Label: malicious code
1. Practical goals
1. Practice objects
- The backdoor generated in Experiment 2: meter_backdoor.exe
2. Practice content
- System operation monitoring
- Use a scheduled task (or a similar mechanism) to record, once a minute, which programs on the computer have network connections and which external IPs they are connected to. Let it run for a period of time, then analyze the log file and summarize the results. Objective: find out what every networked program connects to and does, decide whether that activity is appropriate and reasonable, and capture packets for further analysis;
- Installation and configuration: install the sysmon tool from sysinternals, write a sensible configuration file, and focus the monitoring on suspicious behaviour on the host;
- Analyzing the resulting log also takes some creativity, combined with what was learned earlier, such as Linux text-processing commands (the difficulty is finding the patterns in a large volume of data and spotting the problem).
- Malware analysis
- Analyze the backdoor software: what it does when it is started and when it connects back to the target machine, and any other operations performed (such as process migration or screen capture);
- Which registry entries are read, added or deleted;
- Which files are read, added or deleted;
- Which external IP is connected to and what data is transmitted (packet capture analysis).
2. Basic knowledge
1. Practice requirements
- Monitor the running state of your own system to see whether suspicious programs are running;
- When analyzing a piece of malware, analyze the backdoor generated in Exp2 or Exp3; use native commands or the sysinternals / systracer suites as the analysis tools as far as possible;
- If in future work you suspect that your host has a problem, the same approach applies: first monitor the whole system to see whether anything suspicious turns up, then analyze the suspicious object further to confirm its specific behaviour and nature.
2. Instruction parameters
schtasks: schedules commands and programs to run periodically or at a specified time
/TN: task name, here schtasks5121
/sc: schedule type, here MINUTE means the interval unit is minutes
/MO 1: modifier, run every 1 unit of the schedule type (i.e. every minute)
/TR: the command line to run
netstat -bn: -b shows the executable that created each connection or listening port (this needs an elevated prompt, otherwise netstat prints "Can not obtain ownership information"), -n shows addresses and ports numerically instead of resolving names
>: output redirection; the output file here is c:\netstatlog.txt
schtasks /create /TN schtasks5121 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"
Note that a single > overwrites the file on every run, so only the last minute survives; the batch file used in the practice steps appends with >> so that the whole history is kept.
3. Preliminary knowledge
- MAL_Dynamic analysis_Windows scheduled tasks schtasks
- Principle and Implementation of Microsoft Lightweight Monitoring Tool sysmon
- Analysis tools
- schtasks schedules commands and programs to run periodically or at a specified time
- Excel imports the data recorded by the scheduled task and produces statistics from the table (pivot chart)
- Sysmon uses a system service and a driver to record process creation, file access and network activity as Windows event log entries
- Wireshark captures and analyzes the network protocols (TCP, ICMP, etc.) when the malicious code connects back to the server (Kali)
- SysTracer tracks and monitors changes made to the whole system and compares snapshots
- PEiD detects packed files (packer type and signature)
- VirusTotal analyzes the malicious code online (including the files and registry keys it touches)
3. Practice steps
1. System operation monitoring
- Create the scheduled task with the schtasks command:
schtasks /create /TN schtasks5121 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"
- Create a new text file schtasks5121.txt and enter:
date /t >> c:\netstat20175121.txt
time /t >> c:\netstat20175121.txt
netstat -bn >> c:\netstat20175121.txt
- Save and exit, rename the extension to schtasks5121.bat and copy the file to the root of the C drive;
- In Task Scheduler, change the task's action to run C:\schtasks5121.bat (the task should run with highest privileges, because netstat -b needs administrator rights to report the owning executable), then run the task so that netstat starts recording in the background, and keep using the computer normally. After about two hours, open netstat20175121.txt in the root of the C drive to view the data;
- Reference tutorial: https://www.cnblogs.com/zjy1997/p/8824717.html. Import the text file into Excel with the table tool and generate a pivot chart.
Programs seen in the pivot chart (process name and the program it belongs to):
- cloudmusic.exe: NetEase Cloud Music
- Excel.exe: Office Excel
- meter_backdoor.exe: the Experiment 2 backdoor
- nvcontainer.exe: NVIDIA graphics card driver
- svchost.exe: Windows service host
- vmware.exe, vmware-authd.exe, vmware-hostd.exe: VMware Workstation Pro
- wechat.exe: WeChat
- Wpnservice.exe: Windows push notification service
- The program seen most often in this period is the VMware virtual machine, which matches actual usage.
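The Excel pivot step above can be done with a script instead, which also makes the "is this connection reasonable" question mechanical. The following is an added example (not part of the original report): it parses the appended date /t, time /t and netstat -bn dumps, counts remote endpoints per program, and flags TCP connections to a non-loopback peer on a port other than plain web/DNS, which is exactly what the backdoor's reverse connection looks like. The log text is constructed for the example; the Kali address 192.168.43.129:4444 and the file/task names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the log written by schtasks5121.bat (date /t, time /t,
# netstat -bn appended once a minute). Not a real capture; 192.168.43.129:4444
# stands in for the Kali handler of the Experiment 2 backdoor.
SAMPLE_LOG = """\
2020/03/26
16:05
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      13.107.42.12:443       ESTABLISHED
 [cloudmusic.exe]
  TCP    192.168.1.5:49813      192.168.43.129:4444    ESTABLISHED
 [meter_backdoor.exe]
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
 [vmware-hostd.exe]
  TCP    192.168.1.5:49901      52.139.250.253:443     ESTABLISHED
  WpnService
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
2020/03/26
16:06
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49813      192.168.43.129:4444    ESTABLISHED
 [meter_backdoor.exe]
  TCP    192.168.1.5:49955      13.107.42.12:443       ESTABLISHED
 [cloudmusic.exe]
  TCP    192.168.1.5:49960      40.90.22.190:443       ESTABLISHED
 Can not obtain ownership information
"""

DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}")                 # output of date /t
TIME_RE = re.compile(r"^\d{1,2}:\d{2}( [AP]M)?\s*$")        # output of time /t
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")                  # [image.exe] line from -b


def parse_netstat_log(text):
    """Turn the appended netstat -bn dumps into one record per connection."""
    records = []
    date = time = ""
    pending = None                      # connection waiting for its [owner] line
    for line in text.splitlines():
        if DATE_RE.match(line):
            date = line.split()[0]      # locale may append the weekday
            continue
        if TIME_RE.match(line):
            time = line.strip()
            continue
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            pending = {"time": f"{date} {time}", "proto": proto, "local": local,
                       "remote": remote, "state": state or "", "process": "(unknown)"}
            records.append(pending)
            continue
        m = OWNER_RE.match(line)
        if m and pending is not None:
            pending["process"] = m.group(1)
            pending = None
        elif "Can not obtain ownership" in line:
            pending = None              # netstat was not elevated for this one
        # other lines (headers, service names under svchost) are skipped
    return records


def summarize(records):
    """process -> Counter of remote endpoints (how often each was seen)."""
    by_process = defaultdict(Counter)
    for r in records:
        by_process[r["process"]][r["remote"]] += 1
    return by_process


COMMON_PORTS = {"80", "443", "53"}


def review_candidates(records):
    """TCP connections to a non-loopback peer on a port that is not web/DNS.

    Deliberately crude: a first cut that a human then checks by hand,
    the same way the pivot chart is read by eye.
    """
    flagged = set()
    for r in records:
        ip, _, port = r["remote"].rpartition(":")
        if r["proto"] != "TCP" or ip in ("127.0.0.1", "[::1]", "*", ""):
            continue
        if port not in COMMON_PORTS:
            flagged.add((r["process"], r["remote"]))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_netstat_log(SAMPLE_LOG)
    for proc, peers in sorted(summarize(recs).items()):
        print(f"{proc:22s} {sum(peers.values()):3d} seen  {dict(peers)}")
    print("review:", review_candidates(recs))
```

On a real two-hour log the counts matter more than the single snapshot: a program that shows the same foreign endpoint every minute for two hours (as the backdoor does here) is keeping a session open, while a browser churns through many short-lived endpoints on port 443.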
- Download SysinternalsSuite.zip and unzip it;
- Because the system is 64-bit, use Sysmon64.exe. Right-click it, open Properties and check the product version under Details, then create sysmon20175121.xml in the SysinternalsSuite directory, open it as a text file, enter the configuration below, save and exit;
- The content of sysmon20175121.xml is as follows (the version number is changed to that of the Sysmon you downloaded; strictly, schemaversion is the configuration schema version, which Sysmon64.exe -s prints, rather than the product version shown in the file properties, so if Sysmon rejects the file with a schema error, use the value printed by -s):
<Sysmon schemaversion="10.12">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Log all drivers except if the signature -->
<!-- contains Microsoft or Windows -->
<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>
<!-- Do not log network connections from the browsers, the NetBIOS -->
<!-- name service (source port 137) or loopback traffic; the image -->
<!-- name of Internet Explorer is iexplore.exe -->
<NetworkConnect onmatch="exclude">
<Image condition="end with">chrome.exe</Image>
<Image condition="end with">iexplore.exe</Image>
<SourcePort condition="is">137</SourcePort>
<SourceIp condition="is">127.0.0.1</SourceIp>
</NetworkConnect>
<CreateRemoteThread onmatch="include">
<TargetImage condition="end with">explorer.exe</TargetImage>
<TargetImage condition="end with">svchost.exe</TargetImage>
<TargetImage condition="end with">winlogon.exe</TargetImage>
<SourceImage condition="end with">powershell.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>
- Run CMD as administrator and, in the directory containing Sysmon64.exe, execute Sysmon64.exe -i sysmon20175121.xml
- Click Agree; the installation succeeds.
- The events are viewed in Event Viewer (Local) > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. Each event recorded according to sysmon20175121.xml carries the process ID, image path and other system information about the process.
2. Malware analysis
- Run the malware (the backdoor from Experiment 2, connecting back to Kali) and relate the process activity in the Sysmon log to the packets captured by Wireshark:
- ping between the Kali system and the Windows system: the ICMP packets are captured;
- MSF reverse connection: the TCP packets of the reverse connection appear when the backdoor connects back;
- dir: lists the files in the backdoor program's directory on disk; the log is not updated;
- getuid: shows the user the server is running as; the log is updated;
- SearchFilterHost.exe appears in the log. It is the indexing program of the desktop search engine, which builds quick index files so that the user can search any information on the computer. When the computer is idle it automatically scans the file names, attributes and content of files of given categories in the index locations, which by default include the desktop, favorites, start menu and system directories;
- screenshot: screen capture; three new log entries;
- webcam_snap: takes a picture with the camera; two new log entries.
- Overall, Sysmon on its own cannot fully monitor malware that makes an effort to evade it: deleting the configuration entries or unloading the SysmonDrv filter driver bypasses Sysmon, so security software is still very important. From the Wireshark capture, the number of protocol packets is mainly determined by the size of the data (file) transmitted.
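Reading the Operational log by eye works for a few events, but the useful step is to pull the events into a script and apply the same reasoning as above: a process creation for the backdoor (Event ID 1, with the hash to look up on VirusTotal), a network connection from it to a non-web port (Event ID 3, the reverse connection), and a remote thread created in another process (Event ID 8, which is what a meterpreter migrate looks like; with the configuration above it is only logged when the target is explorer.exe, svchost.exe or winlogon.exe, because that rule is onmatch="include"). The following is an added example, not part of the original report: it parses events saved as XML from Event Viewer (wrapped in one root element, as such exports are) and triages them. The events are constructed; only the SHA-256 is real, taken from the VirusTotal report later on this page. Paths, PIDs and the Kali address are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of four Sysmon events in the Windows event XML layout.
# Only the SHA-256 is real (the VirusTotal hash of meter_backdoor.exe).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <TimeCreated SystemTime="2020-03-26T08:10:01.000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Users\user\Desktop\meter_backdoor.exe</Data>
  <Data Name="ProcessId">4812</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  <Data Name="Hashes">SHA256=74b9f08a8edd0180816cb2f232a13502889b517721b94f6e887b4c3fdb1bc24b</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
  <TimeCreated SystemTime="2020-03-26T08:10:02.000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Program Files\NetEase\CloudMusic\cloudmusic.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="DestinationIp">13.107.42.12</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
  <TimeCreated SystemTime="2020-03-26T08:10:03.000Z"/></System>
 <EventData>
  <Data Name="Image">C:\Users\user\Desktop\meter_backdoor.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="SourceIp">192.168.1.5</Data>
  <Data Name="SourcePort">49813</Data>
  <Data Name="DestinationIp">192.168.43.129</Data>
  <Data Name="DestinationPort">4444</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID>
  <TimeCreated SystemTime="2020-03-26T08:12:40.000Z"/></System>
 <EventData>
  <Data Name="SourceImage">C:\Users\user\Desktop\meter_backdoor.exe</Data>
  <Data Name="SourceProcessId">4812</Data>
  <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
  <Data Name="TargetProcessId">3720</Data>
 </EventData>
</Event>
</Events>"""


def parse_sysmon_export(xml_text):
    """Flatten each <Event> into {'id', 'time', 'data': {Name: text}}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        tc = ev.find("e:System/e:TimeCreated", NS)
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": eid, "data": data,
                       "time": tc.get("SystemTime") if tc is not None else ""})
    return events


COMMON_PORTS = {"80", "443", "53"}


def triage(events, suspect="meter_backdoor.exe"):
    """Return (event_id, rule, detail) for the events worth a closer look."""
    findings = []
    for ev in events:
        d, eid = ev["data"], ev["id"]
        image = (d.get("Image") or d.get("SourceImage") or "").lower()
        if eid == 1 and image.endswith(suspect):
            # ProcessCreate: keep the hash for the VirusTotal lookup
            findings.append((eid, "process_create", d.get("Hashes", "")))
        elif eid == 3 and d.get("DestinationIp") != "127.0.0.1" \
                and d.get("DestinationPort") not in COMMON_PORTS:
            # NetworkConnect to a non-web port, e.g. the 4444 handler
            findings.append((eid, "outbound_nonweb_port",
                             f"{image} -> {d.get('DestinationIp')}:{d.get('DestinationPort')}"))
        elif eid == 8:
            # CreateRemoteThread into another process: process migration
            findings.append((eid, "remote_thread",
                             f"{image} -> {d.get('TargetImage', '').lower()}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_sysmon_export(SAMPLE_EVENTS)):
        print(f)
```

The same three rules are what the page's own observations amount to: the backdoor process start, the reverse connection, and any migration into explorer.exe. Events that the configuration excludes (browser traffic, loopback, port 137) never reach the log, so a rule here cannot recover them; tune the XML first, then the triage.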
- Download SysTracer from its download address and install it.
- SysTracer is a security auxiliary tool that combines HIPS and process behaviour tracking. It can track and monitor the changes a process makes to the whole system, including file operations, registry operations, memory operations and dangerous behaviour. It can monitor all processes, or a user-specified process and its child processes, and provides monitoring logs to help analyze the behaviour of a specific process. You can take any number of system snapshots at any time, compare any pair of them and observe the differences between them. Taking a snapshot usually takes a few minutes, depending on the number of files and folders and the total number of registry entries.
- Installation steps: Agree -> choose the second option -> enter the corresponding port during installation.
- Run SysTracer and take the snapshots. To control the variables, Kali is kept running throughout; because the backdoor program and the virtual machine are on the C and D drives, only the relevant content is selected for scanning, which simplifies the analysis.
- Take a snapshot before opening the backdoor: click "take snapshot", choose "Only selected items" as the scan scope, then click start. The snapshots taken are:
Snapshot #1: before the malware is implanted
Snapshot #2: after the malware is implanted
Snapshot #3: after the malware connects back
Snapshot #4: after the MSF operations (sysinfo, screenshot)
Snapshot #5: after exiting the malware
- Click "Applications" at the top -> "Running Processes" on the left -> find the backdoor process "meter_backdoor.exe" to see the corresponding calling process.
- In the snapshot interface select the two snapshots to compare and click "view differences list" at the lower right of "Snapshots" to compare the changes on the computer before and after the connection.
- Comparing #1 with #2: some registry values are added.
- Comparing #2 with #3: a large number of registry values (many of them probably unrelated) and related processes are added.
- Comparing #3 with #4: the MSF commands executed produced no particularly obvious related changes.
- Comparing #4 with #5: the related processes, files and registry values are deleted.
- Even when the backdoor program is no longer running in the background, the relevant registry values may remain unchanged for a while (they may be removed after a restart), so besides regularly cleaning up junk files on disk, tools for maintaining the registry (repair, deletion, etc.) are also needed.
- Check the malicious code with VirusTotal, which shows the MD5, SHA-1, file type, file size, packing and other related information. Two things stand out in the report below: the version information describes the file as the ApacheBench ab.exe from Apache HTTP Server 2.2.14 built in 2009, because msfvenom wraps the payload in a stock ab.exe template for 32-bit Windows, so this metadata says nothing about the actual payload (hence an unsigned "Apache" file created in 2009 and first submitted in 2020); and the .text section has the highest entropy of the four sections (7.01), the usual hint of encoded or packed content.
Basic Properties
MD5 c68f5f089544634816ee7d115b327c78
SHA-1 ebde084c4d3de28db835ff3e94edc82ed8e1c299
SHA-256 74b9f08a8edd0180816cb2f232a13502889b517721b94f6e887b4c3fdb1bc24b
Vhash 074046755d151028z2e32tz27z
Authentihash a9bc27d788fd344262f3bfa898ecd103166d4089444a9752a92752803802fc14
Imphash 481f47bbb2c9c21e108d65f52b04c448
SSDEEP 1536:IqIlIAkIaacFC691zYWzyVBQ66KcMb+KR0Nc8QsJq39:DINkIYCU1xzmQ6qe0Nc8QsC9
File type Win32 EXE
Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size 72.07 KB (73802 bytes)
History
Creation Time 2009-06-23 12:47:45
First Submission 2020-03-26 04:06:46
Last Submission 2020-03-26 04:06:46
Last Analysis 2020-03-26 04:06:46
Names
meter_backdoor.exe
ab.exe
Signature Info
Signature Verification
File is not signed
File Version Information
Copyright Copyright 2009 The Apache Software Foundation.
Product Apache HTTP Server
Description ApacheBench command line utility
Original Name ab.exe
Internal Name ab.exe
File Version 2.2.14
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Portable Executable Info
Header
Target Machine Intel 386 or later processors and compatible processors
Compilation Timestamp 2009-06-23 12:47:45
Entry Point 21121
Contained Sections 4
Sections
Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 43366 45056 7.01 ec1f468c27a1f0859e9c6cc68db03006
.rdata 49152 4070 4096 5.32 25d7ceee3aa85bb3e8c5174736f6f830
.data 53248 28764 16384 4.41 283b5f792323d57b9db4d2bcc46580f8
.rsrc 86016 1992 4096 1.96 c13a9413aea7291b6fc85d75bfcde381
Imports
ADVAPI32.dll
KERNEL32.dll
MSVCRT.dll
WS2_32.dll
WSOCK32.dll
Contained Resources By Type
RT_VERSION 1
Contained Resources By Language
ENGLISH US 1
Contained Resources
SHA-256 File Type Type Language
465417d96548ce85076f6509efac41e5ad02fee2b8f712416e8b6aa08d93c494 Data RT_VERSION ENGLISH US
ExifTool File Metadata
CharacterSet Unicode
CodeSize 45056
Comments Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName Apache Software Foundation
EntryPoint 0x5281
FileDescription ApacheBench command line utility
FileFlagsMask 0x003f
FileOS Win32
FileSubtype 0
FileType Win32 EXE
FileTypeExtension exe
FileVersion 2.2.14
FileVersionNumber 2.2.14.0
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
ImageVersion 0.0
InitializedDataSize 40960
InternalName ab.exe
LanguageCode English (U.S.)
LegalCopyright Copyright 2009 The Apache Software Foundation.
LinkerVersion 6.0
MIMEType application/octet-stream
MachineType Intel 386 or later, and compatibles
OSVersion 4.0
ObjectFileType Executable application
OriginalFileName ab.exe
PEType PE32
ProductName Apache HTTP Server
ProductVersion 2.2.14
ProductVersionNumber 2.2.14.0
Subsystem Windows GUI
SubsystemVersion 4.0
TimeStamp 2009:06:23 13:47:45+01:00
UninitializedDataSize 0
4. Experimental summary and experience
1. Answers to the basic questions
- (1) If at work you suspect that a host has malicious code, but it is only a guess, and you want to monitor what the system is doing every day: what operations would you monitor, and with what method?
- Create a regularly updated log through a scheduled task (for example netstat every minute) and review it;
- Monitor with sysmon (process creation, network connections, driver loading, remote threads);
- Use Process Explorer to check whether any program has loaded an abnormal DLL.
- (2) If you have determined that a program or process is a problem, what tools can give you further information about it?
- Capture its traffic with a packet-capture tool and analyze it;
- Use SysTracer to compare the changes in the registry, files and ports before and after the program runs;
- Check it through VirusTotal, Virscan and other online services.
2. Experimental gains and thoughts
Through this experiment I gained some understanding of which processes are running and where they connect while I am not actively using the computer. Using various tools to monitor and detect whether there is malicious code on the computer, I learned things that antivirus software alone cannot solve. During the experiment I ran into a variety of problems; files, processes and the registry were relatively unfamiliar, and all of this had to be resolved patiently. In terms of malicious code detection my own knowledge reserve is still quite thin, and I still need to keep learning and summarizing, combining theory with practice and achieving the unity of knowledge and action, in order to move forward in the next stage of study.