2019-2020-2 20175305 Zhang Tianyu "Network Countermeasure Technology" Exp4 Malicious Code Analysis


1. Practice goals

1.1 Monitor the running state of your own system to see whether any suspicious programs are running.

1.2 Analyze a piece of malware: analyze the backdoor generated in Exp2 or Exp3, using native commands or the Sysinternals and SysTracer suites as the analysis tools as far as possible.

1.3 If in future work you suspect that one of your hosts has a problem, you can apply the approach of this experiment: first monitor the whole system to see whether suspicious objects can be found, then analyze those objects further to confirm their specific behaviour and nature.

2. Practice content and steps

2.1 System operation monitoring

(1) Use a mechanism such as a scheduled task to record, every minute, which programs on your computer are connected to the network and which external IPs they are connected to. Run it for a while, then analyze the resulting file and summarize the results. The goal is to find every program that connects to the network, where it connects, and what it does (without packet capture you can only guess at the last point). Do you think this is adequate? For deeper analysis you can capture packets in a targeted way.

(2) Install and configure the sysmon tool from Sysinternals, set a reasonable configuration file, and monitor the main suspicious behaviour on your host.

2.2 Malware analysis

Analyze the backdoor software at the moments when it (1) starts the reverse connection, (2) is installed on the target machine, and (3) performs any other operation (such as process migration or screen capture; the important thing is that you are interested in it). For the backdoor software, determine:

(3) which registry entries it reads, adds and deletes;

(4) which files it reads, adds and deletes;

(5) which external IPs it connects to and what data it transmits (packet capture analysis).

This experiment focuses on "analysis", not on "how to use a particular piece of software". Team leaders and project leaders are asked to be more detailed; the others can concentrate on the analysis.

Practice record

Task 1: Use the schtasks command to monitor the system (use a scheduled task to record every minute which programs on your computer are connected to the network and which external IPs they connect to; run it for a while, then analyze the file and summarize the results)

Create a netstat5305.bat script file on the C drive and write the following:

rem append the current date and time to the log so each sample can be told apart
date /t >> c:\netstat5305.txt
time /t >> c:\netstat5305.txt
rem -b lists the executable owning each connection, -n keeps addresses and ports numeric
netstat -bn >> c:\netstat5305.txt

Use the command schtasks /create /TN netstat5305 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create the scheduled task netstat5305.

TN is short for TaskName; the scheduled task we created is named netstat5305.
sc specifies the schedule type; MINUTE means the task is scheduled in minutes (with /MO 1, once every minute).
TR stands for Task Run, the command to execute, here netstat -bn: -b shows the executable that created each connection and -n displays addresses and ports in numeric form.
> is output redirection, which stores the output in the file c:\netstatlog.txt:

Open Control Panel, search for Administrative Tools, open Task Scheduler and find the newly created task netstat5305:

Double-click the task, open the Actions tab and click Edit; change "Program/script" to the netstat5305.bat batch file we created, clear the optional arguments and click OK. In the Conditions tab, so that enough data is collected, untick the default power option "Start the task only if the computer is on AC power". Then, in the General tab, select "Run with highest privileges" and click OK to save:

When enough data has been recorded, stop the task and analyze the collected data in Excel. The machine must stay switched on and connected to the network for the whole monitoring period. After waiting for a while, sort the stored data in an Excel sheet. The statistics are as follows:

The statistical chart is as follows:
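As an added example (not part of the original report), the following Python script does the analysis step that the report did in Excel: it parses a log in the format netstat5305.bat produces and lists, per program, the remote endpoints it connected to. The log excerpt is constructed, and the program names and addresses in it are hypothetical.

```python
import re
from ipaddress import ip_address
# Constructed excerpt of c:\netstat5305.txt: each minute the batch file appends
# "date /t", "time /t" and the output of "netstat -bn" (all values hypothetical).
SAMPLE_LOG = """\
2020/04/18 Sat
10:01
  TCP    192.168.10.128:49812   192.168.10.131:5305    ESTABLISHED
 [20175305_backdoor.exe]
  TCP    192.168.10.128:49900   13.107.4.52:443        ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:49300        127.0.0.1:49301        ESTABLISHED
 [firefox.exe]
10:02
  TCP    192.168.10.128:49812   192.168.10.131:5305    ESTABLISHED
 [20175305_backdoor.exe]
  TCP    192.168.10.128:49901   13.107.4.52:443        TIME_WAIT
"""

CONN_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)')
IMAGE_RE = re.compile(r'^\s*\[(.+)\]\s*$')   # " [chrome.exe]" line printed by -b
TIME_RE = re.compile(r'^\s*(\d{1,2}:\d{2})')  # output of "time /t"

def parse_netstat_log(text):
    """One dict per connection line, tagged with its sample time and owning image."""
    entries, last, when = [], None, None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            proto, _local, foreign, state = m.groups()
            host, _, port = foreign.rpartition(':')
            last = {'time': when, 'proto': proto, 'foreign_ip': host.strip('[]'),
                    'foreign_port': port, 'state': state, 'image': None}
            entries.append(last)
        elif (m := IMAGE_RE.match(line)) and last is not None:
            last['image'] = m.group(1)        # -b prints the owner after the connection
        elif m := TIME_RE.match(line):
            when, last = m.group(1), None
    return entries

def peers_by_image(entries):
    """Map each program to the remote endpoints it talked to, dropping loopback traffic."""
    peers = {}
    for e in entries:
        try:
            ip = ip_address(e['foreign_ip'])
        except ValueError:                    # "*:*" on UDP and listening sockets
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            peers.setdefault(e['image'] or '<unknown>', set()).add((e['foreign_ip'], e['foreign_port']))
    return peers
```

Connections in TIME_WAIT carry no owner in netstat -b output, so they end up under '<unknown>'; a program that appears in every minute's sample talking to one fixed address, as the backdoor does here, is exactly the pattern worth looking at more closely.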

Task 2: Use the sysmon tool to monitor the system (install and configure the sysmon tool from Sysinternals, set a reasonable configuration file, and monitor the main suspicious behaviour on your host.)

Sysmon is a tool from Microsoft's Sysinternals suite. It is installed as a system service and device driver and stays resident after installation. Sysmon monitors and records system activity to the Windows event log, providing detailed information about process creation, network connections and changes to file creation times.

The selectable event filters include ProcessCreate (process creation), FileCreateTime (file creation time changed), NetworkConnect (network connection), ProcessTerminate (process end), DriverLoad (driver loading), ImageLoad (image loading), CreateRemoteThread (remote thread creation), RawAccessRead (raw disk read access), ProcessAccess (process access), FileCreate (file creation), RegistryEvent (registry event), FileCreateStreamHash (file stream creation), and so on.

Download and unzip SysinternalsSuite.zip, then create a configuration file sysmon20175305.xml in the SysinternalsSuite directory. Event filters can be added to the configuration file; the specific filter options are as follows:

  • The filter options for ProcessCreate (process creation) are: UtcTime, ProcessGuid, ProcessId, Image, CommandLine, CurrentDirectory, User, LogonGuid, LogonId, TerminalSessionId, IntegrityLevel, Hashes, ParentProcessGuid, ParentProcessId, ParentImage, ParentCommandLine
  • The filter options for FileCreateTime (file creation time changed) are: UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime
  • The filter options for NetworkConnect (network connection) are: UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName
  • The filter options for CreateRemoteThread (remote thread creation) are: UtcTime, SourceProcessGuid, SourceProcessId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, NewThreadId, StartAddress, StartModule, StartFunction

According to these filtering events, choose to write a configuration file sysmon20175305.xml:

<Sysmon schemaversion="7.18">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 6: log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>

    <!-- Event ID 3: log every network connection except those made by the
         listed browsers, by the NetBIOS name service (port 137) or over loopback.
         Internet Explorer's binary is iexplore.exe, so that is the name to match. -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">iexplore.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Event ID 8: log only remote threads created in these system processes
         or created by powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>

exclude works like a whitelist: events matching the rules are not recorded. include works like a blacklist: only events matching the rules are recorded.
The Image conditions need to be changed according to the browser you use; here "2345 Accelerated Browser" and "360 Safe Browser" are whitelisted. At the same time the loopback address 127.0.0.1 and port 137 are excluded; the main function of port 137 is the NetBIOS name-to-IP lookup service on the local area network. HTTP port 80 and HTTPS port 443 remain visible.
The CreateRemoteThread rule records remote thread creation involving explorer.exe, svchost.exe, firefox.exe, winlogon.exe and powershell.exe:
explorer.exe is the Windows program manager / file explorer.
svchost.exe is a system program belonging to Microsoft Windows; it is the generic host process name for services that run from dynamic link libraries (DLLs).
winlogon.exe is the Windows NT user logon program, which manages user logon and logoff.
powershell.exe is the newer Windows command-line shell designed specifically for system administrators; it includes an interactive prompt and a scripting environment, which can be used independently or together.

After writing it, run Sysmon64.exe -i sysmon20175305.xml in a cmd window opened as administrator to install it.

Open Event Viewer; under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational we can see the new events recorded according to the configuration file, together with their event ID, task category and details:

You can see that the first log entry recorded under the configuration file C:\Users\qinghuan\Desktop\Sysmon\sysmon20175305.xml is the opening of the configuration file itself; then we run the backdoor program from the previous experiment 3:

The running record of the backdoor program can be found in the event viewer:

The following information can be obtained from the figure:

Program: C:\Users\qinghuan\Desktop\20175305_backdoor.exe
Protocol: tcp
Source IP address: 192.168.10.128 (the Windows IP)
Destination IP address: 192.168.10.131 (the Kali IP)
Destination port: 5305
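As an added example (not the report's own code), this Python script applies the NetworkConnect exclude rules from the configuration above to Sysmon events exported as XML and returns the Event ID 3 records that survive, i.e. the ones Event Viewer would show. The events are constructed: the backdoor's fields mirror the values read from the event viewer, the other events are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}

# Constructed events in the shape Sysmon writes to the Operational log; the backdoor
# values mirror the ones read from the event viewer above, the rest are hypothetical.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>3</EventID></System><EventData>
  <Data Name="Image">C:\Users\qinghuan\Desktop\20175305_backdoor.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="SourceIp">192.168.10.128</Data>
  <Data Name="SourcePort">49812</Data>
  <Data Name="DestinationIp">192.168.10.131</Data>
  <Data Name="DestinationPort">5305</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
  <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="SourceIp">192.168.10.128</Data>
  <Data Name="SourcePort">49900</Data>
  <Data Name="DestinationIp">13.107.4.52</Data>
  <Data Name="DestinationPort">443</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
</EventData></Event>
</Events>"""

# The same rules as the <NetworkConnect onmatch="exclude"> block (Internet Explorer is iexplore.exe).
EXCLUDE_RULES = [('Image', 'end with', 'chrome.exe'), ('Image', 'end with', 'iexplore.exe'),
                 ('SourcePort', 'is', '137'), ('SourceIp', 'is', '127.0.0.1')]

def matches(value, condition, pattern):
    """Evaluate one Sysmon rule; Sysmon compares strings case-insensitively."""
    v, p = value.lower(), pattern.lower()
    return {'is': v == p, 'contains': p in v,
            'begin with': v.startswith(p), 'end with': v.endswith(p)}[condition]

def parse_events(xml_text):
    """Yield (EventID, {field: value}) for every event in the exported XML."""
    for ev in ET.fromstring(xml_text).findall('e:Event', NS):
        event_id = int(ev.find('e:System/e:EventID', NS).text)
        data = {d.get('Name'): d.text for d in ev.findall('e:EventData/e:Data', NS)}
        yield event_id, data

def network_connects(xml_text, rules=EXCLUDE_RULES):
    """Event ID 3 records that survive the exclude filter (any matching rule drops the event)."""
    return [data for event_id, data in parse_events(xml_text)
            if event_id == 3 and not any(matches(data.get(f, ''), c, p) for f, c, p in rules)]
```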

Task 3: Malware analysis

Static analysis

  • File scanning (VirusTotal, VirusScan tool, etc.)
  • File format recognition (peid, file, FileAnalyzer tools, etc.)
  • String extraction (Strings tool, etc.)
  • Disassembly (GDB, IDAPro, VC tools, etc.)
  • Decompile (REC, DCC, JAD tools, etc.)
  • Logical structure analysis (Ollydbg, IDAPro tools, etc.)
  • Packing and unpacking (UPX, VMUnPacker tools, etc.)

(1) File scanning (virustotal):

(2) File format identification (PEiD)

PEiD (PE Identifier) is a well-known packer-identification tool. It can detect almost all packers; its signature database covers more than 470 packer and compiler signatures for PE files.
It has three scan modes: normal scan, deep scan and core scan.
Scan the backdoor file: PEiD's main function is packer detection, so first look at the unpacked backdoor:

Then scan the packed program:

(3) Use PE Explorer to analyze malware

PE Explorer is a powerful visual parser for Delphi, C++ and VB programs; it can quickly disassemble 32-bit executables and modify their resources. The software supports plug-ins, so its functionality can be extended by adding them; the vendor bundles a UPX unpacking plug-in, a scanner and a disassembler with the tool.
Mainly look at the file header information and the DLL files it imports:

You can also see the version information of the software:

Dynamic Analysis

  • Snapshot comparison (SysTracer, Filesnap, Regsnap tools, etc.)
  • Packet capture analysis (Wireshark tools, etc.)
  • Behavior monitoring (Filemon, Regmon, Process Explorer tools, etc.)
  • Sandbox (NormanSandbox, CWSandbox tools, etc.)
  • Dynamic trace debugging (Ollydbg, IDAPro tools, etc.)

Download and install SysTracer; click Take Snapshot and then Start to begin capturing, and Stop to stop and store the snapshot.
  • Snapshot 1 (Snapshot #1): the backdoor program has not been implanted
  • Snapshot 2 (Snapshot #2): the backdoor program has been implanted
  • Snapshot 3 (Snapshot #3): the backdoor program runs and establishes the reverse connection
  • Snapshot 4 (Snapshot #4): the webcam_snap command is executed from Kali
  • Snapshot 5 (Snapshot #5): the getuid command is executed

Click Compare; this time compare snapshot 1 with snapshot 2, and snapshot 2 with snapshot 3:

Many .dll files (dynamic link libraries) have been deleted and many others added; this is how the backdoor disguises itself and stays hidden:

Use Wireshark to analyze malware

Start capturing in Wireshark, connect back to Kali, enter dir in Kali, then stop the capture. We can see a large number of TCP packets, including the packets belonging to the reverse connection and the data transmitted by the dir command. From the packets we can read the source IP, destination IP, source port, destination port and the transmitted data:

Kali obtains the command shell and enters dir; capture the packets:

The captured traffic includes the TCP SYN packet sent by Windows to Kali to request the connection, the SYN+ACK packet sent back by Kali to Windows, the ACK packet transmitted from Kali to Windows, PSH+ACK packets carrying data, and so on.

3. Basic question answering

1. If you suspect that there is malicious code on a host at work, but it is only a guess, and you want to monitor what the system does every day, describe which operations you would monitor and which methods you would use.

Answer: Use the schtasks command to set up a scheduled task and look for abnormal network connections; use sysmon to monitor the host with a written configuration file and record the relevant system logs; scan statically with VirusTotal and VirusScan; compare dynamic snapshots.

2. If you have determined that a program or process has a problem, what tools can you use to obtain further information about it?

Answer: Use the Process Explorer tool to analyze and monitor its file system and registry activity; use the SysTracer tool to check whether the process has modified the registry and files; and use Wireshark to capture packets and see what data the process has transferred.

4. Experimental summary and experience

This experiment has taught me a lot. The knowledge includes the use of various commands and tools, and the static and dynamic analysis of backdoor programs. The experiment is not difficult, but there is a lot of software to download and the analysis is extensive; it let me master several very practical tools: SysTracer to look at processes, Excel to organize the data, and Sysmon to monitor and analyze logs. The biggest gain is an understanding of the various characteristics of malicious code, which will be of great help in future investigation and prevention.

Origin www.cnblogs.com/zhangtianyu/p/12729711.html