[EN] Dynamic Malware Analysis | Part 2

PwnLab.Me

written by wakeup

[EN] Dynamic Malware Analysis​


Hello everyone, in the previous part we created a lab environment for analyzing malware. Now it is time to analyze a malware sample using dynamic analysis techniques. I will share the malware sample with you, but don't execute this sample on your personal device.

Malware Sample Download Link

As you remember, I showed the INetSim configuration and the usage of FakeDNS in the previous part. Let's run these tools in the REMnux distro again.

Running INetSim & Fake DNS

After starting these tools, let's open the Windows 7 machine and run Process Explorer, Process Monitor and Wireshark.

Running Procmon & Process Explorer

Process Monitor​


Using the filtering feature of Process Monitor (Procmon), we can easily analyze the malware's activities. To open the filter dialog, use Filter > Filter or CTRL + L in Procmon.

Filtering feature of procmon

Architecture indicates the architecture of the operating system. Operation shows the operation that was performed, and PID is the process ID value. Process Name is the name of the process. A process is an application running on your machine. For instance, when we run an executable or another file, other processes start in the background. Threads are structures that run under processes. Every process must have an ID number, because the operating system uses it to communicate with the process.

Procmon Filter Options

When you click the button next to the filter option, you will see a combo box. Let's go through the conditions in it. The is condition lists the entries that are exactly the same as the value entered after it. The contains condition lists the entries that contain the value entered after it. The begins with condition lists the entries that start with that value. Lastly, ends with lists the entries that end with the value that comes after it.

Wireshark​


Using this software, we can monitor the packets that a device sends and receives on any network. It sniffs the traffic and shows it to the user in real time. In addition, the user can save the captured connections and analyze them later.

Dynamic Analysis -1​


Before executing the malware, make sure that you have opened the malware analysis programs. We should filter on shell.exe in Procmon to monitor what the executable file (the malware) does.

Filtering shell.exe using procmon

From the image above, you can see that the malware creates a connection using the FTP protocol (port 21).

Malware FTP connection

To analyze the other connections that the malware creates, we should set the filter Operation – contains – TCP Disconnect.

Procmon operation & contains filtering

You can see the connections that the malware creates in the image below. The malware sends connection requests, but these requests time out. It uses the FTP, HTTP and HTTPS protocols.

Malware FTP, HTTP, HTTPS connection

Let's have a look using Wireshark. We should type ftp in the filter box to show only FTP connections.

Wireshark FTP filtering

Using Procmon and Process Explorer, we learned how to filter connections. While analyzing the FTP connections, we can find the username and password of the FTP server with Follow > TCP Stream.

Wireshark following TCP stream

As you can see from the image, the username and password of this FTP server are pwnlab.me:we_are_starting

Wireshark FTP credentials

Let's move on to REMnux. Using FakeDNS, we can find the malware's C&C (command and control center).

FakeDNS server info

When we look at INetSim after executing the malware, we can see the FTP server's login details.

Remnux INetSim report -1

Remnux INetSim report -2

It's Finished!

We created a fake server and forwarded all requests to that server (REMnux), but the malware stopped working after a while because it could not get all of its requests handled correctly. You can also analyze this malware from the download link above, but do not forget to delete the REMnux machine's IP address from the DNS configuration of the malware sample.

Thank you for your attention, take care!

Source material: SOME’ler İçin Ağ ve Malware Analizi (Book)

Translated from: https://pwnlab.me/tr-malware-dinamik-analizi-part-2/
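
As an added example that is not part of the original post: the FTP login read by eye from Follow > TCP Stream above can also be pulled out of the saved stream text with a short script, which helps when a sample makes many connections. The function name `parse_ftp_stream`, the sample server replies and the result labels are assumptions made for illustration; only the USER and PASS values are the ones shown in the tutorial.

```python
import re

# Constructed sample of an FTP control channel (Follow > TCP Stream text).
# Server replies are assumed; only USER/PASS values come from the tutorial.
SAMPLE_STREAM = """\
220 FTP service ready.
USER pwnlab.me
331 Please specify the password.
PASS we_are_starting
230 Login successful.
QUIT
221 Goodbye.
"""

REPLY = re.compile(r"^(\d{3})([ -]|$)")               # server reply: 3-digit code
COMMAND = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")  # client command: verb [arg]
RESULTS = {"230": "accepted", "530": "rejected"}

def parse_ftp_stream(text):
    """Return (logins, other_commands) seen on one FTP control channel."""
    logins, commands = [], []
    user = pending = multiline = None
    for line in text.splitlines():
        if multiline:                        # inside a multi-line reply
            if not line.startswith(multiline + " "):
                continue
            multiline = None
        reply = REPLY.match(line)
        if reply:
            code, sep = reply.groups()
            if sep == "-":                   # "230-..." opens a multi-line reply
                multiline = code
            elif pending:                    # first final reply after PASS
                pending["result"] = RESULTS.get(code, "reply " + code)
                pending = None
            continue
        cmd = COMMAND.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group(1).upper(), cmd.group(2) or ""
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            pending = {"user": user, "password": arg, "result": "unanswered"}
            logins.append(pending)
        else:
            commands.append((verb, arg))
    return logins, commands
```

A login whose PASS never receives a reply is reported as "unanswered", which matches the timed-out connections seen in Procmon.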
 