table of Contents
1. Experimental Objective
2. Experimental content
3. Experimental steps
- Use schtasks to set up scheduled tasks
- Use the sysmon tool to monitor the system
- Use VirusTotal to analyze malware
- Use PEiD to analyze malware
- Use PE Explorer to analyze malware
- Use wireshark to analyze backdoor software
- Analysis with Systracer
4. Problems encountered in the experiment
5. Experimental gains and thoughts
6. Question answer
2019-2020-2 20175330 Yang Jingxu "Network Countermeasure Technology" Exp4 Malicious Code Analysis
1. Experimental Objective
Task 1: Monitor the running status of your own system to see if suspicious programs are running
Task 2: Analyze a malware, analyze the backdoor software generated in Exp2 or Exp3; analysis tools use native instructions or sysinternals, systracer suite as much as possible
Task 3: Assuming that you feel that your host has a problem in future work, you can use this idea in the experiment to first monitor the entire system to see if suspicious objects can be found, and then further analyze the suspicious objects to confirm their specific behavior and nature
2. Practice content
(1) System operation monitoring
-
-
Use as scheduled tasks to record every minute what programs your computer is connected to the Internet and where the connected external IP is. Run for a period of time and analyze the file to summarize the analysis results. The goal is to find out all the programs connected to the network, where they are connected, and what they have done (you can only guess if you don't capture packets). Do you think it is appropriate to do so? If you want to further analyze, you can capture packets targeted.
-
Install and configure the sysmon tool in sysinternals, set a reasonable configuration file, and monitor the suspicious behavior of your host's key issues.
-
(2) Malware analysis
Analyze the software at
(1) Start back connection
(2) Install to the target machine
(3) and any other operations (such as process migration or screen capture, the important thing is that you are interested)
The backdoor software
(1) What registry entries are read, added, and deleted
(2) Which files have been read, added and deleted
(3) What external IPs are connected and what data is transmitted (capture analysis)
3. Experimental procedure
1. Use schtasks to set up scheduled tasks
step1: Enter the following command
date /t >> c:\netstat5330.txt time /t >> c:\netstat5330.txt netstat -bn >> c:\netstat5330.txt
Create netstat5330.bat script in the C drive
step2: Enter in cmd
schtasks /create /TN netstat5330 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"schtasks /create /TN netstat5330 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"
Create scheduled task nestst5330
Detailed command:
TNIt is the abbreviation of TaskName, followed by the task name netstat5330
scIndicates the timing mode, which means timing MINUTEin minutes,
TRThat is Task Run, the running instruction is netstat,
b命令为输出Executable file name,
nThe role is to display the IP and port with numbers,
Finally, the output is redirected, and the output is stored in a c:\netstatlog.txtfile.
step3: Open the mission planning program library, find the created program, click- 操作> 编辑, it will 程序或脚本change to the netstat5330.batfile we created .
step5: Check to run regardless of whether the user is logged in, use the highest authority
step6: Wait for a while, you can see the statistics in the netstat5330.txt file
step7: Import the data into excel analysis
step8: Analyze the data
- The most used application software:
vmware virtual machine, WeChat, Firefox, Thunder, steam (after all, doing experiments). There is no suspicious software in the rest
step1: Download Sysinternals .step2: Determine the target to be monitored. And trust the program to set up a white list.
step3: Create the corresponding configuration file in the directory where Sysmon is located
sysmon20175330.xml
. The configuration file is as follows:
<Sysmon schemaversion="10.42">
<!-- Capture all hashes -->
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<!-- Log all drivers except if the signature -->
<!-- contains Microsoft or Windows -->
<ProcessCreate onmatch="exclude">
<Image condition="end with">chrome.exe</Image>
</ProcessCreate>
<ProcessCreate onmatch="include">
<ParentImage condition="end with">cmd.exe</ParentImage>
</ProcessCreate>
<FileCreateTime onmatch="exclude" >
<Image condition="end with">chrome.exe</Image>
</FileCreateTime>
<NetworkConnect onmatch="exclude">
<Image condition="end with">chrome.exe</Image>
<SourcePort condition="is">137</SourcePort>
<SourceIp condition="is">127.0.0.1</SourceIp>
</NetworkConnect>
<NetworkConnect onmatch="include">
<DestinationPort condition="is">80</DestinationPort>
<DestinationPort condition="is">443</DestinationPort>
</NetworkConnect>
<CreateRemoteThread onmatch="include">
<TargetImage condition="end with">explorer.exe</TargetImage>
<TargetImage condition="end with">svchost.exe</TargetImage>
<TargetImage condition="end with">firefox.exe</TargetImage>
<TargetImage condition="end with">winlogon.exe</TargetImage>
<SourceImage condition="end with">powershell.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering>
</Sysmon>
Interpretation:
<Sysmon schemaversion="10.42">
Indicates that the version of Sysmon is version 10.42
excludeIndicates a white list, that is, the programs in the label are not recorded.
include表示blacklist. onmatch表示match.
