2019-2020-4 20175121 Yang Bo "Network Countermeasure Technology" Exp4 Malicious Code Analysis

Label: malicious code


1. Practical goals

1. Practice objects

  • The backdoor from Experiment 2, meter_backdoor.exe

2. Practice content

  • System operation monitoring
    • Use, for example, scheduled tasks to record every minute which programs on the computer are connected to the Internet and which external IPs they connect to. Run this for a period of time, then analyse the file and summarize the results. Objective: find out the connections and activity of all networked programs, judge whether each is appropriate and reasonable, and capture packets for further analysis;
    • Install and configure the sysinternals tool sysmon, write a reasonable configuration file, and focus on monitoring the host for suspicious behaviour;
    • Analysing the actual log also requires some creativity, combined with previously learned knowledge such as Linux text-processing commands (the difficulty is finding patterns in a large amount of data and spotting the problem).
  • Malware analysis
    • Analyse the backdoor software while it connects back to the target machine, plus any other operations (such as process migration or screen capture) performed after it starts and connects:
      • What registry entries have been read, added, or deleted;
      • What files have been read, added, or deleted;
      • What external IPs are connected and what data is transmitted (packet capture analysis).

2. Basic knowledge

1. Practice requirements

  • Monitor the running status of your own system to see whether suspicious programs are running;
  • When analysing malware, analyse the backdoor software generated in Exp2 or Exp3; for analysis tools, use native commands or the sysinternals / systracer suite as much as possible;
  • If in future work you suspect your host has a problem, you can apply the idea of this experiment: first monitor the whole system to see whether suspicious objects can be found, then analyse the suspicious objects further to confirm their specific behaviour and nature.

2. Instruction parameters

  • schtasks: schedule commands and programs to run periodically or at a specified time
    • /TN: task name, here schtasks5121
    • /sc: schedule type, here MINUTE, i.e. the interval is counted in minutes
    • /MO 1: modifier for the schedule type, here every 1 minute
    • /TR: the command to run
    • netstat -bn: -b shows the executable that created each connection, -n shows addresses and port numbers in numeric form
    • >: output redirection to the output file path, here c:\netstatlog.txt
    • Full command: schtasks /create /TN schtasks5121 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"

3. Preliminary knowledge

  • MAL_Dynamic analysis_Windows scheduled tasks schtasks
  • Principle and Implementation of Microsoft Lightweight Monitoring Tool sysmon
  • Analysis tools
    • Schtasks schedules commands and programs to run periodically or at a specified time
    • Excel imports the data recorded by the schtasks job and uses tables to generate statistics
    • Sysmon uses a system service and driver to record process creation, file access, and network information (Windows log events)
    • Wireshark captures and analyses the network protocols (TCP, ICMP, etc.) used when the malicious code connects back to the server (Kali)
    • SysTracer tracks and monitors modification behaviour across the entire system and compares snapshots
    • PEiD detects packed files (packer type and signature)
    • VirusTotal analyses malicious code online (corresponding system files and registry)

3. Practice steps

1. System operation monitoring

  • Use the schtasks command schtasks /create /TN schtasks5121 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to add the scheduled task

  • Create a new file schtasks5121.txt and enter:
    date /t >> c:\netstat20175121.txt
    time /t >> c:\netstat20175121.txt
    netstat -bn >> c:\netstat20175121.txt
  • Save and exit, change the extension so the file becomes schtasks5121.bat, and copy it to the root of the C drive
  • Task scheduler

  • Run the task so that netstat starts recording in the background, and keep using the computer normally. After about two hours, open netstat20175121.txt in the root of the C drive to view the data. The programs that appeared (friendly name and image):

    Netease cloud music: cloudmusic.exe
    Office: Excel.exe
    Experiment 2 backdoor: meter_backdoor.exe
    NVIDIA graphics card driver: nvcontainer.exe
    Windows: svchost.exe
    VMware Workstation Pro: vmware.exe, vmware-authd.exe, vmware-hostd.exe
    WeChat: wechat.exe
    System push notification service: Wpnservice.exe

  • The VMware virtual machine was the most used program during this period, which matches actual usage
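Step 1.3 (section 2.1) asks for text processing of the netstat log rather than reading it by eye. The following Python script is an added example, not part of the original report: it parses the date /t, time /t and netstat -bn blocks that schtasks5121.bat appends, attributes each connection row to the [image.exe] line that netstat -b prints under it, and flags images that are not in a baseline of known programs. The sample log, the addresses, the port 4444 peer and the date layout are constructed for the example; the baseline is the program list observed above, minus the backdoor.

```python
import re
from collections import defaultdict
# Constructed sample in the format written by schtasks5121.bat (date /t, time /t, netstat -bn);
# the addresses, the port 4444 peer and the "Sun" date layout are made up for this example.
SAMPLE_LOG = """\
2020/04/12 Sun
14:03
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49723      203.0.113.10:443       ESTABLISHED
 [cloudmusic.exe]
  TCP    192.168.1.5:49800      198.51.100.7:4444      ESTABLISHED
 [meter_backdoor.exe]
  TCP    127.0.0.1:49801        127.0.0.1:49802        ESTABLISHED
 [vmware-hostd.exe]
2020/04/12 Sun
14:04
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49800      198.51.100.7:4444      ESTABLISHED
 [meter_backdoor.exe]
  UDP    0.0.0.0:5353           *:*
 [cloudmusic.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")  # netstat -b prints [image.exe] below the row(s) it owns
TIME_RE = re.compile(r"^\d{1,2}:\d{2}\s*$")

def parse_netstat_log(text):
    """Return (timestamp, proto, local, remote, state, image) tuples, one per connection row."""
    records, pending, date, stamp = [], [], "", ""
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:  # hold the row until netstat tells us which image owns it
            pending.append([stamp, m.group(1), m.group(2), m.group(3), m.group(4) or ""])
        elif OWNER_RE.match(line):
            records.extend(tuple(r + [OWNER_RE.match(line).group(1)]) for r in pending)
            pending = []
        elif TIME_RE.match(line):
            stamp = f"{date} {line.strip()}"
        elif "/" in line:  # date /t line; its exact layout depends on the Windows locale
            date = line.strip()
    return records

def summarize(records, known_images):
    """Distinct non-loopback TCP peers per image; the flag is True for images outside the baseline."""
    peers = defaultdict(set)
    for _, proto, _, remote, _, image in records:
        if proto == "TCP" and not remote.startswith("127."):
            peers[image].add(remote)
    return {img: (sorted(p), img.lower() not in known_images) for img, p in peers.items()}

KNOWN_IMAGES = {"cloudmusic.exe", "excel.exe", "nvcontainer.exe", "svchost.exe", "vmware.exe",
                "vmware-authd.exe", "vmware-hostd.exe", "wechat.exe", "wpnservice.exe"}  # section 3.1 list minus the backdoor
```

Running summarize(parse_netstat_log(open(r"c:\netstat20175121.txt").read()), KNOWN_IMAGES) on the real log gives, per program, the external peers it talked to and whether the program was expected at all; here only meter_backdoor.exe is flagged.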

  • Download SysinternalsSuite.zip and unzip

  • Because the system is 64-bit, choose Sysmon64.exe; right-click it and open Properties > Details to see the product version. In the directory where SysinternalsSuite was unzipped, create sysmon20175121.xml, open it as a text file, enter the code below, save and exit

  • The content of sysmon20175121.xml is as follows (change the version to the version number of the Sysmon you downloaded)

<Sysmon schemaversion="10.12">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Log every network connection except those made by the browsers below, -->
    <!-- NetBIOS name-service traffic from port 137, and loopback connections -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <!-- the Internet Explorer binary is iexplore.exe; "iexplorer.exe" would never match -->
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Log remote thread creation only when the target is one of these system -->
    <!-- processes or the source is powershell.exe (filters in a block are OR'd) -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

  • Run CMD as administrator and, in the directory containing Sysmon64.exe, execute Sysmon64.exe -i sysmon20175121.xml

  • Click Agree; the installation succeeds
  • In Event Viewer (Local) -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational, check the events recorded according to the sysmon20175121.xml configuration: process ID, image path and other process information
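Whether a given connection or thread injection ends up in the Sysmon Operational log depends on how the exclude and include blocks above are evaluated. The following Python script is an added example, not part of the original report or of Sysmon itself: it loads a trimmed copy of the sysmon20175121.xml rules (DriverLoad omitted) and applies Sysmon's matching semantics to constructed events, including the backdoor calling home and a thread injected into a process that the include list does not cover. Paths and addresses in the events are made up.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the report's sysmon20175121.xml: the NetworkConnect exclude block and the
# CreateRemoteThread include block (DriverLoad omitted). Sample events below are constructed.
CONFIG = """<Sysmon schemaversion="10.12">
  <EventFiltering>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>"""

def load_rules(xml_text):
    """Map event type -> (onmatch, [(field, condition, value), ...])."""
    rules = {}
    for event in ET.fromstring(xml_text).find("EventFiltering"):
        rules[event.tag] = (event.get("onmatch"),
                            [(f.tag, f.get("condition", "is"), f.text.strip()) for f in event])
    return rules

def _matches(condition, actual, expected):
    a, e = actual.lower(), expected.lower()  # Sysmon compares case-insensitively
    return {"is": a == e, "is not": a != e, "contains": e in a,
            "begin with": a.startswith(e), "end with": a.endswith(e)}[condition]

def is_logged(rules, event_type, fields):
    """Sysmon semantics for one event: filters in a block are OR'd; 'exclude' drops the event when
    any filter hits, 'include' keeps it only when one does. None = no rule, Sysmon's default applies."""
    if event_type not in rules:
        return None
    onmatch, filters = rules[event_type]
    hit = any(f in fields and _matches(c, fields[f], v) for f, c, v in filters)
    return not hit if onmatch == "exclude" else hit

RULES = load_rules(CONFIG)
# Constructed events: the backdoor calling home, a loopback connection, and two thread injections.
BACKDOOR_NET = {"Image": r"C:\Users\user\meter_backdoor.exe", "SourceIp": "192.168.1.5", "SourcePort": "49800"}
LOOPBACK_NET = {"Image": r"C:\Program Files\VMware\vmware-hostd.exe", "SourceIp": "127.0.0.1", "SourcePort": "49801"}
INJECT_EXPLORER = {"SourceImage": r"C:\Users\user\meter_backdoor.exe", "TargetImage": r"C:\Windows\explorer.exe"}
INJECT_NOTEPAD = {"SourceImage": r"C:\Users\user\meter_backdoor.exe", "TargetImage": r"C:\Windows\notepad.exe"}
```

The last event shows the blind spot of an include list: a migration into notepad.exe produces no CreateRemoteThread event with this configuration, which is one reason the report's later conclusion that Sysmon alone cannot fully monitor the malware holds.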

2. Malware analysis

  • Use the malware (the backdoor program from Experiment 2, connecting back) and analyse the system process patterns from the log information and the Wireshark packet capture
  • Ping packets between the Kali system and the Windows system

  • TCP packets when the MSF reverse connection is established

  • dir: check the files in the backdoor program's directory on disk; the log is not updated

  • getuid: view the user running the server; the log is updated

  • SearchFilterHost.exe is the indexing program of the desktop search engine. It mainly builds quick index files so that users can search for any information on the computer more easily. When the computer is idle it automatically scans the file names, attribute information and file contents of the given categories in the index locations, which by default include the desktop, favourites, start menu and system directories
  • screenshot: screen capture, three log updates

  • webcam_snap: take a picture through the camera, the log is updated twice

  • In general, Sysmon cannot fully monitor the behaviour of malware that circumvents it: deleting the configuration items or unloading the SysmonDrv filter driver bypasses Sysmon, so security software is still very important. From the results of Wireshark's packet capture, the number of protocol packets is mainly determined by the size of the transmitted data (file)
  • Download SysTracer from its download address and install it.
    SysTracer is a security auxiliary tool that integrates HIPS and process behaviour tracking. It can track and monitor the modification behaviour of processes across the entire system, including file operations, registry operations, memory operations and dangerous behaviours. SysTracer can monitor all processes, or a process specified by the user together with its child processes, and provides monitoring logs to help users analyse the behaviour of a specific process. You can take any number of system snapshots at any desired time, compare any pair of snapshots, and observe the differences between them. Taking a snapshot usually takes a few minutes, depending on the number of files and folders and the total number of registry entries.
  • After the download completes, install it; the steps are: Agree -> choose the second option

  • Enter the corresponding port during installation

  • Run SysTracer to take a total of 4 records. To control the variables, Kali stays running throughout; because the backdoor program and the virtual machine are on the C drive and D drive respectively, only the corresponding content is checked, to simplify the analysis
  • Take a snapshot before opening the backdoor: click "take snapshot", under scan select "Only selected items", then click start

  • Snapshot #1: before the malware is implanted
  • Snapshot #2: after implanting the malware
  • Snapshot #3: after the malware connects back
  • Snapshot #4: after MSF operations (sysinfo, screenshot)
  • Snapshot #5: after exiting the malware
  • Click "Applications" at the top -> "Running Processes" on the left -> find the backdoor process "meter_backdoor.exe" to see the corresponding calling process

  • Select the two snapshots to compare at the bottom, click "view differences list" in the lower right corner of the "Snapshots" tab, and compare the changes to the computer before and after the reverse connection

  • Comparing #1 with #2, some registry values are added

  • Comparing #2 with #3, a large number of possibly unrelated registry values and related processes are added

  • Comparing #3 with #4, the MSF instructions performed produced no particularly obvious related changes

  • Comparing #4 with #5, the related processes, files and key values are deleted

  • The backdoor program no longer runs in the background, but the relevant registry values have not changed for the time being (they may be deleted after a restart), so in addition to regularly cleaning junk files from the disk, we also need tools to maintain the registry (repair or delete, etc.)

  • Use VirusTotal to check the malicious code; you can view the MD5, SHA-1, file type, file size, packing method and other related information:
Basic Properties
MD5	c68f5f089544634816ee7d115b327c78
SHA-1	ebde084c4d3de28db835ff3e94edc82ed8e1c299
SHA-256	74b9f08a8edd0180816cb2f232a13502889b517721b94f6e887b4c3fdb1bc24b
Vhash	074046755d151028z2e32tz27z
Authentihash	a9bc27d788fd344262f3bfa898ecd103166d4089444a9752a92752803802fc14
Imphash	481f47bbb2c9c21e108d65f52b04c448
SSDEEP	1536:IqIlIAkIaacFC691zYWzyVBQ66KcMb+KR0Nc8QsJq39:DINkIYCU1xzmQ6qe0Nc8QsC9
File type	Win32 EXE
Magic	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size	72.07 KB (73802 bytes)
History
Creation Time	2009-06-23 12:47:45
First Submission	2020-03-26 04:06:46
Last Submission	2020-03-26 04:06:46
Last Analysis	2020-03-26 04:06:46
Names
meter_backdoor.exe
ab.exe
Signature Info
Signature Verification
 File is not signed
File Version Information
Copyright	Copyright 2009 The Apache Software Foundation.
Product	Apache HTTP Server
Description	ApacheBench command line utility
Original Name	ab.exe
Internal Name	ab.exe
File Version	2.2.14
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Portable Executable Info
Header
Target Machine	Intel 386 or later processors and compatible processors
Compilation Timestamp	2009-06-23 12:47:45
Entry Point	21121
Contained Sections	4
Sections
Name	Virtual Address	Virtual Size	Raw Size	Entropy	MD5
.text	4096	43366	45056	7.01	ec1f468c27a1f0859e9c6cc68db03006
.rdata	49152	4070	4096	5.32	25d7ceee3aa85bb3e8c5174736f6f830
.data	53248	28764	16384	4.41	283b5f792323d57b9db4d2bcc46580f8
.rsrc	86016	1992	4096	1.96	c13a9413aea7291b6fc85d75bfcde381
Imports
ADVAPI32.dll
KERNEL32.dll
MSVCRT.dll
WS2_32.dll
WSOCK32.dll
Contained Resources By Type
RT_VERSION	1
Contained Resources By Language
ENGLISH US	1
Contained Resources
SHA-256	File Type	Type	Language
465417d96548ce85076f6509efac41e5ad02fee2b8f712416e8b6aa08d93c494	Data	RT_VERSION	ENGLISH US
ExifTool File Metadata
CharacterSet	Unicode
CodeSize	45056
Comments	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName	Apache Software Foundation
EntryPoint	0x5281
FileDescription	ApacheBench command line utility
FileFlagsMask	0x003f
FileOS	Win32
FileSubtype	0
FileType	Win32 EXE
FileTypeExtension	exe
FileVersion	2.2.14
FileVersionNumber	2.2.14.0
ImageFileCharacteristics	No relocs, Executable, No line numbers, No symbols, 32-bit
ImageVersion	0.0
InitializedDataSize	40960
InternalName	ab.exe
LanguageCode	English (U.S.)
LegalCopyright	Copyright 2009 The Apache Software Foundation.
LinkerVersion	6.0
MIMEType	application/octet-stream
MachineType	Intel 386 or later, and compatibles
OSVersion	4.0
ObjectFileType	Executable application
OriginalFileName	ab.exe
PEType	PE32
ProductName	Apache HTTP Server
ProductVersion	2.2.14
ProductVersionNumber	2.2.14.0
Subsystem	Windows GUI
SubsystemVersion	4.0
TimeStamp	2009:06:23 13:47:45+01:00
UninitializedDataSize	0

4. Experimental summary and experience

1. Answer basic questions

  • (1) If you suspect there is malicious code on a host at work but are only guessing, and you want to monitor what the system does every day, design which operations you would monitor and what methods you would use.
    • Create a regularly updated log through scheduled tasks and review it
    • Monitor through sysmon.
    • Use the Process Explorer tool to check whether any program loads an abnormal DLL
  • (2) If you have determined that there is a problem with a program or process, what tools do you have to get further information about it?
    • Use a packet capture tool for analysis.
    • Use the SysTracer tool to analyse the changes to the computer's registry, files and ports before and after the program is executed.
    • Use VirusTotal, Virscan and other services for inspection

2. Experimental gains and thoughts

Through this experiment, I have gained some understanding of which processes are working and where they connect while I am not using the computer. By using various tools to monitor and detect whether there is malicious code on your computer, you learn things that antivirus software cannot solve. In the course of the experiment I encountered a variety of problems, and files, processes and the registry were relatively unfamiliar to me. These all need to be resolved patiently. In terms of malicious code detection, our own knowledge reserve is still quite scarce, and we still need to continue to learn and summarize, combine theoretical knowledge with practice, and realize the unity of knowledge and action, in order to move forward in the next study.

Origin www.cnblogs.com/xposed/p/12694224.html