Without further ado, let's get started.
First, let's use RegShot to take a snapshot of the registry. Once the executable has finished running we will take a second snapshot and compare the two to see what changes the suspected malicious code made.
Once the first snapshot is taken, we will use Process Monitor from the Sysinternals suite to observe the malware during its execution. We will "Add" and "Apply" a filter on Process Name so that only events from "lab06-02.exe" are shown. Keep in mind that a Process Name filter hides anything that "lab06-02.exe" spawns or injects into; if the sample launches a child process, that child's activity will not appear unless we also filter on its name or on its Parent PID.
Once we run the "lab06-02.exe" file we can see the following in Process Monitor.
A snapshot of the output shows that once the process started it performed a number of actions, including creating a file in the "Windows\Prefetch" directory and querying several directories. Note that the Prefetch (.pf) file is written by Windows for every newly launched executable, so it tells us that the sample ran, not that the sample itself dropped a file.
At this point we can take the second RegShot snapshot and compare the two.
If we remember, static analysis identified that "lab06-02.exe" imports "WININET.DLL". This suggests that some networking functionality is being used. Let's see if this is true.
To identify any networking functionality, we will run Wireshark in the background on the Windows system and tcpdump on the Kali system, while also running INetSim on the Kali box.
The Windows XP system will be configured to use the Kali box as its DNS server, so that the sample's lookups are answered by INetSim rather than by the real Internet.
Having started INetSim, we see the following:
INetSim 1.2.4 (2013-08-15) by Matthias Eckert & Thomas Hungenberg
Using log directory: /usr/share/inetsim/log/
Using data directory: /usr/share/inetsim/data/
Using report directory: /usr/share/inetsim/report/
Using configuration file: /usr/share/inetsim/conf/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 3634) ===
Session ID: 3634
Listening on: 10.0.0.102
Real Date/Time: 2014-08-13 12:59:56
Fake Date/Time: 2014-08-13 12:59:56 (Delta: 0 seconds)
Forking services...
* finger_79_tcp - started (PID 3648)
* time_37_tcp - started (PID 3651)
* discard_9_tcp - started (PID 3657)
* ntp_123_udp - started (PID 3647)
* quotd_17_udp - started (PID 3660)
* daytime_13_udp - started (PID 3654)
* chargen_19_udp - started (PID 3662)
* dns_53_tcp_udp - started (PID 3636)
* tftp_69_udp - started (PID 3645)
* syslog_514_udp - started (PID 3650)
* echo_7_tcp - started (PID 3655)
* ident_113_tcp - started (PID 3649)
* irc_6667_tcp - started (PID 3646)
* echo_7_udp - started (PID 3656)
* chargen_19_tcp - started (PID 3661)
* time_37_udp - started (PID 3652)
* discard_9_udp - started (PID 3658)
* daytime_13_tcp - started (PID 3653)
* quotd_17_tcp - started (PID 3659)
* dummy_1_udp - started (PID 3664)
* dummy_1_tcp - started (PID 3663)
* ftps_990_tcp - started (PID 3644)
* smtps_465_tcp - started (PID 3640)
* smtp_25_tcp - started (PID 3639)
* pop3_110_tcp - started (PID 3641)
* ftp_21_tcp - started (PID 3643)
* pop3s_995_tcp - started (PID 3642)
* http_80_tcp - started (PID 3637)
* https_443_tcp - started (PID 3638)
done.
Simulation running.
Let's now take a look at our netstat output:
root@securitynik:~# netstat -nltup | grep -i inetsim
tcp 0 0 10.0.0.102:1 0.0.0.0:* LISTEN 3663/inetsim_dummy_
tcp 0 0 10.0.0.102:995 0.0.0.0:* LISTEN 3642/inetsim_pop3s_
tcp 0 0 10.0.0.102:37 0.0.0.0:* LISTEN 3651/inetsim_time_3
tcp 0 0 10.0.0.102:7 0.0.0.0:* LISTEN 3655/inetsim_echo_7
tcp 0 0 10.0.0.102:9 0.0.0.0:* LISTEN 3657/inetsim_discar
tcp 0 0 10.0.0.102:6667 0.0.0.0:* LISTEN 3646/inetsim_irc_66
tcp 0 0 10.0.0.102:13 0.0.0.0:* LISTEN 3653/inetsim_daytim
tcp 0 0 10.0.0.102:110 0.0.0.0:* LISTEN 3641/inetsim_pop3_1
tcp 0 0 10.0.0.102:79 0.0.0.0:* LISTEN 3648/inetsim_finger
tcp 0 0 10.0.0.102:80 0.0.0.0:* LISTEN 3637/inetsim_http_8
tcp 0 0 10.0.0.102:465 0.0.0.0:* LISTEN 3640/inetsim_smtps_
tcp 0 0 10.0.0.102:17 0.0.0.0:* LISTEN 3659/inetsim_quotd_
tcp 0 0 10.0.0.102:113 0.0.0.0:* LISTEN 3649/inetsim_ident_
tcp 0 0 10.0.0.102:19 0.0.0.0:* LISTEN 3661/inetsim_charge
tcp 0 0 10.0.0.102:21 0.0.0.0:* LISTEN 3643/inetsim_ftp_21
tcp 0 0 10.0.0.102:53 0.0.0.0:* LISTEN 3636/inetsim_dns_53
tcp 0 0 10.0.0.102:25 0.0.0.0:* LISTEN 3639/inetsim_smtp_2
tcp 0 0 10.0.0.102:443 0.0.0.0:* LISTEN 3638/inetsim_https_
tcp 0 0 10.0.0.102:990 0.0.0.0:* LISTEN 3644/inetsim_ftps_9
udp 0 0 10.0.0.102:37 0.0.0.0:* 3652/inetsim_time_3
udp 0 0 10.0.0.102:53 0.0.0.0:* 3636/inetsim_dns_53
udp 0 0 10.0.0.102:69 0.0.0.0:* 3645/inetsim_tftp_6
udp 0 0 10.0.0.102:123 0.0.0.0:* 3647/inetsim_ntp_12
udp 0 0 10.0.0.102:1 0.0.0.0:* 3664/inetsim_dummy_
udp 0 0 10.0.0.102:514 0.0.0.0:* 3650/inetsim_syslog
udp 0 0 10.0.0.102:7 0.0.0.0:* 3656/inetsim_echo_7
udp 0 0 10.0.0.102:9 0.0.0.0:* 3658/inetsim_discar
udp 0 0 10.0.0.102:13 0.0.0.0:* 3654/inetsim_daytim
udp 0 0 10.0.0.102:17 0.0.0.0:* 3660/inetsim_quotd_
udp 0 0 10.0.0.102:19 0.0.0.0:* 3662/inetsim_charge
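Before detonating the sample it is worth checking programmatically that the sinkhole is actually in place, because a sample run against a half-started INetSim will reach out to the real Internet. The following Python script is an added example and is not part of the original post or of INetSim: it parses `netstat -nltup` output like the listing above and reports which of the DNS/HTTP/HTTPS listeners are missing or held by a program other than INetSim. Both listings embedded in it are constructed: the first reproduces lines from the output above, the second is a deliberately broken variant with HTTPS absent and a stray dnsmasq on UDP/53.

```python
"""Pre-flight check for an INetSim sinkhole: parse `netstat -nltup` output
and confirm the listeners a detonation depends on are bound by INetSim."""

# Constructed sample: a subset of the netstat listing above (healthy state).
NETSTAT_OK = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.102:80           0.0.0.0:*               LISTEN      3637/inetsim_http_8
tcp        0      0 10.0.0.102:53           0.0.0.0:*               LISTEN      3636/inetsim_dns_53
tcp        0      0 10.0.0.102:443          0.0.0.0:*               LISTEN      3638/inetsim_https_
udp        0      0 10.0.0.102:53           0.0.0.0:*                           3636/inetsim_dns_53
"""

# Constructed sample: HTTPS never started and a stray dnsmasq holds UDP/53.
NETSTAT_BROKEN = """\
tcp        0      0 10.0.0.102:80           0.0.0.0:*               LISTEN      3637/inetsim_http_8
tcp        0      0 10.0.0.102:53           0.0.0.0:*               LISTEN      3636/inetsim_dns_53
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1201/dnsmasq
"""

# (protocol, port) pairs this lab relies on: DNS for the lookup, HTTP/HTTPS for the callback.
REQUIRED = {("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}


def parse_listeners(netstat_text):
    """Map (proto, ip, port) -> 'PID/program' for every socket line in the output."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header, title or blank line
        ip, _, port = fields[3].rpartition(":")
        listeners[(fields[0].rstrip("6"), ip, int(port))] = fields[-1]
    return listeners


def sinkhole_status(netstat_text, sinkhole_ip, required=REQUIRED):
    """Report required listeners that are absent or owned by something other than INetSim."""
    have = parse_listeners(netstat_text)
    missing, foreign = [], []
    for proto, port in sorted(required):
        owner = None
        for ip in (sinkhole_ip, "0.0.0.0", "::"):  # explicit bind or wildcard bind both count
            owner = have.get((proto, ip, port))
            if owner:
                break
        if owner is None:
            missing.append(f"{proto}/{port}")
        elif "inetsim" not in owner:
            foreign.append(f"{proto}/{port} held by {owner}")
    return {"missing": missing, "foreign": foreign, "ready": not missing and not foreign}


if __name__ == "__main__":
    for label, text in (("ok", NETSTAT_OK), ("broken", NETSTAT_BROKEN)):
        print(label, sinkhole_status(text, "10.0.0.102"))
```

On a live Kali box, feed it `netstat -nltup` (or `ss -nltup`, whose columns differ and would need a different parser) and refuse to run the sample until `ready` is true.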
The netstat output confirms that INetSim is listening on 10.0.0.102 for the services we care about, including DNS (53), HTTP (80) and HTTPS (443). Let's now execute "lab06-02.exe" once again.
Once we executed "lab06-02.exe", traffic appeared on the network. We then stopped INetSim to take a look at its report.
Simulation stopped.
Report written to '/usr/share/inetsim/report/report.3634.txt' (12 lines)
=== INetSim main process stopped (PID 3634) ===
root@securitynik:~# cat /usr/share/inetsim/report/report.3634.txt | more
=== Report for session '3634' ===
Real start date : 2014-08-13 12:59:56
Simulated start date : 2014-08-13 12:59:56
Time difference on startup : none
2014-08-13 13:01:58 First simulated date in log file
2014-08-13 13:01:58 DNS connection, type: A, class: IN, requested name: www.practicalmalwareanalysis.com
2014-08-13 13:01:58 HTTP connection, method: GET, URL: http://www.practicalmalwareanalysis.com/cc.htm, file name: /usr/share/inetsim/data/http/fakefiles/sample.html
2014-08-13 13:01:58 Last simulated date in log file
As can be seen above, the suspect file did a DNS lookup for "www.practicalmalwareanalysis.com" and, once that resolved, an HTTP GET for "http://www.practicalmalwareanalysis.com/cc.htm".
Let's take a look at our packet capture to confirm this.
Looking at the 12-packet capture, we see the following:
root@securitynik:~# tshark -n -r lab06-02.pcap
1 0.000000 10.0.0.101 -> 10.0.0.102 DNS 94 Standard query 0xae4f A www.practicalmalwareanalysis.com
2 0.012583 10.0.0.102 -> 10.0.0.101 DNS 110 Standard query response 0xae4f A 10.0.0.102
3 0.013423 10.0.0.101 -> 10.0.0.102 TCP 64 1070 > 80 [SYN] Seq=1617531236 Win=64240 Len=0 MSS=1460 SACK_PERM=1
4 0.013456 10.0.0.102 -> 10.0.0.101 TCP 64 80 > 1070 [SYN, ACK] Seq=4292021235 Ack=1617531237 Win=29200 Len=0 MSS=1460 SACK_PERM=1
5 0.013720 10.0.0.101 -> 10.0.0.102 TCP 62 1070 > 80 [ACK] Seq=1617531237 Ack=4292021236 Win=64240 Len=0
6 0.014458 10.0.0.101 -> 10.0.0.102 HTTP 159 GET /cc.htm HTTP/1.1
7 0.014471 10.0.0.102 -> 10.0.0.101 TCP 56 80 > 1070 [ACK] Seq=4292021236 Ack=1617531340 Win=29200 Len=0
8 0.030540 10.0.0.102 -> 10.0.0.101 TCP 206 [TCP segment of a reassembled PDU]
9 0.033710 10.0.0.102 -> 10.0.0.101 HTTP 314 HTTP/1.1 200 OK (text/html)
10 0.034910 10.0.0.101 -> 10.0.0.102 TCP 62 1070 > 80 [ACK] Seq=1617531340 Ack=4292021645 Win=63832 Len=0
11 0.034938 10.0.0.101 -> 10.0.0.102 TCP 62 1070 > 80 [FIN, ACK] Seq=1617531340 Ack=4292021645 Win=63832 Len=0
12 0.034952 10.0.0.102 -> 10.0.0.101 TCP 56 80 > 1070 [ACK] Seq=4292021645 Ack=1617531341 Win=29200 Len=0
Let's follow the TCP stream to see what the HTTP exchange contains.
root@securitynik:~# tshark -n -r lab06-02.pcap -z "follow,tcp,ascii,10.0.0.101:1070,10.0.0.102:80"
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.101 and tcp.srcport eq 1070) and (ip.dst eq 10.0.0.102 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.102 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.101 and tcp.dstport eq 1070))
Node 0: 10.0.0.101:1070
Node 1: 10.0.0.102:80
103
GET /cc.htm HTTP/1.1
User-Agent: Internet Explorer 7.5/pma
Host: www.practicalmalwareanalysis.com
150
HTTP/1.1 200 OK
Server: INetSim HTTP Server
Connection: Close
Content-Length: 258
Content-Type: text/html
Date: Wed, 13 Aug 2014 17:01:58 GMT
258
<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
From the above we see exactly what the host requested and the response INetSim returned to satisfy it. Two details are worth noting for later: the User-Agent string "Internet Explorer 7.5/pma" is not one any real browser sends, which makes it a useful network signature for this sample, and the DNS response came back as 10.0.0.102, confirming that the lookup was answered by INetSim and never left the lab.
So now that we've done some basic static and dynamic analysis and have learned a lot about the suspected malicious file, how do we use the knowledge we have gained? We will answer this question in the next post.
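Once the sample has talked to the sinkhole, the INetSim report and the followed TCP stream above are the raw material for indicators. The following Python script is an added example rather than code from the original post, INetSim or tshark: it pulls the queried domain, the requested URL and the User-Agent out of text in those two formats, cross-checks that the request seen on the wire matches what INetSim logged, and renders the User-Agent as a Suricata rule. The text embedded in it is constructed from the report and stream shown above (tshark's byte-count lines are kept to show that the parser skips them); the rule assumes a Suricata version with the `http.user_agent` sticky buffer, and its `msg` and `sid` are placeholders.

```python
"""Turn an INetSim report and a tshark-followed HTTP stream into network indicators."""
import re

# Constructed sample input, copied from the INetSim report shown above.
INETSIM_REPORT = """\
=== Report for session '3634' ===
2014-08-13 13:01:58 First simulated date in log file
2014-08-13 13:01:58 DNS connection, type: A, class: IN, requested name: www.practicalmalwareanalysis.com
2014-08-13 13:01:58 HTTP connection, method: GET, URL: http://www.practicalmalwareanalysis.com/cc.htm, file name: /usr/share/inetsim/data/http/fakefiles/sample.html
2014-08-13 13:01:58 Last simulated date in log file
"""

# Constructed sample input, copied from the `tshark -z follow,tcp,ascii` output above.
# The bare numbers are tshark's per-direction byte counts, not protocol data.
HTTP_STREAM = """\
103
GET /cc.htm HTTP/1.1
User-Agent: Internet Explorer 7.5/pma
Host: www.practicalmalwareanalysis.com

150
HTTP/1.1 200 OK
Server: INetSim HTTP Server
Connection: Close
Content-Length: 258
Content-Type: text/html
"""

DNS_RE = re.compile(r"DNS connection, type: \w+, class: \w+, requested name: (?P<name>\S+)")
HTTP_RE = re.compile(r"HTTP connection, method: (?P<method>\w+), URL: (?P<url>\S+?),")


def parse_inetsim_report(text):
    """Return (set of queried names, list of (method, url)) from INetSim report text."""
    names, requests = set(), []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if m:
            names.add(m.group("name").lower())
            continue
        m = HTTP_RE.search(line)
        if m:
            requests.append((m.group("method"), m.group("url")))
    return names, requests


def parse_http_request(stream):
    """Parse the client's request (first in the stream) into (method, path, headers).
    Header names are lower-cased; the request ends at a blank line or at the
    server's status line, whichever the dump preserved."""
    method = path = None
    headers = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            if method:
                break
            continue
        if line.isdigit():  # tshark byte-count marker
            continue
        if method is None:
            method, path, _version = line.split(" ", 2)
        elif line.startswith("HTTP/"):
            break
        else:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def build_indicators(report_text, stream_text):
    """Merge both sources and cross-check that the wire matches the INetSim log."""
    names, requests = parse_inetsim_report(report_text)
    method, path, headers = parse_http_request(stream_text)
    host = headers.get("host", "").lower()
    logged_urls = {url for _, url in requests}
    return {
        "domains": sorted(names),
        "urls": sorted(logged_urls),
        "method": method,
        "user_agent": headers.get("user-agent", ""),
        "consistent": f"http://{host}{path}" in logged_urls and host in names,
    }


def suricata_ua_rule(user_agent, sid):
    """Render the hard-coded User-Agent as a Suricata rule; escapes the characters
    Suricata treats specially inside content:"..." (backslash, quote, semicolon, pipe)."""
    escaped = re.sub(r'([\\";|])', r'\\\1', user_agent)
    return ('alert http any any -> any any (msg:"Suspicious hard-coded User-Agent"; '
            f'flow:established,to_server; http.user_agent; content:"{escaped}"; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    indicators = build_indicators(INETSIM_REPORT, HTTP_STREAM)
    for key, value in indicators.items():
        print(f"{key}: {value}")
    print(suricata_ua_rule(indicators["user_agent"], 1000001))
```

The `consistent` flag is the sanity check a practitioner wants before trusting the indicators: if the Host header and path on the wire do not reproduce the URL INetSim logged, either the capture or the sinkhole saw something the other did not, and the report alone should not be relied on.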
References:
https://tuts4you.com/download.php?view.3011
https://code.google.com/p/regshot/
http://technet.microsoft.com/en-ca/sysinternals/bb842062.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa385473(v=vs.85).aspx
http://www.inetsim.org/index.html
https://www.wireshark.org/docs/man-pages/tshark.html