ProcessCreate为Process creation
NetworkConnect表示Internet connection
CreateRemoteIndicates remote thread creation.
FileCrete Time表示Process creation time
Sysmon.exe -i sysmon20175330.xml
事件查看器
in
应用程序和服务日志/Microsoft/Windows/Sysmon/Operational
, you can see the event record.
3. Malware analysis
step1: Run the backdoor program of experiment three before:
step2: View the running record of the backdoor program in the event viewer
SearchProtocolHost.exe and SearchIndexer.exe are indexing programs for desktop search engines in Windows Vista and Windows 7. It automatically scans the file name, attribute information, and file content of a given category when the computer is idle. These index locations include by default Desktop, favorites , start menu , system directory, and directories added to Libraries in Windows 7 (user folders under Windows Vista, such as documents, pictures, music, and video folders) can also be used as backdoors carried out.
Use wireshark to analyze backdoor software
The communication method used by the backdoor program is TCP transmission. When the Windows host implanted into the backdoor invades, the host and the virtual machine first complete a complete three-way handshake
Use VirusTotal to analyze malware
Upload the program to VirusTotal to get detailed information including size, MD5, SHA-1, SHA-256 values and encryption shell type.
Use PEiD to analyze malware
PEiD (PE Identifier) is a well-known search tools shell, its powerful, can detect almost all the shells, their number has more than 470 kinds of PE document shell type and signature.
Scanning mode:
Use PE Explorer to analyze malware
The extremely powerful visualized Chinese integration tool can directly browse and modify software resources, including menus, dialog boxes, string tables, etc. In addition, it also has the decompilation capability of W32DASM software and the PE file header editing function of PEditor software. It is easier to analyze the source code and repair the damaged resources. It can handle PE format files such as EXE, DLL, DRV, BPL, DPL, SYS, CPL, OCX, SCR and other 32-bit executable programs. The software supports plug-ins . You can enhance the functions of the software by adding plug-ins. The original company bundled UPX unpacking plug-ins, scanners and disassemblers in the tool .
Use the import function to view the dynamic link library referenced by the file:
其中系统的内存和管理数据的输入输出操作和中断处理由KERNEL32.dll控制。
msvcrt.dllThe function library
that compiles software for Microsoft is used by backdoor programs KERNEL32.dll.KERNEL32.dll被调用应当警惕。
Analysis with Systracer
step1: download and installSystracer
step2: Click to take snapshotstore the snapshot.
- Snapshot 1: Backdoor programs not ported
- Snapshot 2: Backdoor implant
- Snapshot 3: Run the backdoor program and connect back in Kali
- Snapshot 4: execute the dir command
step3: Compare snapshots
Comparing snapshot one with snapshot two, you can see that the backdoor file is added20175330.exe
Compare Snapshot 2 and Snapshot 3 and find the program that 20175330.exe出现在了正式runs after the backdoor starts
There are many more dll files added by backdoor programs
Comparing Snapshot 3 and Snapshot 4, it is found key_local_machinethat the content in the root key has been modified.
Problems encountered in the experiment
Experimental gains and thoughts
This experiment is not difficult to operate, mainly because there are some difficulties in the analysis of the backdoor program. The focus of this experiment is on the analysis of the program's running results and event logs. I don't know what to do at first. The backdoor has read a lot. After the classmate's blog has a general direction, the Chinese body is still very rewarding.
question answer
(1) If you suspect malicious code on a host at work, but just guess, all you want to monitor what the system is doing every day. Please design what operations you want to monitor and what method to use to monitor
- Upload the suspected program to VirusTotal
- Check if the program is packed with PEiD
- Whether to reference the dynamic link library about the backdoor through the PE Explorer program
- Check whether there is a doubtful port and purpose when transmitting information through wireshark
- Take a snapshot with Systracer tool
2) If you have determined that there is a problem with a program or process, what tools do you have to get further information about it?
Use the systracer tool to view the program modifications to the registry and files.
Monitor related processes through the Process Explorer tool.