Slide 1

The Mechanics of Malware’s Darkside

Slide 2

Who am I?
Yagneshwaran Prabagaran
Student | QA Analyst
Current Interest:
● Malware Analysis
● OSINT
● Threat Hunting
Email: [email protected]
Mechanics of Malware’s Darkside

Slide 3

Who am I?
Laura Harris
Security Analyst
Current Interest:
● Malware Analysis
● Defender → Offensive
● Forensics
● Wearable Technology
Email: [email protected]

Slide 4

Disclaimer:
• We are not experts at reverse engineering.
• We are not analyzing any complex malware.
• This is more like getting started with malware analysis and understanding the process.

Slide 5

Outline
❖ Intro to Malware
❖ Reasons for analyzing Malware
❖ Creating a Sandbox environment
❖ Basic Static Analysis
❖ Basic Dynamic Analysis
❖ Writing Malware Signatures

Slide 6

Introduction about Malware
A piece of code that performs malicious actions to steal data, spy on someone, and/or gain unauthorized access.
Example:
● Emotet
● Zeus
● ATMDtrack
● Sodinokibi
● NotPetya

Slide 7

Malware Analysis?
The process of understanding the origin, functionality and impact of any given malware sample.

Slide 8

Why do we analyze malware?
● To determine the purpose
● To analyze the damage done
● To collect Indicators of Compromise (IOC)

Slide 9

Why do we analyze malware?
● To classify the malware family
● To identify if any vulnerability was exploited and patch it
● To create detection signatures

Slide 10

Creating a Safe Environment
1. Use virtualization to make things easy
2. Install a Windows image on VMware/VirtualBox etc.
3. Install a Linux image on VMware/VirtualBox
4. Disable any shared folders.
5. Configure a “host only” network.
6. Uncheck “Automatically connect USB devices”
**DO NOT RUN MALWARE ON YOUR OWN COMPUTER**

Slide 11

Setting up - REMnux (Linux)
https://remnux.org/docs/distro/get/
1. Download the REMnux OVA file
2. Import the file into the virtualization application
3. Change the IP address to static
4. Launch Fakenet

Slide 12

Fakenet-NG
● Intercepts & redirects all or specific network traffic.
● Simulates legitimate network services.

Slide 13

Setting up - Flare VM (Windows)
1. Download the Flare-VM package from GitHub: https://github.com/fireeye/flare-vm
2. Run PowerShell and “Set-ExecutionPolicy Unrestricted”
3. Execute “./install.ps1” in PowerShell.
4. Modify DNS and Gateway to point to REMnux

Slide 14

Slide 15

Structure of PE filetype

Slide 16

Portable Executable Format (PE)
The PE format is a standard file format for:
• Windows executables
• Object code
• DLLs
• Font files and core dumps
Header (technical details)
Sections (contents of the executable)

Slide 17

DOS Header: used to show that this is a valid binary. The first field, e_magic, will almost always be set to the value 0x5A4D (“MZ”). MZ = Mark Zbikowski.
**The magic bytes are reliable but not always an indicator of a PE file**

Slide 18

Slide 19

File Header: defines what the rest of the file looks like
- Location
- Size of code

Slide 20

Optional Header: further info about the executable
- Entry point location
- OS version
- Initial stack size

Slide 21

Data Directories: pointers to the import, export and resource structures.

Slide 22

Sections: the important content of the file is found here:
● Code
● Data
● Resources
● Additional exe files

Slide 23

.text: the executable code

Slide 24

.idata: the link between the executable and Windows libraries (imports)

Slide 25

.data: information used by the executed code.

Slide 26

Predefined Sections
.text   Contains executable code
.data   Read/write data and global variables
.rdata  Read-only data
.idata  Import table
.edata  Export information
.rsrc   Icons, dialogs, menus, strings etc.
**Some executables may not need all of these, and some may need new ones to be created**

Slide 27

CFF Explorer
Import Directory: 4 DLLs are imported, and functions such as GetProcAddress and VirtualAlloc are used.

Slide 28

Slide 29

Types of Analysis

Slide 30

Static Analysis
Examining a file without executing it: dissecting “dead” code.
Benefits:
● It allows experts to quickly decide if a file is malicious.
● It provides insight into functionality.
● Technical indicators can be used in detection signatures.

Slide 31

Antivirus checks
Scan new malware with up-to-date antivirus prior to analysis.
1. Have other people submitted it?
2. Reduces time spent on analysis
Note: the sample will be made publicly available once uploaded to VirusTotal.

Slide 32

Cryptors and Packers

Slide 33

Packers (“Runtime Packer”)
A runtime packer takes the malware and compresses it, or otherwise transforms it, making the file harder to recognize.
Reasons for packing:
1. To make files smaller
2. To bypass detection or to counter analysis

Slide 34

Crypters (“Obfuscation”)
A crypter encrypts the uploaded malware and, in addition to encryption, offers further options to make the executable as hard as possible for security software to detect.
Reasons for using a crypter:
1. Acts as the first layer of defense for the malware
2. Helps to defend the malware against AVs

Slide 35

To identify a packed executable:
1. Exeinfo PE

Slide 36

2. PEiD

Slide 37

3. UPX command line
Example: upx -d sample1.exe -o unpack.exe

Slide 38

A difference between a section’s Virtual Size and its Raw Size can also be used as an indicator of a packed file.
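The PE walk from slides 17 to 27 (MZ magic, PE signature, file header, section table) and the Virtual Size versus Raw Size heuristic from slide 38, as an added example that is not part of the deck. The PE bytes are constructed inline so it runs offline; the 4x ratio threshold and the .bss exception are assumptions of this example, not values from the slides.

```python
import struct

# Constructed minimal PE image (not a real sample): a DOS header whose e_magic is "MZ"
# and whose e_lfanew points at "PE\0\0", a COFF file header announcing two sections,
# a zeroed 224-byte PE32 optional header, and a section table with a packed-looking .text.
def build_sample_pe() -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)    # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                     # PE32 magic, rest zero
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0, rsize, 0, 0, 0, 0, 0, 0)
        for name, vsize, rsize in ((b".text", 0x20000, 0x200),       # 128 KiB virtual, 512 raw
                                   (b".data", 0x1000, 0x1000)))
    return dos + b"PE\0\0" + coff + opt + sections

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:   # "MZ"
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":   # MZ alone is not proof of a PE (slide 17)
        raise ValueError("MZ present but no PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size            # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rsize})
    return {"machine": machine, "characteristics": chars, "sections": sections}

def packed_sections(pe: dict, ratio: float = 4.0) -> list:
    """Names of sections whose VirtualSize dwarfs SizeOfRawData (slide 38 heuristic).
    A section with little or no raw data but a large virtual size is space reserved for
    code the stub unpacks at runtime; .bss legitimately looks like this, so it is skipped."""
    return [s["name"] for s in pe["sections"]
            if s["name"] != ".bss" and s["virtual_size"] > 0
            and (s["raw_size"] == 0 or s["virtual_size"] / s["raw_size"] >= ratio)]

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<8} virtual={s['virtual_size']:#x} raw={s['raw_size']:#x}")
    print("packed-looking sections:", packed_sections(pe))
```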

Slide 39

Strings
Strings are defined as sequences of printable characters found in the code (ASCII and Unicode).

Slide 40

Strings
Examining the malware for strings can reveal references to:
• Filenames
• URLs
• Domain names
• IP addresses
• Attack commands
• Registry keys
and so on.

Slide 41

Extracting Strings
Tools to extract strings:
● Strings utility on the command line
  ○ Example: strings “sample1.exe”
● Right-click the file and select the Strings utility for the GUI method.
● FLOSS (FireEye Labs Obfuscated String Solver) tool

Slide 42

String utility using the Command Line Interface

Slide 43

Right-click and select Strings for the Graphical User Interface

Slide 44

Limitations of Basic Static Analysis
● Encrypted malware samples cannot be analyzed without understanding the type of encryption.
● Strings found in the malware sample do not necessarily mean they are used at run-time.
● Malware writers insert irrelevant garbage code to confuse analysts.

Slide 45

Dynamic Analysis
Allows experts to understand the behavioural indicators of the malware sample when it is executed in real time.
** Some functions may be embedded in the malware to counter analysis **

Slide 46

Runtime Analysis - Dynamic
Note: it is important to perform dynamic analysis in a sandbox environment to contain the effects of the malware within the virtual machine.
Snapshot feature:
● Captures the state of memory, hard disk and configuration of the virtual machine.
● Post analysis, you can revert back to the clean state of the machine.
● Install new tools/update Flare VM packages and take a new snapshot when needed.

Slide 47

Persistence

Slide 48

Persistence
For persistence, malware often installs itself in various locations, including:
1. Windows Logon Registry Entries
2. Image File Execution Options
3. Accessibility Programs
4. Startup Services
and so on.

Slide 49

Process Monitor
Process Monitor is a monitoring tool from the Sysinternals suite that shows the real-time interaction of processes with the filesystem, the registry and other processes. Preconfigured filters can be applied before capturing events to reduce Process Monitor’s memory usage.

Slide 50

Noriben
● Noriben is a Python script that uses Process Monitor to filter out general events.
● Helps in analyzing and collecting runtime indicators of the malware.

Slide 51

Outputs a .csv file with key indicators
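Turning the persistence locations of slide 48 into a check over the Process Monitor/Noriben CSV output of slides 49 to 51, as an added example that is not part of the deck or of Noriben itself. The CSV lines are constructed, and the column names (Process Monitor’s export layout: Time of Day, Process Name, PID, Operation, Path, Result, Detail) are an assumption of this example.

```python
import csv
import io
import re

# Persistence locations from slide 48, as (category, Process Monitor operation, path regex).
PERSISTENCE_RULES = [
    ("logon-registry", "RegSetValue", re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)),
    ("logon-registry", "RegSetValue", re.compile(r"\\Winlogon\\(?:Userinit|Shell)$", re.I)),
    ("ifeo", "RegSetValue",
     re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)),
    ("accessibility", "WriteFile",
     re.compile(r"\\System32\\(?:sethc|utilman|osk|narrator|magnify)\.exe$", re.I)),
    ("service", "RegSetValue", re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("startup-folder", "WriteFile", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
]

def find_persistence(csv_text: str) -> list:
    """Return (category, process name, path) for every event touching a persistence location."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for category, operation, pattern in PERSISTENCE_RULES:
            if row["Operation"] == operation and pattern.search(row["Path"]):
                hits.append((category, row["Process Name"], row["Path"]))
    return hits

# Constructed events in Process Monitor's CSV export layout (assumed column names).
# Row 4 is benign explorer.exe noise of the kind Noriben filters out; the others are
# the sample dropping a copy of itself, then registering a Run key, an IFEO debugger
# for sethc.exe and a service ImagePath.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,sample1.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\svch0st.exe,SUCCESS,Desired Access: Generic Write
10:01:02.250,sample1.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,Type: REG_SZ
10:01:02.300,sample1.exe,4120,RegSetValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger,SUCCESS,Type: REG_SZ
10:01:02.400,explorer.exe,1888,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\MRUListEx,SUCCESS,Type: REG_BINARY
10:01:02.500,sample1.exe,4120,RegSetValue,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Malservice\\ImagePath,SUCCESS,Type: REG_EXPAND_SZ
"""

if __name__ == "__main__":
    for category, process, path in find_persistence(SAMPLE_CSV):
        print(f"[{category}] {process}: {path}")
```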

Slide 52

Slide 53

Wireshark
Wireshark is an open-source network packet capture and analysis tool. It is run to capture any network traffic generated by the malware once executed.

Slide 54

Slide 55

Wireshark
We can identify the following information from the capture:
1. Host name
2. IP addresses of Command & Control servers
3. Domain names
4. Download of additional payloads and programs

Slide 56

Identification of Domain Name

Slide 57

Identification of Host Name

Slide 58

Extracting executables from PCAP files
File -> Export Objects -> HTTP

Slide 59

Disassembler
A disassembler is a computer program that converts machine code (the processor’s native representation) into assembly language (a human-readable low-level language).

Slide 60

Slide 61

IDA Pro as Disassembler
Follow the code and look for XOR instructions.

Slide 62

Slide 63

Debugger
A debugger is a computer program that is used to run an executable in a controlled manner and to halt when specific conditions are encountered.

Slide 64

OllyDbg as Debugger
Functions can be modified and patched live to get past Anti-VM and Anti-Debugging checks, which can be a prerequisite for the malware to run.

Slide 65

Creating a YARA Rule
YARA is an open-source tool with which researchers identify and classify malware samples based on certain characteristics. The main purpose of YARA is to match patterns found in malware against existing rule sets and trigger alerts to the IDS/IPS.

Slide 66

Results from Basic Static Analysis

Slide 67

Example:

    rule Malware_downloader
    {
        meta:
            status = "Experimental"
            description = "Malicious downloader that downloads additional payload"
            author = "Laura and Yagnesh"
            hash = "AE4CA70697DF5506BC610172CFC288E7"
            ssdeep = "48:a2SWLML7kulJknJmD+jtx7MBqc9xDsYjWHlJR:6Rj/kJs+jtx7MIc9xD1jWHj"
        strings:
            $s0 = "wininet.dll"
            $s1 = "CreateService"
            $s2 = "InternetOpen"
            $s3 = "InternetOpenURL"
            $s4 = "www.malwareanalysisbook.com"
            $s5 = "Malservice"
        condition:
            4 of ($s*)
    }

YARA strings are substring matches, so the wildcard asterisks of the slide are not needed, and the condition `4 of ($s*)` fires when any four of the six strings are present.

Slide 68

Creating SNORT Rules
Snort is an open-source Intrusion Detection System that will be used to create rules to detect our malware’s communication on the network.

Slide 69

Syntax: action protocol source_ip source_port -> dest_ip dest_port (rule options)
Example of Petya ransomware downloading the perfc.dat file:

    alert tcp any any -> $HOME_NET any (msg:"Petya ransomware perfc.dat component"; flow:to_server,established,no_stream; content:"SMB"; content:"|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; classtype:suspicious-filename-detect; sid:10001443; rev:1;)

Snort’s protocol field takes tcp, udp, icmp or ip, so SMB traffic is matched as tcp and the content matches narrow it down; the hex content is “perfc.dat” encoded as UTF-16LE, which is how the filename appears on the wire.

Slide 70

Resources
• Reverse Engineering Workshop - https://malwareunicorn.org/workshops/re101.html
• Malware Traffic Analysis Exercises - https://malware-traffic-analysis.net/index.html
• Books
  - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  - Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Slide 71

Tools Used
● VirusTotal
● PEiD
● Exeinfo PE
● CFF Explorer
● UPX Packer
● Strings
● Process Monitor v3.52 (**Minimum requirements: Windows 7 Service Pack 1**)
● FLOSS
● Noriben
● Wireshark
● IDA Pro
● OllyDbg
● YARA
● SNORT

Slide 72

Future Steps..

Slide 73

Obfuscated Malware
Obfuscation is the process of making files more difficult to analyze or detect.

Slide 74

The chmod command is selected through a complex process to avoid obvious detection.

Slide 75

Android Malware
Targets users with adware, cryptomining and also ransomware.
Example:
● Advertising dropper in CamScanner → https://securelist.com/dropper-in-google-play/92496/
● 42 Adware Apps with 8 Million Downloads → https://thehackernews.com/2019/10/42-adware-apps-with-8-million-downloads.html

Slide 76

Resources to get started:
● Android App fundamentals and Reverse Engineering exercises → https://maddiestone.github.io/AndroidAppRE/
● AndroL4b is an Android security virtual machine which has tools and labs for reverse engineering and Android malware analysis. → https://github.com/sh4hin/Androl4b

Slide 77

Linux Malware
Common targets are IoT devices and Linux servers.
Example:
● Mirai Evolves From IoT Devices to Linux Servers → https://www.darkreading.com/attacks-breaches/mirai-evolves-from-iot-devices-to-linux-servers/d/d-id/1333329
● Sophisticated HiddenWasp Malware Targets Linux → https://www.securityweek.com/sophisticated-hiddenwasp-malware-targets-linux

Slide 78

Resources to get started:
• Linux ELF Basics and Binary Analysis → https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
• Linux Malware Samples → https://github.com/ytisf/theZoo/tree/master/malwares/Binaries
• Linux Sandbox (LiSa) → https://github.com/danieluhricek/LiSa#get-started

Slide 79

Interesting…
The smallest PE file that downloads a file from the internet and executes it. The size of the PE file with the UNC import is still only 133 bytes.
https://twitter.com/cyb3rops/status/1187037377560272897

Slide 80

yarGen - Automatic YARA rule generator.
The main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files.
https://github.com/Neo23x0/yarGen

Slide 81

Slide 82

References

Slide 83

Demo

Slide 84

Contact
Laura Harris [email protected] @Angry_orcha
Yagneshwaran Prabagaran [email protected] @Black_3nergy