2019-2020-2 20174310 Sui Runqi "Network Countermeasure Technology" Exp4 Malicious Code Analysis

1. Experimental goal

 1. Practical requirements

  • Monitor the running status of your own system and check whether suspicious programs are running;
  • Analyze one piece of malware: the backdoor generated in Exp2 or Exp3. Use native commands or the Sysinternals and SysTracer suites as far as possible;
  • If in future work you suspect your host has a problem, apply the same idea as in this experiment: first monitor the whole system to see whether suspicious objects can be found, then analyze those objects further to confirm their specific behaviour and nature.

2. Practice content

  1. System operation monitoring
    • Use, for example, a scheduled task to record every minute which programs on the computer are connected to the Internet and where the external IPs are. Run it for a while, then analyze the file and summarize the results. Objective: find the connections and activity of every networked program, judge whether that activity is appropriate and reasonable, and capture packets for further analysis;
    • Install and configure Sysmon from Sysinternals with a reasonable configuration file, and monitor the host's suspicious behaviour;
    • Analysis of the actual log also needs some creativity, combined with previously learned skills such as Linux text-processing commands (the difficulty is finding the patterns in a large amount of data and spotting the problem).
  2. Malware analysis
    • Analyze the backdoor while it connects back to the target machine and during any other operations (such as process migration or screen capture) after the connection: which registry entries are read, added or deleted;
    • Which files are read, added or deleted;
    • Which external IPs are connected to and what data is transmitted (capture and analyze).

2. Practical process

 1. System operation monitoring - scheduled tasks

Create scheduled tasks so that the system automatically detects which programs are connecting to our network every 1 minute.

Run cmd as administrator and enter the following command:

schtasks /create /TN netstat4310 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > d:\netstat4310.txt" (I had already created it before taking the screenshot, so the task already exists; it is recreated here)

  • /TN: Task Name, here netstat4310
  • /SC: SChedule type, here MINUTE, i.e. the interval is measured in minutes
  • /MO: MOdifier, here 1, i.e. run every 1 minute
  • /TR: Task Run, the command to run, here netstat
  • -bn: -b shows the executable that owns each connection (this needs administrator rights), -n shows addresses and ports numerically

Create a new text file in the root directory of the D drive with the following contents (note the >> redirection, so each run appends instead of overwriting the file):

  • date /t >>d:\netstat4310.txt
  • time /t >>d:\netstat4310.txt
  • netstat -bn >>d:\netstat4310.txt

Save it and rename it to netstat20174310.bat so it runs as a batch file.

Find the created task in [Control Panel] -> [System and Security] -> [Administrative Tools] -> [Task Scheduler] and edit the task's properties.

Select "Run with highest privileges" (netstat -b fails to run otherwise) and change "Configure for" to Windows 10.

Then replace the action's program with the .bat file just created.

Once the task runs it records in the background while the computer is used normally. After about an hour, open netstat4310.txt on the D drive to view the contents.

Import the text file into Excel and use its data tools to build a pivot table of the connections.

  • 360se.exe: 360 browser
  • 360tray.exe: 360 firewall
  • chrome.exe: Google Chrome
  • EXCEL.EXE: Excel program
  • GDCAgent.exe: Lenovo Service Center
  • mysqld.exe: MySQL database server

From these results, my computer does not seem to have any unexpected self-starting software, so it should be relatively safe.
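The pivot-table step can also be scripted, which matters once the log grows to hours of one-minute samples. The following is an added example (not part of the original report) that parses the format the batch file produces, counts how many samples each process/remote-endpoint pair appears in, and lists established, non-loopback connections from processes that are not on an allowlist. The log content is constructed: the backdoor name and the Kali address come from this report, but the local addresses, the port 4310 and the other remote hosts are made up.

```python
"""Summarise the netstat log written by the scheduled task (added example, not the author's Excel analysis)."""
import re
from collections import Counter

# Constructed sample of d:\netstat4310.txt: every run of the .bat appends
# `date /t`, `time /t` and `netstat -bn` (the owning process on the line after each connection).
SAMPLE_LOG = """\
2020/04/13
10:01
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:52311      172.217.160.78:443     ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:49713      192.168.80.131:4310    ESTABLISHED
 [4310srq_backdoor.exe]
  TCP    127.0.0.1:3306         127.0.0.1:50012        ESTABLISHED
 [mysqld.exe]
  TCP    192.168.1.5:49800      198.51.100.7:443       ESTABLISHED
  Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
2020/04/13
10:02
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:52311      172.217.160.78:443     ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:49713      192.168.80.131:4310    ESTABLISHED
 [4310srq_backdoor.exe]
  TCP    192.168.1.5:49812      192.168.1.20:135       ESTABLISHED
  RpcSs
 [svchost.exe]
"""

DATE_RE = re.compile(r"^\s*(\d{4}[/-]\d{1,2}[/-]\d{1,2})")   # output of `date /t` (locale-dependent)
TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2})\s*$")               # output of `time /t`
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")                     # " [image.exe]" line printed by -b


def parse_netstat_log(text):
    """One dict per connection line: sample time, protocol, remote endpoint, state and owning process."""
    records, date, clock, pending = [], "?", "?", None
    for line in text.splitlines():
        if (m := DATE_RE.match(line)):
            date = m.group(1)
        elif (m := TIME_RE.match(line)):
            clock = m.group(1)
        elif (m := CONN_RE.match(line)):
            proto, local, remote, state = m.groups()
            pending = {"sample": f"{date} {clock}", "proto": proto, "local": local,
                       "remote": remote, "state": state, "process": "<unknown>"}
            records.append(pending)
        elif pending and (m := OWNER_RE.match(line)):
            # The owner follows its connection, sometimes after a service-name line such as "RpcSs".
            # "Can not obtain ownership information" has no bracket line, so the record stays <unknown>.
            pending["process"] = m.group(1)
            pending = None
    return records


def established_by_process(records):
    """How many samples each (process, remote endpoint) pair shows up in: persistence is the clue."""
    return Counter((r["process"], r["remote"]) for r in records
                   if r["proto"] == "TCP" and r["state"] == "ESTABLISHED")


def unexpected_connections(records, expected_processes):
    """Established, non-loopback connections owned by processes that are not on the allowlist."""
    allow = {p.lower() for p in expected_processes}
    hits = []
    for (proc, remote), n in established_by_process(records).items():
        ip = remote.rsplit(":", 1)[0]
        if proc.lower() not in allow and not ip.startswith("127."):
            hits.append((proc, remote, n))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_netstat_log(SAMPLE_LOG)
    for proc, remote, n in unexpected_connections(recs, ["chrome.exe", "mysqld.exe", "svchost.exe"]):
        print(f"{proc:25} -> {remote:22} seen in {n} sample(s)")
```

Running it on the real log means replacing SAMPLE_LOG with the file contents (open it with the system's ANSI code page rather than UTF-8 on a Chinese Windows install). The allowlist is deliberately small: a connection that shows up in every sample from a process you did not install, as the backdoor does here, is exactly what the Excel pivot was looking for, and an entry with no ownership information is worth a second look rather than being dropped.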

2. System operation monitoring - using Sysmon

Download SysinternalsSuite.zip from the official website and unzip it.

Choose the Sysmon binary for your system. My computer is 64-bit, so I use Sysmon64.exe; the version can be checked in the file's properties.


Create a text file in the SysinternalsSuite directory, save the following into it and rename it to sysmon20174310.xml.

<Sysmon schemaversion="10.42">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Do not log browser, NetBIOS name-service or loopback connections -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <!-- the Internet Explorer binary is iexplore.exe, not iexplorer.exe -->
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Only log remote threads created in classic injection targets, or by PowerShell -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
  • HashAlgorithms: record every supported hash (MD5, SHA1, SHA256, IMPHASH) of the images Sysmon sees
  • DriverLoad: drivers whose signature contains "microsoft" or "windows" are excluded, so only third-party drivers are logged
  • NetworkConnect: browser traffic (images ending in chrome.exe or iexplore.exe), NetBIOS name-service traffic (source port 137) and loopback traffic (source IP 127.0.0.1) are excluded; every other connection is logged, which is where a backdoor's connection to its handler shows up
  • CreateRemoteThread: only threads injected into explorer.exe, svchost.exe or winlogon.exe, or created by powershell.exe, are logged; these are the classic targets of process injection and migration
  • onmatch include/exclude: with include only matching events are logged; with exclude matching events are dropped and everything else is logged
  • There is no ProcessCreate rule in this file, so process creation (Event ID 1) keeps Sysmon's default behaviour and is still logged

Run cmd as administrator and, in the directory containing Sysmon64.exe, execute Sysmon64.exe -accepteula -i sysmon20174310.xml (because it was tested earlier, it reports that Sysmon is already installed; on an already installed instance, Sysmon64.exe -c sysmon20174310.xml loads the new configuration instead)


Open [Event Viewer (Local)] -> [Applications and Services Logs] -> [Microsoft] -> [Windows] -> [Sysmon] -> [Operational] to view the events recorded under the sysmon20174310.xml configuration: process name, process ID, image path and so on.
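Reading the Operational log in Event Viewer does not scale past a few hundred events, and the same events can be exported as XML with wevtutil and triaged with a script. The following is an added example (not part of the original report) that flattens exported Sysmon events and applies two rules that mirror the configuration above: an outbound connection (Event ID 3) from a non-browser process on a port other than 80/443, and a remote thread (Event ID 8) created in one of the injection targets. The events are constructed; the backdoor name and the Kali address are from this report, while the paths, the port and the timestamps are made up.

```python
"""Triage Sysmon events exported from the Operational log (added example, not part of the original report)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BROWSERS = {"chrome.exe", "iexplore.exe"}
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Constructed sample in the shape of `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`
# output, wrapped in a root element so it parses as one document. Paths and addresses are made up.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><TimeCreated SystemTime="2020-04-13T02:04:58.000Z"/></System>
  <EventData><Data Name="Image">D:\exp4\4310srq_backdoor.exe</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-13T02:05:11.000Z"/></System>
  <EventData>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="DestinationIp">172.217.160.78</Data><Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-13T02:05:12.000Z"/></System>
  <EventData>
    <Data Name="Image">D:\exp4\4310srq_backdoor.exe</Data>
    <Data Name="DestinationIp">192.168.80.131</Data><Data Name="DestinationPort">4310</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><TimeCreated SystemTime="2020-04-13T02:06:40.000Z"/></System>
  <EventData>
    <Data Name="SourceImage">D:\exp4\4310srq_backdoor.exe</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
</Events>"""


def leaf(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_sysmon_events(xml_text):
    """Flatten each <Event> into (event_id, time_created, {Data Name: value})."""
    events = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        events.append((eid, when, data))
    return events


def triage(events):
    """Two rules that mirror the configuration: non-browser outbound traffic on a port other than
    80/443, and remote threads created in classic injection targets."""
    findings = []
    for eid, when, d in events:
        if eid == 3 and leaf(d.get("Image", "")) not in BROWSERS \
                and d.get("DestinationPort") not in ("80", "443"):
            findings.append((when, "NetworkConnect",
                             f'{leaf(d["Image"])} -> {d["DestinationIp"]}:{d["DestinationPort"]}'))
        elif eid == 8 and leaf(d.get("TargetImage", "")) in INJECTION_TARGETS:
            findings.append((when, "CreateRemoteThread",
                             f'{leaf(d["SourceImage"])} -> {leaf(d["TargetImage"])}'))
    return findings


if __name__ == "__main__":
    for when, kind, detail in triage(parse_sysmon_events(SAMPLE_EVENTS)):
        print(f"{when}  {kind:20} {detail}")
```

With the real export, wevtutil prints a bare sequence of Event elements, so wrap the file in a single root element before parsing. The port rule is intentionally crude: a backdoor that connects back over 443 would pass it, so the output is a starting point for the manual review described above, not a verdict.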


3. Malware analysis

3.1 Analysis using Wireshark

Use the malware (the packed backdoor from Experiment 3) to connect back, and combine the log information with a Wireshark capture to analyze the process behaviour on the system.
In Event Viewer, locate the entries for the backdoor by its running time. In Wireshark, enter the filter [ip.addr == 192.168.80.131] to view the related packets:

  • ICMP packets from the ping between the Kali system and the Windows system
  • TCP packets when the MSF reverse connection is established

  • Run dir to check the files in the backdoor's directory on disk; looking carefully, no log file has been updated

3.2 Analysis using SysTracer

Download and install SysTracer.

 

Enter port number 4310 when prompted.

After installation completes it is ready to use.

  • Take a snapshot before starting the backdoor: select Take snapshot; Snapshot #1 is shown when it finishes.
  • Start listening in Kali. Run the backdoor on Windows and, after the connection succeeds, take another snapshot: Snapshot #2.
  • Run MSF operations such as sysinfo and screenshot in Kali, then take Snapshot #3.
  • After the session ends, take Snapshot #4.

 

Start with a simple look at #2: select [Applications] -> [Running Processes] -> [4310srq_backdoor.exe] -> [Opened Ports] to view the local address, remote address and port number.

  • Comparing #1 and #2 shows many registry changes before and after the backdoor runs.
  • The backdoor program's own record is also found there, with an established TCP connection.
  • Comparing #3 and #4, there are many more deletion operations than between #1 and #2.
  • Searching carefully, the deletion operations corresponding to the backdoor program can be found.

3.3 Analysis using Process Explorer

After Kali connects back successfully, open Process Explorer and check the details.

The backdoor program is easy to find.

Via [View] -> [Select Columns] several further columns can be shown on the main page to help analyze the backdoor program:

Image Path: the file path of the process
Command Line: the process's command-line arguments
Image Type: whether the process is 64-bit or 32-bit
Session ID: the session the process is running in
User Name: the account the process runs as, i.e. whether it has administrator rights or ordinary user rights

 

Adding these columns allows a more detailed analysis of the backdoor program.

For example, Image Path leads directly to the backdoor's location on disk so it can be cleaned up.

3.4 Using OllyDbg to analyze the backdoor program

Before analyzing the backdoor, first analyze a Win32 login dialog written for this purpose, as an introduction to OD.

  • The initial dialog
  • Shown when the input is correct
  • Shown when the input is wrong
  • Open the exe in OD; going by ordinary programming experience
  • Four parameters are pushed onto the stack before the call, which roughly identifies the entry of the dialog's main function

  • Press Enter to follow the call, and this turns out to be right

  • The second parameter is the window procedure; use Ctrl+G to jump to it

  • Two message boxes, for correct and wrong output, are found here, so the function that decides whether the input is correct should be just above

  • Continue with Enter to follow that function

  • The judgement conditions are found: according to the assembly, the account length must equal 3 and the password length must equal 5 to jump to the success dialog

  • As expected (some steps were omitted in the whole process)

Now track the backdoor program.

Open the backdoor program in OD:

  • Disassembly panel
  • Register panel
  • Data (dump) panel
  • Stack panel

First trace the program roughly (F7 steps into a call, F8 steps over it).

The program keeps looping in this section.

 

Reading this part of the program shows that it loops because of this instruction.

 

Given what we know about backdoors, the only reason for a continuous loop is waiting for the connection back to the attacker, so first set the zero flag ZF to 1.

Let it keep running and observe what happens.

 

It continues successfully; tracing further, it falls into loops many more times, and the analysis of this program was not completed.

Because I have no experience writing backdoor programs, I cannot understand the assembly code and the meaning of some of the jumps. I need to learn more in this area.

3.5 Analysis of the backdoor's PE structure

Here I use a PE parser I wrote myself, similar in function to the many PE parsers available online. After loading the file it shows the following.

 

 

From the program's PE header and section table, nothing distinguishes it from an ordinary exe.

So I start from the import table and look at which DLLs it uses and whether anything stands out.

 

 

This program imports the Windows socket (Winsock) DLL to connect back to the attacker and transfer information.

 

Going by ordinary programming experience, the functions it imports from that DLL are the ones used to send and receive data over a socket, so it can be roughly judged that the program may send information about the computer to the outside.
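The import-table walk that a PE parser performs to reach this conclusion is short enough to show in full. The following is an added example (not the author's own parser) that locates the import directory through the data directory and section table, walks the IMAGE_IMPORT_DESCRIPTOR entries of a PE32 or PE32+ image, and picks out imports from the socket and HTTP DLLs a reverse shell needs. Because no binary is embedded in this report, build_sample_pe constructs a minimal PE32 file with only an import section; the DLL and function names in the sample are an assumption about what such a backdoor imports, not taken from the analyzed binary.

```python
"""Walk a PE import table and pick out networking imports (added example, not the author's own parser)."""
import struct

NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}


def parse_imports(pe):
    """Return {dll: [function or '#ordinal', ...]} for a PE32 or PE32+ image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                              # PE32
        dd_off, thunk_fmt = 96, "<I"
    elif magic == 0x20B:                                            # PE32+
        dd_off, thunk_fmt = 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (8 * thunk_size - 1)
    import_rva = struct.unpack_from("<I", pe, opt + dd_off + 8)[0]  # data directory entry 1 = imports

    sections = []                                                   # (VirtualAddress, size, PointerToRawData)
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        """Translate an RVA to a file offset through the section table."""
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(off):
        return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    if import_rva == 0:
        return imports                                              # no import table at all
    desc = rva2off(import_rva)
    while True:                                                     # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and iat == 0:
            break
        names, thunk = [], rva2off(ilt or iat)                      # prefer the lookup table the loader never patches
        while (entry := struct.unpack_from(thunk_fmt, pe, thunk)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & ordinal_flag
                         else cstr(rva2off(entry) + 2))             # skip the 2-byte hint
            thunk += thunk_size
        imports[cstr(rva2off(name_rva))] = names
        desc += 20
    return imports


def network_imports(imports):
    """(dll, function) pairs from the socket/HTTP DLLs a reverse shell needs to call home."""
    return sorted((dll, fn) for dll, fns in imports.items()
                  if dll.lower() in NETWORK_DLLS for fn in fns)


def build_sample_pe(dlls):
    """Constructed PE32 with a single .idata section; only the fields parse_imports reads are filled."""
    sec = bytearray()

    def put(blob, align=4):                                         # append to the section, return its RVA
        sec.extend(b"\0" * (-len(sec) % align))
        rva = 0x1000 + len(sec)                                     # section is mapped at RVA 0x1000
        sec.extend(blob)
        return rva

    descriptors = b""
    for dll, fns in dlls.items():
        hint_names = [put(struct.pack("<H", 0) + fn.encode() + b"\0") for fn in fns]
        thunks = b"".join(struct.pack("<I", r) for r in hint_names) + b"\0" * 4
        ilt, iat = put(thunks), put(thunks)
        descriptors += struct.pack("<IIIII", ilt, 0, 0, put(dll.encode() + b"\0"), iat)
    import_rva = put(descriptors + b"\0" * 20)                      # terminating null descriptor
    raw = bytes(sec) + b"\0" * (-len(sec) % 0x200)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, len(descriptors) + 20)
    sechdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), 0x1000, len(raw), 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + sechdr
    return headers + b"\0" * (0x200 - len(headers)) + raw


if __name__ == "__main__":
    sample = build_sample_pe({"WS2_32.dll": ["WSAStartup", "connect", "send", "recv"],
                              "KERNEL32.dll": ["CreateProcessA", "ExitProcess"]})
    for dll, fn in network_imports(parse_imports(sample)):
        print(f"{dll}!{fn}")
```

To run it on a real file, pass open(path, "rb").read() to parse_imports. Two caveats apply to the packed backdoor from Experiment 3: a packer typically leaves only a stub import table (often just LoadLibrary and GetProcAddress from kernel32.dll) and resolves Winsock at run time, so an empty or tiny import table is itself a finding; and the walker reads the original lookup table when present because the IAT is overwritten with function addresses once the image is loaded, which matters if you dump the process from memory rather than reading the file.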

3. Answers to basic questions

If you suspect malicious code on a host at work, but it is only a guess, and you want to monitor what the system does every day: which operations would you monitor, and by what method?

  • Use Sysmon with a configuration that covers ports, registry information, network connections and so on, and review the log it generates
  • Use Wireshark to inspect the packets
  • Use SysTracer to take snapshots and compare registry and file information
  • Use Process Monitor and Process Explorer to watch process execution, file-system and registry activity
  • For a suspicious program, use a PE parser to inspect its imported functions and infer its purpose
  • Use OD for dynamic analysis or IDA for static analysis (we must strengthen this area after class; my reverse-engineering study is not yet enough)

If it has been determined that a program or process has a problem, what tools do you have to get further information about it?

  • Use SysTracer to analyze the malware and view its modifications to the registry and files.
  • Use Wireshark to capture and analyze packets and monitor its communication with the host.

4. Experimental summary

This experiment made me fully aware of my deficiencies in dynamic and static analysis. My coding experience with things like socket programming is not enough, so I cannot understand the meaning of some code and comments, which left the reverse analysis of the backdoor unfinished. The lesson is to strengthen learning in this area.

At the same time, it made me realize that network security is not far from us, and I can use what I learned in this experiment to check whether my own computer is safe.

 


Origin www.cnblogs.com/srq111/p/12695074.html