Danielle Eve’s Guide to Reverse Engineering Malware – Day 4: Looking at Behavioral Data (RegShot, ProcDot, Wireshark)

procdot-snippet

danieve

 

Notes from the Girl

Well it’s been a bit of a long haul these past couple of months.  After the recent round of layoffs at my employer, I’m currently acting as Director of application ops for our corporate systems (accounting and HR) rather than doing IR.  If this continues long term, my skills will get seriously rusty.  I am starting to see accounting ledger sheets in my sleep.

In any event, on the more personal side of things, I’ve gone back to Blonde hair rather than the darker color I had switched to in March (the darker shown in the picture).  My wife, Reg (short for Regina), has made it clear that the color was too dark for me.  I’m just happy that she expressed an opinion.  We’re still rocking and rolling.  It’s always awesome to see love take a front seat to fear.  Speaking of which, what’s up with these bathroom laws people?  I just wanna pee.  Like a woman.  I don’t want to be in the men’s room.  This crap is silly.  Well, I hope the good people of North Carolina and Mississippi (as of this writing) are prepared to have men like Buck Angel in the women’s restroom.  If you don’t know who Buck Angel is, google it.

If “peeping Tom’s” are your concern, make it a crime to peek at someone in the restroom. Oh, wait, that’s already a crime in both North Carolina and Mississippi (GSNC § 14-202, MSC § 97-29-61).  If rape is your concern, I have to tell you, any transwoman who has been on HRT for more than a month hasn’t a hope in hell of being able to rape anyone.  Wait, rape is illegal too, in North Carolina and Mississippi even.  So what were these bathroom bills supposed to prevent?  Nothing that wasn’t already illegal.  The reality is that they are designed to make transition as uncomfortable as possible for transwomen.  Not for transmen mind you.  Again, go look at Buck Angel.  Who is going to challenge him in the men’s room?

All in all, the last two months have been a little depressing.  But, I am surviving.  As my mother and step-mother have both told me many times, this, too, shall pass.

Oh, one other thing, my Faerie Lanterns turned out great.  My daughter stole them for her room.  Grrr. . . .

On with this week’s discussion. Interpreting ProcDot, RegShot, and Wireshark data from our behavioral capture.

Looking at ProcDot, RegShot, and Wireshark Data

Last week, we launched brbbot.exe in order to get some data.  Unfortunately, this didn’t result in any real information on the network, but we did see some behaviors associated in our Process Monitor capture that showed up in ProcDot when we analyzed the results.  Part of this information showed some registry changes, new files, and a few other things.  Unfortunately, we didn’t do a careful registry capture that would allow us to see the changes clearly.  However, not to worry, this week, we’re going to make that happen.  So, go ahead, if you haven’t already, revert your Windows Reverse Engineering VM to the known good state.  Next, you’ll want to change your network properties as follows (I’m using Argon Network Switcher for convenience, but you can set these values in the control panel just as easily).

argon

Now, start your Remnux installation as well and make sure it’s reverted to the most recent known good snapshot.  Now, in Remnux, open a terminal window and type myip.  You should see something like the screenshot below.

myip

If you don’t have 192.168.244.129 as your IP on your remnux workstation, then make sure you change it.  You can do so with the following command:
sudo ifconfig eth0 192.168.244.129 netmask 255.255.255.0

Right, now, like last time (Day 4), go back to your windows reversing workstation and start process hacker, wireshark.  Your screen should look something like this:

ph-ws-screen-cap

Now fire up regshot and click 1st shot and select Shot.  Regshot creates a lot of noise in procmon and the number of entries will likely crash procmon on our VM given our limited resources.

regshot1

Now, start your wireshark capture and procmon like we did last time and right click brbbot.exe and click Run As Administrator.  We’ll let that run for about 3 minutes and then we’ll kill it by right clicking in Process Hacker and selecting Terminate.

Now, let’s stop our captures and save our procmon and wireshark data.  Don’t forget to save the procmon data as a csv and not PML.  Close Procmon and Wireshark.  Once you’ve verified that brbbot.exe is no longer executing, close Process Hacker.  Now, in RegShot, click 2nd shot.  Then click copare.  This will open up notepad and give you a listing of changed registry keys since the 1st shot.  Minimize this and keep it handy, we’ll be referring to it soon.  Go ahead and load up your brbbot captures in procdot and we’ll see what we get.  You should see something like what is below.

brbbot-procdot

 

You’ll notice a few things.  Indicated in the upper right corner of our procdot screen, right after it started, BRBBot created a new file in C:\Windows\System32 called brbbot.exe.  This is actually a copy of the program itself to be used for later purposes.  This is good to know as it can be used as an IOC (Indicator of Compromise).

