Part 2: Basic Dynamic Analysis (dfrws.github.io)

Basic Dynamic Analysis
What happens to our file system and registry if we run the malware? Can we detect any network traffic?
Keywords: Registry, files, network
Warning Caution! Caution! Live Malware! Caution! Caution!
Basic Dynamic Analysis
Let's run the malware and see what happens!
• Also known as: Behavioral Analysis
• Interact with the malware
• Helps to find more IoCs
Why Dynamic Analysis?
• Basic Static Analysis may have reached a dead end:
  – Obfuscation
  – Packing
  – Tried all static analysis techniques
• Basic Dynamic Analysis
  – Efficient way to identify malware functionality
  – What does the malware do?
Generic Procedure
5 Step Procedure:
1. Activate monitoring tools
2. Run malware
3. Terminate malware
4. Pause monitoring tools
5. Examine logs
NB! Start and finish with a clean image
Challenge 2
Use information available through basic dynamic analysis techniques to strengthen or reject your hypothesis about the purpose/functionality of the sample, based upon IoCs in registry, file and network activity
Basic Dynamic Analysis
• Look for IoC in
  – Registry (e.g. Regshot and/or Process Monitor)
  – File (e.g. Regshot and/or Process Monitor)
  – Network Activity (e.g. Wireshark)
1) Regshot
2) Process Monitor
3) Wireshark
Regshot
Follow my demo
Regshot suggested approach
• Clean img
• Open Process Hacker and Regshot
• Unpack malware (pw – infected)
• Regshot: first shot (NB! Scan dir)
• Run spybot.exe as administrator
• wuaumqr.exe should start up
• After "some time" terminate wuaumqr.exe
• Regshot: 2nd shot
• Regshot: Compare
• Variations:
  – Include keyboard activity (look at keylog.txt)
  – Start twice, look at name
Regshot results
Files added:
• C:\windows\system32\kazaabackupfiles\... (x14)
• C:\windows\system32\keylog.txt
• C:\windows\system32\wuaumqr.exe
Folders added:
• C:\windows\system32\kazaabackupfiles
Keys added (not easy to detect until you see the folder name added):
• …\KAZAA
• …\KAZAA\LocalContent
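The Regshot "first shot / 2nd shot / Compare" step of the generic procedure, reduced to code so the mechanism is visible. This is an added example, not material from the DFRWS slides or from Regshot itself: it snapshots a directory tree (path to SHA-256, directories marked separately so "Folders added" shows up like Regshot's Scan dir option) and diffs two snapshots. The function names, the temporary directory and the files created between the two shots are constructed for the demo; nothing is executed, the "malware side effects" are just file writes.

```python
# Added example (not from the DFRWS slides): a minimal Regshot-style
# first shot / 2nd shot / compare over a directory tree.
# snapshot_dir, diff_snapshots and run_demo are names chosen here.
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(root: str) -> dict:
    """Return {relative path: sha256 or '<dir>'} for everything under root.
    Recording directories as their own entries is what makes 'Folders added'
    appear next to 'Files added' in the compare."""
    shot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != ".":
            shot[rel_dir] = "<dir>"
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                shot[os.path.relpath(full, root)] = _sha256(full)
            except OSError:
                # A running sample may lock or delete a file mid-walk;
                # skip it rather than abort the whole shot.
                continue
    return shot


@dataclass
class SnapshotDiff:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    modified: list = field(default_factory=list)


def diff_snapshots(first: dict, second: dict) -> SnapshotDiff:
    """Compare two shots. Works on any str->str mapping, so a registry export
    parsed into {key\\value: data} diffs the same way as the file system."""
    d = SnapshotDiff()
    for key in sorted(set(first) | set(second)):
        if key not in first:
            d.added.append(key)
        elif key not in second:
            d.removed.append(key)
        elif first[key] != second[key]:
            d.modified.append(key)
    return d


def run_demo() -> SnapshotDiff:
    """Constructed scenario shaped like the slide's result: between the shots a
    backup folder with .exe files, a keylog.txt and a dropped .exe appear, and
    an existing file is modified. Only plain file writes happen here."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        first = snapshot_dir(root)                 # Regshot: first shot

        backup = os.path.join(root, "kazaabackupfiles")   # constructed side effects
        os.mkdir(backup)
        for name in ("a.exe", "b.exe"):
            with open(os.path.join(backup, name), "wb") as fh:
                fh.write(b"MZ")
        with open(os.path.join(root, "keylog.txt"), "w") as fh:
            fh.write("typed text\n")
        with open(os.path.join(root, "wuaumqr.exe"), "wb") as fh:
            fh.write(b"MZ")
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("127.0.0.1 example.invalid\n")

        second = snapshot_dir(root)                # Regshot: 2nd shot
        return diff_snapshots(first, second)       # Regshot: Compare


if __name__ == "__main__":
    result = run_demo()
    for label, items in (("Added", result.added), ("Removed", result.removed),
                         ("Modified", result.modified)):
        print(f"{label}: {len(items)}")
        for item in items:
            print("  " + item)
```

Hashing rather than comparing timestamps is deliberate: a sample that rewrites a file with the same size and a preserved timestamp still shows up under "Modified". Taking the first shot only after the monitoring tools are open (and the second before they are closed) keeps the tools' own writes out of the diff.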
Registry
Files
Keylog.txt
Changes filename
Process Monitor
Follow my demo
Process Monitor suggested approach
• Clean img (unpack malware)
• Open Process Hacker
• Open Process Monitor, pause and clear
• Start Process Monitor
• Run spybot.exe as administrator
• wuaumqr.exe should start up (check Process Hacker)
• After "some time" stop Process Monitor first (avoids some noise)
• Terminate wuaumqr.exe
• Variations:
  – Include keyboard activity (look at keylog.txt)
  – Start twice, look at name
Making sense of ProcMon
• Suggested filters:
  • Process Name is
    – wuaumqr.exe
    – spybot.exe
  • Operation is
    – WriteFile, (CreateFile)
  • Same as regedit
    – RegCreateKey, RegSetValue
  • Some activity
    – Process Create, Process Start, Process Exit
      • Spybot starts from the desktop, creates wuaumqr.exe, starts it (see the command line), then exits itself
    – Thread Create, Thread Exit
      • Spybot starts and exits 7 threads
      • Wuaumqr starts 4 threads
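The suggested ProcMon filters, applied in code to a CSV export so the same facts the slides pick out by eye (who wrote which file, which registry keys were set, which process spawned which executable, how many threads each started) come out as data. This is an added example, not from the DFRWS slides or from Process Monitor. The column names are those of ProcMon's CSV export; the event rows are constructed for the demo, and the registry path uses a PLACEHOLDER segment rather than the sample's real key. Process names and operations are the ones the slide lists.

```python
# Added example (not from the DFRWS slides): apply "Process Name is" and
# "Operation is" filters to a ProcMon CSV export and summarise the result.
import csv
import io
from collections import Counter

PROCESSES = {"spybot.exe", "wuaumqr.exe"}
OPERATIONS = {
    "WriteFile", "CreateFile",
    "RegCreateKey", "RegSetValue",
    "Process Create", "Process Start", "Process Exit",
    "Thread Create", "Thread Exit",
}

# Constructed ProcMon CSV export; header columns as ProcMon writes them.
# The registry path is a placeholder, not the sample's actual key.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","explorer.exe","1234","Process Create","C:\\Users\\analyst\\Desktop\\spybot.exe","SUCCESS","PID: 2000"
"10:01:00.0100000","spybot.exe","2000","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:00.0200000","spybot.exe","2000","Thread Create","","SUCCESS","Thread ID: 2001"
"10:01:00.0300000","spybot.exe","2000","CreateFile","C:\\Windows\\System32\\wuaumqr.exe","SUCCESS","Desired Access: Generic Write"
"10:01:00.0400000","spybot.exe","2000","WriteFile","C:\\Windows\\System32\\wuaumqr.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:00.0500000","spybot.exe","2000","RegCreateKey","HKCU\\Software\\PLACEHOLDER\\KAZAA","SUCCESS",""
"10:01:00.0600000","spybot.exe","2000","RegSetValue","HKCU\\Software\\PLACEHOLDER\\KAZAA\\LocalContent","SUCCESS","Type: REG_SZ"
"10:01:00.0700000","spybot.exe","2000","Process Create","C:\\Windows\\System32\\wuaumqr.exe","SUCCESS","PID: 3000"
"10:01:00.0800000","spybot.exe","2000","Thread Exit","","SUCCESS","Thread ID: 2001"
"10:01:00.0900000","spybot.exe","2000","Process Exit","","SUCCESS","Exit Status: 0"
"10:01:01.0000000","wuaumqr.exe","3000","Process Start","","SUCCESS","Parent PID: 2000"
"10:01:01.0100000","wuaumqr.exe","3000","Thread Create","","SUCCESS","Thread ID: 3001"
"10:01:01.0200000","wuaumqr.exe","3000","Thread Create","","SUCCESS","Thread ID: 3002"
"10:01:05.0000000","wuaumqr.exe","3000","WriteFile","C:\\Windows\\System32\\keylog.txt","SUCCESS","Offset: 0, Length: 12"
"10:01:05.0100000","svchost.exe","800","WriteFile","C:\\Windows\\Temp\\noise.log","SUCCESS","Offset: 0, Length: 5"
"10:01:06.0000000","wuaumqr.exe","3000","ReadFile","C:\\Windows\\System32\\keylog.txt","SUCCESS","Offset: 0, Length: 12"
'''


def parse_procmon_csv(text: str) -> list:
    """One dict per event, keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_filters(events, processes=PROCESSES, operations=OPERATIONS) -> list:
    """The slide's two include filters: Process Name is X, Operation is Y.
    Everything else (svchost noise, ReadFile) drops out here."""
    return [e for e in events
            if e["Process Name"] in processes and e["Operation"] in operations]


def summarize(events) -> dict:
    """Reduce filtered events to the facts an analyst writes down."""
    return {
        "counts": Counter((e["Process Name"], e["Operation"]) for e in events),
        "files_written": sorted({e["Path"] for e in events
                                 if e["Operation"] == "WriteFile"}),
        "registry_set": sorted({e["Path"] for e in events
                                if e["Operation"] in ("RegCreateKey", "RegSetValue")}),
        # Process Create rows tell us which process spawned which executable
        "children": [(e["Process Name"], e["Path"]) for e in events
                     if e["Operation"] == "Process Create"],
        "threads_created": Counter(e["Process Name"] for e in events
                                   if e["Operation"] == "Thread Create"),
    }


def analyse(text: str = SAMPLE_CSV) -> dict:
    return summarize(apply_filters(parse_procmon_csv(text)))


if __name__ == "__main__":
    s = analyse()
    for (proc, op), n in sorted(s["counts"].items()):
        print(f"{proc:14} {op:16} {n}")
    print("files written:", s["files_written"])
    print("registry set:  ", s["registry_set"])
    print("children:      ", s["children"])
```

The filtered view also makes the parent/child relationship explicit: the only `Process Create` left after filtering is spybot.exe creating wuaumqr.exe, which is the "creates wuaumqr.exe and starts it" observation from the slide, and spybot.exe's own `Process Exit` follows immediately after.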
WriteFile
Registry
Process
Threads
Write while Keylogger is active
Wireshark
Follow my demo
Wireshark suggested approach
• Open REMnux:
  – cd /etc/inetsim/
  – sudo leafpad inetsim.conf (setup)
  – Ping
  – sudo inetsim (start)
  – wireshark (start) and start capture
• On Win7:
  – Clean img
  – Open cmd: ping remnux
  – Start Process Hacker
  – Run spybot.exe as administrator
  – wuaumqr.exe should start up (check Process Hacker)
  – After "some time" (> 60s) terminate wuaumqr.exe
• On REMnux:
  – Analyse the Wireshark pcap
Result
• TCP SYN to 209.126.201.20 port 6667
  – Retransmit twice
• TCP SYN to 209.126.201.22 port 6666
  – Retransmit twice
  – Repeat
• Guess: IRC
• Future work: Simulate the other end, test the protocol
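The pcap analysis step from the Wireshark approach, and the "SYN, retransmit twice, repeat" result above, done in code so the pattern can be pulled out of a capture mechanically. This is an added example, not from the DFRWS slides or from Wireshark: it builds bare TCP SYN frames, wraps them in a classic pcap in memory, parses them back with `struct`, and groups SYN-only packets by destination, counting a SYN that reappears with the same source port and sequence number as a retransmission. The two destination addresses and ports are the ones the slide reports; the sandbox source address, the source ports, sequence numbers and timestamps are constructed, and checksums are left zero since nothing is sent.

```python
# Added example (not from the DFRWS slides): find "SYN to X:Y, retransmitted"
# targets in a pcap. Packets and pcap are constructed in memory.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_syn_frame(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Ethernet + IPv4 + TCP frame carrying a bare SYN (checksums zero; not sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 128, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def write_pcap(frames, ts0: int = 1_600_000_000) -> bytes:
    """Serialise frames as a little-endian classic pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_pcap_frames(data: bytes):
    """Yield raw frames from pcap bytes; honours either byte order of the magic."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, seq, flags), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:            # IP protocol field: 6 = TCP
        return None
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    sport, dport, seq, _ack, _off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    return src, dst, sport, dport, seq, flags


def syn_targets(frames) -> dict:
    """Group bare SYNs (SYN set, ACK clear) by destination. A SYN that recurs with
    the same source port and sequence number is a retransmission, so 'attempts'
    counts distinct connection tries and 'retransmits' the repeats."""
    tries = defaultdict(lambda: defaultdict(int))
    for frame in frames:
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, seq, flags = p
        if flags & TCP_SYN and not flags & TCP_ACK:
            tries[(dst, dport)][(src, sport, seq)] += 1
    return {target: {"attempts": len(c), "retransmits": sum(n - 1 for n in c.values())}
            for target, c in tries.items()}


def run_demo() -> dict:
    """Constructed capture matching the slide: one try at .20:6667 retransmitted
    twice, then two tries at .22:6666, each retransmitted twice ('Repeat')."""
    frames = [build_syn_frame("10.0.0.5", "209.126.201.20", 49152, 6667, 1000)] * 3
    for seq, sport in ((2000, 49153), (3000, 49154)):
        frames += [build_syn_frame("10.0.0.5", "209.126.201.22", sport, 6666, seq)] * 3
    return syn_targets(iter_pcap_frames(write_pcap(frames)))


if __name__ == "__main__":
    for (dst, dport), info in run_demo().items():
        print(f"SYN to {dst} port {dport}: {info['attempts']} attempt(s), "
              f"{info['retransmits']} retransmit(s)")
```

Retransmitted SYNs with no SYN/ACK coming back are what you expect when the sandbox has no route to the real host; INetSim only answers for the services it is configured to emulate, which is why the slide lists "simulate the other end" as future work. In Wireshark itself the equivalent view is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`, with `tcp.analysis.retransmission` marking the repeats.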
Summary
• Registry
  – Activity, keys and values added and changed
  – With a closer look, we could probably learn more
• Files
  – Files created and accessed
  – wuaumqr.exe, keylog.txt, 14 .exe
• Processes and Threads
  – Created and started
• Network
  – IRC channel? Two IP addresses