Malware Analysis
Jeramy Kopacko, Security Engineer, Western PA & WV
May 17th, 2019
Source: pittsburgh.issa.org/Archives/MalwareAnalysis.pdf (2020. 10. 9.)



Steel City Information Security
Pittsburgh Information Technology
Pittsburgh Sophos User Group


Purpose

Analysis

Tools

Case Study


Malware Analyst


GOALS


• How did it get there?
  o Root Cause Analysis
• What is it doing?
  o Interactions with the system


File Formats


• File extension
  o Windows associates with an application
• File header
  o Contains the actual file type
  o Usually at the beginning of a file
• PE files (Portable Executable)
  o Typical programs
  o EXE, DLL – or .ANYTHING


Software Packing

• Packers compress or encrypt executables

• Legitimate applications also pack files, and they should be signed

• .netshrink
• Armadillo
• ASPack
• ASPR (ASProtect)
• BoxedApp Packer
• CExe
• dotBundle
• Enigma Protector
• EXE Bundle
• EXE Stealth
• eXPressor
• FSG
• kkrunchy src
• MEW
• MPRESS
• Obsidium
• PELock
• PESpin
• Petite
• RLPack Basic
• Smart Packer Pro X
• Themida
• UPX
• VMProtect
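The File Formats and Software Packing slides above make two points a script can check directly: trust the file header, not the extension, and look for packer tells. The following is an added example, not code from the slides or from Detect It Easy: it walks the DOS/PE headers and section table by hand and flags the two signals packer identifiers rely on, known packer section names and near-8-bit entropy. The section-name list and the 7.0 bits/byte cutoff are assumptions; the sample "PE" is constructed in build_sample() and is not a real program.

```python
import math
import random
import struct
from collections import Counter

# Assumption: a small starter set of section names left behind by well-known packers (not exhaustive).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1",
                   ".MPRESS1", ".MPRESS2", ".themida", ".petite"}

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted sections sit near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def pe_sections(data: bytes):
    """Return [(name, raw_size, raw_offset)] when the header says PE, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":                 # DOS stub magic
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    n_sec, opt_size = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20))
    table = pe + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    out = []
    for off in range(table, table + 40 * n_sec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_size, raw_ptr))
    return out

def triage(filename: str, data: bytes) -> dict:
    """Classify by header rather than extension and collect packer hints per section."""
    secs = pe_sections(data)
    r = {"ext": filename.lower().rpartition(".")[2], "is_pe": secs is not None, "hints": []}
    for name, size, ptr in secs or []:
        if name in PACKER_SECTIONS:
            r["hints"].append(f"packer section name {name}")
        if size and entropy(data[ptr:ptr + size]) > 7.0:       # assumption: 7.0 bits/byte cutoff
            r["hints"].append(f"high entropy in {name}")
    return r

def build_sample() -> bytes:
    """Constructed input: PE-shaped bytes with one UPX1 section of random data, not a real program."""
    rng = random.Random(1)
    payload = bytes(rng.randrange(256) for _ in range(2048))
    raw_ptr = 0x40 + 24 + 40                                   # DOS header, COFF header, one section header
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b"UPX1".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + bytes(16)
    return dos + coff + sec + payload
```

Calling triage("invoice.doc", build_sample()) reports is_pe True despite the .doc extension, plus both packer hints for the UPX1 section.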


Persistence


• 64-bit
  o HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  o HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  o HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  o HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
• 32-bit
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• File System
  o C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  o C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
• Task Manager
  o Check out the “Startup” tab


Interesting Locations


• %appdata%
• %localappdata%
• %userprofile%
• %programdata%
• %temp%
• C:\Windows
• C:\Windows\temp
• C:\Windows\System32
• C:\windows\system32\drivers\etc\hosts


Static Analysis

Utilizing tools to analyze code


VirusTotal


• www.virustotal.com
• Launched in 2004, Google acquired in 2012, Alphabet Inc. in 2018
• File and URL analyzer
• Aggregates AV and scan engines for true/false positives
• All data is shared with the AV community
• Free – use it


Tools – Detect It Easy


• Awesome tool, awesome acronym – “DIE”
• Detect It Easy is a packer identifier.
• How to use it…
  o Open it and load up an executable type file


Tools – Bintext


• Old Foundstone utility before McAfee acquired and ruined them.
• Bintext is a powerful text extractor to view ASCII and Unicode strings (readable text in a binary file).
• How to use it…
  o Open it
  o Load up a PE file
  o Observe and search


Tools - Regshot

• Regshot
  o Open source tool that provides a registry and file system comparison, allowing you to quickly take a snapshot of your system and then compare it with a second one.
• How to use it…
  o Take a snapshot of the file system and registry
  o “Infect” the system
  o Take another snapshot and display all changes


Behavior Analysis

Observing interactions in the environment


Tools – OllyDumpEx


• OllyDumpEx works better than any other tool like it.
  o Standalone
  o OllyDbg plugin
• OllyDumpEx is a PE memory dumper.
• How to use it…
  o Infect your system
  o Run it to list all running processes
  o Select a process and dump it


Tools - Process Monitor (Procmon)


• Filemon + Regmon = Procmon

• Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

• How to use it…
  o Start capture
  o “Infect” the system
  o Stop capture
  o Leverage filters and specific search queries


Case Study

Understanding Emotet


Emotet’s Goals

• Spread across network
• Skim email addresses and names
• Send spam to infect other organizations
• Download any malware payload(s)
• Be a smokescreen for targeted ransomware
• Steal browser histories, usernames and passwords

(Diagram labels: Primary infection, Secondary infection, High Impact; Data breach, Security breach, Reputation damage)


Usually Starts with Spam

Social engineering and brand spoofing


An Emotet Attack

(Diagram: Cyber Criminal, C & C Servers, Target, Your Network)

1. Infiltrate: spam email
2. Call Home: register success, get instructions and payload
3. Spread: spread to other systems on the network

A. Steal Data: upload email addresses, user names and passwords
B. Bot Attack: send spam to infect other orgs
C. Payload: install banking Trojan, install ransomware


EMOTET

(Timeline) 2014: Banking Trojan, first seen. 2019: Crimeware-as-a-Service, constant evolution.
Other timeline labels: Occasional Attacks; Sandbox Evasion; Upgraded Evasion; ZBot; TrickBot; Qakbot; Dridex; IcedID; Ryuk.

“Amongst the most costly and destructive threats to U.S. businesses right now”

U.S. Department for Homeland Security, 2018


Emotet payloads change constantly

(Chart: # of unique Emotet payload executables seen by SophosLabs, per day from 1/17/2019 to 1/31/2019, y-axis 0 to 800; daily values shown: 375, 388, 343, 414, 208, 393, 338, 270, 179, 214, 125, 248, 751, 119, 129)

300 new payload executables every day


Anatomy of an Emotet Attack

STAGE 1

User received a malicious email (malspam)

STAGE 2

User clicks on a malicious attachment, a document called ‘rgnr-avr111205-85.doc’

(Diagram: process tree of the attack, with edges labelled read, write, connect, execute, parent to and image for. Node labels in slide order: Outlook, 75 registry keys, 1 IP address, 386 files, rgnr-avr111205-85.doc, Word, cmd.exe, 9 files, PowerShell, 45 registry keys, Printer Driver Host, 431.exe, cmd.exe, 431.exe, 14 registry keys, 2 files, 89 files)

STAGE 3

User enables malicious macros in the document

STAGE 4

The macro uses cmd.exe (Command Prompt) to execute malicious, obfuscated code

STAGE 5

cmd.exe launches a second copy of cmd.exe

STAGE 6

This new instance of cmd.exe launches and executes PowerShell

STAGE 7

PowerShell connects to an IP address and downloads a file called 431.exe

STAGE 8

PowerShell executes 431.exe which, in turn, executes a second copy of itself


Intercept X detects PowerShell connecting to a suspect IP address and downloading an exe with unknown reputation, blocks this behavior and identifies the root cause (Outlook).
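The Procmon how-to (start capture, infect, stop, filter) and the eight stages above, combined in an added example that is not Sophos or Procmon code: a constructed Procmon-style capture of the same chain (Outlook, Word, cmd.exe, cmd.exe, PowerShell, 431.exe, 431.exe) is replayed, the process tree is rebuilt from the Parent PID column, and the script reports Office-spawned shells, the PowerShell connect-then-write-an-exe pattern, execution of the downloaded file, and the root-cause process. The CSV layout assumes the Parent PID column was enabled before saving; the PIDs, user "alice" and 203.0.113.10 are made up.

```python
import csv
import io

# Constructed Procmon-style export (assumption: CSV saved with the Parent PID column shown);
# the process chain and file names follow the slide, the PIDs, user and 203.0.113.10 are made up.
LOG = r"""Time,Process Name,PID,Parent PID,Operation,Path,Detail
10:02:01,OUTLOOK.EXE,3120,1004,Process Create,C:\Program Files\Microsoft Office\WINWORD.EXE,PID: 4412
10:02:03,WINWORD.EXE,4412,3120,ReadFile,C:\Users\alice\Downloads\rgnr-avr111205-85.doc,
10:02:09,WINWORD.EXE,4412,3120,Process Create,C:\Windows\System32\cmd.exe,PID: 5020
10:02:09,cmd.exe,5020,4412,Process Create,C:\Windows\System32\cmd.exe,PID: 5100
10:02:10,cmd.exe,5100,5020,Process Create,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,PID: 5244
10:02:12,powershell.exe,5244,5100,TCP Connect,alice-pc:49812 -> 203.0.113.10:80,
10:02:13,powershell.exe,5244,5100,WriteFile,C:\Users\alice\AppData\Local\Temp\431.exe,
10:02:14,powershell.exe,5244,5100,Process Create,C:\Users\alice\AppData\Local\Temp\431.exe,PID: 5400
10:02:14,431.exe,5400,5244,Process Create,C:\Users\alice\AppData\Local\Temp\431.exe,PID: 5436
10:03:00,explorer.exe,2200,1004,Process Create,C:\Windows\System32\notepad.exe,PID: 6000
"""
OFFICE = {"OUTLOOK.EXE", "WINWORD.EXE", "EXCEL.EXE"}   # typical malspam entry points
SHELLS = {"cmd.exe", "powershell.exe"}

def ancestry(pid, names, ppids):
    """[self, parent, grandparent, ...] as image names; stops at a PID the capture has no row for."""
    chain = []
    while pid in names:
        chain.append(names[pid])
        pid = ppids[pid]
    return chain

def triage(log):
    """Replay the capture and report the Office -> cmd -> PowerShell -> download -> execute chain."""
    events = list(csv.DictReader(io.StringIO(log)))
    names = {e["PID"]: e["Process Name"] for e in events}
    ppids = {e["PID"]: e["Parent PID"] for e in events}
    downloads = {}          # powershell PID -> [remote endpoint, written .exe paths...]
    findings = []
    for e in events:
        chain, image = ancestry(e["PID"], names, ppids), e["Path"].rsplit("\\", 1)[-1]
        if e["Operation"] == "Process Create" and image.lower() in SHELLS and any(a in OFFICE for a in chain):
            findings.append(f"{chain[0]} spawned {image}; root cause {chain[-1]}")
        if e["Process Name"] == "powershell.exe" and e["Operation"] == "TCP Connect":
            downloads[e["PID"]] = [e["Path"].split("-> ")[1]]
        if e["Operation"] == "WriteFile" and image.lower().endswith(".exe") and e["PID"] in downloads:
            downloads[e["PID"]].append(e["Path"])
            findings.append(f"powershell.exe fetched {image} from {downloads[e['PID']][0]} via {' <- '.join(chain[1:])}")
        if e["Operation"] == "Process Create" and any(e["Path"] in d[1:] for d in downloads.values()):
            findings.append(f"{chain[0]} executed downloaded {image}")
    return findings
```

The benign explorer.exe to notepad.exe row produces no finding, while every step of the malspam chain does, and each shell finding names OUTLOOK.EXE as the root cause, which is the same conclusion the slide credits to Intercept X.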