Also, it added itself to the HKLM\Microsoft\Widnows\CurrentVersion\Run registry key.  This gives it an autostart.  It also created C:\Windows\System32\config\SOFTWARE.LOG2.  This is an indication of the modifications to the software hive.  The registry system creates backups when the registry is modified.

We can also see that it created brbconfig.tmp and modified several other registry entries.  We’ll come back to brbconfig.tmp, but let’s look at the registry changes.  Lucky for us, we actually have registry captures to see the changes.

As you can see the below registry key was created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Windows\system32\brbbot.exe"

This is to survive reboot.

There were several other keys touched.  Go through each one in your registry and your regshot data and see if you can find out what was changed on each one, if anything.  Also, at the end of the regshot data is a listing of files that were modified or created.  A couple of things to note, brbbot.exe looks at the ProxyEnable and the ProxyBypass settings.  It’s probably a good bet that it will set a bypass if ProxyEnable is set to 1.  That’s just hypothetical, but if you want to find out, restore your initial known good snapshot, set an internet proxy in your internet options and re-run the same test.  Let me know how it turns out.

Okay, so you can also look at brbconfig.tmp.  Unfortunately, opening it in notepad or in Notepad++ yields very little value.  Looks like it may be encrypted.  You may want to save that file on a thumb drive or something because we’ll be coming back to it in a later adventure.

Next time, we’ll look at gathering network data that actually means something and how to use our REMnux tools to “feed” malware what it thinks is good network traffic.

Danielle Eve’s Guide to Malware Reverse Engineering:  Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior

 

 

Prologue from the Girl

me-newWell, this week was interesting.  I managed to pick up some good stuff from Ikea, specifically some counter space in the form of a Stenstorp kitchen cart.  I used the heck out of it too.  This weekend alone I’ve made two pork roasts and some killer garlic mashed potatoes (honorable mention to my Kitchen Aid Mixer).

A couple of weeks ago, I started pricing out my surgeries and getting my consultations done.  Good grief fixing nature’s screw up is turning out to be mighty expensive.  Oh, and I bought some new hair, yay for me.  With any luck, by my next post it will be here.

I bought a new plant, a money tree and friend for Yoda, my Cycad Palm.  I’m naming her Rey, in honor of Daisy Ridley’s Star Wars character.  Ahhh. . . Rey.  I’m also working on some fairy lanterns using a tutorial on Pixie Hill blog by Nichola (link below).

 

http://blog.pixiehill.com/2015/12/fairy-lantern-with-tutorial.html

If I have pictures in April for these, then it went well with my nonexistent art skills. Otherwise, forget I mentioned it. 🙂

 

Using ProcDot, Process Monitor, and Wireshark to Analyze Malware Behavior

Today we’ll be working exclusively in our Windows Reverse Engineering VM.  The VM has pretty much everything we need.

So, today’s malware specimen is an easy one.  Brbbot.exe

I chose this one because the behavioral analysis is pretty straightforward and it’s a well-known malware binary.  Also, it happens to be one of the best ones picked for educational purposes in the SANS GREM course.

This particular malware is available on the Cuckoo project page malwr.com.  You will need to sign up for a login in order to download it.

https://malwr.com/analysis/NjQ4MGZiMzBiNWYzNDJjYmJmNjcyZTg2OGQ3NmVhZTM/

Once you’ve downloaded the binary, we can begin.

NOTE:  If you don’t have procmon from sysinternals, please download and unzip it from the following location.

https://download.sysinternals.com/files/ProcessMonitor.zip

 

Make sure that your Windows Reversing VM is connected to the host only network.  Also, if you just installed process monitor, you might want to refresh your initial clean snapshot with it actually on the system.

