Tuesday, March 4, 2025

Malware Analysis Lab (LetsDefend | SOC Analyst Path)



Setting Up the VM



I made a virtual machine in VirtualBox already.



I decided to install VirtualBox Guest Additions and then rebooted the machine. We did this to try to make the machine run more smoothly and improve performance.



Next we went to Services and disabled Windows Update to prevent any kind of interference with our malware testing. 



Next we turned off all protection settings. 



Next we clicked “Show hidden files, folders, and drives” and unchecked “Hide extensions for known file types”.



Next we want to open Windows Group Policy Editor. I couldn’t open it, so I went and found the correct commands to install the packages on my machine. 


This helped: How To Enable Group Policy Editor (gpedit.msc) In Windows 10 Home



After pressing Windows + R and typing “gpedit.msc”, we open the Local Group Policy Editor, navigate to the Real-time Protection folder, and enable “Turn off real-time protection”.



Then we go to the Microsoft Defender Antivirus folder and enable “Turn off Microsoft Defender Antivirus”. 


By doing these actions we ensure that the malware will face no interference from antivirus software. 



Then we restart the machine to apply the changes.


Afterwards, we took a snapshot of the machine.



Flare-VM Installation





Make sure you adjust the VM settings to match the screenshot above.


After rebooting the machine, we install Google Chrome. 



Next we begin the Flare-VM installation process. 



Next, we want to open the “install.ps1” file in PowerShell. 





Flare-VM will take 5-10 minutes to install. After installation, your machine will automatically restart.


Above is the reason why we installed Flare-VM. It is really good for malware analysis.



After restarting, installation will still continue.



The installation will continue and then restart again. 



After the next restart, the tools get installed. 





Flare-VM has been fully installed. We now have dozens of programs and tools that will help us perform malware analysis. 



Static Malware Analysis Fundamentals 




I found a malware sample from MalwareBazaar that looked interesting and downloaded it.


SHA256: f8d907099731ba448fef98c4b100265ac37dc57ff26917ff3699fc0060f91cab



I took a snapshot and then turned off the virtual machine and changed the network adapter to “Not attached”. This is so that when I run the malware, it can’t leak over to my host machine and get C2 access.



I extracted the ZIP.



Next, I dragged and dropped the malware file into HxD to verify the filetype. 


The indicators of a “.exe” file are the bytes “4D 5A” (see File Signatures) at the very start of the file, which decode to “MZ” in the text pane, along with the string “This program cannot be run in DOS mode” in the decoded text.


* It is important to check the file in HxD because the header reveals the true filetype: a file can appear to be a .jpg by its extension but really be a .exe.



Cmder verifies that this malware is a .exe file. 



You can find the MD5 or SHA256 hash using HashMyFiles and then look it up on VirusTotal to get threat intelligence related to the file. We see the original filename is “FlatChestWare.exe”.



We can use the strings command in Cmder to see the strings of our malware file.




We can put the strings into a .txt file. 



Next we dragged and dropped our malware file into BinText.



By looking at BinText we see clear evidence that this malware is ransomware.



Next we use XORSearch in Cmder to search for C2 evidence, checking whether the malware contains an http address.





Next, we used FLOSS. It is good for recovering hidden strings that are obfuscated in more complex ways.



We then dragged and dropped the malware file into pestudio. This tool tells us a lot of detailed information about the malware.
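The static checks above (the MZ and “This program cannot be run in DOS mode” signature from HxD, the hashes from HashMyFiles, the strings dump, and the XORSearch pass for “http”) scripted in Python, as an added example that is not part of the lab or of any of those tools. The sample bytes are constructed inline (a minimal MZ/PE header plus a URL masked with single-byte XOR) so the script runs without a real sample; the PE-signature check at e_lfanew goes one step beyond the HxD check.

```python
import hashlib
import re

# Constructed stand-in for a sample on disk (not the lab's ransomware): a minimal
# MZ/PE header, the DOS-stub message, and a URL hidden with single-byte XOR 0x5A.
# For a real file use data = open(path, "rb").read().
DOS_STUB = b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little")  # e_lfanew -> 0x80
DOS_STUB += b"This program cannot be run in DOS mode.\r\n$"
DOS_STUB = DOS_STUB.ljust(0x80, b"\x00") + b"PE\x00\x00"
HIDDEN = bytes(c ^ 0x5A for c in b"http://example.invalid/gate.php")
SAMPLE = DOS_STUB + b"\x00" * 8 + HIDDEN + b"\xff" * 8

def pe_indicators(data):
    """The HxD checks from the lab (4D 5A at offset 0, DOS-stub text) plus the PE signature."""
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return {
        "mz_header": data[:2] == b"MZ",
        "dos_stub_text": b"This program cannot be run in DOS mode" in data,
        "pe_signature": data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00",
    }

def hashes(data):
    """MD5 and SHA256, the values HashMyFiles gives you for a VirusTotal lookup."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def strings(data, min_len=4):
    """Printable ASCII runs of min_len or more, like `strings` or BinText (ASCII only)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def xorsearch(data, needle=b"http"):
    """Like XORSearch: try every single-byte XOR key and report where `needle` decodes."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for m in re.finditer(re.escape(needle), decoded):
            run = re.match(rb"[\x20-\x7e]+", decoded[m.start():]).group()
            hits.append((key, m.start(), run.decode()))
    return hits

if __name__ == "__main__":
    print(pe_indicators(SAMPLE), hashes(SAMPLE)["sha256"])
    print(strings(SAMPLE))
    for key, offset, text in xorsearch(SAMPLE):
        print(f"XOR key 0x{key:02X} at offset {offset}: {text}")
```

Note that the plain strings dump shows the masked URL only as a printable garbage run, which is exactly why a pass like XORSearch is worth running after `strings`.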



Dynamic Malware Analysis Fundamentals



For Dynamic Analysis I chose to use a less dangerous malware type, adware, as I still consider myself a beginner and want to minimize the risk of the malware making a C2 connection to my host machine. 


SHA256: c012acaed2cb360b52cfb7d44691b5221e8ba174a3fb0930b16ad959362a07d0




First we open Wireshark.



If you want to capture traffic without being connected to the host machine network or the internet, set your VM to “internal network”. You can still view network traffic without the risk of the malware leaking onto your host. 




Then we opened Process Hacker.



Lastly we opened Regshot.



After all the tools were opened, we took the first shot in Regshot.



After that, Process Monitor was opened. 



We ran the malware file and it turned out to be an installation file, so I went along with it and downloaded the program.  



Next, we go to Process Monitor, open up the process tree and locate our malware file. We can see the malware file has a parent process and a child process. (This is adware, so it is pretty benign. We aren’t seeing the strange child processes, such as scheduled tasks, that some malware creates.)



This, in contrast, is a more dangerous malware sample that generates a scheduled task.



If your malware file generates scheduled tasks you can open Task Scheduler to get more information about this process. 



This scheduled task generated by the malware “starts a program” at logon. 


We opened up Wireshark to see if we could find the malware producing any suspicious network traffic. There was no DNS or HTTP traffic in the capture.



It looks like all of the network traffic is pretty standard. If you want to, you can look up any suspicious IPs on VirusTotal or AbuseIPDB.



Now it’s a good time to open up Regshot again and take the 2nd shot.



After the 2nd shot is taken, we click the compare button and then click output. 



Malware will often configure itself to run at startup, so we check the Regshot output to see whether the malware did anything in that regard.


The key words to look for in the Regshot output are: Keys Added, Values Added, Values Modified, Files Added.





After searching with Ctrl + F, we found something interesting involving our malware file in the Values Added section.



We see the same added value reported in VirusTotal.


This is suspicious behavior. It is common for adware to create temporary files during installation that can hide malicious payloads or executables. 



Next, we went back to Procmon, right-clicked the malware in the process tree and clicked “add child process event filter”.


Using Procmon and Regshot together helps us find the malware’s persistence mechanisms.




After creating that event filter, we now see only the malware’s processes.




Next we press Windows + R and type “%TEMP%” to open the Temp directory, where malware often hides itself.



Next we do the same, still searching for persistence: we type “shell:startup” to open the current user’s Startup folder, and then also try “shell:common startup” for the all-users Startup folder.
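The Regshot triage described above (Keys added, Values added, Values modified, Files added) combined with the persistence locations checked by hand (Run keys, Startup folders, Task Scheduler, %TEMP%), as an added Python example that is not part of the lab or of Regshot. The report text is a constructed sample in Regshot’s layout; the registry paths and file names in it are hypothetical.

```python
import re

# Constructed Regshot compare output (hypothetical; not from the lab's adware sample).
REGSHOT_REPORT = r"""Regshot 1.9.0 x64 ANSI
----------------------------------
Keys added: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SampleUpdater
----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\SampleUpdater: "C:\Users\lab\AppData\Local\Temp\upd.exe"
HKU\S-1-5-21-111\Software\SampleVendor\InstallDir: "C:\Program Files\SampleVendor"
----------------------------------
Files added: 2
----------------------------------
C:\Users\lab\AppData\Local\Temp\upd.exe
C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.lnk
----------------------------------
Total changes: 5
"""

SECTION_RE = re.compile(r"^(Keys added|Values added|Values modified|Files added): \d+$")
PERSISTENCE = {  # the locations the lab inspects by hand: Run keys, Startup folders, Task Scheduler, %TEMP%
    "Run key": re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    "Startup folder": re.compile(r"\\Programs\\Startup\\", re.I),
    "Scheduled task": re.compile(r"\\Schedule\\TaskCache\\Tree\\", re.I),
    "Temp directory": re.compile(r"\\AppData\\Local\\Temp\\", re.I),
}

def parse_regshot(report):
    """Map each Regshot section name to the entry lines beneath it."""
    sections, current = {}, None
    for line in report.splitlines():
        if SECTION_RE.match(line):
            current = line.split(":")[0]
            sections[current] = []
        elif line.startswith("Total changes:"):
            current = None  # footer, not an entry
        elif current and line.strip() and not line.startswith("----"):
            sections[current].append(line.rstrip())
    return sections

def find_persistence(report):
    """Return (section, entry, reason) for every entry that lands in a persistence location."""
    hits = []
    for section, entries in parse_regshot(report).items():
        for entry in entries:
            reason = next((r for r, p in PERSISTENCE.items() if p.search(entry)), None)
            if reason:
                hits.append((section, entry, reason))
    return hits
```

Run `find_persistence(open("compare.txt").read())` on a real Regshot output file to get the same Ctrl + F hits in one pass, with the ordinary vendor keys (like the InstallDir value here) filtered out.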





