the filtering feature of Process Monitor (Procmon), we can easily analyze the malware's activity. To open the filter dialog, use Filter > Filter or Ctrl+L in Procmon.
Filtering feature of procmon
Architecture indicates the architecture of the operating system. Operation shows the operation performed, and PID shows the process ID. Process Name shows the name of the process. A process is a running instance of an application on your machine: when we run an executable or another file, other processes start in the background. Threads are structures that run inside a process. Every process has an ID number, which the operating system uses to communicate with the process.
Procmon Filter Options
When you click the button next to the filter option, you will see a combobox listing the match conditions. With is, an entry is listed only if its value exactly equals the option selected after the condition. With contains, an entry is listed if its value contains that option. With begins with, an entry is listed if its value starts with that option. Lastly, ends with lists the entries whose value finishes with that option.
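To make the four conditions concrete, here is an added example (not part of the original post) that applies Procmon-style filter rules to a handful of constructed events; the event records, process names, PIDs and paths are made up for illustration.

```python
"""Emulate Process Monitor's filter conditions over constructed events (added
example, not from the original post). EVENTS is made up for illustration and
is not real Procmon output."""

EVENTS = [
    {"Process Name": "shell.exe", "PID": 1337, "Operation": "TCP Connect",
     "Path": "win7-lab:49152 -> pwnlab.me:21"},
    {"Process Name": "shell.exe", "PID": 1337, "Operation": "TCP Disconnect",
     "Path": "win7-lab:49153 -> pwnlab.me:80"},
    {"Process Name": "explorer.exe", "PID": 1204, "Operation": "RegQueryValue",
     "Path": r"HKCU\Software\Microsoft\Windows"},
    {"Process Name": "shell.exe", "PID": 1337, "Operation": "CreateFile",
     "Path": r"C:\Users\lab\AppData\Local\Temp\shell.exe"},
]

# The four match conditions offered in the filter dialog's combobox.
CONDITIONS = {
    "is": lambda value, wanted: value == wanted,
    "contains": lambda value, wanted: wanted in value,
    "begins with": lambda value, wanted: value.startswith(wanted),
    "ends with": lambda value, wanted: value.endswith(wanted),
}

def apply_filters(events, rules):
    """Apply (column, condition, value, action) rules the way Procmon does:
    matching is case-insensitive, Include rules on the same column are ORed,
    Include rules on different columns are ANDed, and any Exclude match wins."""
    def matches(event, column, condition, wanted):
        return CONDITIONS[condition](str(event.get(column, "")).lower(), wanted.lower())
    includes = {}
    for column, condition, value, action in rules:
        if action == "Include":
            includes.setdefault(column, []).append((condition, value))
    excludes = [(c, k, v) for c, k, v, a in rules if a == "Exclude"]
    shown = []
    for event in events:
        if any(matches(event, c, k, v) for c, k, v in excludes):
            continue
        if all(any(matches(event, col, k, v) for k, v in conds)
               for col, conds in includes.items()):
            shown.append(event)
    return shown

def network_events_for(process_name):
    """The walkthrough's filter: Process Name is <name>, then Operation contains TCP."""
    rules = [("Process Name", "is", process_name, "Include"),
             ("Operation", "contains", "TCP", "Include")]
    return apply_filters(EVENTS, rules)
```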
Wireshark
With Wireshark we can monitor the packets the device sends and receives on the network. It sniffs the traffic and shows it to the user in real time. In addition, the user can save the capture and analyze these connections later.
Dynamic Analysis -1
Before executing the malware, make sure you have opened the analysis programs. We should filter on shell.exe in Procmon to monitor what the executable (the malware) does.
Filtering shell.exe using procmon
From the image above, you can see that the malware creates a connection using the FTP protocol (port 21).
Malware FTP connection
To analyze the other connections the malware creates, we should add the filter Operation – contains – TCP Disconnect.
Procmon operation & contains filtering
You can see the connections the malware creates in the image below. The malware sends connection requests, but these requests time out. It uses the FTP, HTTP and HTTPS protocols.
Malware FTP, HTTP, HTTPS connection
Let's have a look in Wireshark. Type ftp in the filter box to filter FTP connections.
Wireshark FTP filtering
Using Procmon and Process Explorer, we learned how to filter connections. While analyzing the FTP connections, we can find the username and password of the FTP server with Follow > TCP Stream (from the packet's context menu).
Wireshark following TCP stream
As you can see from the image, the username and password of this FTP server are pwnlab.me:we_are_starting.
Wireshark FTP credentials
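The credential recovery described above, as an added example rather than code from the original post: a small parser for the text that Follow > TCP Stream shows, run over a constructed FTP control-channel exchange that reuses the credentials the walkthrough found; the banner and reply texts are made up.

```python
"""Extract FTP login details from a followed TCP stream (added example, not
from the original post). STREAM is constructed to resemble Wireshark's
Follow > TCP Stream output for the walkthrough's session, not a real capture."""
import re

# Constructed control channel; the credentials are the ones shown on the page.
STREAM = """220 (lab ftp service ready)
USER pwnlab.me
331 Please specify the password.
PASS we_are_starting
230 Login successful.
"""

REPLY = re.compile(r"^(\d{3})[ -]")  # server replies start with a 3-digit code


def parse_ftp_login(stream):
    """Return USER/PASS (sent in cleartext by FTP) and the login outcome:
    'ok' on a 2xx reply to PASS (230), 'failed' on 4xx/5xx (530), and
    'unknown' if the stream ends without a reply, e.g. on a timeout."""
    result = {"user": None, "password": None, "login": "unknown", "commands": []}
    awaiting_pass_reply = False
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        reply = REPLY.match(line)
        if reply:  # server -> client
            if awaiting_pass_reply:
                code = int(reply.group(1))
                result["login"] = ("ok" if 200 <= code < 300
                                   else "failed" if code >= 400 else "unknown")
                awaiting_pass_reply = False
            continue
        verb, _, arg = line.partition(" ")  # client -> server
        verb = verb.upper()
        result["commands"].append(verb)
        if verb == "USER":
            result["user"] = arg
        elif verb == "PASS":
            result["password"] = arg
            awaiting_pass_reply = True
    return result


def credentials(stream):
    """Render the login as user:password, the form the walkthrough reports."""
    r = parse_ftp_login(stream)
    return f"{r['user']}:{r['password']}" if r["user"] and r["password"] else None
```

The same parser reports a 530 reply as a failed login and a stream that ends after PASS (as with the timed-out connections seen in Procmon) as unknown.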
Let's move on to REMnux. Using FakeDNS we can find the malware's C&C (command and control) server.
FakeDNS server info
When we look at INetSim after executing the malware, we can see the FTP server login details.
Remnux INetSim report -1
Remnux INetSim report -2
It's Finished!
We created a fake server and forwarded all requests to it (REMnux), but the malware stopped working after a while because not all of its requests were answered correctly. You can also analyze this malware from the download link above, but do not forget to remove the REMnux machine's IP address from the DNS configuration of the malware sample.
Thank you for your attention, take care!
Source material: SOME’ler İçin Ağ ve Malware Analizi (Book)
Translated from: https://pwnlab.me/tr-malware-dinamik-analizi-part-2/