Okay, first order of business, we need a runnable executable.  While cuckoo does download the file in its original PE format, you’ll need to rename it.  For this exercise, we’re going to use the name brbbot.exe.  So rename b9cfd5f89bd282452f82cc8d323f39c6932e55cab98065bb3c2cf97bb585dc2d.bin to brbbot.exe.  It should be in your downloads folder, and that’s fine for this exercise.  Normally you’ll want to store it in a malware directory.  Just makes it easier to identify log entry data.

Next, launch process hacker.  We want to be able to see brbbot run and kill it as needed.

3 - process hacker startup

Start procmon.exe (wherever you decided to unzip it).  You’ll want to run procmon in administrator mode.  Procmon will automatically start capturing, but we really want a clean capture, so hit the capture button procmoncapture and clear button procmonclear to turn off and clear the buffer.  Make certain that you configure procmon to present the data into the export file the way that procdot needs it.  Basically you’ll need to present it as follows.

  • Make sure that the show resolved addresses is disabled under the options menu.

1 - procmon - Show Resolved NA

  • Make certain that the thread id is turned on and the sequence number is off under options->Select columns.  The following screenshot shows what columns to use.

2 - procmon column set

Next, fire up WireShark.

Go ahead and start the wireshark capture by clicking on your Ethernet interface.  Then start the procmon capture by clicking the capture button.

Wireshark-Startup

Right click on brbbot.exe in your Downloads folder and choose “Run As Administrator.”

It will show up as below in your process hacker window.  Let it run for a minute or so.  This should give us good data in our buffers.

proc-hacker-brbbot-run

After it’s been running for a while, go ahead and right click on brbbot.exe in process hacker and select terminate.

brbbot-terminate

Stop the wireshark capture and the procmon capture once brbbot.exe no longer appears in process hacker.

Now, click on File->Save in Wireshark and save the resulting file as a tcpcump (pcap) file to your documents folder.

wireshark-save

Save the procmon file as a csv file using the filters, as shown below.

procmon-save

Next, fire up ProcDot and let’s see what we get.  Select the CSV File and the PCAP files we just saved in the procdot interface, then click the ellipsis button for the Launcher.  Procdot will analyze the procmon csv and present some executables.  Select brbbot.exe.

procdot-process-select

Now, hit the refresh button to the right and watch the magic happen.  You should get something like this.  As  you can see, it shows you the different activities and artifacts that brbbot executes and creates in a nice graphical perspective.

Screenshot from 2016-02-29 12_59_36

Next time we’ll start the analysis of the data and look at our next steps of improving our behavioral analysis of this executable.

See you next time, same bat time, same bat channel.

Danielle Eve’s Guide to Malware Reverse Engineering Day 3: Installing Windows for REM

Prologue from the Girl

withbadge

The Holiday break is over and we are now on with mighty joint!  Sigh, no one makes movies like Mel Brooks.

Anyway, in deference to my wife and daughter who just weren’t ready for the social stress of me presenting female at the family gathering, I spent 6 miserable days in Atlanta as “the reluctant drag king.”  I will NEVER do that again.  I have come way too far.  It’s hard on them I know, but the reality is that we have all resolved to stay together through this.  We all have a lot of adjusting to do.  That being said, they are the greatest just for trying to make this work and I love them with all of my heart.  My boys too.

On the lighter side, our CIO and HR department sent me flowers about a week after I started transitioning in the workplace.  It really was amazing.

We have gone to see The Force Awakens twice since my last post.  Yay!!! Rey is cool.  I think I’m in love with Daisy Ridley, in a movie star kind of way.  I think she put Finn in the friend zone at the end, so there may be hope. Ha ha. . . I’m pretty sure she’s straight.  Not to mention I’m married and I like having a head on my shoulders.

 

Moving on to our topic at hand, Installing Windows on our system for reverse engineering.

Installing Windows on our Virtual Box Setup

A couple of items of note.  When we create this windows virtual machine we need to start the process using NAT networking.  This is important for a few reasons.  First and foremost, we need to activate windows.  Secondly, we have some tools that we need to download and install.  Patching the system isn’t my primary concern as we will be using generally “off-line” anyway.  The scope of these tutorials is to focus on malicious binary analysis.  Web based exploits like cross-site scripting (XSS) and JavaScript obfuscation will wait for a later date.

