decompile the halls | TryHackMe Advent of Cyber 2023 Day 9 [Malware Analysis]

Captions
New camera just dropped. Hey everybody, I'm HuskyHacks and we are back with TryHackMe's Advent of Cyber 2023 Day 9: "She Sells C# Shells by the C2 Shore". My goodness, whoever came up with that title deserves a raise. Mwah, chef's kiss. Well, let's get started. We're talking about malware analysis today. This is one of my favorite subjects because I teach it professionally and I love to teach the newcomers of the field what it's all about, so come along with me today and let's get started.

So let's read a little bit of the backstory while we wait for our machine to spin up. Having retrieved the deleted version of the malware that allows Tracy McGreedy to control elves remotely, Forensic McBlue and his team have started investigating to stop the mind control incident. They are now planning to take revenge by analyzing the C2's backend infrastructure based on the malware's source code. Okay, so this is pretty cool. So C2, command and control. This happens a lot in real life. I think we're going to take a malware sample and we're going to reverse engineer it and then make inferences on the adversary's infrastructure based on that source code. And so it looks like we're talking about malware analysis, and specifically the analysis of .NET binaries, and that makes me very happy and you'll see why here in a moment.

So to start off, we talk a little bit about handling malware. These are programs that are designed to do you and your computer harm, so we need to handle them correctly, and that includes using an isolated sandbox in order to perform our analysis. Now interestingly, we're going to do static analysis in this room, which means that we are only looking at the sample as it resides on disk. In other words, we're not executing it to perform dynamic analysis on it; we're not running the malware. So in a lot of ways we don't need to worry about our network isolation, but it's still best practice to be handling and analyzing malware in an isolated, secluded network so that you and your computers and your company's computers are safe.

So usually when you're analyzing malware you are given the end result, right, a compiled executable program or a script or some kind of sample, and you have to, via inductive reasoning, start with the specifics of that result and then draw the general conclusions, based on what you see, about what the adversary is trying to do with that malware. So today's sample is a little bit different than a lot of other samples because we're working in the .NET Framework. We as humans like to write code in a high-level language and computers can only really understand code at a low-level language. So like way back in the day when computers were first built, in order to get computers to do anything we basically had to work with ones and zeros and very primitive instructions that are better for computers to understand but are very hard for humans to work with. And so over the years we've kind of evolved these computer languages to be more high-level, more abstracted, and so today we have things like Python and C, and these are high-level languages that are easier for humans to work in. But we can't just give a computer the high-level source code; it's not going to know what to do with that. So in order for a computer to use what we have written in those high-level languages it has to compile them; it has to translate it from the high-level source code of the language that we choose into the low-level instructions that the computer can understand.

Now the .NET Framework is a little special because in between the high level of the language, like C#, which is the one we'll work in today, and the low level, which is the machine code instructions that the computer can use, there's something in the middle, and that something in the middle in this case is called the Common Language Runtime. You can think of the Common Language Runtime as kind of a broker. In this case it's saying, hey, I'm going to understand the high level of the program that you're writing in, and in this case there could be many of them: C# is one such language, but there's VB.NET and F#, and there are a few other languages. In fact, PowerShell also lives inside of this kind of system of the .NET Framework. So the CLR, the Common Language Runtime, says hey, write in any of these languages, I will take what you've written and I will translate it into a standard set of instructions that we can all understand, and then I can have the computer execute instructions based on that that I have created. And so that is the concept of Intermediate Language: it's this kind of in-between between the high level of the C# that we've composed as a programmer and the low-level machine instructions that a computer needs to be able to run; there's this in-the-middle section right here.

And at this point you're probably wondering, Husky, why are you going on this diatribe about high-level and low-level programming languages and what computers can understand, etc. What's the point of all of this? So the point of all of this is that as malware analysts, if we get our hands on a malware sample that lives inside of the .NET Framework, it actually makes our job a lot easier, and the reason is that that Intermediate Language is extremely easy to analyze because it's basically the original source code of the application. And so instead of working at extremely low levels like you'd have to if you were analyzing a binary written in C or C++, the Intermediate Language is like readable near-source code of how the binary was originally composed. And so instead of analyzing and deducing based on these extremely primitive instructions, this now becomes less of malware analysis and more of code analysis. So you'll see here in a moment. So actually let's fire up the program that we'll use to extract this Intermediate Language, called dnSpy. So we'll double-click that and run dnSpy, and then in the artifacts folder here, while that loads up, we can take a look at the JuicyTomaToy_defang. So this is our malware sample that we'll use today.

So we've got dnSpy loaded up and right now there's nothing in dnSpy, but if we take our malware sample we can drag it and drop it right into dnSpy. And so what are we doing here? We're taking the end result, the compiled program, and we're having dnSpy recreate the source code from its Intermediate Language, or a rough approximation; it's pretty close most of the time. So if you go down the tree here we have the executable. It understands that this is an executable and it has the PE file format, the Portable Executable file format, but we're not really interested in that part. We are interested in this right here, which is the recreation of the source code of this program. So if we click on the program right here it will decompile this back into its approximate source code, and so now this is when we start our malware analysis, because now we've got all of the source code to be able to comb through and figure out what this thing is doing. And we can do this all statically; we don't even have to run the malware in order to figure out what it's doing.

So this room also briefly covers the command and control architecture. Very briefly, what command and control is, is that you will drop something into a target environment that you have positive control over. This is oftentimes known as a beacon or an agent, and it's called a beacon because every now and then, at some pre-specified interval, it will beacon out. So running it on the victim computer, it will beacon out back to your server that you control, which is your C2 server, and it will say, hey C2 server, I'm alive, do you have any instructions for me? Now you as the attacker can feed instructions to this agent so that every time at check-in it will ask if there are any instructions for it, and when it downloads those instructions it can execute actions on your behalf. You stay out of the environment; all you have is your agent running in the environment in that case. So super common for cyber criminals and adversaries and red teamers to use a C2 framework, command and control.

So after we have loaded our program into dnSpy we are brought here, in this Program class. Right here we have the Main method. If you're not familiar with programming, the main method or main function is normally the function from which all other functions are called, so in an executable program this is your entry point into the program. And so Main is a good place to start to analyze this C2 agent, and now this really becomes "read the source code and understand what is going on". So there's a lot going on in the Main function, right, but we also have a bunch of other functions here. We have Decryptor, Encryptor, ExecuteCommand, GetIt, Implant, PostIt and Sleeper, right? So there are reusable blocks of code set up elsewhere in this program that this program is going to use, and so it might help to kind of jump around a little bit and understand what's going on. So why don't we do that, why don't we jump around a little bit and go to the GetIt function. If we double-click on this right here it'll bring us right to the GetIt function. Based on the source code, the GetIt function uses the WebRequest class from the System.Net namespace and is initialized by the function's URL argument. All right, so that's kind of wordy, but basically what that means is that we are setting up a web request, and so we're using a library in the .NET Framework to reach out to a remote website and get something from that website. We also can specify our user agent as part of this web request, and it looks like we're reading whatever is at that endpoint and returning it into a memory stream. Okay, fantastic. We could also go take a look at the PostIt method here. So PostIt looks like it does something kind of similar, but in this case instead of a GET request it's posting information to a web server that we specify here in this program, and so we take in the argument of the URL, so you give it a place to go post this information, and it sets up the required code that's necessary to actually make that POST request.

Sleeper as well, another method that we have in here, and so we're taking in as an argument a count, which is an integer, and all this does is it sleeps. So Sleep, if you hover over this, we can see that it sleeps for the number of milliseconds that we provide it, and that just means that the program stops and pauses for that number of milliseconds. So that's pretty simple and straightforward. Now this one's kind of interesting, ExecuteCommand. So already we're kind of getting a sense of what this thing can do: it can talk to web servers, it can GET and POST to web servers, it sleeps for some specified number of seconds, and also in this one, ExecuteCommand, it sets up a way to run the command shell, cmd.exe, the command prompt, and give it a command that we specify. And we actually specify that as the argument as well, so every time we invoke this ExecuteCommand function we can tell it with an argument exactly what to execute. And then there's also two methods here for Encryptor and Decryptor, and so roughly speaking these are going to do similar functions except that one encrypts and one decrypts, obviously. It looks like we've found a hard-coded value in here called bytes, and we're not totally sure what this is doing yet. I have, you know, an idea of what that might be, but it looks like we set up the code necessary to build an AES encryption and probably a corresponding decryption routine here as well. And so where are we using the bytes? So if you click on one of these variables right here, we see byte[] bytes = Encoding.ASCII.GetBytes("You can't hack this super secure C2 keys"). If you click on this once it'll highlight elsewhere where it's used, and yes, we do have the CreateEncryptor, which passes in the byte array right here and the initialization vector. So this is all kind of just cryptography: we pass in a key and an IV, an initialization vector, and we are able to encrypt or decrypt bytes, and the Decryptor is probably going to be pretty similar, and it does look like that.

All right, so what have we gone over so far? So by the specifics here, by inductive reasoning, we can tell that we have encryption and decryption capabilities; we have the capability to execute commands, which we see in ExecuteCommand; GetIt and PostIt are our methods of interacting with a remote web server somewhere; Sleeper is going to be the way that our C2 agent sleeps and then wakes up at a specified interval and then checks to see if it has any new commands to run; and finally there's also Implant here, and so this will get something from a URL and it will convert whatever it found there from Base64 into a byte array, and so it'll write those bytes into the application data folder, which we see right here as spykit.exe. It writes all bytes and then it returns.

So if we go back to Main we kind of get the sense of what this is doing. So we start with a string that goes to http://mcgreedysecretc2.thm. We then concatenate that URL together by adding /reg, and then it will take the hostname, which it determined right here, and then post that as a parameter to that location. And we see that we have the PostIt method call as well, which takes a URL and data, and again, click once on a variable and it'll show where else it's used in the program, and in that case it's posted right there. It then sets the count as 15,000. Remember that for the Sleeper method it takes in a specified number of milliseconds, and so if we count for 15,000 milliseconds, that would be 15 seconds. It looks like this is going to be on a 15-second clock for its sleep interval. And we also set a Boolean flag right here to false; we're not totally sure what that's going to do. When we enter on line 12 this for loop right here, this is kind of just weird shorthand syntax, but this basically means do this forever, do this until something else intervenes and you have to stop. So from a high level, what we're doing here is the C2 agent will sleep for 15 seconds. After the 15 seconds is done it wakes up, it then makes a request to our specified C2 server, which we get right here, the mcgreedysecretc2.thm, at a special endpoint, at the tasks endpoint. So it basically says, do you have any tasks for me to do? So it gets that task that's living at that endpoint. So if you think, like, the attacker can stage instructions at their remote web server, and then the C2 agent will periodically wake up and check to see if there are any new tasks for it. So if the string is not null or empty it will do a little bit of string parsing and then it will check to see the value of that string, and here we have the core logic for dispatching commands to this C2 agent. So in other words, the attacker can stage sleep, shell, implant or quit to our C2 agents, and every time the C2 agent checks in, if there's a new command and it falls into one of these categories, it will act accordingly.

So to recap: after setting up a little bit of information up here, when we enter our sleeping cycle we sleep for 15 seconds, we wake up, we reach out to our remote C2 server and we say, hello, I'm awake, do you have any tasks for me? We grab the result, whatever is at that endpoint, and then we decrypt it using the Decryptor method, and then we will take a look at what that result is if it's not empty. And so there are four possible outputs here: we could sleep, we can shell, we can implant or we can quit, right, and that determines what the program is actually doing. And so notice that the attacker can issue different things and have the C2 agent perform different things as a result, and so all of this is the quintessential structure of a simple C2 agent.

So I think we can start to answer some of the questions here. What HTTP user agent was used by the malware for its connection requests to the C2 server? So if we go back over into our PostIt or GetIt methods, let's see if we have a user agent, and we do here, so that's Mozilla/5.0 (Macintosh; Intel Mac ...). So this is a common user agent, and the idea here is that you would want your malware to kind of blend into the environment that you're trying to infect. So we can post that in, I think probably without the quotation marks here, and we will submit that, and that is correct. Next question: what is the HTTP method used to submit the command execution output? So the method to submit the output: instead of using the GET method to reach out to the server and see if there are any tasks for us to execute, after we've done our task we are posting; we are using the POST method to send the information back to our C2 server. All right, so what key is used by the malware to encrypt or decrypt the C2 data? In either one of the encryption or the decryption routines, because this is a... yes, so it uses the same key. Here we are using the bytes of this string right here, which is "You can't hack the super secure C2 keys", so we'll copy that and there we go.

So this next question is, what is the first HTTP URL used by the malware? Back in the Main method we go and find the str value, and so the first thing it does is that it takes the hostname and posts that back to the /reg URL, which probably stands for register, if I had to hazard a guess. So that is correct. How many seconds is the hard-coded value used by the sleep function? We can check: the Sleeper takes in the count argument; count in this case is 15,000, but remember that Sleeper, all that really does under the hood is call Sleep, and Sleep takes in milliseconds; 15,000 milliseconds is 15 seconds. The next question here: what is the C2 command the attacker uses to execute commands via cmd.exe? Well, if we go back to our Main method here, if our command is shell we will drop down into this block right here, and that becomes the str4 = the encrypted output of the ExecuteCommand method. And so ExecuteCommand will take in the command that it wants to execute and run cmd and return the results, and then that will be posted back to the C2 server. And so the way we instruct the C2 agent to do that is by calling the shell command, and looks good. What is the domain used by the malware to download another binary? If we think back to our Implant method that installs itself as persistent, we need to find when that is called in the program. It takes in the string of a URL, so let's go back into the Main method here and let's find our Implant, and so that is at http://stash.mcgreedy.thm/spykit. So it's only looking for the domain this time, not the full URL, so we'll submit stash.mcgreedy.thm and that should be correct.

All right, and that was everything for this room. So that was a little primer on malware analysis, really static analysis of a malware binary that was written in the .NET Framework; we got to do basically just code analysis on it. And so we started with the program that we didn't know anything about, and then through reading the decompiled .NET code we learned what the program was doing. Well, hackers and gentle hackers, that's it for me. That was my second TryHackMe Advent of Cyber room this year, so thank you again for watching, for all of you, and thank you to TryHackMe for having me back. I always have fun with these, I always enjoy doing the Advent of Cyber rooms. I hope you all have a fantastic holiday season, I hope you all get some rest over this holiday season and reflect on what kind of year you've had. Be good to yourselves, be good to each other, and I will see you around.
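The walkthrough recovers three things a defender can hunt for in proxy logs: the fixed 15-second Sleeper interval, the GET to the tasks endpoint, and the hard-coded Macintosh user agent. The detector below is an added example (not the video's or TryHackMe's code) that groups requests per source and destination host and flags low-jitter 15-second polling; the log format, the host name c2-sample.invalid, the log lines themselves and the jitter threshold are all constructed assumptions.

```python
import shlex
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

BEACON_SECONDS = 15           # hard-coded Sleeper value recovered in the walkthrough
MAX_JITTER_SECONDS = 2        # tolerated spread between check-ins (assumed threshold)
MIN_CHECKINS = 3              # need a few samples before calling the timing periodic
TASK_PATH = "/tasks"          # endpoint the agent polls for work (from the walkthrough)
UA_PREFIX = "Mozilla/5.0 (Macintosh; Intel Mac"   # user agent the agent hard-codes

# Constructed sample proxy log, one request per line:
#   <epoch seconds> <src ip> <method> <url> "<user agent>"
# 10.0.0.5 shows the agent's 15 s poll loop; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1702100000 10.0.0.5 GET http://c2-sample.invalid/tasks "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
1702100015 10.0.0.5 GET http://c2-sample.invalid/tasks "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
1702100030 10.0.0.5 GET http://c2-sample.invalid/tasks "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
1702100046 10.0.0.5 GET http://c2-sample.invalid/tasks "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
1702100003 10.0.0.7 GET http://news.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1702100041 10.0.0.7 GET http://news.example/story "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1702100140 10.0.0.7 GET http://news.example/other "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

def parse_line(line):
    """Split one log line into fields (shlex keeps the quoted user agent together)."""
    ts, src, method, url, ua = shlex.split(line)
    parts = urlsplit(url)
    return {"ts": int(ts), "src": src, "method": method,
            "host": parts.netloc, "path": parts.path, "ua": ua}

def find_beacons(log_text):
    """Return one finding per (src, host) pair whose timing looks like a fixed sleep loop."""
    series = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            rec = parse_line(raw)
            series[(rec["src"], rec["host"])].append(rec)
    findings = []
    for (src, host), recs in series.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) < MIN_CHECKINS:
            continue
        deltas = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        median = statistics.median(deltas)
        # Periodic if the typical gap is the agent's sleep and the gaps barely vary.
        if abs(median - BEACON_SECONDS) > 1 or max(deltas) - min(deltas) > MAX_JITTER_SECONDS:
            continue
        findings.append({
            "src": src, "host": host, "checkins": len(recs), "median_interval": median,
            "polls_task_endpoint": any(r["method"] == "GET" and r["path"] == TASK_PATH for r in recs),
            "agent_user_agent": all(r["ua"].startswith(UA_PREFIX) for r in recs),
        })
    return findings

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The timing check matters more than the string matches: an operator can change the user agent and path, but the sleep loop still produces the regular cadence.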
Info
Channel: HuskyHacks
Views: 14,977
Id: aHKTfJJ3I5k
Length: 19min 58sec (1198 seconds)
Published: Sat Dec 09 2023