2019-2020-2 20175315 Chen Yuyang "Network Countermeasure Technology" Exp4 Malicious Code Analysis


1 Practice description

1.1 Practice goals

(1) Monitor the running state of your own system and check whether any suspicious program is running.

(2) Analyze a piece of malware: the backdoor generated in Exp2 or Exp3. The analysis tools are native system commands plus the Sysinternals suite and SysTracer.

(3) If you suspect in later work that a host has a problem, you can apply the idea of this experiment: first monitor the whole system to see whether suspicious objects turn up, then analyze those objects further to confirm their specific behavior and nature.

1.2 Basic knowledge

1.2.1 Definition of malicious code

      Assuming that you think there is a problem with your host in future work, you can use this idea in the experiment to first monitor the entire system to see if suspicious objects can be found, and then further analyze the suspicious objects to confirm their specific behavior and nature

1.2.2 Malicious code characteristics

Malicious code has three characteristics: it has a malicious purpose, it is itself a computer program, and it takes effect through execution.

1.2.3 Malicious code classification

Non-infectious, host-dependent malicious code (Trojan horse, logic bomb)

Non-infectious, independent malicious code (dropper, multiplier)

Infectious, host-dependent malicious code (virus)

Infectious, independent malicious code (worm)

2 System operation monitoring

2.1 Windows scheduled tasks schtasks

Requirements: use a mechanism such as scheduled tasks to record, every minute, which programs on your computer are connected to the network and which external IP each one is connected to. Run it for a while, then analyze the file and summarize the results. The goal is to find every program that connects to the network, where it connects, and what it does (without capturing packets you can only guess at the last point). Do you think this is appropriate? For further analysis, packet capture can be targeted at specific programs.

Enter the following command to create a task that runs every minute. Once it is in place, every minute it records which programs are using the network and writes the result to the file netstatlog.txt.

schtasks /create /TN 20175315netstat /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt"

The parameters mean:

/TN is short for TaskName, the name given to the scheduled task;

/sc sets the schedule type; MINUTE means the interval is counted in minutes, and /MO 1 makes it every minute;

/TR is Task Run, the command to run, here netstat -bn: -b shows the executable that owns each connection, -n shows addresses and ports numerically;

> is output redirection, storing the output in the file c:\netstatlog.txt.

Because > overwrites the file on every run, only the last minute would survive. So create a batch file c:\netstatlog.bat on the C drive that appends (>>) a timestamp and the netstat output each time, with the following content:

date /t >> c:\netstatlog.txt
time /t >> c:\netstatlog.txt
netstat -bn >> c:\netstatlog.txt

Open Control Panel -> Administrative Tools -> Task Scheduler and find the task just created.

Open its properties and replace the original cmd command in the action box with c:\netstatlog.bat.

On the General tab, check "Run whether user is logged on or not" and "Run with highest privileges".

After waiting a while, open the c:\netstatlog.txt file created earlier, and we can see:

Following the blog of senior student Zhang Jingyu, we imported the data from the text file into an Excel table and obtained the following chart:

As the chart shows, the program with the most connections is 360, followed by software such as QQ, WeChat, and the League of Legends game that was idling on the computer at the time.
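The Excel step above is the manual way to answer "which programs connect, and where". The same analysis can be scripted. The following is an added example, not part of the original report: a parser for the netstatlog.txt format that the batch file produces (a date /t line, a time /t line, then netstat -bn output, repeated every minute). It counts connections per program and per external host, and lists external connections on ports other than 80/443, which are the ones worth a closer look. The log content, program names, addresses and times are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of c:\netstatlog.txt after two runs of netstatlog.bat
# (date /t, time /t and netstat -bn appended each minute). Programs, addresses
# and times are invented for this example.
SAMPLE_LOG = """\
2020/04/18 Sat
14:05

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      203.0.113.10:443       ESTABLISHED
 [360tray.exe]
  TCP    192.168.1.5:49713      203.0.113.10:443       ESTABLISHED
 [360tray.exe]
  TCP    192.168.1.5:49800      198.51.100.7:80        ESTABLISHED
 [WeChat.exe]
  TCP    192.168.1.5:50001      192.0.2.9:5334         ESTABLISHED
 [backdoor5315.exe]
2020/04/18 Sat
14:06

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      203.0.113.10:443       ESTABLISHED
 [360tray.exe]
  TCP    192.168.1.5:50001      192.0.2.9:5334         ESTABLISHED
 [backdoor5315.exe]
  TCP    127.0.0.1:6000         127.0.0.1:6001         ESTABLISHED
 [QQ.exe]
"""

TIME_RE = re.compile(r"^\s*(\d{1,2}:\d{2})\s*$")            # output of time /t
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
IMAGE_RE = re.compile(r"^\s*\[(.+)\]\s*$")                  # [program.exe] printed by -b


def parse_netstat_log(text):
    """Return (time, proto, local, foreign, state, image) tuples.

    netstat -b prints the owning program in brackets on the line *after* the
    connection (sometimes after an unbracketed DLL component line), so connection
    lines are buffered until their [image] line arrives.
    """
    records, pending, current_time = [], [], None
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            current_time = m.group(1)
            continue
        m = CONN_RE.match(line)
        if m:
            pending.append(m.groups())
            continue
        m = IMAGE_RE.match(line)
        if m:
            for proto, local, foreign, state in pending:
                records.append((current_time, proto, local, foreign, state or "", m.group(1)))
            pending = []
    return records


def external_host(foreign):
    """Host part of 'ip:port'; None for loopback or unspecified addresses."""
    host = foreign.rsplit(":", 1)[0]
    if host in ("0.0.0.0", "*", "[::]") or host.startswith("127."):
        return None
    return host


def summarize(records):
    """Connections per program, and per (program, external host) pair."""
    by_program = Counter(r[5] for r in records)
    by_program_host = Counter()
    for _, _, _, foreign, _, image in records:
        host = external_host(foreign)
        if host:
            by_program_host[(image, host)] += 1
    return by_program, by_program_host


def non_web_connections(records, web_ports=(80, 443)):
    """External connections on ports other than plain web traffic."""
    hits = []
    for time, _, _, foreign, _, image in records:
        host = external_host(foreign)
        if host is None:
            continue
        port = int(foreign.rsplit(":", 1)[1])
        if port not in web_ports:
            hits.append((time, image, host, port))
    return hits


if __name__ == "__main__":
    recs = parse_netstat_log(SAMPLE_LOG)
    programs, hosts = summarize(recs)
    print("connections per program:", programs.most_common())
    print("program -> external host:", hosts.most_common())
    print("non-web external connections:", non_web_connections(recs))
```

To run it on a real log, replace SAMPLE_LOG with the contents of c:\netstatlog.txt; the per-program counter gives the same ranking as the Excel chart, and the last function singles out connections such as the one on port 5334 that the Sysmon rule in the next section also watches for.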

2.2 sysmon tool

Requirement: install and configure the Sysmon tool from Sysinternals, write a reasonable configuration file, and monitor the suspicious behavior of the main activities on your host.

Download the Sysmon tool.

Create a configuration file sysmon.xml with the following content:

<Sysmon schemaversion="4.23">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all driver loads except those whose signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Exclude noise: Internet Explorer (the image name is iexplore.exe, -->
    <!-- not iexplorer.exe), NetBIOS name service and loopback traffic -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Always log connections to the backdoor port and to web ports -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">5334</DestinationPort>
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>

    <!-- Log remote thread creation into core system processes, -->
    <!-- and any remote thread created by powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

Open cmd as administrator and install with the command Sysmon.exe -i sysmon.xml

This completes the installation. Afterwards open Computer Management > Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

The earliest entry in the timeline is Sysmon picking up the sysmon.xml configuration file we created.

3 Malware analysis

3.1 Monitoring the backdoor with Sysmon

Use the backdoor generated in Experiment 3 to connect back to the virtual machine.

Open Event Viewer and refresh; by matching the run time we find the event for the backdoor that was just launched.

We also captured packets here, and the reconnection was in progress after the capture started. The figure below shows the three-way handshake completing.

Back in Kali, use webcam_snap to take a picture; a few more records immediately appear in Event Viewer. One of them is this:

The full name of conhost.exe is Console Host Process, the host process of command-line programs. Simply put, it is a console-handling mechanism that Microsoft introduced for security reasons. WerFault.exe also appeared; this process is the error-reporting program that comes with Windows.
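Finding the backdoor's events by scrolling Event Viewer works for a single run, but the same correlation can be done over an exported log. The following is an added example, not from the original report: it reads Sysmon events saved from Event Viewer as XML (the Windows event schema, with each field in a <Data Name="..."> element), pairs every NetworkConnect (Event ID 3) with the ProcessCreate (Event ID 1) of the same PID so the connection shows who launched the connecting image, lists the children of a given parent, and picks out connections on ports other than 80/443. The four events, paths, PIDs, times and addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample in the shape Event Viewer writes when Sysmon/Operational
# events are saved as XML. Paths, PIDs, times and addresses are invented.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-04-18 06:05:01.000</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Users\student\Desktop\backdoor5315.exe</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-04-18 06:05:02.000</Data>
    <Data Name="ProcessId">4120</Data>
    <Data Name="Image">C:\Users\student\Desktop\backdoor5315.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">192.0.2.9</Data>
    <Data Name="DestinationPort">5334</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-04-18 06:05:03.000</Data>
    <Data Name="ProcessId">4200</Data>
    <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
    <Data Name="ParentImage">C:\Windows\System32\csrss.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-04-18 06:05:04.000</Data>
    <Data Name="ProcessId">1300</Data>
    <Data Name="Image">C:\Program Files\360\360tray.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Flatten each Sysmon <Event> into {'EventID': int, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % EVT_NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def connections_with_origin(events):
    """Pair each NetworkConnect (ID 3) with the ProcessCreate (ID 1) of the same
    PID, so an outbound connection shows both the image and who launched it.
    PIDs are reused over time; a production version should key on ProcessGuid."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    rows = []
    for e in events:
        if e["EventID"] != 3:
            continue
        origin = creates.get(e["ProcessId"], {})
        rows.append({
            "time": e["UtcTime"],
            "image": e["Image"],
            "parent": origin.get("ParentImage", "<no ProcessCreate seen>"),
            "dest": e["DestinationIp"],
            "port": int(e["DestinationPort"]),
        })
    return rows


def children_of(events, parent_suffix):
    """Images started by a parent whose path ends with parent_suffix (case-insensitive)."""
    suffix = parent_suffix.lower()
    return [e["Image"] for e in events
            if e["EventID"] == 1 and e.get("ParentImage", "").lower().endswith(suffix)]


def off_port_connections(rows, web_ports=(80, 443)):
    """Connections that the include rule for ports 80/443 does not explain."""
    return [r for r in rows if r["port"] not in web_ports]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in connections_with_origin(evs):
        print(row)
    print("started by explorer.exe:", children_of(evs, "explorer.exe"))
```

On a real export the same pairing tells you, for each outbound connection, which executable made it and what launched that executable, which is exactly the chain that was reconstructed by hand above (explorer starts the backdoor, the backdoor connects out, helper processes appear once the shell is used).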

Due to the reasons at home, the experiment time span is relatively long, so some screenshots are omitted here, I hope the teacher understands!

3.2 Static analysis

(1) Use VirusTotal to analyze malicious programs

As shown above, the Details tab lists the file's digests under three hash algorithms, its file type and its file format.

(2) Use PEiD to analyze malware

Detection of the unpacked backdoor program

Detection of the backdoor program packed with a compression shell

Detection of the backdoor program packed with an encryption shell

The figures show that the backdoor packed with the compression shell is identified, while the backdoor packed with the encryption shell is not.

Opening Task Manager to view the process, we can also see that while the backdoor program runs it loads many .DLL files, that is, dynamic link libraries.
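PEiD recognizes packers by byte signatures, which is why the compression shell is identified while the encryption shell is not. A signature-free check that still flags both is the entropy of each PE section: compressed or encrypted code is close to uniformly random and scores near 8 bits per byte, while ordinary code and data score well below that. The following is an added example, not part of the original report and not a PEiD feature: it computes the three digests VirusTotal shows, walks the PE section table with the standard library only (no pefile dependency), and reports each section's entropy. Because a real packed binary is not on the page, the block builds a minimal constructed PE image with one plain section and one high-entropy section to exercise the functions; the section names and contents are invented.

```python
import hashlib
import math
import struct
from collections import Counter


def file_hashes(data):
    """The three digests VirusTotal lists in its Details tab."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return 0.0 if h == 0 else h


def pe_sections(data):
    """Minimal PE section-table reader. Returns [(name, raw_bytes)] per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                              # after COFF + optional header
    sections = []
    for i in range(num_sections):
        entry = table + 40 * i                                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_report(data, threshold=7.0):
    """(section, entropy, suspicious) per section; entropy >= threshold suggests packing."""
    report = []
    for name, raw in pe_sections(data):
        h = entropy(raw)
        report.append((name, round(h, 2), h >= threshold))
    return report


def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE image with the given (name, bytes) sections.
    Only the fields pe_sections() reads are filled in; everything else is zero."""
    opt_size = 0
    pe_off = 0x40
    header_end = pe_off + 24 + opt_size + 40 * len(sections)
    body = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", body, 0x3C, pe_off)
    body += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    table, payload, raw_ptr = bytearray(), bytearray(), header_end
    for name, raw in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr) + b"\0" * 16
        payload += raw
        raw_ptr += len(raw)
    return bytes(body + table + payload)


# Constructed stand-ins: NOP-filled code (entropy 0) and uniformly distributed
# bytes (entropy 8) in place of real compressed or encrypted section content.
SAMPLE_PE = build_sample_pe([(".text", b"\x90" * 1024), ("UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    print(file_hashes(SAMPLE_PE))
    for row in packing_report(SAMPLE_PE):
        print(row)
```

To use it on the backdoor files from the experiment, read each one with open(path, "rb").read() and pass the bytes to file_hashes and packing_report; the encryption-shelled variant that PEiD cannot name will still show a section at or near 8.0.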

3.3 Dynamic analysis (SysTracer tool)

First download and install SysTracer.

Click to create a snapshot, I created three for comparison, namely:

   Snapshot # 1: do nothing

   Snapshot # 2: Run the backdoor program and successfully bounce the connection

   Snapshot # 3: Run the webcam_snap command

The following is a comparison chart:

This is after running the backdoor to bounce the connection: we can see that the implanted backdoor5315.exe has been added, and that many files were added and deleted.

Changes to the registry

Many DLL files added

4 Question answer

(1) If you suspect malicious code on a host at work but it is only a guess, and you want to monitor what the system is doing every day, which operations would you monitor and with which methods?

Answer: 1. Use schtasks to monitor the machine and organize the monitoring records after it has run for a period of time. 2. Use Sysmon, configure the options you want to observe, such as network connections and registry information, and review and analyze the generated logs. 3. SysTracer can also be used to take targeted snapshots of the running state, compare them, and determine whether the registry was added to or deleted from.

(2) If you have determined that a program or process has a problem, which tools can give you further information about it?

Answer: Use Wireshark to capture and analyze packets and monitor its communication with the host; use SysTracer to analyze it and view its modifications to the registry and files.

5 Experimental thoughts

This experiment is simpler than the previous ones, but what matters more is that the comparative analysis requires me to take it seriously. The hard part for me is that there is a lot of data and it is difficult to find exactly the data I want; getting through the data analysis is also a big problem. Although it is indeed a bit tiring, this tiredness also helped me understand malicious code better. Then, because of some things at home, the time span of this experiment is relatively long and some places are missing details. I apologize to the teacher here.


Source: www.cnblogs.com/cyygxy/p/12729476.html