AoC 2022 Day 12: Malware Analysis

Posted on by

Malware, a common term in cybersecurity, is software designed to harm a computer or a network as a whole. Threat actors create malware to accomplish particular objectives, such as breaking into networks, stealing sensitive data, or interfering with operational services.

If you were to examine numerous malware samples found in the wild, a common pattern would emerge, making it simpler to analyze additional samples as you gain experience.

Knowing these common behaviours gives us an idea of what to look for on the defensive side, such as:

  • Network connections – Malware tends to establish either external network connections or internal connections. External connections allow remote access or for downloading staged payloads from a threat actors’ infrastructure. Meanwhile, internal connections allow for lateral movement, a technique used to extend access to other hosts or applications within the network.
  • Registry key modifications – Malware typically uses registry keys to establish persistence, a technique used by threat actors to discreetly maintain long-term access to a system despite disruptions. A good example is Registry Run Keys, which allows binaries to be automatically executed when a user logs in or the machine boots up.
  • File manipulations –  Malware also tends to download (one of the common reasons to establish network connections) or create new files needed for its successful execution.

Given this knowledge, we can expect the possible behaviour of malware during an investigation.

Dangers of Analysing Malware Samples

WARNINGHandling a malware sample is dangerous. Always consider precautions while analysing it. 

With this, here are some helpful tips when handling live malware:

  • Always assume that malware samples will infect your device; hence executing it is not always the first and only step in analysing it.
  • Only run the malware sample in a controlled environment that prevents potential compromise of unwanted assets.
  • It is always recommended to have your sandbox, which allows you have a worry-free execution of malware samples.

A sandbox is a regulated testing setting that resembles an actual end-user workspace. It provides analysts with a secure setting in which to run malware samples and observe their behavior. Finally, analysts are prevented from running malware samples on their workstations, which is extremely risky and impractical due to the likelihood of unintended consequences, by having a ready sandbox.

In a typical setup, sandboxes also provide automated analysis at the disposal of Security Analysts to determine if a binary from a set of malware samples requires further manual investigation.

Static and Dynamic Analysis

We have understood the prerequisites needed to handle the malware safely from the previous section. Now, let’s have a quick refresher on the two methods of malware analysis.

A malware sample can be examined using static analysis without running the code. With the help of readable information from the binary, such as its attributes, program flow, and strings, this method primarily focuses on profiling the binary. Given the limitation of not executing it, sometimes this method gives insufficient information, which is why we resort to Dynamic Analysis.

Meanwhile, Dynamic Analysis primarily focuses on comprehending the virus by running it in a secure setting, such as a Sandbox. This will allow you to observe the malware in real-time, along with its precise behavior and mode of environment infection.

Profiling Executables through Static Analysis

We mainly use the following tools: Detect It Easy and CAPA.

Detect It Easy

Right-click the sample and execute Detect It Easy (DIE). This tool provides information about the file, such as its architecture, significant headers, packer used, and strings.

Detect It Easy.

Upon opening, we will immediately discover the binary’s architecture, and the executable packer used.

Packing malware is a common technique used by malware developers to compress, obfuscate or encrypt the binary. With this, contents such as significant strings and headers will not be immediately visible to Static Analysis Tools.

You may test this information by doing the following:

  • View the strings from Detect It Easy, which shows an overwhelming number of strings that are not that significant for investigation.
  • Note: Strings are pieces of text inside a binary, often containing information such as IP addresses, URLs, or file names used by the malicious program.

Detect it Easy (2).

  • Run CAPA, which shows that the binary mostly hides its logic and analysis is affected due to a packer.

CAPA

CAPA detects capabilities in executable files. Such as the installation of a service, invocation of network connections, registry modifications, etc.

Deep-dive into Dynamic Malware Analysis

Before renaming and executing the binary, let’s prepare the tool we need for analysing its behaviour – ProcMon. ProcMon, or Process Monitor, is a Windows tool that shows real-time registry, file system, and process/thread activity.

Taskbar tools.

Once opened, you will be prompted by  Process Monitor Filter –  a feature that allows us to filter the results logged by ProcMon.

ProcMon Filters.

We are now ready to pop the malware. Navigate to the Malware Sample folder, double-click the binary and observe the results generated by ProcMon. It might be overwhelming at first but let’s utilise its functionalities to only show the information we want.

ProcMon has a panel that can filter the following, as highlighted in the image below (in sequence):

  • Show Registry Activity
  • Show File System Activity
  • Show Network Activity
  • Show Process and Thread Activity
  • Show Profiling Events

ProcMon Filter Panel.

With these filters, we will focus on the first three; Registry, File System and Network. As discussed above, malware tends to do the following; Registry Modification, File Modification and Network Connections. Let’s start investigating them one by one.

Registry Modification

First, we want to determine if any significant Registry Modifications are executed by the binary, which is one of the expected behaviours introduced in this task.

To do this, unclick all filters and only choose Show Registry Activity. The results still give several results so let’s add a filter by finding all Registry Key Creations and Modifications. Remove the following Operations by right-clicking an entry from the Operation column and choosing Exclude ‘<operation (e.g. RegQueryKey)>’ similar to the image below:

  • RegOpenKey
  • RegQueryValue
  • RegQueryKey
  • RegCloseKey

Exclude Filter.

The view from ProcMon should yield fewer results, similar to the image below.

ProcMon Registry Filter.

You may observe that only one Registry Key has both RegCreateKey and RegSetValue. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.

File Modification

Now, let’s also determine if the malware sample executes File Creations. It may indicate that the malware drops prerequisite files for its successful execution.

Unclick all filters and choose the second filter – Show File System Activity. Again, the results are still numerous so let’s add extra filters by focusing only on File Write events. Remove the following Operations again by right-clicking an entry from the Operation column and choosing Exclude ‘<operation (e.g. CreateFile)>’:

  • CreateFile
  • CreateFileMapping
  • QuerySecurityFile
  • QueryNameInformationFile
  • QueryBasicInformationFile
  • CloseFile
  • ReadFile

The view from ProcMon should yield fewer results, similar to the image below.

ProcMon File System Filter.

You may observe that two files are written under the C:\Users\Administrator directory. The first file is located in the user’s TEMP directory, which is commonly used by malware to drop another file for its disposal. The other file is written in the STARTUP directory, also used for persistence via Startup Folders.

Network Connections

Lastly, let’s confirm if the malware sample attempts to make a network connection. It may indicate that the malware communicates with external resources to download or establish remote access.

Unclick all filters and choose the third filter – Show Network Activity. Unlike the previous filters, the results are few and can be easily interpreted.

ProcMon Network Filter.

Please take note of these domains, as we can use this information to investigate the rabbit hole further.

For a quick summary, we have learned the following:

  • Key behaviours of malware aid in having an overview of what to expect in examining malware samples.
  • The precautions needed to consider while handling malware samples and the importance of sandboxes.
  • Conduct a Static Analysis and profile the nature of the binary without executing it.
  • Perform a manual Dynamic Analysis and observe the interactions of the malware sample in the RegistryFile System and Network.
~ Source: Tryhackme.

Challenge Solution