2019-2020-2 20175215 Ding Wentao "Network Countermeasure Technology" Exp4 Malicious Code Analysis

1. Overview of practical goals and content

1. Practice goals

  • Monitor the running status of your own system to see if suspicious programs are running.
  • Analyze a piece of malware: the backdoor generated in Exp2 or Exp3. Use native commands or the Sysinternals and SysTracer suites for the analysis as far as possible.
  • If you later suspect that a host at work has a problem, you can follow the approach used in this experiment: first monitor the whole system to see whether anything suspicious can be found, then analyze the suspicious objects further to confirm their specific behaviour and nature.

2. Practice content

  • 2.1 System operation monitoring

    • (1) Use a mechanism such as a scheduled task to record, every minute, which programs on your computer are connected to the network and which external IPs they are connected to. Run it for a while, then analyze the file and summarize the results. The goal is to find out every program that connects to the network, where it connects, and what it did (without capturing packets you can only guess). Do you think this is an appropriate approach? If you want to analyze further, capture packets for the connections of interest.
    • (2) Install and configure the Sysmon tool from Sysinternals, write a reasonable configuration file, and monitor the suspicious behaviour of your host.
    • Reference: schtask and sysmon application guide
  • 2.2 Malware analysis: analyze what the backdoor software does when it (1) starts its reverse connection, (2) installs itself on the target machine, and (3) performs other operations (such as process migration or screen capture). For the backdoor software, determine:

    • What registry keys have been read, added, and deleted
    • What files were read, added, and deleted
    • What external IP it connects to and what data is transmitted (packet capture analysis)

2. Practice content

1. System operation monitoring

1.1 Use schtasks command monitoring system

  • Use the command schtasks /create /TN schtasks5215 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create the scheduled task schtasks5215
    • TN is short for TaskName; the scheduled task created is named schtasks5215;
    • sc is the schedule type; here it is filled in as MINUTE (by the minute);
    • TR = Task Run; the command to run is netstat
    • -bn: b shows the executable file that created each connection, n shows IP addresses and ports numerically;
    • > is output redirection, which stores the output in the file c:\netstatlog.txt
  • Create a file netstat5215.txt and write the following into it
date /t >> c:\netstat5215.txt 
time /t >> c:\netstat5215.txt 
netstat -bn >> c:\netstat5215.txt

Then change the .txt suffix to .bat

  • Open the task scheduler, you can see this newly created task:
  • Double-click this task, open the Actions tab, click Edit, and in the "Start a program" action change the program or script from cmd to netstat5303.bat
  • Change other attributes yourself
  • Run the task schtasks5215 to start recording data in the background, and keep using the computer normally. After about two hours, open netstat20175215.txt in the root of the C drive to view the data
  • Organize the data with Excel
    • The statistics are as follows:
    • The statistical chart is as follows:
  • analysis
    • Common application process
      • QQBrowser.exe: QQ browser process
      • qmbrowser.exe: a child process of QQ browser
      • javaw.exe: Sun Microsystems' related network protocol software. Usually works based on Internet Explorer.
      • TIM.exe: the process of QQ Office Edition
      • BaiduNetdiskHost.exe: Baidu network disk service process
      • wps.exe: The process of wps files.
    • Other processes
      • AppleMobileDeviceService.exe, vmware-hosted, QQMusic.exe, etc.
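As an added example, not part of the original report: a Python script that does the "organize in Excel" step programmatically, parsing the netstat5215.txt log that the batch file above appends to every minute and counting which process talked to which external IP. The log text is constructed here (it is not a capture from the report's machine), and the process name backdoor_sample.exe is a placeholder.

```python
import re
from collections import Counter

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")  # proto local remote [state]
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$|^\s*Can not obtain ownership")   # [proc.exe] or no owner known
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}\b")                              # line written by date /t
TIME_RE = re.compile(r"^\d{1,2}:\d{2}\s*$")                                # line written by time /t

def parse_netstat_log(text):  # -> [(timestamp, proto, local, remote, state, process), ...]
    # netstat -bn prints the owning [process] *after* its connection line(s), so those lines are
    # held back until the bracket line (or "Can not obtain ownership information") arrives.
    records, pending, stamp = [], [], ["", ""]
    def flush(proc):
        records.extend(rec + (proc,) for rec in pending); pending.clear()
    for line in text.splitlines():
        if DATE_RE.match(line):
            flush("?"); stamp[0] = line.split()[0]
        elif TIME_RE.match(line):
            stamp[1] = line.strip()
        elif m := CONN_RE.match(line):
            pending.append((" ".join(stamp),) + m.groups())
        elif m := OWNER_RE.match(line):
            flush(m.group(1) or "?")
    flush("?")
    return records

def external_peers(records):  # Counter of (process, remote IP), ignoring loopback/unspecified/wildcard peers
    pairs = ((proc, remote.rsplit(":", 1)[0]) for _, _, _, remote, _, proc in records)
    return Counter(p for p in pairs if not (p[1].startswith("127.") or p[1] in ("0.0.0.0", "*", "[::]", "[::1]")))

# Constructed sample of what netstat5215.bat appends every minute (date /t, time /t, netstat -bn);
# not a capture from the report's machine. "backdoor_sample.exe" and the peer addresses are placeholders.
SAMPLE_LOG = """\
2020/04/05 Sun
14:31
  Proto  Local Address          Foreign Address        State
  TCP    192.168.30.135:49712   13.107.4.52:443        ESTABLISHED
 [QQBrowser.exe]
  TCP    192.168.30.135:49720   192.168.30.1:4444      ESTABLISHED
 [backdoor_sample.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49155        ESTABLISHED
 [mDNSResponder.exe]
  TCP    192.168.30.135:49730   203.0.113.9:80         TIME_WAIT
 Can not obtain ownership information
2020/04/05 Sun
14:32
  TCP    192.168.30.135:49720   192.168.30.1:4444      ESTABLISHED
 [backdoor_sample.exe]
"""
```

Running external_peers(parse_netstat_log(open(r"c:\netstat5215.txt").read())) on a real log gives the per-process, per-peer counts; a process that keeps the same external peer in every minute's snapshot is the one to look at first.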

1.2 Use the sysmon tool to monitor the system

  • Sysmon is a tool in the Microsoft Sysinternals suite. Before using it, you must write a configuration file. Following the article on using the lightweight tool Sysmon to monitor your system, create the configuration file sysmon20175215.xml.
  • Selectable event filters include ProcessCreate (process creation), FileCreateTime (file creation time), NetworkConnect (network connection), ProcessTerminate (process end), DriverLoad (driver loading), ImageLoad (image loading), CreateRemoteThread (remote thread creation), RawAccessRead (raw read access), ProcessAccess (process access), FileCreate (file creation), RegistryEvent (registry event), FileCreateStreamHash (file stream creation), etc.
  • The content of the configuration file sysmon20175215.xml that was created is at the Gitee (code cloud) link
  • Install Sysmon with sysmon.exe -i C:\Users\Administrator\Sysmon\sysmon20175215.xml; the result of a successful installation is as follows:

  • Open the Event Viewer and select the log location Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. New events are recorded according to the configuration file, with event ID, task category, details, etc.
  • The first event recorded under this configuration file is the opening of the configuration file C:\Users\Administrator\Sysmon\sysmon20175215.xml
  • and the events that follow it
  • After running commands such as shell and getuid, I found a C:\Windows\SysWOW64\cmd.exe process that had not appeared before. As shown in the figure below, SysWOW64 runs 32-bit programs on 64-bit Windows, whereas the normal Windows cmd.exe is 64-bit.

2. Malware analysis

  • Static analysis

    • File scanning (VirusTotal, VirusScan tool, etc.)
    • File format recognition (peid, file, FileAnalyzer tools, etc.)
    • String extraction (Strings tool, etc.)
    • Disassembly (GDB, IDAPro, VC tools, etc.)
    • Decompile (REC, DCC, JAD tools, etc.)
    • Logical structure analysis (Ollydbg, IDAPro tools, etc.)
    • Packing and unpacking (UPX, VMUnPacker tools, etc.)
  • (1) Use VirusTotal to analyze the malware

    • Submit the generated malicious code to VirusTotal for analysis; the basic situation is as follows:
    • Basic information: its SHA-1 and MD5 digests, file type, file size, and the TRiD file type identification results.
    • And the algorithm library support of the malicious code:
  • (2) Use PEiD to analyze the malware
    PEiD (PE Identifier) is a well-known packer detection tool. It can detect almost all packers; the number of PE file packer types and signatures it recognizes exceeds 470.

    • Detecting the unpacked backdoor
    • Detecting the UPX-packed backdoor
    • Detecting the Hyperion-packed backdoor
    • Detection is mostly normal, but the Hyperion encryption shell cannot be identified
  • (3) Use wireshark to capture packets and analyze malware

    • Enter the filter ip.addr == 192.168.30.135 in the Wireshark filter bar to view the packets of the relevant protocols
    • ICMP packets when the Kali system and the Windows system ping each other
    • TCP packets during the MSF reverse connection
    • Use getuid to view the user running the server; SearchUI starts.

SP1. Question answer and experience after the experiment

1. Question answer after experiment

  • (1) Suppose you suspect there is malicious code on a host at work, but it is only a guess, so you want to monitor what the system does every day. Design which operations you would monitor and which methods you would use.
    • Use the schtasks command built into Windows to set up a scheduled task and detect abnormal network connections
    • Use Sysmon and other programs to write configuration files and record related system logs
    • Use Process Explorer, Process Monitor and other tools to monitor process activity.
  • (2) If you have already determined that a program or process has a problem, which tools can you use to obtain further information about it?
    • Use the SysTracer tool to analyze the malware and view its modifications to the registry and files.
    • Use Wireshark to capture and analyze packets and monitor its communication with the host.
    • Use Process Explorer or Process Monitor to monitor file system, registry, and process/thread activity.

2. Experimental experience

This experiment is relatively simple; its content is mainly monitoring your own computer and finding potential malicious code, with the focus on protection and monitoring, using various tools to examine the system. However, I am a bit rusty on the use of some of the backdoor programs; I still need to practise and apply this knowledge.

SP2. References

1. Application guidance for schtask and sysmon
2. 2018-2019-2 network countermeasure technology 20165318 Exp4 malicious code analysis
3. Malicious code analysis

Origin www.cnblogs.com/jxxydwt1999/p/12635033.html