Task 17, Day 12, Malware Analysis Forensic McBlue to the REVscue

Malware has typical patterns allowing easier identification and providing insight for defenses.

  • Network connections - malware tends to establish external or internal network connections. External allows remote access or downloading staged payloads from attacker infrastructure. Internal allows lateral movement to extend access to other hosts/applications.
  • Registry key modifications - malware typically uses reg keys to establish persistence. I.e. Registry Run Keys allows binaries to be auto executed at login or boot.
  • File manipulations - malware tends to download or create new files needed for successful execution.

Dangers of Analysing Malware Samples

ALWAYS CONSIDER PRECAUTIONS WHEN ANALYSING IT! With live malware:

  • Always assume samples will infect your device; executing it is not always first and only step in analysing it
  • Only run it in a controlled environment that prevents potential compromise of unwanted assets
  • Always recommended to have your sandbox, allows worry-free execution of samples

Sandboxes can also provide automated analysis so the Security Analyst can determine if a binary requires further manual investigation.

Beginning Analysis

Use FlareVM for the steps of the task.

Static Analysis is analyzing without without execution. Focuses on profiling the binary with readble information (properties, flow, and strings). Sometime insufficient.

Dynamic Analysis focuses on understanding through execution in a safe environment. See malware in action, its exact behavior, how it infects the environment.

Static tools used:

Detect It Easy (DIE)

Provides information like architecture, significant headers, packer used, and strings.

Packing malware is common technique to compress, obfuscate, or encrypt the binary. Prevents signifacant strings and headers from being shown immediately.

CAPA

Detects capabilities in executable files. I.e. installation of service, opening network connections, registry mods, etc. CLI utility. Since CAPA confirms being packed and DIE provided packer, unpack and reanalyze. CAPA caches results in filename.viv, so del filename.viv before rerunning CAPA. Reveals nice listing of all sorts of info, including ATT&CK notes.

Dynamic tools used:

ProcMon

Shows real-time registry, file-system, and process/thread activity. Set filter by process name and execute malware. Filter log by buttons at top right:

  • Registry Activity
  • File System Activity
  • Network Activity
  • Process and Thread Activity
  • Profiling Events

In this case start with registry mods. Right-click line to exclude similar lines to focus on creating keys and setting values.

Something isn’t right because I’m not getting the same results as the video. I guess the post will be finished tomorrow.

Update: It appears restarting the VM solved the problem. Instead of the program blipping a cmd window and disappearing right away it stayed active and I could find all the details the video showed should be there.

Progressing through the rest, the filtering process is the same when looking at file manipulations, network connections, etc.

The Task

Gain all the details of the malware sample from last task.

After two attempts all info was gathered.