Prologue from the Girl
Well, this week was interesting. I managed to pick up some good stuff from Ikea, specifically some counter space in the form of a Stenstorp kitchen cart. I used the heck out of it too. This weekend alone I’ve made two pork roasts and some killer garlic mashed potatoes (honorable mention to my Kitchen Aid Mixer).
A couple of weeks ago, I started pricing out my surgeries and getting my consultations done. Good grief, fixing nature’s screw-up is turning out to be mighty expensive. Oh, and I bought some new hair, yay for me. With any luck, by my next post it will be here.
I bought a new plant, a money tree and a friend for Yoda, my Cycad Palm. I’m naming her Rey, in honor of Daisy Ridley’s Star Wars character. Ahhh... Rey. I’m also working on some fairy lanterns using a tutorial on the Pixie Hill blog by Nichola (link below).
If I have pictures in April for these, then it went well with my nonexistent art skills. Otherwise, forget I mentioned it. 🙂
Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior
Today we’ll be working exclusively in our Windows Reverse Engineering VM. The VM has pretty much everything we need.
So, today’s malware specimen is an easy one: brbbot.exe.
I chose this one because the behavioral analysis is pretty straightforward and it’s a well-known malware binary. Also, it happens to be one of the best ones picked for educational purposes in the SANS GREM course.
This particular malware is available on the Cuckoo project page malwr.com. You will need to sign up for a login in order to download it.
Once you’ve downloaded the binary, we can begin.
NOTE: If you don’t have Procmon from Sysinternals, please download and unzip it from the following location.
Make sure that your Windows Reversing VM is connected to the host-only network. Also, if you just installed Process Monitor, you might want to refresh your initial clean snapshot so that it is actually on the system.
Okay, first order of business, we need a runnable executable. While Cuckoo does download the file in its original PE format, you’ll need to rename it. For this exercise, we’re going to use the name brbbot.exe. So rename b9cfd5f89bd282452f82cc8d323f39c6932e55cab98065bb3c2cf97bb585dc2d.bin to brbbot.exe. It should be in your Downloads folder, and that’s fine for this exercise. Normally you’ll want to store it in a malware directory. That just makes it easier to identify log entry data.
Next, launch Process Hacker. We want to be able to see brbbot run and kill it as needed.
Start procmon.exe (wherever you decided to unzip it). You’ll want to run Procmon in administrator mode. Procmon will automatically start capturing, but we really want a clean capture, so hit the capture button and the clear button to stop capturing and clear the buffer. Make certain that you configure Procmon to write the data to the export file the way that ProcDot needs it. Set it up as follows.
- Make sure that “show resolved addresses” is disabled under the Options menu.
- Make certain that the thread ID is turned on and the sequence number is off under Options->Select Columns. The following screenshot shows what columns to use.
Next, fire up Wireshark.
Go ahead and start the Wireshark capture by clicking on your Ethernet interface. Then start the Procmon capture by clicking the capture button.
Right click on brbbot.exe in your Downloads folder and choose “Run As Administrator.”
It will show up as below in your Process Hacker window. Let it run for a minute or so. This should give us good data in our buffers.
After it’s been running for a while, go ahead and right click on brbbot.exe in Process Hacker and select Terminate.
Stop the Wireshark capture and the Procmon capture once brbbot.exe no longer appears in Process Hacker.
Now, click on File->Save in Wireshark and save the resulting file as a tcpdump (pcap) file to your Documents folder.
Save the Procmon file as a CSV file using the filters, as shown below.
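Before loading the export into ProcDot, it is worth confirming the CSV really has the layout described above. The following Python check is an added example, not part of the original post or of ProcDot: it verifies that the thread ID column is present, the sequence column is absent, network events carry raw addresses, and brbbot.exe actually shows up. The column header names and the "source -> destination" path format for network events are assumptions about how Procmon writes its CSV, and the sample rows are constructed.

```python
import csv
import ipaddress

# Column headers as assumed to appear in a Procmon CSV export.
REQUIRED = {"Time of Day", "Process Name", "PID", "TID", "Operation", "Path", "Result", "Detail"}
FORBIDDEN = {"Sequence"}

def _numeric_endpoint(endpoint):
    """True if endpoint is <ip>:<port> with no resolved host or service name."""
    host, _, port = endpoint.strip().rpartition(":")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return port.isdigit()

def check_procmon_csv(lines, process="brbbot.exe"):
    """Return (problems, event_count) for an iterable of CSV text lines."""
    reader = csv.DictReader(lines)
    headers = set(reader.fieldnames or [])
    problems = []
    missing = REQUIRED - headers
    if missing:
        problems.append("missing columns: " + ", ".join(sorted(missing)))
    if FORBIDDEN & headers:
        problems.append("Sequence column present; turn it off under Select Columns")
    events, resolved = 0, False
    for row in reader:
        if (row.get("Process Name") or "").lower() == process.lower():
            events += 1
        op = row.get("Operation") or ""
        if op.startswith(("TCP ", "UDP ")):
            # Network events: both sides of "src -> dst" must be numeric.
            ends = (row.get("Path") or "").split(" -> ")
            if not all(_numeric_endpoint(e) for e in ends):
                resolved = True
    if resolved:
        problems.append("network paths contain resolved names; disable resolved addresses")
    if events == 0:
        problems.append("no events recorded for " + process)
    return problems, events

# Constructed sample rows, not taken from a real capture.
GOOD = ('"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"\n'
        '"10:00:01.0000001 AM","brbbot.exe","2044","CreateFile","C:\\Users\\REM\\Downloads\\brbbot.exe","SUCCESS","","1188"\n'
        '"10:00:02.0000001 AM","brbbot.exe","2044","TCP Connect","192.168.56.101:49201 -> 192.168.56.1:80","SUCCESS","","1188"\n')
BAD = GOOD.replace('"TID"', '"Sequence"').replace("192.168.56.1:80", "gateway:http")

if __name__ == "__main__":
    print(check_procmon_csv(GOOD.splitlines()), check_procmon_csv(BAD.splitlines()))
```

To run it on a real export, pass an open file instead of the sample text, opened with encoding="utf-8-sig" and newline="" so a leading byte-order mark does not end up in the first header name.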
Next, fire up ProcDot and let’s see what we get. Select the CSV file and the PCAP file we just saved in the ProcDot interface, then click the ellipsis button for the Launcher. ProcDot will analyze the Procmon CSV and present some executables. Select brbbot.exe.
Now, hit the refresh button to the right and watch the magic happen. You should get something like this. As you can see, it shows the different activities that brbbot performs and the artifacts it creates in a nice graphical view.
Next time we’ll start the analysis of the data and look at our next steps of improving our behavioral analysis of this executable.
See you next time, same bat time, same bat channel.