Malware Analysis Bootcamp - Analyzing The PE Header

Captions
Hey guys, welcome back to the Malware Analysis Bootcamp. In this video we're going to be looking at analyzing the PE header, and we're just going to start off with understanding what information we're interested in when we're analyzing the PE header. So, as mentioned in the previous video, the PE header contains information that the operating system requires to run the executable. Now, this information is very, very useful, as it gives us information about the origins of the malware or of the executable, and it also sheds some light on its functionality, and this can all be done, or this information can now be extracted, through static analysis. Now, when we talk about static analysis, we are primarily looking for information about the executable that, again, gives us a glimpse of its functionality and origin, and so far during the series we've been able to get quite a bit of information from the sample that we were using. So let's take a look at what we're interested in finding, or what information is most important to us, when analyzing the PE header.

First of all, we are looking for the compiler stamp, which tells us when, and sometimes where, the malware was compiled. Now, you may not get this information, because again, malware authors or attackers usually know that analysts are going to be looking at this, so they try and throw them off by using different, older dates, and this is something you'll come across. So again, if we are lucky enough to get the compiler stamp, or an accurate enough compiler stamp, that's great information about how old the malware is and when it was last compiled. Secondly, we're trying to look for which subsystem is being used. Primarily you will find many of these malware samples using a GUI subsystem, so it's really not that important information, but it gives you an idea of what subsystem is being used by the executable and its functionality. Therefore we move on to the sections, and in regards to the sections we're looking for information in regards to whether or not the executable or the malware sample has been packed, and whether or not there are any inconsistent permissions for the various sections, and I'll be demonstrating this shortly. We finally look at the libraries and imports, which are extremely important, because once we find out what libraries and imports are being used, we'll then understand some of the functionality of the malware: we'll understand that these libraries are being used, and then if we take a look at the imports we can see these imports are being used, and from then we can deduce the functionality of the malware at a very basic level. However, all of the functionality will be put to the test in dynamic analysis and behavioral analysis.

So let's take a look at the tools we'll be using for this video. We'll be using PE Studio, and the reason being is it's pretty much one of the best and most efficient tools for static analysis, especially when it comes down to analyzing the PE header. So let's get started.

All right, so we are back in FLARE VM and we can get started with analyzing the PE header. So I'm just going to open up my samples folder, and we'll be using the standard sample that we've been using so far. The download link is in the description, but be aware when actually handling the malware. So I have the packed version and the unpacked version, and I'll be using them both in this video to demonstrate some very important aspects of static analysis. So I'm just going to drag this into PE Studio so that we can get started straight away. So right over here you can see that when we open up PE Studio we are given a beautiful tree here, or a very well designed and structured tree, that contains all the various important categories or important pieces of information that will help us understand more about this malware and its functionality.

So first of all we have indicators. Now, I'll get back to indicators in a second and why it's a very important aspect of analysis, especially when using a tool like PE Studio; it's a very important section and it's a great addition to this tool. So we have already talked about the DOS header and the DOS stub. The main pieces of information can be found within the file header, the optional header, the directories, which again give us the sections, the libraries, the imports (if you also have exports in your sample you can also use them), resources and strings. So let's start off with the file header. Now, as I mentioned, we are primarily looking for the compiler stamp. Now, if you were to use a tool like CFF Explorer, so let me just open up the folder again and I'll show you this right now: you can see that PE Studio automatically converts this for us, in the sense that it gives us the actual compilation time or the compiler stamp. So let me just drag this into CFF Explorer; you can see that if we go to the file header here, the TimeDateStamp is not converted for us, which is primarily why I wanted to use PE Studio first. But again, CFF Explorer is also a great tool; I just wanted to explain why PE Studio just does everything for you, and that's a great starting point as a beginner. So it gives us the compiler stamp right over here, so you can see Monday, October 17th, 4:48, 2016.

So again, this is going to be 4:48 a.m., I believe, so that was when it was compiled. Now, I do need to give you some important information about this. Now, when dealing with the compiler stamps, as I mentioned, sometimes attackers may use incorrect compiler stamps, or you may also find various other malware samples being automatically compiled, that will give you an idea of the age of the malware. And of course, judging by this compiler stamp, I can safely assume that someone else has already analyzed this malware, or it is already detected, which means that my analysis can be made even easier. So quite important information right over here, but again, you shouldn't go by this alone in regards to getting a final assumption of the compiler stamp or when it was compiled.

Next off we have our optional header, which gives us important information like the subsystem, and as you can see, immediately it tells us in the brackets, just as it did for the file header where the date was given, and in the optional header that gives us the subsystem immediately: it tells us it's using a GUI, or the graphical user interface. Now you might be saying, why is this important? Well, again, it just gives us information in regards to what subsystem is being used by the malware, and given that information we can then make the assumption that it can utilize the graphical user interface for a majority of its functionality. So again, now we know that it was compiled in 2016, it is a graphical user interface, it utilizes the GUI, and let's take a look at the directories now.

So the directories give us the sections, libraries, imports, exports and also various things like the strings, but we've taken a look at strings. So starting off with the sections: you can see, if you watched the previous video, that everything is standard here. We have the .text section, which again gives us our code, our .rdata, .data and a .reloc. Now don't worry about what the .reloc section is; you may encounter other sections with different malware samples, but what you're looking for primarily is the standardized sections that are pretty much guaranteed to exist if this is a portable executable. The next thing you want to take a look at is the permissions. So right over here you have the permissions, and they are denoted by an X or a cross. So you can see that we are looking for the correct permissions for this section. So, as I mentioned in the previous video, the .text or the code section should be executable and should also be readable. So all of these sections here are readable, and in regards to the .rdata, you can see that it is initialized data; it is also readable, which is great, and it's not writable or executable, which is also correct. As for the .data, you can see that it is writable and it is also readable, so it's read and writable both, which is also correct as well. And for the .reloc section you can see that it is not writable nor is it executable, but it's still readable, so that is very interesting; it's something we'll be coming back to later on in this series.

As for the libraries: so when we talk about libraries we are essentially talking about the DLLs that are being used by the executable, and of course this gives us a basic overview of the functionality. So let me explain something over here. So let's start off with the sorting of these libraries and how PE Studio does it. So by default you can sort the libraries alphabetically; you then have the blacklist option, which again is a great feature integrated by PE Studio, which essentially blacklists the common DLLs, or the dynamic libraries, that are most associated with malware or malicious intent. Now, they may not be malicious in nature, but they're just flagged as such. You have the imports, the amount of imports each DLL is using, all the functions that each is using; we'll get to the imports in a second. So let me explain some of the most important ones. So kernel32.dll is something you will find used by almost all executables, because it essentially allows you to interact with the system, so kernel32.dll is pretty standard. advapi32.dll is primarily used for essentially modifying or interacting with the registry, so now we've figured out our first piece of functionality: we can see that indeed it is playing around with the registry; we'll confirm that in a second. We then have wininet.dll and wsock32.dll, which are both used for socket connections and for establishing internet connections. So we have established, just by looking at the libraries, what functionality this malware has: we can see it does interact with the internet, or it is sending data back, and we were able to establish that when we were talking about strings, because we did find the URL to the command and control center for this particular malware sample.

So I'll be explaining all of these libraries as we move along, but if you want to research them yourself, PE Studio does it for you: you can right-click, and for example if I right-click over here, you can copy these library names, and of course you can search for them in the Microsoft Developer Network; I'll put the link in the description. And of course this is also extended into the import section here. So for example, let me just load this alphabetically: if I right-click on the CloseHandle import you can see that it belongs to a group, the type, the blacklist (whether or not it's been blacklisted by PE Studio in regards to its association with malicious intent, if you want to look at it that way), and you then have the library that it belongs to, which is great. So we can look for advapi, for example; if we start off with that, we can see I was correct that the advapi DLL or library is responsible for interacting with the registry. So you can see RegCloseKey, RegCreateKey, RegEnumValue right over here, so we can see it is interacting with the registry, which again is quite dangerous and quite malicious.

So what I was getting to: if you don't know what a particular import or function is used for, you can right-click on it, you can copy the import name or the library name, or you can search the Microsoft Developer Network, and that will give you an idea of its functionality, and from then you can sort of build a picture or a clear understanding of the functionality of the malware. So let's try and analyze what's going on here. So we've already taken a look at the registry functionality; let's take a look at some other imports here. So we can see immediately we have CreateFile and CreateFileMapping, which belong to kernel32.dll. They might not necessarily be malicious, but again we can see that this malware has the permissions or the ability to create a file, delete files; it can also exit processes; we can also find files, find next files, so it can interact with the file system: it can create a file, it can delete a file, it can find various files, it can get the file attributes, the file size, which is pretty much expected, because this is a generic credential harvester. So again, its primary functionality should allow it to find files, create files, delete files, etc. It can also get system info, but again that is pretty standard. Let's look for others here: it can interact with the processes that currently exist, so it looks for any 32-bit processes, it can interact with them, it can also open another process; this is something we'll be taking a look at. It can also read files, so the contents of files, which again is expected because it is supposed to steal credentials. Let's take a look at some of the other imports here. I remember seeing the Winsock; let's see if we can find it. Yeah, there we are: we can see we have the socket imports here, so there definitely is a connection being made through a socket. So we have socket, setsockopt, send, recv, select, inet_addr, so it definitely has the ability to connect to a particular address and send data. It also connects here: InternetCrackUrl and InternetCreateUrl; these are used to parse URLs. So again, we already analyzed this when taking a look at the strings; we were able to see that we had a POST request, so it is sending data back to a URL in the form of a POST request; we'll be analyzing this as well. So again, we are finding out more about the functionality here. It also has the ability to make the computer sleep, or to initialize a sleep as an event. Let's see. I won't be covering some of the more complicated pieces of functionality based on the imports, because I want to keep it really simple at the moment. So there was one here, LoadLibrary; that's the one I wanted to explain. So LoadLibrary is an import that is quite popular with pieces of malware that dynamically load other libraries, which means that this might not be the entire extent of the functionality of the malware.

So we've established a few things here. First of all, the malware can interact with the registry, so it can delete registry keys, it can modify, it can create new ones, possibly for persistence. Secondly, it can interact with the file system: it can find files, delete files, create files, check information about the files; it can also get the content of the files, which is where things get quite malicious, really. It can also get system information, as we already saw; it can get system information, and that's pretty much all that we've been able to find so far. Now, we also got other pieces of information, or other hints, and those primarily came from the strings. So we're not going to fully analyze this right now; we'll be taking a look at it as we move along into our final lab for this section. This particular malware sample doesn't have any resources, so I'll be making an independent video covering this in the next video.

Let's take a look at the strings. As we already saw, we can navigate or browse through the strings that currently exist by their type, so we have ASCII and Unicode; we also have the hint or the blacklist availability here. So the blacklist gives us the most important strings here that possibly could have malicious intent, and immediately you can see that we have the various command and control centers here, or the URLs that I believe are command and control centers. So you can see that we have a very interesting domain here. So if we go back to the indicators: the indicators is a great section that PE Studio has, and this gives us indicators in regards to things that we want to keep our eyes peeled for. So you can see, first of all, it tells us that the DOS stub is missing; so nothing important here. File references: yeah, nothing much there in terms of the severity, although it does give it a severity level of one, so it gives it a severity level of one to ten, one being the highest severity, ten being the lowest. And then we finally have the URLs that we were looking at a second ago, so it looks like this piece of malware connects back to these three command and control centers, two of which have Russian domains, and that also can give us an idea of the malware's origin. So now that we have a basic understanding of where it might come from, we can now analyze this a little bit more when we talk about dynamic analysis and behavioral analysis. So the indicators section is a great place to start.

Now, when I was talking about sections, I also made the point to try and explain the impact of packers on the sections during analysis. So if I just drag this right over here, and let me just give it enough space here, and I'll open up the samples again and I'll go to the packed version of this same sample and I'll open this up in PE Studio. We'll give it a few seconds to load up here; so I'll just drag it right over here and we'll give it a few seconds. So let me just go back into sections here. Now, in sections you can see a very big difference from when it is packed and when it isn't packed. So for example, in the packed version the section names have now been replaced by UPX0, 1 and 2. Now, I mentioned this in the previous video: most of the packers usually have the prefix set as the section name, and this is the quickest way of analyzing or coming to the conclusion that this malware has been packed. Now, you may not come across open source packers like UPX, that's a given; UPX is just an example I've been using, but again this gives us an idea of the fact that this malware has been packed or it's been modified and that we're not getting the entire or the full picture here.

So let me just show you the impacts of packing on this. So if I go back to the indicators, you can see that this has now been changed quite a bit. So first of all, the great thing that PE Studio does: it already tells you that UPX has been blacklisted, which means you need to check this out and you need to analyze this a bit more. Well, let's take a look at the file header; the file header again gives us the compiler stamp, which again is not important information here. If we take a look at the libraries, we now see that we have the same libraries that we were working with, nothing more; again, it will give us the basic idea of the functionality. But if we were to take a look at the imports, we now have so few imports that it'll be very hard to deduce the functionality just by looking at the packed sample. So you can see, for example, we are extremely limited in the imports that we are able to see, in the fact that we only have things like send, a registry import here, or an import from the advapi32.dll library, so from this we cannot deduce any real functionality. So I just wanted to use this to explain to you the impact that packers can have on the PE header as well.

So that's pretty much all I wanted to cover in this video. Thank you very much for watching. If you have any questions or suggestions, let me know in the comments section or on my social networks, and I'll be seeing you in the next video.
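The header fields the video reads out of PE Studio (the TimeDateStamp in the file header, the subsystem in the optional header, the section names with their read/write/execute flags, and packer-style section names such as UPX0/UPX1) can be pulled straight from the bytes with nothing but the standard library. The following Python is an added example, not code from the video, from PE Studio or from CFF Explorer. It parses a PE32 header and runs over two constructed, header-only images: one laid out the conventional way (.text RX, .rdata R, .data RW, .reloc R) and one in the UPX style (RWX sections, an executable section with no raw data). The timestamp value and section layouts are chosen by me to mirror what the video describes, not taken from the real sample, and the packer-name list is illustrative.

```python
import struct
from datetime import datetime, timezone

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

# Section-name prefixes that well-known packers leave behind (illustrative, not exhaustive)
PACKER_PREFIXES = ("UPX", ".aspack", ".petite")


def parse_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF file header -> optional header -> section table
    and return the fields an analyst looks at first."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _characteristics) = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20                                     # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]          # 0x10B = PE32, 0x20B = PE32+
    # The Subsystem field sits at offset 68 of the optional header in both PE32 and PE32+
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, _va, rawsize, _rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)             # one 40-byte section header
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "r": bool(flags & IMAGE_SCN_MEM_READ),
            "w": bool(flags & IMAGE_SCN_MEM_WRITE),
            "x": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEMS.get(subsystem, f"UNKNOWN({subsystem})"),
        "sections": sections,
    }


def section_findings(sections: list) -> list:
    """Flag the section-table anomalies the video points at: packer section names,
    writable+executable sections, code unpacked at runtime, and wrong flags on .text/.data."""
    findings = []
    for s in sections:
        if s["name"].startswith(PACKER_PREFIXES):
            findings.append(f"{s['name']}: packer section name")
        if s["w"] and s["x"]:
            findings.append(f"{s['name']}: writable and executable")
        if s["x"] and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: executable with no raw data (unpacked at runtime)")
        if s["name"] == ".text" and not s["x"]:
            findings.append(".text: code section is not executable")
        if s["name"] == ".data" and s["x"]:
            findings.append(".data: data section is executable")
    return findings


def build_pe(sections, timestamp=1476679680, subsystem=2) -> bytes:
    """Assemble a minimal, header-only PE32 image (not loadable) so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)                   # 2 = IMAGE_SUBSYSTEM_WINDOWS_GUI
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, 0, 0, 0, 0, 0, flags)
                     for name, vsize, va, raw, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
# Constructed samples (timestamp 1476679680 = Mon 2016-10-17 04:48:00 UTC, chosen to mirror the video)
CLEAN_SAMPLE = build_pe([
    (".text", 0x5000, 0x1000, 0x5000, R | X | IMAGE_SCN_CNT_CODE),
    (".rdata", 0x2000, 0x6000, 0x2000, R),
    (".data", 0x1000, 0x8000, 0x400, R | W),
    (".reloc", 0x800, 0x9000, 0x800, R),
])
PACKED_SAMPLE = build_pe([
    ("UPX0", 0x8000, 0x1000, 0, R | W | X),       # reserved for the unpacked code: no raw bytes on disk
    ("UPX1", 0x3000, 0x9000, 0x3000, R | W | X),  # the compressed payload plus the unpacking stub
    (".rsrc", 0x1000, 0xC000, 0x1000, R | W),
])


def analyze(data: bytes) -> dict:
    info = parse_pe(data)
    info["findings"] = section_findings(info["sections"])
    return info


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        info = analyze(blob)
        print(f"[{label}] compiled {info['compile_time']}, subsystem {info['subsystem']}")
        for s in info["sections"]:
            print(f"  {s['name']:<8} {''.join(c if s[c] else '-' for c in 'rwx')}")
        for f in info["findings"]:
            print("  !", f)
```

Running it prints the converted compile time (the same conversion PE Studio does for you and CFF Explorer leaves raw), the subsystem name, an `rwx` column per section, and the findings; the packed image triggers the packer-name, writable-and-executable and no-raw-data checks while the clean layout triggers none. As the video stresses, the timestamp is attacker-controlled and a flag here is a reason to unpack and look deeper, not a verdict.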
Info
Channel: HackerSploit
Views: 24,028
Rating: 4.9536424 out of 5
Keywords: hackersploit, malware analysis lab, malware analysis and reverse engineering, malware analysis tools, malware analysis course, malware analysis with ghidra, malware analysis wireshark, malware analysis live, malware analysis tutorial playlist, malware analysis assembly, malware analysis and reversing, malware analysis and reverse engineering course, malware, reverse engineering, ransomware, reverse engineering malware, hacking tutorial, how to hack, exploit tutorial, hacking, packers
Id: z0e306Jod5A
Length: 20min 20sec (1220 seconds)
Published: Sat Aug 24 2019