Danielle Eve’s Guide to Malware Reverse Engineering:  Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior

 

 

Prologue from the Girl

me-newWell, this week was interesting.  I managed to pick up some good stuff from Ikea, specifically some counter space in the form of a Stenstorp kitchen cart.  I used the heck out of it too.  This weekend alone I’ve made two pork roasts and some killer garlic mashed potatoes (honorable mention to my Kitchen Aid Mixer).

A couple of weeks ago, I started pricing out my surgeries and getting my consultations done.  Good grief fixing nature’s screw up is turning out to be mighty expensive.  Oh, and I bought some new hair, yay for me.  With any luck, by my next post it will be here.

I bought a new plant, a money tree and friend for Yoda, my Cycad Palm.  I’m naming her Rey, in honor of Daisy Ridley’s Star Wars character.  Ahhh. . . Rey.  I’m also working on some fairy lanterns using a tutorial on Pixie Hill blog by Nichola (link below).

 

http://blog.pixiehill.com/2015/12/fairy-lantern-with-tutorial.html

If I have pictures in April for these, then it went well with my nonexistent art skills. Otherwise, forget I mentioned it. 🙂

 

Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior

Today we’ll be working exclusively in our Windows Reverse Engineering VM.  The VM has pretty much everything we need.

So, today’s malware specimen is an easy one.  Brbbot.exe

I chose this one because the behavioral analysis is pretty straightforward and it’s a well-known malware binary.  Also, it happens to be one of the best ones picked for educational purposes in the SANS GREM course.

This particular malware is available on the Cuckoo project page malwr.com.  You will need to sign up for a login in order to download it.

https://malwr.com/analysis/NjQ4MGZiMzBiNWYzNDJjYmJmNjcyZTg2OGQ3NmVhZTM/

Once you’ve downloaded the binary, we can begin.

NOTE:  If you don’t have procmon from sysinternals, please download and unzip it from the following location.

https://download.sysinternals.com/files/ProcessMonitor.zip

 

Make sure that your Windows Reversing VM is connected to the host only network.  Also, if you just installed process monitor, you might want to refresh your initial clean snapshot with it actually on the system.

Okay, first order of business, we need a runnable executable.  While cuckoo does download the file in its original PE format, you’ll need to rename it.  For this exercise, we’re going to use the name brbbot.exe.  So rename b9cfd5f89bd282452f82cc8d323f39c6932e55cab98065bb3c2cf97bb585dc2d.bin to brbbot.exe.  It should be in your downloads folder, and that’s fine for this exercise.  Normally you’ll want to store it in a malware directory.  Just makes it easier to identify log entry data.

Next, launch process hacker.  We want to be able to see brbbot run and kill it as needed.

3 - process hacker startup

Start procmon.exe (wherever you decided to unzip it).  You’ll want to run procmon in administrator mode.  Procmon will automatically start capturing, but we really want a clean capture, so hit the capture button procmoncapture and clear button procmonclear to turn off and clear the buffer.  Make certain that you configure procmon to present the data into the export file the way that procdot needs it.  Basically you’ll need to present it as follows.

  • Make sure that the show resolved addresses is disabled under the options menu.

1 - procmon - Show Resolved NA

  • Make certain that the thread id is turned on and the sequence number is off under options->Select columns.  The following screenshot shows what columns to use.

2 - procmon column set

Next, fire up WireShark.

Go ahead and start the wireshark capture by clicking on your Ethernet interface.  Then start the procmon capture by clicking the capture button.

Wireshark-Startup

Right click on brbbot.exe in your Downloads folder and choose “Run As Administrator.”

It will show up as below in your process hacker window.  Let it run for a minute or so.  This should give us good data in our buffers.

proc-hacker-brbbot-run

After it’s been running for a while, go ahead and right click on brbbot.exe in process hacker and select terminate.

brbbot-terminate

Stop the wireshark capture and the procmon capture once brbbot.exe no longer appears in process hacker.

Now, click on File->Save in Wireshark and save the resulting file as a tcpcump (pcap) file to your documents folder.

wireshark-save

Save the procmon file as a csv file using the filters, as shown below.

procmon-save

Next, fire up ProcDot and let’s see what we get.  Select the CSV File and the PCAP files we just saved in the procdot interface, then click the ellipsis button for the Launcher.  Procdot will analyze the procmon csv and present some executables.  Select brbbot.exe.

procdot-process-select

Now, hit the refresh button to the right and watch the magic happen.  You should get something like this.  As  you can see, it shows you the different activities and artifacts that brbbot executes and creates in a nice graphical perspective.

Screenshot from 2016-02-29 12_59_36

Next time we’ll start the analysis of the data and look at our next steps of improving our behavioral analysis of this executable.

See you next time, same bat time, same bat channel.

Advertisements

3 thoughts on “Danielle Eve’s Guide to Malware Reverse Engineering:  Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s