DEF CON Demo Lab

DEF CON 28 / DEF CON Safe Mode, Demo Lab · 2020-07-30 · JPCERT/CC



  • Copyright ©2019 JPCERT/CC All rights reserved.

  • Slide 1: Motivation

    (Figure: Sandbox, Human and Malware Analyst; captions "Perfect!" and "That's not what I want…")

  • Slide 2: Motivation

    (Figure: Sandbox, Human and Malware Analyst; captions "I want configuration data!" and "Perfect!")

  • Slide 3: Why do we need malware configuration data?

    • Many variants of malware code are almost unchanged, and only the configuration data is different.
      • If the configuration data is known, there is no need for static analysis.
    • Configuration data contains important information that cannot be obtained by sandbox analysis.
      • Including campaign id, encryption key etc.

  • Slide 4: How to Extract Malware Configuration Data Manually

    It's very simple.

  • Slide 5: How to Extract Malware Configuration Data Manually

    Step 1: Malware Analysis
    • Understand encryption techniques
    • Understand configuration structures

  • Slide 6: How to Extract Malware Configuration Data Manually

    Step 2: Create tool

    That's all.

  • Slide 7: How to Extract PlugX Configuration

    In PlugX data, the PlugX main module and configuration are encoded.

    (Figure: PlugX data layout. Loader code is followed by the encoded PlugX main module and config; the PlugX config is both encoded and LZNT1-compressed. After decoding and LZNT1 decompression, the decoded code and the PlugX config are used in the injection process.)
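The LZNT1 step of the PlugX pipeline above, as an added example in Python (not code from the slides or from MalConfScan): a minimal LZNT1 decompressor of the kind an analyst writes into an extraction tool. PlugX's custom encoding is not described on this page and is not implemented here; the input is a constructed one-chunk LZNT1 stream, not PlugX data.

```python
import struct

# Constructed sample (not from PlugX): one LZNT1 chunk that expands to b"ABCABCABC".
# Header 0xB005 = compressed flag 0x8000 | signature 0x3000 | (6 data bytes - 1).
# Flag byte 0x08: tokens 0-2 are literals 'A','B','C'; token 3 is a back-reference
# with offset 3 and length 6, encoded as (offset-1) << 12 | (length-3) = 0x2003 LE.
SAMPLE_LZNT1 = bytes.fromhex("05b0" "08" "414243" "0320")


def _decompress_chunk(chunk: bytes) -> bytes:
    """Decode the tokens of a single compressed LZNT1 chunk."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])          # literal byte
                i += 1
                continue
            # Back-reference: the 16-bit token is split between offset and length,
            # and the length field shrinks as the output position grows.
            token = chunk[i] | (chunk[i + 1] << 8)
            i += 2
            pos = len(out) - 1
            length_mask, offset_shift = 0xFFF, 12
            while pos >= 0x10:
                length_mask >>= 1
                offset_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before start of output")
            for _ in range(length):          # byte-wise copy so overlapping runs work
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream: a sequence of chunks, each with a 2-byte header."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:
            break                            # end-of-stream marker
        size = (header & 0xFFF) + 1          # low 12 bits: chunk size minus one
        chunk = data[i:i + size]
        i += size
        if header & 0x8000:                  # bit 15: chunk is compressed
            out += _decompress_chunk(chunk)
        else:
            out += chunk                     # stored uncompressed
    return bytes(out)


if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_LZNT1))
```

The byte-wise copy in the back-reference loop matters: LZNT1 allows a match length longer than its offset (the sample's offset 3, length 6 repeats "ABC" twice), so a slice copy would truncate the run.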

  • Slide 8: PlugX Encoding Method

    PlugX uses a custom encoding method.

    (Figure: the encoding routine; config size 0x2540 and config size 0x36A4.)

  • Slide 9: PlugX Configuration Structure

    (Figure only.)

  • Slide 10: How to Extract TSCookie Configuration

    TSCookie uses only RC4 for encryption.

    (Figure: code with an encrypted resource; RC4 decryption yields the decoded code and the TSCookie config.)

  • Slide 11: TSCookie Configuration Structure

    (Figure only.)

  • Slide 12: What is MalConfScan?

    MalConfScan is a Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. MalConfScan searches for malware in memory images and dumps configuration data.

  • Slide 13: Example (RedLeaves configuration data)

    (Figure only.)

  • Slide 14: Supported Malware Families

    Ursnif, TSCookie, AZORult, Emotet, TSC_Loader, NanoCore RAT, Smoke Loader, xxmm, AgentTesla, PoisonIvy, Datper, FormBook, CobaltStrike, Ramnit, NodeRAT, NetWire, HawkEye, njRAT, PlugX, Lokibot, TrickBot, RedLeaves, Bebloh, Remcos, QuasarRAT, AsyncRAT, WellMess, ELF_PLEAD

  • Slide 15: Supported Malware Families

    (Same list as slide 14.)

  • Slide 16: Question

    Why use Volatility?

  • Slide 17: Advantages of Dumping Configuration Data from Memory

    No Need to Unpack
    • Unpacking malware is not necessary when extracting configuration data.

    No Need to Decode
    • Configuration data may be already decoded.
    • No need to know how to decrypt configuration data.
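An added example in Python (not code from the slides or from MalConfScan) that ties the TSCookie slide (RC4-encrypted resource, decrypted manually with the key) to the point made here (the decoded configuration already sits in memory, so no key is needed). The config layout, key, resource bytes and memory image are all constructed for the demonstration and are not TSCookie's real structure; only the RC4 routine is the real algorithm.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed (hypothetical) config layout used only for this demonstration:
# 4-byte magic, 2-byte port (little-endian), NUL-terminated C2 hostname.
CONFIG_MAGIC = b"CFG!"


def build_config(host: str, port: int) -> bytes:
    return CONFIG_MAGIC + port.to_bytes(2, "little") + host.encode("ascii") + b"\0"


def parse_config(blob: bytes) -> dict:
    if not blob.startswith(CONFIG_MAGIC):
        raise ValueError("bad magic")
    port = int.from_bytes(blob[4:6], "little")
    host = blob[6:].split(b"\0", 1)[0].decode("ascii")
    return {"host": host, "port": port}


def decrypt_resource(resource: bytes, key: bytes) -> dict:
    """Manual approach: know the key, decrypt the resource, parse the structure."""
    return parse_config(rc4(key, resource))


def find_decoded_configs(memory: bytes) -> list:
    """Memory approach: scan for the plaintext structure the malware wrote after decoding it."""
    found = []
    idx = memory.find(CONFIG_MAGIC)
    while idx != -1:
        try:
            found.append(parse_config(memory[idx:idx + 256]))
        except (ValueError, UnicodeDecodeError):
            pass                             # false hit on the marker bytes; keep scanning
        idx = memory.find(CONFIG_MAGIC, idx + 1)
    return found


# Constructed memory image: the still-encrypted resource (as in the PE on disk)
# followed by the decoded copy the running sample placed in a heap buffer.
SAMPLE_KEY = b"constructed-key"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, build_config("c2.example.invalid", 443))
SAMPLE_MEMORY = (b"\x00" * 64 + SAMPLE_RESOURCE + b"\x90" * 32
                 + build_config("c2.example.invalid", 443) + b"\x00" * 64)


if __name__ == "__main__":
    print("with key:   ", decrypt_resource(SAMPLE_RESOURCE, SAMPLE_KEY))
    print("from memory:", find_decoded_configs(SAMPLE_MEMORY))
```

Both paths return the same configuration; the memory scan never touches the key or the cipher, which is the advantage the slide describes. A real scanner keys on the family's own structure (MalConfScan uses YARA signatures for that) rather than a constructed marker.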

  • Slide 18: In Addition

    This tool also dumps more than configuration data if needed.

    • Configuration Data
    • Decoded Strings
    • DGA Domains

  • Slide 19: Example (Bebloh configuration data and DGAs)

    (Figure only.)

  • Slide 20: Example (FormBook decoded strings)

    (Figure only.)

  • Slide 21: Additional Feature

    The malstrscan function can list the strings to which the hollowed process refers.

    • Configuration data is usually encoded by malware.
    • Most malware writes the decoded configuration data to memory.
    • This feature lists the decoded configuration data when possible.

  • Slide 22: Example

    (Figure only.)

  • Slide 23: More Additional Feature

    linux_malconfscan searches for malware in Linux OS memory images and dumps configuration data.

    Few malware families are supported: WellMess, ELF_PLEAD.

  • Slide 24: DEMONSTRATION

  • Slide 25: How to Use

    MalConfScan Wiki: https://github.com/JPCERTCC/MalConfScan/wiki

  • Slide 26: Next Stage

    Automation!

  • Slide 27: What is MalConfScan-with-Cuckoo?

    MalConfScan-with-Cuckoo is a Cuckoo Sandbox plugin for MalConfScan.

    The plugin adds a function that extracts known malware's configuration data from the memory dump and adds the MalConfScan report to Cuckoo Sandbox.

  • Slide 28: How it Works

    This tool uses Cuckoo's memory dump function to extract the configuration data of executed malware from memory dumps.

  • Slide 29: Overview

    (Figure only.)

  • Slide 30: GUI

    (Figure only.)

  • Slide 31: Anti-Analysis

    Anti-analysis functions disturb the analysis in a sandbox. Some malware has these functions, e.g. Ursnif variants (targeting Japan).

  • Slide 32: Anti-analysis techniques

    • Generic: language settings, execution after reboot, total physical memory, count of processors, etc.
    • Virtualization: CPUID (CPU brand, virtualization setting, etc.), device info (device name, MAC address, etc.), registry keys, etc.
    • Processes: process name (wireshark, OllyDbg, Process Monitor, etc.)

  • Slide 33: How to bypass anti-analysis

    Configure your VM.

  • Slide 34: How to configure your VM

    Ursnif has some anti-analysis functions:

    • CPU Brand Detection
    • Device Name Detection
    • Debugger Detection
    • Boot-time Detection

  • Slide 35: Anti-Analysis: CPU Brand Name Detection

    • Call the CPUID opcode to dump the CPU brand name.
    • Check whether the CPU brand name includes "XEON".

    mov eax, 8000000[2-4]h
    __cpuid

  • Slide 36: Anti-Anti-Analysis: Fake the CPU Brand Name (VMware)

    Fake the return value of CPUID with the VM configuration. Insert the following settings into your .vmx file:

    cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
    cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
    cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
    cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
    cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
    cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
    cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
    cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
    cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
    cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
    cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
    cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
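The cpuid.8000000[2-4] values above are the 48-byte CPUID brand string split across twelve 32-bit registers, each written in VMware's nibble-separated binary form and little-endian within the register. As an added example in Python (not from the slides or from JPCERT/CC), the script below decodes those exact lines back into the brand string, generates the .vmx lines for any brand string of up to 47 characters, and applies the "XEON" test from the previous slide to a candidate string so an analyst can confirm a chosen brand would not trip it. The function names are mine.

```python
import re

# The twelve lines from the slide, reproduced as the sample input
# (cpuid.<leaf>.<subleaf>.<register> = "<32 bits, nibble-separated>").
VMX_SAMPLE = '''
cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
'''

BRAND_LEAVES = (0x80000002, 0x80000003, 0x80000004)   # the brand-string leaves
REGISTERS = ("eax", "ebx", "ecx", "edx")              # order in which bytes are returned
_LINE = re.compile(
    r'^\s*cpuid\.([0-9a-fA-F]+)\.(\d+)\.(eax|ebx|ecx|edx)\s*=\s*"([01:]+)"', re.M)


def vmx_bits_to_u32(value: str) -> int:
    """Turn "0110:0101:..." into the 32-bit register value it denotes."""
    bits = value.replace(":", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError(f"not a 32-bit VMware binary string: {value!r}")
    return int(bits, 2)


def u32_to_vmx_bits(word: int) -> str:
    """Inverse of vmx_bits_to_u32: 32 bits, grouped in nibbles with ':'."""
    bits = format(word & 0xFFFFFFFF, "032b")
    return ":".join(bits[i:i + 4] for i in range(0, 32, 4))


def parse_vmx_cpuid(text: str) -> dict:
    """Map (leaf, register) -> 32-bit value for every cpuid.* line in a .vmx."""
    return {(int(m.group(1), 16), m.group(3)): vmx_bits_to_u32(m.group(4))
            for m in _LINE.finditer(text)}


def brand_string_from_regs(regs: dict) -> str:
    """Reassemble the brand string: leaves 0x80000002-4, eax..edx, little-endian each."""
    raw = b"".join(regs.get((leaf, reg), 0).to_bytes(4, "little")
                   for leaf in BRAND_LEAVES for reg in REGISTERS)
    return raw.split(b"\0", 1)[0].decode("ascii")


def vmx_lines_for_brand(brand: str) -> list:
    """Produce the twelve .vmx lines that make the guest report `brand`."""
    data = brand.encode("ascii")
    if len(data) > 47:                       # 48 bytes including the NUL terminator
        raise ValueError("brand string too long for the 48-byte CPUID field")
    data = data.ljust(48, b"\0")
    lines = []
    for i, leaf in enumerate(BRAND_LEAVES):
        for j, reg in enumerate(REGISTERS):
            word = int.from_bytes(data[i * 16 + j * 4:][:4], "little")
            lines.append(f'cpuid.{leaf:x}.0.{reg} = "{u32_to_vmx_bits(word)}"')
    return lines


def trips_xeon_check(brand: str) -> bool:
    """The test from the previous slide: does the brand string contain "XEON"?"""
    return "XEON" in brand.upper()


if __name__ == "__main__":
    brand = brand_string_from_regs(parse_vmx_cpuid(VMX_SAMPLE))
    print(brand, "-> trips XEON check:", trips_xeon_check(brand))
    print("\n".join(vmx_lines_for_brand(brand)))
```

Decoding the slide's lines gives a consumer-class Intel Core brand string, which is why the fake passes the "XEON" test: the check is a server-CPU heuristic, and the settings make the guest look like a laptop.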

  • Slide 37: Before / After

    (Figure: CPU brand name before and after the change.)

  • Slide 38: Anti-Analysis: Device Name Detection

    • Call the Win32 API to get the device name.
    • Check whether the device name includes specific strings.

  • Slide 39: Anti-Anti-Analysis: Modify the Device Name (VMware)

    Modify the device name. Insert the following settings into your .vmx file:

    scsi0:0.productID = "Toshiba SSD"
    scsi0:0.vendorID = "Toshiba"
    scsi1:0.productID = "Toshiba SSD"
    scsi1:0.vendorID = "Toshiba"

  • Slide 40: Recommended settings for Anti-Anti-Analysis

    • Do NOT use VMware Tools or VirtualBox Guest Additions.
    • Use a local-language OS for the VM.
    • Modify the CPUID response.
    • Modify the device name.
    • Modify the NIC (MAC address).

  • Slide 41: DEMONSTRATION

  • Slide 42: How to Use

    MalConfScan-with-Cuckoo Wiki: https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

  • Slide 43: We are going to Volatility3!

    MalConfScan will support Volatility3.

    https://github.com/JPCERTCC/MalConfScan/tree/Volatility3

  • Slide 44: Contact

    @jpcert_en
    [email protected]
    https://www.jpcert.or.jp/english/pgp/
    https://github.com/JPCERTCC/MalConfScan
    https://github.com/JPCERTCC/MalConfScan-with-Cuckoo
