2019-2020-2 Network Countermeasure Technology 20175235 Exp4 Malicious Code Analysis

20175235 Zeren Lacuo

Table of Contents

1. Experimental process

  • 1. System operation monitoring

  • 2. Malware analysis

    • Dynamic Analysis

    • Static analysis

1.1 Combining Windows scheduled tasks with the netstat command
  • Steps

    • Run the command schtasks /create /TN 20175235netstat /sc MINUTE /MO 5 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create a scheduled task named 20175235netstat that runs every 5 minutes

    • Create a netstatlog.bat script file on the C drive (you can create a .txt file first, write the contents in Notepad, and then rename it to change the extension to .bat)

      Enter the following:

      date /t >> c:\netstatlog.txt
      time /t >> c:\netstatlog.txt
      netstat -bn >> c:\netstatlog.txt
      
      
    • Open the Task Scheduler (under Computer Management); the newly created task is listed there

    • Double-click the task, open the Actions tab and click Edit, change "Program/script" to the netstatlog.bat batch file created above, and confirm

    • After the script has run for a while, the machine's network connection records for that period can be viewed in the netstatlog.txt file

    • When enough data has been collected, use Excel to analyze it

      • In Excel, open the file via Data -> From Text -> Delimited, and tick all delimiters in the next step.

      • The statistical chart is as follows:

      • Analyze statistical data:

        In ranked order:

        [360DayPop.exe]: 360 pop-up advertisement

        [wps.exe]: WPS

        [360Tray.exe]: 360 monitoring program

        [Explorer.EXE]: program manager

        [HarmonySettingService.exe]: Suspected virus

        [iumsvc.exe]: Unknown

        [Lenovo.HarmonySetting.exe]: Service

        [SoftMgrLite.exe]: 360 assistant

        [updateui.exe]: executable file

        [WeChat.exe]: WeChat

        [vmware-authd.exe]: Virtual machine related process

        [wpscenter.exe]: WPS hotspot

    • Many of these processes belong to software running in the background that was never actively started: the adware is even the most frequent process, there are other self-starting programs, and there is a suspected virus. Cleaning these up not only protects the machine's own information but also keeps the system running smoothly.
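The Excel step above (count how often each process appears in netstatlog.txt and rank the result) can also be done with a small parser. The following is an added example, not part of the original report: it parses a constructed netstatlog.txt in the format netstatlog.bat appends (date /t, time /t, then netstat -bn) and handles the one awkward case in that output, the TIME_WAIT entries that netstat prints without an owning process.

```python
import re
from collections import Counter

# Constructed sample of netstatlog.txt: two snapshots as appended by
# netstatlog.bat (date /t, time /t, netstat -bn). Not a real capture.
SAMPLE_LOG = """\
2020/04/17 Fri
10:00
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49710      203.0.113.10:80        ESTABLISHED
 [360DayPop.exe]
  TCP    192.168.1.5:49711      203.0.113.20:443       TIME_WAIT
  TCP    192.168.1.5:49712      203.0.113.30:443       ESTABLISHED
 [WeChat.exe]
  TCP    192.168.1.5:49713      198.51.100.9:5310      ESTABLISHED
 [HarmonySettingService.exe]
2020/04/17 Fri
10:05
  TCP    192.168.1.5:49720      203.0.113.10:80        ESTABLISHED
 [360DayPop.exe]
  TCP    192.168.1.5:49721      198.51.100.9:5310      ESTABLISHED
  WSHTCPIP.DLL
 [HarmonySettingService.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat_log(text):
    """Return (process, foreign_address, state) for every connection line.
    A [name] line owns only the nearest preceding unowned connection, so
    TIME_WAIT entries (printed by netstat without an owner) stay unowned."""
    records, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            foreign, state = m.group(3), m.group(4)
            records.append(["(unknown)", foreign, state or ""])
            pending = len(records) - 1      # waiting for its [image.exe] line
            continue
        m = OWNER_RE.match(line)
        if m and pending is not None:       # component lines (e.g. a DLL) are skipped
            records[pending][0] = m.group(1)
            pending = None
    return [tuple(r) for r in records]

def rank_processes(records):
    """Connection entries per process, most frequent first (the Excel ranking)."""
    return Counter(r[0] for r in records).most_common()
```

The ranking is the same view the chart in the report gives; the foreign addresses kept in each record are what you would then look up to see who each IP belongs to.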

1.2 Using Sysmon to monitor the system
  • Download and install Sysmon

    • Configuration file:
<Sysmon schemaversion="4.23">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplorer.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">5310</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>

    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
  • Open Event Viewer to view the logs
    The Sysmon log is found under Applications and Services Logs / Microsoft / Windows / Sysmon / Operational
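The configuration above combines an exclude group and an include group for the same NetworkConnect event, and which one wins is not obvious from the XML. The following added example (not part of the original report or of Sysmon) loads the page's NetworkConnect rules and evaluates constructed events against them; it assumes the Sysmon semantics as documented, i.e. a match on any exclude rule drops the event, otherwise the event is logged if it matches any include rule, and string conditions compare case-insensitively.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the NetworkConnect rules from the configuration above (test input).
CONFIG = """<Sysmon schemaversion="4.23"><EventFiltering>
<NetworkConnect onmatch="exclude">
  <Image condition="end with">iexplorer.exe</Image>
  <SourcePort condition="is">137</SourcePort>
  <SourceIp condition="is">127.0.0.1</SourceIp>
</NetworkConnect>
<NetworkConnect onmatch="include">
  <DestinationPort condition="is">5310</DestinationPort>
  <DestinationPort condition="is">80</DestinationPort>
  <DestinationPort condition="is">443</DestinationPort>
</NetworkConnect>
</EventFiltering></Sysmon>"""

def _matches(cond, value, needle):
    value, needle = value.lower(), needle.lower()   # Sysmon compares case-insensitively
    return {"is": value == needle, "is not": value != needle,
            "contains": needle in value, "end with": value.endswith(needle),
            "begin with": value.startswith(needle)}[cond]

def load_rules(xml_text):
    """Return {event_type: {"include": [(field, cond, value), ...], "exclude": [...]}}."""
    rules = {}
    for group in ET.fromstring(xml_text).find("EventFiltering"):
        bucket = rules.setdefault(group.tag, {"include": [], "exclude": []})
        bucket[group.get("onmatch")].extend(
            (f.tag, f.get("condition", "is"), f.text.strip()) for f in group)
    return rules

def would_log(rules, event_type, event):
    """Assumed Sysmon precedence: any exclude match drops the event; otherwise
    the event is logged if it matches any include rule (or no include group exists)."""
    groups = rules[event_type]
    def hit(rule_list):
        return any(_matches(c, str(event.get(f, "")), v) for f, c, v in rule_list)
    if hit(groups["exclude"]):
        return False
    return not groups["include"] or hit(groups["include"])
```

With these rules a connection to port 443 from svchost.exe is logged, the same connection with a source IP of 127.0.0.1 is dropped by the exclude group even though the include group matches, and a connection to port 8080 is never logged because no include rule covers it.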

2. Malware analysis
  • 2.1 Static analysis

    • 1. Use VirusTotal to analyze malware

      The packed backdoor program from Experiment 3 was uploaded to VirusTotal for analysis. The result
      shows its SHA-1 and MD5 digests, file type, file size, TrID file type identification, packer detection, and the algorithm libraries it links

    • 2. Use PEiD for packer detection:

      After installation, drag the program from Experiment 3 into it; the packer and its version are displayed

    • 3. Decompile and disassemble (PE Explorer tool)

      PE Explorer is a powerful visual parser for Delphi, C++ and VB programs; it can quickly decompile 32-bit executables and modify their resources.

      After opening PE Explorer, open the backdoor program zxy_20175227_backdoor.exe; the file header information is shown:

  • 2.2 Dynamic analysis

    • Packet capture (Wireshark)
      ICMP packets when the Kali system and the Windows system ping each other

    • MSF TCP packets during the reverse (bounce) connection

    • Use dir to check the files in the backdoor program's directory on disk; the log is not updated

2. Explanation of experiment content and answers to basic questions

  • 1. Suppose you suspect there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system is doing every day. Design which operations you would monitor and what method you would use to monitor them.

    • Use Windows scheduled tasks (schtasks): regularly check the network connections, including IPs and ports, and analyze the statistics to confirm who each IP belongs to and the details of the process that initiated the connection.

    • Use the Sysmon tool: configure the items you want to monitor, such as network connections and registry changes, and review and analyze the generated logs.

    • Use PEiD and PE Explorer: check whether a program is packed, then disassemble and decompile it to check whether it performs illegal operations.

    • Use Wireshark tool: capture data packets and analyze data flow.

  • 2. If you have determined that there is a problem with a program or process, what tools do you have to get further information about it?

    • Use Wireshark to capture and analyze packets and monitor the communication process with the host.

    • Use Process Explorer to view the libraries it calls, etc.

    • Use PEiD to check whether it is packed

3. Experimental summary

This experiment is very practical and can be used to check for malicious code on my own in the future. It was more difficult than the previous ones and required more software to be installed, but I still gained a lot from it.

Origin www.cnblogs.com/Zrlc/p/12721377.html