Go ahead and create a new virtual machine in VirtualBox.  I call mine REM Windows 8.  I chose Windows 8 (64-bit).  We’ll assume that you are using Windows 8 64-bit for the purposes of this tutorial.  The same essential approach applies to Windows 10 as well in terms of Machine set up.  Obviously, you would choose Windows 10 in that case.

windows-8-vm-create-1

I have a copy of the Windows 8.1 Pro ISO as I purchased that from Microsoft.  If you haven’t had a chance to create a Windows 8.1 ISO, you’ll need to do so from a Microsoft Windows machine.  If you don’t have one, go to a friend’s house.  You can use the Windows Media created located at the following address to create your ISO.

http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

Go ahead and give the VM 2 GB of RAM.  You shouldn’t need much more than that to do effective reverse engineering.  If so, you can always increase it later.  If you don’t have much RAM in your reversing workstation, then there will be performance degradation as the host system will swap your VM processes to disk in order to accommodate larger RAM settings.

windows-8-vm-create-2.png

For the hard disk, choose Create virtual hard disk now.  Don’t worry about where it says 25.00GB, we’ll be setting the hard disk size later.

windows-8-vm-create-3.png

I choose VDI format for the disk.  This is the native image format for VirtualBox.  I typically choose it in this instance to make sure that any future releases that may have new goodies we can do with the disk are compatible.  You can choose VMDK if you want a VMWare compatible disk, but I don’t see any value in this instance.  If you want to move the VM, you can export it to an OVA.

windows-8-vm-create-4

I typically choose dynamically allocated for the disk, this incurs a minor performance hit during processing, but allows us to create the disk quickly and for our purposes, the performance hit is negligible.

windows-8-vm-create-5

Finally, I am going to select 100GB in this instance for the disk size.  Mind you virtual box will only allocate what is needed as it is used because we selected dynamic allocation.

windows-8-vm-create-6

And Click Create.

Now, before we start up the vm, we need to open the settings and make two changes.

  • Change the Networking to NAT. windows-8-vm-create-7
  • Attach the Windows 8 ISO to the virtual machine so it boots and installs windows 8.windows-8-vm-create-8windows-8-vm-create-9

Installing Windows 7/8/10

I will NOT go through the details of the windows installation for two reasons.  One, this is a vanilla installation, it shouldn’t require rocket science.  Two, if you can’t handle a basic windows installation inside of Virtual Box, then these guides probably aren’t for you.  We’re going to get into advanced topics in these guides like assembly, code obfuscation, and data/code encryption.  You really need to have a solid background in computing to do this.  I recommend some background in forensics or at least some training.

I use the local username of REM for the windows username by the way.

Make sure you have your activation key handy, you are in NAT networking mode, and you activate the system.  This last is vitally important as we only want to do this once.  Once windows is installed, we’re going to download the tools listed below.

Reversing Software

Java 1.7
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u80-oth-JPR

ExeInfo PE
http://sourceforge.net/projects/exeinfope/files/

Capture Bat
https://www.honeynet.org/node/315

OllyDbg (get both versions 1 and 2)
http://www.ollydbg.de/

Scylla
https://tuts4you.com/download.php?view.3503

CFF Explorer
http://www.ntcore.com/exsuite.php

RegShot
http://sourceforge.net/projects/regshot/

Fiddler
http://www.telerik.com/fiddler

Bintext
http://www.mcafee.com/us/downloads/free-tools/bintext.aspx

Process Hacker
http://processhacker.sourceforge.net/

SSView
http://www.mitec.cz/ssv.html

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

PE Studio
https://www.winitor.com/

ProcDot
http://www.procdot.com/

Mandiant Redline
https://www.fireeye.com/services/freeware/redline.html

HashTab
http://implbits.com/products/hashtab/

SetDLLCharacteristics
http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

ActivePython
http://www.activestate.com/activepython

IDA Pro Freeware

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Firefox

https://www.mozilla.org/en-US/firefox/new/

Wireshark

http://www.wireshark.org/

Update:  I missed a few dependencies.

GraphViz

http://graphviz.org

WinDump

http://winpcap.org/windump

 

Once we’ve activated the system and downloaded the tools above, go ahead and install the VirtualBox Additions per the VirtualBox instructions.

Now, set the networking to internal, use the name “intnet” for the network name.

windows-8-vm-create-10

Once you’ve done that, go ahead and create your clean snapshot.

windows-8-vm-create-11

Aaaaaaand. . . .you’re done.  Next time, we’ll look at some basic behavioral analysis techniques.