Malware Analysis Part #2: Basic Dynamic Analysis

Captions
Okay, so the automated analysis. In this case we assume that we already decided to run our automated analysis, and we assume that our malware is not something that is state-sponsored malware, but it is common malware that you can find on the Internet. So obviously you can submit it to VirusTotal, though I'm not going to show that, but I'm going to show you guys two malware analysis tools; one of them is exactly another version of Cuckoo Sandbox that I wanted to show you guys. And here is a good tool for that in a Windows environment: it is PE... PeStudio, sorry.

So this is the analysis of a Meterpreter executable. Whenever you drag and drop a file (no, you can't drag and drop a file for analysis), what it's doing is collecting some of the possible indications that this could be an unusual file or malware. So for example this one: it says "ApacheBench command line utility". It's just a really common name, right; you can easily identify a Meterpreter file, because by default, if you are using msfvenom, msfvenom will create a copy of the ApacheBench command line utility, and you will see exactly the same thing in a Meterpreter. So here are the indications; we have 12 indications here out of 23. It says that a certain function is used [unclear]; it doesn't mean that it's malware, but there is a chance. And it contains a hard-coded IP address; that's an indication, right. Why do we care about finding a hard-coded IP address in an executable file, why is it something bad? Well, if it was using a domain name, you could use a firewall to block that domain name; there are a lot of DNS firewalls that can block a domain name if it is under the age of one month. If it is one month old or younger, then it's probably going to be blocked, which means it's recently registered, which means it's possible that this is used for a phishing attack or any kind of malware. That's why the content filters, the firewalls, usually tend to block young domain names. Malware creators know that; that's why they use a hard-coded IP address in malware, so even if you have a DNS firewall it's not going to work, because it has a direct IP connection. That's the thing. Also it says there are blacklisted strings, there are 30 of those that also match, so we can see them in here.

And also the VirusTotal score says 36 out of 54. So if VirusTotal says it's malware, that means it's malware; if more than two antivirus providers say that it is malware, then it is malware. If only one says it is malware, then it might be either malware or it may not be; you don't know. And if it is a zero score on VirusTotal, that doesn't mean that it is a clean file; it can still be a malware file that comes out clean for every engine. So we're going to see that exactly. There are a lot here, so let's take a look at them. For example VirusTotal: if I click on that I can easily see that it's a Trojan; see that? It's being called malware by a lot of antivirus providers, even Microsoft, so if Microsoft calls something malware, then it's hopeless.

Let me see. So we saw the libraries; actually these are not bad themselves, but they mean that this thing is going to have socket communication. It's not usually bad, but it's one of the indications if you have a suspicious score like that. So these are the Windows API function names that it's going to use, for example here CreateFileA, CreateFile, right. The other things you should be aware of: here's the Sleep function; this is also an indication of interest for us, because we really don't want our applications to sleep, unless you have a good reason for that, but it's rare. And also Free is another indication here. And I think this one is not ransomware, but if it was ransomware you would see a lot of crypto libraries here; ransomware usually uses the Windows API crypto libraries, so if you see crypto libraries that means it might be a kind of ransomware as well. So in the strings section we see a lot of FreeEnvironmentStrings, GlobalFree, so it is doing some memory manipulation here, and this is uncommon; we usually don't do our own memory manipulation if we are not writing C code. So those are the interesting things. Here are some mutexes; these are the barriers that can be used for shared objects, and it's really uncommon for a normal application. Let me see, these are not actually bad, so for example kernel32.dll is not uncommon. This is also interesting [unclear]. Anyway, this is a kind of automated analysis of an application, so you can see the VirusTotal result as well. The beauty of this tool is it's not actually uploading your malware to VirusTotal; instead it's searching for the hash. That's a good thing, because searching the hash is usually a good idea to start with, and then you can submit your executable to VirusTotal afterwards.

So this is one thing. The other thing is you can use the URL which is called malwr.com; it's actually pretty straightforward, you can submit your file here and use malwr.com. It is the Cuckoo Sandbox, the online edition of that analyzer. For example, something is already submitted, you can take a look at it, or you can log in and submit your request here. When you run this it's going to give you a lot of information, but this time it's been run in a virtual machine, it's been analyzed by automated tools, and the creator of the malware knows that this is already available for everybody. The static analysis is also here [unclear]. There is only one activity here, and as you see in the network analysis, only this one, no other HTTP request, one host only, and there's nothing dropped. I think this is clean, there is nothing wrong with this file. Let's find something really bad.

malwr.com is usually slow, but while it is running let me show you something. You guys already heard before about Cuckoo Sandbox. Let's use Google... yeah, this is it, Cuckoo Sandbox, automated malware analysis. malwr.com is another implementation of this Cuckoo Sandbox, so we can create exactly the same thing by using Cuckoo. As I said, malwr.com is usually slow or may give an error. Of course Cuckoo has a lot of features, but the installation is something really difficult. It says "download Cuckoo"; it sounds like if you download it and double-click on that it's going to run, but let me tell you the truth: this is how you install it. You need to prepare your host, you need to prepare your guest; in order to prepare your host you need a lot of things, and in your guest you need something else, so it's pretty complicated. It's not that easy. But let's say at the end you solve this problem; then you will see something like this. This is my machine, and I have a bunch of tools that can be used for malware analysis. But remember, if you install a lot of applications here, the malware can easily understand that we are running in a sandbox environment; it doesn't look like a real environment, and it may decide to not do anything here and act like a legitimate application. That's a really common case. But let me assume there's some stupid malware developer who doesn't think that we are going to use any sandbox mechanism.

So let me first copy this photo executable; by the way, it's really malware. I copied it to my VM first, and I'm going to drag this to my PeStudio first and let's see what kind of results I have. I'm also going to use the [unclear] tool to analyze this thing; it's exactly the same thing that we are doing in our static analysis. It says Microsoft CAB SFX. What does that mean? It's a cabinet file, it's not a real executable, it's a container; it's going to self-extract something, so we need to run this thing in order to see that. So you may be in a position where you're analyzing a self-extracting executable; there is no way to see what is inside without running these executables. This is why you may need to run them: dynamic analysis. And probably you will still get the VirusTotal results, because whenever you submit them, even a self-extracting executable, the antiviruses are running that piece of code and then analyzing the behavior. So we have a lot of things; we already identified that this is something bad, but let's see how it acts in a real environment.

So let me copy this to here as well. The biggest mistake that you can do is just double-clicking on it, even in a sandbox environment; don't click on that. We need to do it in a controlled way. We will run this executable, you don't have to worry about that, but you've got to get prepared for that. First of all, get your stuff ready. I'm going to start my Process Hacker to see which processes are going to be executed here, and I'm also going to start my ApateDNS here to track what kind of DNS queries are going to be sent. These two tools are usually good for starting. You can start a lot of things of course, you can start Process Monitor, Wireshark, [unclear] and all of them, but for now it's too complicated; let's start with the easier ones.

Let me explain ApateDNS for a better idea. That is actually a local DNS server; it intercepts every single DNS request and changes the DNS answer to the IP address you want to use. For example, if I use loopback, I kill it; the malware is not going to go anywhere. And remember, if there is an embedded IP address, what's going to happen here? It's going to connect. This is why malware developers use an IP address instead of a domain name. So luckily, now we have only a domain name here. What I'm going to do is change the reply IP address to 127.0.0.1, but we can change this IP address to our REMnux machine as well. This is REMnux, it's a malware analysis and forensic investigation Linux distribution, and I can start INetSim here; it's an Internet simulator, it can serve any services and reply to any services that our application tries to connect to. But unfortunately I don't know what kind of ports it is going to connect to, that's why it may not be useful if you are running it for the first time. That's why I prefer to resolve to the loopback IP address the first time, and then try with the other IP address after identifying the port numbers.

So let's start with ApateDNS and let's try something here. For example, in my command line I'm going to ping www.google.com; see, whatever it is, 127... that's good. That means our DNS query is going to be intercepted and redirected to loopback. And also, did you guys notice, when I click on that, just take a look at Process Hacker behind the scenes. When I close that, see that it's red right here: Process Hacker gives you enough time, saying "hey guys, somebody killed this process and it's going to disappear in ten seconds". So you have enough time to see what kind of processes are created and which ones are terminated. That is another thing that I'm going to look at: if a new process is created it's going to be green.

So we know the idea and we know our application is working. Let me put this here and let me put this one here as well. This is a real application, by the way; we found it in a hospital, it came from an email. Let's say this is something stupid: it shows a hospital record in a public way, so it's just shocking, and it was sent to one of the secretaries, and she clicks on that picture. It says "your photo"; when you click on that it just shows you something. So let's click on that and let's run this thing. I click on the executable and we have a picture; that is really a picture. We see two pictures. See behind the scenes, and see that some things are disappearing here; did you guys notice? These are going, and b.exe is actually the new one; the others disappear. See that, this is the one that was left recently. So we see that this is something new, and also when I look at my DNS records I see that somebody is asking for [unclear].ddns.net. DDNS, by the way: you can get a free DNS record for anything, you don't have to register any domain name. This is something interesting. And luckily our application has not resolved anything, but I am really worried about b.exe, what it's going to do and why it is trying to connect to [unclear].ddns.net.

Let's take a look at the properties of this application first; you can choose the strings. I'm going to search for [unclear] strings; it found three thousand strings. That's the next thing that we are going to do. Let's take a look at some things here. When I look at that I see that it has a handle that says Documents\...\flashplayer.exe; that's something interesting. I don't have a flashplayer.exe in My Documents folder, obviously it has come from somewhere else. Let's drill down that directory here; you can see that [unclear]\flash.exe, hmm, that's interesting. Let's scroll down here and see what else we are looking at. [unclear] Some of these things could be there for other purposes. Actually it may take a lot of time to analyze all these things, so luckily we have a better tool. It's obviously doing something, connecting to some command and control center, so we need to identify here what ports are going to be used, what is this flashplayer.exe, and what else this executable is trying to do. Actually I can take a look at the handles here, and I'm going to look only at the file handles; instead of events, let's take the file handles. See, this one: there is an AppData\Local\Temp, on the Temp directory there's something here. So these are the things that we are going to focus on, but obviously this is something that takes a lot of time; let's use a better tool.

We need to find all the created and related files, and we need to find what kind of ports are being connected to. In this case I'm going to use a little more advanced tool, and that is going to be CaptureBAT. Luckily I have a snapshot here, so let's go back to our snapshot; don't save. This is really normal: whenever you are analyzing a malware you may restore your virtual machine maybe 10 times, even; that's fine. Let's say cancel, and I will paste my thing again here. Thanks, Microsoft. Settings and display, there we go. So this is my executable again, but this time I wanted to use CaptureBAT. CaptureBAT is a free tool again; it should be in my list, this is actually one of my favorites and it's not in the list, well, I will add that, I promise. Let me change directory to, what is it, under my Programs... it's not under... Program Files, yes, right here. Now I have CaptureBAT.exe, and if I run it with the help command, let's say -h, there we go, it has a bunch of parameters. The beauty of this thing is it's running behind the scenes, capturing all the network traffic, all the DNS requests, all the file accesses, and it's going to give me a nice text file and also a nice folder that includes the deleted files as well. So I wanted to run this on my machine as well; the log file is going to be photo.log, let's say, and I also wanted to copy all the files if they are created or deleted or modified during this execution, and I also wanted to capture the network traffic. These are the three things.

But remember, while doing this you shouldn't do a lot of things on this machine; do only the malware analysis, nothing else, because if you create noise you may mess up your malware analysis. That's why you make sure that nothing is running other than the malware. Let's run this; by itself it's going to create a little traffic as well. So if I run this, I get my picture again. I assume that my executable has already run behind it, the communication. Let's use the computer in a regular way; let's say I am opening my Notepad. Choose an application that is not going to create a lot of noise, so for example Notepad is a good one, because it doesn't create a network connection. Let's say my name, say username John Doe, and my password is "my super secret password"; luckily nobody sees that. Let's close this, don't save; I didn't write anything, it was in memory. I think we got enough captured here; let's stop this one, and I also need to stop the executable, because remember it's still running behind the scenes. Let's get rid of this thing. We're also going to take a look at another thing, but let's see what kind of files are created by CaptureBAT.

Here is the log file, and these are the things that it saw as network communication; let's see what kind of things exist here. For example the DNS: we already know these are the DNS servers, DNS communication. No responses now, because the malware is not doing anything; if we were responding with anything, probably we would see the connection. That's why you may need to use ApateDNS to redirect it somewhere to see the ports; we're going to do that as well. This is something meaningful. Let's see the deleted files; that's interesting: C:\Users\John\AppData\Local... yes, it's the same file, remember this file, and b.exe is right here, and also another one, it's again b.exe; you can analyze them as well. So b.exe is creating itself multiple times; well, probably a kind of extraction. It is something that I wanted to see as well.

Let's see the log file, photo.log, and I'm going to use Notepad++ to analyze this log file. So photo.exe is created by explorer.exe; this is where I started my process. As you can see guys, this just runs b.exe, and then b.exe, photo.exe created b.exe_ and here again. Let's see something here, what is that, it's an extraction, it's just touching some registry. Here again an exe file, and a PNG file; see that, this is the PNG file that we see. It just shows a picture, because it's a photo, it has to show something to you to trick you. Alright, so we see something again here, a picture again, there it is. Let's scroll down a little more. Zone manager, Internet, photo; it might be a kind of connection. TIF files, a txt file, [unclear]. So flash player, hmm, so Run, CurrentVersion, [unclear].exe; that's an interesting file that I don't have. So flashplayer.exe is also running on my machine, and [unclear] here. So these are flashplayer, flashplayer again, scroll on, a lot of flashplayers here. I am looking especially for something. That was interesting; I wanted to show you guys... no, no, no... okay, yeah, tada. So the b.exe file, there is a DC log here; that's an interesting one. Let's go to this side, let's take a look at this, what does it look like. There is a DC file, it says text file, and when I open that, see what's here: keylogger, submenu, Notepad, Untitled document, Notepad, my name, and started, backspace backspace backspace, John Doe and my password, and then I ran cmd.exe, and I jumped back to here. So it just takes the title of the window and it's also logged here. So it is taking screenshots, it is taking these logs like keylogs and things like that; it's a kind of keylogger, and that is also available in this log file as well. So this is good for CaptureBAT; you can see what's going on here. Of course you can drill down into every single detail, it's a kind of log file analysis; I'm not going to drill down into every single detail, that's also in here.

And one last thing that I want to do: what kind of port is this guy using? I want to identify that, but unfortunately the host is not available now, so how can I identify it? I can trick that. So this is my REMnux, and let me see the IP address, ifconfig: 192.168.8.170. Let's go back to my previous state, and I wanted to show you the last thing that I wanted to analyze. Restore snapshot; don't save here. Another thing that I wanted to see is whether it's persistently embedding itself into the system, into the registry or somewhere else. Let's see that. Wow, [unclear]; say cancel, let's change the settings here. Let me copy this thing again to my virtual machine. Let's do two things together. In my ApateDNS I'm going to forward it to 192.168.8.170, which is my REMnux machine. Let's start this one. The other one that I wanted to do is Autoruns. Autoruns is a Sysinternals utility. This is my virtual machine that has no malware in it, right; I know that this machine is clean and this is its initial state, and this is what it looks like. Autoruns helps you to take a snapshot of the things that start at startup, and after running the malware I'm going to run this again and compare the results, so I can identify what has changed. Because in order to be persistent in a machine there are a lot of ways to do it, and you can't track them all by hand. I'm going to save this on my desktop as, let's say, "initial". This is it. Now we're here, and I'm going to start Wireshark here; let's start this, and I don't need a filter for that, so nobody is creating any kind of traffic now.

So if I run my photo.exe now, in Wireshark I have to see something. Wireshark, come on, there we go. Something is going on behind the scenes, and my malware has already run. I already identified it, it's that Flash Player or b.exe, so let's kill that and let's see how it is going; I don't want it to survive in my machine anymore. First of all, we identified that the REMnux machine, we resolve, remember, 192.168.8.170, and one of my processes is trying to connect to port 6650. This is the port that this malware is trying to connect to, and as you can see guys, the PSH/ACK because it sends to there, and also a reset, because the port is not available. GET update.php, so it's trying to connect, but I think... yeah, perfect, actually it doesn't realize that this is the thing; this is where my malware is trying to connect. That's one way we can identify the port of a malware by tricking the DNS. As you can see, there is one DNS record only and it's resolved to this IP address, and we identified that it's trying to connect to this port.

The second thing is in my Autoruns; let's refresh this thing. Remember we already saved the initial state; now I'm going to compare that with this, yes, compare here, and on my desktop, say "initial". These are three changes: system.[unclear], flashplayer in my CurrentVersion\Run, and also HKEY_LOCAL_MACHINE\Software\Microsoft\Windows [unclear] Winlogon, Userinit; it's been attacked. So it modified three places to make itself persistent in the system. This is how we can also identify what this malware is trying to do. It's a combination of Wireshark, CaptureBAT, Process Hacker and also Autoruns, and ApateDNS. I know it's a little bit hard to track, but this is how we can do the dynamic analysis, guys; we can use the tools together to identify that.

But remember, if you use that in a virtual machine, it doesn't mean that your malware cannot know that. Let me show you one last thing and then let's close this session. I have this file, this is a [unclear]... that's right, it's this one that works. It says that somehow the debugger time was tricked; it's analyzing Windows version, [unclear] debugger detection, no debugger, using [unclear]; there is a long list, but okay. [unclear] But here's the thing: VM, it's been [unclear], running on a virtual machine; another one, hypervisor, it's again the second check that it is running on a virtual machine. So now the malware can use that, and it also identified the debuggers as well. So we will see that these techniques can be used in advanced dynamic analysis: whenever you put a breakpoint somewhere, it can be detected by the malware itself, so you've got to identify that section as well. You're going to get zero status, and those are mouse activities; no mouse activity, [unclear]; I don't see any mouse activity, that means this is something interesting, because in reality there is some mouse activity. Again, checking some VirtualBox things, so it identifies VirtualBox. Let's see what else here; yeah, we have [unclear], which means it is a kind of virtual machine. Whenever it detects that it is a virtual machine it may decide not to do anything. Actually this is a challenge: we are trying to make the application run in a virtual machine while the debugger is attached. So you've got to take down at least 62 different checks in order to run the application to see the results. If you do that, that means that you can convince the malware to run on your [unclear]
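The ApateDNS step in the talk (intercept every DNS request and answer with one IP, loopback first, then the REMnux box once the ports are known) is small enough to show in full. The following is an added example written for this page; it is not code from the video or from the ApateDNS project. It builds the same kind of wire-format answer a sinkhole returns, so the reader can see what the tool does to each query. The function names, the constructed test query and the REMnux address 192.168.8.170 taken from the talk are all assumptions of this example.

```python
import socket
import struct

# Added example, not code from the video or from ApateDNS: a minimal DNS sinkhole.
# Every A/IN query is answered with one configured IPv4 address, either loopback
# (connection dies locally) or the REMnux machine (INetSim then shows the port).
SINK_IP = "127.0.0.1"          # loopback, as in the first run in the talk
REMNUX_IP = "192.168.8.170"    # REMnux address quoted in the talk; lab value only


def build_query(name, txid=0x1234, qtype=1):
    """Build a wire-format DNS query (constructed input for offline testing)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, name, qtype, qclass, raw question section) of a DNS packet."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:offset + 4]


def build_sinkhole_response(query, answer_ip=SINK_IP, ttl=60):
    """Answer any A/IN query with answer_ip; other types get an empty NOERROR reply."""
    txid, name, qtype, qclass, question = parse_question(query)
    flags = 0x8180  # response, recursion desired and available, NOERROR
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question, name
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: pointer to the qname at offset 12, type A, class IN, TTL, rdlength 4, IPv4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer, name


def decode_response(response):
    """Small decoder so a sinkhole reply can be inspected; returns txid, name, answers, ip."""
    txid, _flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    _, name, _, _, _ = parse_question(response)
    ip = socket.inet_ntoa(response[-4:]) if ancount else None
    return {"txid": txid, "name": name, "answers": ancount, "ip": ip}


def serve(bind_ip="0.0.0.0", answer_ip=SINK_IP, port=53):
    """Run the sinkhole on UDP/53 and log each queried name, like the ApateDNS window."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, name = build_sinkhole_response(data, answer_ip)
        except (ValueError, IndexError):
            continue  # malformed packet: ignore it
        print(f"{peer[0]} asked for {name} -> answered {answer_ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve(answer_ip=SINK_IP)  # binding port 53 needs an administrative account
```

Point the analysis VM's DNS server at the host running `serve()`; every lookup the sample makes then shows up in the log with the name it asked for, and the connection attempt goes to whichever address you configured. AAAA and other query types get an empty answer rather than an error, which keeps a resolver from retrying other servers.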
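The Autoruns part of the talk (save a snapshot of the clean VM, run the sample, save again, compare) is the one step that is easy to automate, and the comparison matters because the interesting change was not only a new Run entry but an existing Winlogon entry whose launch string grew. The following is an added example, not code from the video or from Sysinternals: it diffs two Autoruns CSV exports by entry location and name and reports added, removed and modified entries. It assumes the exports carry the columns "Entry Location", "Entry", "Enabled", "Image Path" and "Launch String" (the names Autoruns uses when saving as CSV); the two embedded snapshots and their paths are constructed for the example and modelled on what the talk observed.

```python
import csv
import io

# Added example, not the video's or Sysinternals' code. Assumed CSV columns are the
# ones Autoruns writes when saving as CSV; the snapshots below are constructed.
KEY_COLS = ("Entry Location", "Entry")
WATCH_COLS = ("Image Path", "Launch String", "Enabled")


def load_snapshot(text):
    """Map (entry location, entry name) -> row for one Autoruns CSV export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[tuple(row[c] for c in KEY_COLS)] = row
    return rows


def diff_snapshots(before_text, after_text):
    """Return added/removed keys and, for surviving keys, which watched columns changed."""
    before, after = load_snapshot(before_text), load_snapshot(after_text)
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = []
    for k in sorted(set(before) & set(after)):
        deltas = {c: (before[k].get(c), after[k].get(c)) for c in WATCH_COLS
                  if before[k].get(c) != after[k].get(c)}
        if deltas:
            changed.append((k, deltas))
    return {"added": added, "removed": removed, "changed": changed}


def format_report(result):
    """Human-readable summary of a diff_snapshots() result."""
    lines = []
    for loc, entry in result["added"]:
        lines.append(f"ADDED    {entry} @ {loc}")
    for loc, entry in result["removed"]:
        lines.append(f"REMOVED  {entry} @ {loc}")
    for (loc, entry), deltas in result["changed"]:
        for col, (old, new) in deltas.items():
            lines.append(f"CHANGED  {entry} @ {loc}: {col}: {old!r} -> {new!r}")
    return "\n".join(lines) if lines else "no autostart changes"


# Constructed snapshot of the clean VM ("initial" in the talk).
INITIAL = r"""Entry Location,Entry,Enabled,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,Userinit,enabled,c:\windows\system32\userinit.exe,"C:\Windows\system32\userinit.exe,"
"""

# Constructed snapshot after running the sample: a new Run entry plus a modified Userinit.
AFTER = r"""Entry Location,Entry,Enabled,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Flash Player,enabled,c:\users\john\appdata\local\temp\flashplayer.exe,C:\Users\John\AppData\Local\Temp\flashplayer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,Userinit,enabled,c:\windows\system32\userinit.exe,"C:\Windows\system32\userinit.exe,C:\Users\John\AppData\Local\Temp\flashplayer.exe,"
"""

if __name__ == "__main__":
    print(format_report(diff_snapshots(INITIAL, AFTER)))
```

Keying on location plus entry name, rather than on the whole line, is what separates "a new autostart appeared" from "an existing, legitimate autostart was edited to launch something extra"; the second pattern is the one a plain text diff of the two exports tends to bury among unrelated timestamp and hash columns.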
Info
Channel: Candan BOLUKBAS
Views: 13,507
Rating: 5 out of 5
Keywords: vmware, remnux, apatedns, capturebat, process hacker, wireshark
Id: FpcDdlL0Y1E
Length: 35min 36sec (2136 seconds)
Published: Wed Jun 07 2017