2019-2020-2 network countermeasure technology 20175311 Hu Jidong Exp4 malicious code analysis

Table of contents

  • 1. Experiment introduction
  • 2. Experimental procedure
    • 1. Use schtasks instruction to monitor the system
    • 2. Use the sysmon tool to monitor the system
    • 3. Use VirusTotal to analyze malware
    • 4. Use PEID to analyze malware
    • 5. Use systracer to analyze malware
    • 6. Use Wireshark to capture packets and analyze malware
  • 3. Experimental requirements
  • 4. Experimental thoughts

1. Experiment introduction

1. Experimental Objective

  • Monitor the running status of your system to see if any suspicious programs are running.
  • To analyze a malware, analyze the backdoor software generated in Exp2 or Exp3; the analysis tool uses native instructions or sysinternals, systracer suite as much as possible.
  • Assuming that you feel that your host has a problem in future work, you can use this idea in the experiment, first monitor the entire system to see if suspicious objects can be found, and then further analyze the suspicious objects to confirm their specific behavior and nature.

2. Experimental content (3.5 points)

2.1 System operation monitoring (2 points)
  • Use scheduled tasks to record, every minute, which programs on your computer are connected to the Internet and which external IPs they are connected to. Find out all the programs connected to the network, where they connect and what they do, and then carry out further targeted packet capture and analysis.
  • Install and configure the sysmon tool from sysinternals, write a reasonable configuration file, and monitor suspicious behaviour at the key points of your host.
2.2 Malware analysis (1.5 points)
  • Analyze what the backdoor software does when it (1) starts the reverse connection, (2) is installed on the target machine and (3) performs any other operation (such as process migration or screen capture; the important thing is that you are interested in it):
    • What registry keys have been read, added and deleted
    • What files were read, added and deleted
    • What external IP is connected and what data is transmitted

2. Experimental procedure

1. Use schtasks instruction to monitor the system

  • Use the command schtasks /create /TN netstat5311 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create the task netstat5311

    • TN is short for TaskName; the name of the scheduled task we created is netstat5311;
    • sc specifies the schedule type; we fill in MINUTE, so the interval is counted in minutes;
    • TR stands for Task Run; the command to be run is netstat;
    • -b shows the executable file that created each connection, and -n shows addresses and ports in numeric form;
    • > is output redirection; the output is stored in the file c:\netstatlog.txt
  • Create a new script file netstat5311.bat, drag it to the C drive directory, and write the following content

date /t >> c:\netstat5311.txt
time /t >> c:\netstat5311.txt
netstat -bn >> c:\netstat5311.txt

  • Open the task scheduler and find the newly created task
  • Double-click the task, adjust the settings, change "program or script" to the netstat5311.bat batch file we created, and confirm
  • The default operation in the power options is "Start this task only when the computer uses AC power", then the task will be stopped when using battery power. In order to count more data, we will remove this check.
  • Select the highest authority to run and click OK to save.
  • Then just wait to collect data ~
  • After waiting for a long time, we imported the data into an Excel table. Import text data: create a new Excel file -> select "Data" at the top -> select "Get External Data" -> select "From Text"
  • Enter the first step of the file import wizard, select "Separator" and click "Next"
  • Enter the second step of the file import wizard, select all separators, and click "Next"
  • Enter the third step of the file import wizard, select normal for the column data format, and click "Finish". The final data is as follows:
  • Create a new chart from the exported data, delete the fields that are not meaningful, and import the values.

  • Finally, the final exported chart is as follows:

  • Through the above chart, I can see that the program with the most Internet connections is Google's web browser "chrome.exe", the second is the service process of Driver Genius, "dgservice.exe", the third is Tencent Classroom's "TXEDU.exe", and the fourth is the Windows 10 system process "searchUI.exe". In addition, we can also see some other system processes and networked programs such as WeChat, QQ, and virtual machines.
  • No suspicious malicious programs were found, so let's analyze the network connection made by chrome.exe. By looking at the table, we found that Google's browser visited 119.3.240.79:80, which should be the web page I visited when I was looking for information when doing the experiment.
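The counting that the report did by hand in Excel can also be done directly on the netstat5311.txt log. The following Python script is an added example, not part of the original report; the log content, the backdoor_sample.exe name and the 192.168.1.102:4444 peer are constructed sample data. It attributes each connection to the [program] line that netstat -b prints beneath it, counts connections per program, and lists peers on ports other than 80/443 for closer inspection.

```python
import re
from collections import Counter

# Constructed sample of c:\netstat5311.txt (not real data from the page): the
# batch file writes `date /t`, `time /t` and then `netstat -bn` once a minute.
SAMPLE_LOG = """\
2020/04/14
10:01
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:52344      119.3.240.79:80        ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:52350      40.90.22.180:443       ESTABLISHED
 [dgservice.exe]
  TCP    192.168.1.5:52351      192.168.1.102:4444     ESTABLISHED
 [backdoor_sample.exe]
2020/04/14
10:02
  TCP    192.168.1.5:52344      119.3.240.79:80        ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:52351      192.168.1.102:4444     ESTABLISHED
 [backdoor_sample.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")  # netstat -b prints the owner on the next line

def parse_netstat_log(text):
    """Return (program, proto, foreign_ip, foreign_port, state) per connection."""
    records, pending = [], None
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            proto, _local, foreign, state = conn.groups()
            ip, _, port = foreign.rpartition(":")
            pending = (proto, ip, port, state or "")
            continue
        owner = OWNER_RE.match(line)
        if owner and pending:  # attach the [program] line to the connection above it
            records.append((owner.group(1),) + pending)
            pending = None
    return records

def connections_per_program(records):
    """The per-program count that the report built by hand in Excel."""
    return Counter(r[0] for r in records)

def flag_unusual(records, common_ports=("80", "443")):
    """TCP peers on ports other than the usual web ports deserve a closer look."""
    return sorted({(r[0], r[2], r[3]) for r in records
                   if r[1] == "TCP" and r[3] not in common_ports})
```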

2. Use the sysmon tool to monitor the system

  • Install and configure the sysmon tool from sysinternals, write a reasonable configuration file, and monitor suspicious behaviour at the key points of your host.
  • Download the SysinternalsSuite.zip that the teacher uploaded to Code Cloud and unzip it; sysmon is in the unzipped folder.
  • For how to write the configuration file, refer to the blog post "Use the lightweight tool Sysmon to monitor your system".
  • Create sysmon5311.txt in the directory where sysmon is located and enter the configuration in it
<Sysmon schemaversion="3.10">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Do not log process creation or file creation-time changes for chrome.exe -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </ProcessCreate>

    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
    </FileCreateTime>

    <!-- Network connections: skip chrome.exe, NetBIOS name service (137) and loopback; -->
    <!-- of the rest, record only connections to destination ports 80 and 443 -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>

    <!-- Remote threads injected into these system processes, or created by powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
  • Common programs such as chrome and wps are put in the exclude lists. In the configuration above, the schemaversion on the first line must correspond to the sysmon version used. ProcessCreate means process creation, NetworkConnect is a network connection, CreateRemoteThread is remote thread creation, and FileCreateTime is a change to a file's creation time. The two values of the onmatch parameter, exclude and include, are the "exempt from inspection" and "must be inspected" lists respectively.
  • The remote thread rule records remote threads whose targets are explorer.exe, svchost.exe or winlogon.exe, or whose source is powershell.exe. explorer.exe is the Windows program manager or file explorer; svchost.exe is a system program belonging to the Microsoft Windows operating system and is the generic host process name for services run from dynamic link libraries (DLLs); winlogon.exe is the Windows NT user logon program, used to manage user login and logout; powershell.exe is the Windows command-line shell designed specifically for system administrators, which includes both an interactive prompt and a scripting environment that can be used independently or in combination.
  • Obtain administrator rights to enter the command line, run sysmon.exe -i sysmon5311.txt, pay special attention to the need for administrator rights (you can right-click to get administrator rights when running cmd)
  • Run successfully
  • Search to open the computer management, select Event Viewer / Service Log / Microsoft / Windows / Sysmon / Operational
  • You can see the details of the record
  • Generate backdoor software in kali and put it into the system
  • Open the event viewer, and after refreshing, we will find the relevant message of the back door that has just been run according to the running time.
  • Go back to kali and use webcam_snap to take a picture; you can see a few more records in the event viewer. Since an error occurred in Kali, we saw the Werfault.exe process in the event viewer, which is the error reporting program that comes with the Windows system. We also saw the svchost.exe process, which is also a background program that comes with the Windows system.


  • I typed dir in kali to view the files in the current directory, and a few more messages immediately appeared in the event viewer. There is a SearchProtocolHost.exe process; after searching on Baidu, I found that it is the desktop search engine indexing process, which also explains the desktop file information that appears after entering dir. There is also a conhost.exe process, whose full name is Console Host Process, the host process of command-line programs. Simply put, it is a new console application handling mechanism that Microsoft introduced for security reasons.
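Whether an event reaches the Sysmon log depends on how the include and exclude lists interact: an exclude match always wins, and when an include list exists the event must also hit one of its entries. The Python below is an added example (not the page's code or Sysmon's) that applies the NetworkConnect rules from the sysmon5311.txt above to constructed events; it shows that with the include list limited to ports 80 and 443, a connection from the backdoor to any other port produces no Event ID 3 at all, so the include list should be widened or dropped if the reverse connection is what you want to catch.

```python
# NetworkConnect rules copied from the sysmon5311.txt above, as (field, condition, value).
EXCLUDE = [("Image", "end with", "chrome.exe"),
           ("SourcePort", "is", "137"),
           ("SourceIp", "is", "127.0.0.1")]
INCLUDE = [("DestinationPort", "is", "80"),
           ("DestinationPort", "is", "443")]


def matches(rule, event):
    """Model the two Sysmon condition types the config uses ('is', 'end with')."""
    field, cond, value = rule
    actual = str(event.get(field, "")).lower()
    if cond == "is":
        return actual == value.lower()
    if cond == "end with":
        return actual.endswith(value.lower())
    raise ValueError(f"condition not modelled: {cond}")


def is_logged(event, include=INCLUDE, exclude=EXCLUDE):
    """An exclude match always wins; otherwise the event must hit an include rule.
    Assumption: with no include rules at all, every event of the type is logged."""
    if any(matches(r, event) for r in exclude):
        return False
    return not include or any(matches(r, event) for r in include)


# Constructed Event ID 3 (network connection) events, not taken from the page.
EVENTS = {
    "chrome_https": {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                     "SourceIp": "192.168.1.5", "SourcePort": 52344, "DestinationPort": 443},
    "loopback": {"Image": r"C:\Windows\System32\svchost.exe",
                 "SourceIp": "127.0.0.1", "SourcePort": 50000, "DestinationPort": 80},
    "backdoor_443": {"Image": r"C:\Users\hjd\Desktop\backdoor_sample.exe",
                     "SourceIp": "192.168.1.5", "SourcePort": 52351, "DestinationPort": 443},
    "backdoor_4444": {"Image": r"C:\Users\hjd\Desktop\backdoor_sample.exe",
                      "SourceIp": "192.168.1.5", "SourcePort": 52352, "DestinationPort": 4444},
}


def evaluate(events=EVENTS, include=INCLUDE, exclude=EXCLUDE):
    """Which of the constructed events the configuration would actually log."""
    return {name: is_logged(ev, include, exclude) for name, ev in events.items()}
```

Calling evaluate(include=[]) shows the effect of dropping the include list: the 4444 connection is then recorded while chrome and loopback traffic stay filtered.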


3. Use VirusTotal to analyze malware

  • Here, the compressed (packed) backdoor program hjd20175311.upxed.exe generated in Experiment 3 was scanned in VirusTotal. The results are as follows. You can see that the detection rate of the file is quite high, and you can see its SHA-1 and MD5 digest values, file type, file size and TRiD file type recognition results.

  • VirusTotal also lists which antivirus engines' signature libraries flagged the file as malicious.

4. Use PEiD to analyze malware

  • Search and download PEiD v0.95 in Baidu, unzip the installation and start, and scan the specific process files
  • Unpacked
  • Compression shell
  • Encryption shell
  • Encryption plus compressed shell
  • From the results of the four scans we can see that PEiD cannot identify any packer that uses encryption.

5. Use Systracer to analyze malware

  • First download Systracer from the material provided by the teacher and install it. The steps are: agree -> select the second option -> set the listening port number
  • Take a snapshot before opening the backdoor: click "take snapshot" as shown in the figure and follow the steps below. Snapshot #1 is shown when finished

  • After the malware is implanted, take a record; Snapshot #2 is displayed when complete. After the malware connects back, take a record; Snapshot #3 is displayed when complete. After performing the corresponding operations on the kali terminal (here webcam_snap and ls were chosen), take a record; Snapshot #4 is displayed when complete
  • Comparing Snapshot #1 and #2, all the places marked in blue are the places that changed between the two. For example, we see the backdoor program file that I added in between. Many files were added and deleted.

  • Comparing Snapshot #2 and #3, you can see that the backdoor appears among the running processes, some key values were added, and you can also see the specific information of the added and deleted files

  • Comparing Snapshot #3 and #4, I ran the ls command and the photo command here, so you should be able to see the startup changes of the camera and related devices on the host. But I don't know why no registry entries show up here


6. Use wireshark for packet capture analysis

  • Open wireshark and select the WLAN interface. After starting the capture, run the malicious program on this machine so that it connects back to the kali virtual machine. After the connection succeeds, stop the capture and enter the filter condition ip.addr == 192.168.1.102 to view the packets
  • From the captured packets you can see that a TCP three-way handshake was completed. These should be the packets generated when the reverse connection was established.
  • Then use pwd, ls, webcam_snap and other commands and analyze the packets they generate. webcam_snap generates many packets when used, which should be caused by the operations required for taking a picture and the memory it occupies.

3. Experimental requirements

Questions after the experiment

Question 1: Suppose you suspect that a host at work has malicious code on it, but it is only a guess, and you want to monitor what the system is doing every day. Design which operations you would monitor and which methods you would use to monitor them.

  • Based on this experiment, we can use the tools from this experiment to do the checking.
    • Use Windows scheduled tasks (schtasks) to monitor whether there are suspicious processes running, network connections and port connections, and collect statistics for analysis
    • Use Sysmon to configure the events you want to see, such as network connections and registry information, and view and analyze them through the generated logs
    • Use Systracer to record snapshots of the currently running processes and compare them
    • Use Wireshark to capture packets and analyze the data flow, looking for suspicious IP addresses and port numbers
    • Use PEiD to check whether a program is packed and analyze its contents

Question 2: If you have determined that a program or process has a problem, what tools do you have to get further information about it?

  • You can use VirusTotal to check it; you can use Systracer to analyze and view its modifications to the registry and files; you can use wireshark to capture and analyze packets to see which IP it connects to and what communication it has with the outside world.

4. Experimental thoughts

  • This is the fourth experiment of network countermeasure technology, and each experiment is extremely difficult. The difficulty of this experiment is not very great, mainly the application of some related software and analysis of related data, but it is still relatively time-consuming and labor-intensive. I think the more time-consuming point is that I don't know where to start when I encounter a bunch of data. I am still very unfamiliar with the things I have just touched, and I don't know the characteristics of malicious code; it takes a lot of practice and energy. However, after this, I have a better understanding of some processes of the system. Through the analysis of the malicious code, I also have a better understanding of the behavior and characteristics of malicious code. Come on ~

Origin www.cnblogs.com/hujidong42/p/12699254.html