Danielle Eve’s Guide to Reverse Engineering Malware – Day 4: Looking at Behavioral Data (RegShot, ProcDot, Wireshark)


Notes from the Girl

Well it’s been a bit of a long haul these past couple of months.  After the recent round of layoffs at my employer, I’m currently acting as Director of application ops for our corporate systems (accounting and HR) rather than doing IR.  If this continues long term, my skills will get seriously rusty.  I am starting to see accounting ledger sheets in my sleep.

In any event, on the more personal side of things, I’ve gone back to Blonde hair rather than the darker color I had switched to in March (the darker shown in the picture).  My wife, Reg (short for Regina), has made it clear that the color was too dark for me.  I’m just happy that she expressed an opinion.  We’re still rocking and rolling.  It’s always awesome to see love take a front seat to fear.  Speaking of which, what’s up with these bathroom laws people?  I just wanna pee.  Like a woman.  I don’t want to be in the men’s room.  This crap is silly.  Well, I hope the good people of North Carolina and Mississippi (as of this writing) are prepared to have men like Buck Angel in the women’s restroom.  If you don’t know who Buck Angel is, google it.

If “peeping Tom’s” are your concern, make it a crime to peek at someone in the restroom. Oh, wait, that’s already a crime in both North Carolina and Mississippi (GSNC § 14-202, MSC § 97-29-61).  If rape is your concern, I have to tell you, any transwoman who has been on HRT for more than a month hasn’t a hope in hell of being able to rape anyone.  Wait, rape is illegal too, in North Carolina and Mississippi even.  So what were these bathroom bills supposed to prevent?  Nothing that wasn’t already illegal.  The reality is that they are designed to make transition as uncomfortable as possible for transwomen.  Not for transmen mind you.  Again, go look at Buck Angel.  Who is going to challenge him in the men’s room?

All in all, the last two months have been a little depressing.  But, I am surviving.  As my mother and step-mother have both told me many times, this, too, shall pass.

Oh, one other thing, my Faerie Lanterns turned out great.  My daughter stole them for her room.  Grrr. . . .

On with this week’s discussion. Interpreting ProcDot, RegShot, and Wireshark data from our behavioral capture.

Looking at ProcDot, RegShot, and Wireshark Data

Last week, we launched brbbot.exe in order to get some data. Unfortunately, this didn’t result in any real information on the network, but we did see some behaviors in our Process Monitor capture that showed up in ProcDot when we analyzed the results. Part of this information showed some registry changes, new files, and a few other things. Unfortunately, we didn’t do a careful registry capture that would allow us to see the changes clearly. Not to worry: this week, we’re going to make that happen. So, go ahead, if you haven’t already, and revert your Windows Reverse Engineering VM to the known good state. Next, you’ll want to change your network properties as follows (I’m using Argon Network Switcher for convenience, but you can set these values in the control panel just as easily).

argon

Now, start your REMnux installation as well and make sure it’s reverted to the most recent known good snapshot. Then, in REMnux, open a terminal window and type myip. You should see something like the screenshot below.

myip

If you don’t have 192.168.244.129 as your IP on your REMnux workstation, then make sure you change it. You can do so with the following command:
sudo ifconfig eth0 192.168.244.129 netmask 255.255.255.0

Right, now, like last time (Day 4), go back to your Windows reversing workstation and start Process Hacker and Wireshark. Your screen should look something like this:

ph-ws-screen-cap

Now fire up RegShot, click 1st shot, and select Shot. We take this first shot before starting Procmon because RegShot creates a lot of noise in Procmon, and the number of entries will likely crash Procmon on our VM given our limited resources.

regshot1

Now, start your Wireshark capture and Procmon like we did last time, then right click brbbot.exe and click Run As Administrator. We’ll let that run for about 3 minutes and then we’ll kill it by right clicking it in Process Hacker and selecting Terminate.

Now, let’s stop our captures and save our Procmon and Wireshark data. Don’t forget to save the Procmon data as a CSV and not PML. Close Procmon and Wireshark. Once you’ve verified that brbbot.exe is no longer executing, close Process Hacker. Now, in RegShot, click 2nd shot. Then click Compare. This will open up Notepad and give you a listing of changed registry keys since the 1st shot. Minimize this and keep it handy; we’ll be referring to it soon. Go ahead and load up your brbbot captures in ProcDot and we’ll see what we get. You should see something like what is below.

brbbot-procdot

 

You’ll notice a few things.  Indicated in the upper right corner of our procdot screen, right after it started, BRBBot created a new file in C:\Windows\System32 called brbbot.exe.  This is actually a copy of the program itself to be used for later purposes.  This is good to know as it can be used as an IOC (Indicator of Compromise).

Also, it added itself to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. This gives it an autostart. It also created C:\Windows\System32\config\SOFTWARE.LOG2. This is an indication of the modifications to the software hive. The registry system creates backups when the registry is modified.

We can also see that it created brbconfig.tmp and modified several other registry entries.  We’ll come back to brbconfig.tmp, but let’s look at the registry changes.  Lucky for us, we actually have registry captures to see the changes.
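The same findings can be pulled straight out of the Procmon CSV without the graph. The script below is an added example, not part of the original post: it assumes Procmon's default CSV column names, and every sample row is constructed (the brbconfig.tmp location and the explorer.exe row are made up).

```python
import csv
import io

# Constructed rows in Procmon's CSV export layout (not a real capture); the
# brbconfig.tmp location and the explorer.exe row are made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","brbbot.exe","2312","WriteFile","C:\Windows\System32\brbbot.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","brbbot.exe","2312","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot","SUCCESS","Type: REG_SZ, Length: 62, Data: C:\Windows\system32\brbbot.exe"
"10:01:02.4","brbbot.exe","2312","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:02.6","brbbot.exe","2312","WriteFile","C:\Users\REM\Desktop\brbconfig.tmp","SUCCESS","Offset: 0, Length: 512"
"10:01:02.7","brbbot.exe","2312","WriteFile","C:\Users\REM\Desktop\denied.bin","ACCESS DENIED",""
"10:01:03.0","explorer.exe","1980","WriteFile","C:\Users\REM\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

WRITE_OPS = {"WriteFile": "file", "RegSetValue": "registry"}
AUTORUN_MARKER = "\\currentversion\\run"  # matches Run and RunOnce


def candidate_iocs(csv_text, process_name):
    """Successful file writes and registry value sets made by one process."""
    found = {"file": [], "registry": [], "autorun": []}
    # A CSV saved by Procmon may start with a byte-order mark; drop it if present.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() != process_name.lower():
            continue
        kind = WRITE_OPS.get(row["Operation"])
        if kind is None or row["Result"] != "SUCCESS":
            continue  # reads, queries and failed writes are not evidence of change
        path = row["Path"]
        if path not in found[kind]:
            found[kind].append(path)
        if kind == "registry" and AUTORUN_MARKER in path.lower():
            data = row["Detail"].partition("Data: ")[2]
            found["autorun"].append((path, data))
    return found


if __name__ == "__main__":
    for kind, items in candidate_iocs(SAMPLE_CSV, "brbbot.exe").items():
        print(kind, items)
```

When reading a real export from disk, open it with encoding="utf-8-sig" and pass the file contents to candidate_iocs.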

As you can see the below registry key was created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Windows\system32\brbbot.exe"

This is to survive reboot.

There were several other keys touched.  Go through each one in your registry and your regshot data and see if you can find out what was changed on each one, if anything.  Also, at the end of the regshot data is a listing of files that were modified or created.  A couple of things to note, brbbot.exe looks at the ProxyEnable and the ProxyBypass settings.  It’s probably a good bet that it will set a bypass if ProxyEnable is set to 1.  That’s just hypothetical, but if you want to find out, restore your initial known good snapshot, set an internet proxy in your internet options and re-run the same test.  Let me know how it turns out.
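To go through the RegShot data systematically rather than by eye, the compare report can be parsed section by section. This is an added example, not from the original post: it assumes the plain-text report layout of dashed rules around "Section name: count" headers, and the sample report is constructed (the ExampleVendor value is made up).

```python
import re

SECTION = re.compile(r"^([A-Z][A-Za-z \[\]?]*):\s*(\d+)$")   # e.g. "Values added: 2"
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
BINARY_EXT = (".exe", ".dll", ".sys")

# Constructed excerpt in the layout of a RegShot plain-text compare report;
# only the Run value and the two file names come from the walkthrough above.
SAMPLE_REPORT = r'''
----------------------------------
Values added: 2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot: "C:\Windows\system32\brbbot.exe"
HKLM\SOFTWARE\ExampleVendor\Installed: 0x00000001
----------------------------------
Files added: 2
----------------------------------
C:\Windows\System32\brbbot.exe
C:\Windows\System32\config\SOFTWARE.LOG2
----------------------------------
Total changes: 4
'''


def parse_report(text):
    """Map each section title ('Values added', ...) to its list of entries."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank lines and the dashed rules carry no data
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None:
            current.append(line)
    return sections

def persistence_findings(sections):
    """Return ({autorun value: data}, [new binaries]) from a parsed report."""
    autoruns = {}
    for title in ("Values added", "Values modified"):
        for entry in sections.get(title, []):
            name, sep, data = entry.partition(": ")
            if sep and AUTORUN.search(name):
                autoruns[name] = data.strip('"')
    binaries = [f for f in sections.get("Files added", []) if f.lower().endswith(BINARY_EXT)]
    return autoruns, binaries

if __name__ == "__main__":
    print(persistence_findings(parse_report(SAMPLE_REPORT)))
```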

Okay, so you can also look at brbconfig.tmp.  Unfortunately, opening it in notepad or in Notepad++ yields very little value.  Looks like it may be encrypted.  You may want to save that file on a thumb drive or something because we’ll be coming back to it in a later adventure.

Next time, we’ll look at gathering network data that actually means something and how to use our REMnux tools to “feed” malware what it thinks is good network traffic.

Danielle Eve’s Guide to Malware Reverse Engineering Day 3: Installing Windows for REM

Prologue from the Girl

The Holiday break is over and we are now on with mighty joint!  Sigh, no one makes movies like Mel Brooks.

Anyway, in deference to my wife and daughter who just weren’t ready for the social stress of me presenting female at the family gathering, I spent 6 miserable days in Atlanta as “the reluctant drag king.”  I will NEVER do that again.  I have come way too far.  It’s hard on them I know, but the reality is that we have all resolved to stay together through this.  We all have a lot of adjusting to do.  That being said, they are the greatest just for trying to make this work and I love them with all of my heart.  My boys too.

On the lighter side, our CIO and HR department sent me flowers about a week after I started transitioning in the workplace.  It really was amazing.

We have gone to see The Force Awakens twice since my last post.  Yay!!! Rey is cool.  I think I’m in love with Daisy Ridley, in a movie star kind of way.  I think she put Finn in the friend zone at the end, so there may be hope. Ha ha. . . I’m pretty sure she’s straight.  Not to mention I’m married and I like having a head on my shoulders.

 

Moving on to our topic at hand, Installing Windows on our system for reverse engineering.

Installing Windows on our Virtual Box Setup

A couple of items of note. When we create this Windows virtual machine we need to start the process using NAT networking. This is important for a few reasons. First and foremost, we need to activate Windows. Secondly, we have some tools that we need to download and install. Patching the system isn’t my primary concern as we will generally be using it “off-line” anyway. The scope of these tutorials is to focus on malicious binary analysis. Web based exploits like cross-site scripting (XSS) and JavaScript obfuscation will wait for a later date.

Go ahead and create a new virtual machine in VirtualBox.  I call mine REM Windows 8.  I chose Windows 8 (64-bit).  We’ll assume that you are using Windows 8 64-bit for the purposes of this tutorial.  The same essential approach applies to Windows 10 as well in terms of Machine set up.  Obviously, you would choose Windows 10 in that case.

windows-8-vm-create-1

I have a copy of the Windows 8.1 Pro ISO as I purchased that from Microsoft. If you haven’t had a chance to create a Windows 8.1 ISO, you’ll need to do so from a Microsoft Windows machine. If you don’t have one, go to a friend’s house. You can use the Windows media creation tool located at the following address to create your ISO.

http://windows.microsoft.com/en-us/windows-8/create-reset-refresh-media

Go ahead and give the VM 2 GB of RAM.  You shouldn’t need much more than that to do effective reverse engineering.  If so, you can always increase it later.  If you don’t have much RAM in your reversing workstation, then there will be performance degradation as the host system will swap your VM processes to disk in order to accommodate larger RAM settings.

windows-8-vm-create-2.png

For the hard disk, choose Create virtual hard disk now.  Don’t worry about where it says 25.00GB, we’ll be setting the hard disk size later.

windows-8-vm-create-3.png

I choose VDI format for the disk.  This is the native image format for VirtualBox.  I typically choose it in this instance to make sure that any future releases that may have new goodies we can do with the disk are compatible.  You can choose VMDK if you want a VMWare compatible disk, but I don’t see any value in this instance.  If you want to move the VM, you can export it to an OVA.

windows-8-vm-create-4

I typically choose dynamically allocated for the disk. This incurs a minor performance hit during processing, but it allows us to create the disk quickly, and for our purposes the performance hit is negligible.

windows-8-vm-create-5

Finally, I am going to select 100GB in this instance for the disk size. Mind you, VirtualBox will only allocate what is needed as it is used because we selected dynamic allocation.

windows-8-vm-create-6

And Click Create.

Now, before we start up the vm, we need to open the settings and make two changes.

  • Change the Networking to NAT.
  • Attach the Windows 8 ISO to the virtual machine so it boots and installs Windows 8.

Installing Windows 7/8/10

I will NOT go through the details of the windows installation for two reasons.  One, this is a vanilla installation, it shouldn’t require rocket science.  Two, if you can’t handle a basic windows installation inside of Virtual Box, then these guides probably aren’t for you.  We’re going to get into advanced topics in these guides like assembly, code obfuscation, and data/code encryption.  You really need to have a solid background in computing to do this.  I recommend some background in forensics or at least some training.

I use the local username of REM for the windows username by the way.

Make sure you have your activation key handy, you are in NAT networking mode, and you activate the system.  This last is vitally important as we only want to do this once.  Once windows is installed, we’re going to download the tools listed below.

Reversing Software

Java 1.7
http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u80-oth-JPR

ExeInfo PE
http://sourceforge.net/projects/exeinfope/files/

Capture Bat
https://www.honeynet.org/node/315

OllyDbg (get both versions 1 and 2)
http://www.ollydbg.de/

Scylla
https://tuts4you.com/download.php?view.3503

CFF Explorer
http://www.ntcore.com/exsuite.php

RegShot
http://sourceforge.net/projects/regshot/

Fiddler
http://www.telerik.com/fiddler

Bintext
http://www.mcafee.com/us/downloads/free-tools/bintext.aspx

Process Hacker
http://processhacker.sourceforge.net/

SSView
http://www.mitec.cz/ssv.html

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

PE Studio
https://www.winitor.com/

ProcDot
http://www.procdot.com/

Mandiant Redline
https://www.fireeye.com/services/freeware/redline.html

HashTab
http://implbits.com/products/hashtab/

SetDLLCharacteristics
http://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

ActivePython
http://www.activestate.com/activepython

IDA Pro Freeware

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Firefox

https://www.mozilla.org/en-US/firefox/new/

Wireshark

http://www.wireshark.org/

Update:  I missed a few dependencies.

GraphViz

http://graphviz.org

WinDump

http://winpcap.org/windump

 

Once we’ve activated the system and downloaded the tools above, go ahead and install the VirtualBox Additions per the VirtualBox instructions.

Now, set the networking to internal, use the name “intnet” for the network name.

windows-8-vm-create-10

Once you’ve done that, go ahead and create your clean snapshot.

windows-8-vm-create-11

Aaaaaaand. . . .you’re done.  Next time, we’ll look at some basic behavioral analysis techniques.