# 2019-2020-2 Cyber confrontation technology 20175333 Cao Yakun Exp4 Malicious code analysis

Experimental content

  1. Practical goals
    Monitor the running status of your own system to see whether any suspicious programs are running.
    Analyze a piece of malware: analyze the backdoor generated in Exp2 or Exp3. For analysis tools, try to use native commands, Sysinternals, or the SysTracer suite.
    The assumption is that in future work you suspect something is wrong with your host. You can then apply the approach practised in this experiment: first monitor the whole system to see whether a suspicious object can be found, then analyze that object further to confirm its specific behaviour and nature.

  2. Practical content
    2.1 System operation monitoring
    (1) Use a scheduled task or similar to record, every minute, which programs on your computer are connected to the network and which external IPs they connect to. Run it for a period of time, analyze the resulting file, and summarize the results.
    (2) Install and configure the sysmon tool from Sysinternals, write a reasonable configuration file, and monitor the suspicious behaviour of your host.
    2.2 Analyze the software when it (1) starts the reverse connection, (2) is installed on the target machine, and (3) performs any other operation (such as process migration or screen capture; the important thing is that you are interested in it).
    For the backdoor software, determine:
    which registry entries it reads, adds, and deletes;
    which files it reads, adds, and deletes;
    which external IPs it connects to, and what data is transferred.

Questions and answers

  1. If you suspect there is malicious code on a host at work, but it is only a guess, you want to monitor what the system is doing every day. Design which operations you want to monitor and which method to use to monitor them.

    • Use the schtasks command that comes with Windows to set up a scheduled task that records network connections, so that abnormal connections can be found.
    • Use Sysmon with a written configuration file to record the relevant system logs.
    • Capture packets to analyze abnormal data transmission.
  2. If you have determined that a program or process has a problem, what tools do you have to get further information about it?

    • Use the SysTracer tool to analyze the malware and view its modifications to the registry and files.
    • Use Wireshark to capture packets and monitor the communication performed by the host.
    • Use static analysis tools to check whether the file is packed (shelled) and whether it is malicious code missed by the antivirus software.

Experimental task

Task 1: Use schtasks command to monitor the system

1. Use the command schtasks /create /TN netstat5333 /sc MINUTE /MO 1 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to create a scheduled task named netstat5333

  • TN is the abbreviation of TaskName; the name of the scheduled task we created is netstat5333;
  • sc is the schedule type; we use MINUTE, and /MO 1 means every minute;
  • TR = Task Run, the command to be run, here netstat -bn;
  • -bn: b displays the executable that created each connection, n displays addresses and ports as numbers;
  • '>' means output redirection, storing the output in the c:\netstatlog.txt file

2. Create a netstat5333.bat script file on the C drive with the following content (the date and time lines stamp each netstat sample so the records can later be grouped by time):

```bat
rem stamp each sample with the date and time, then append the connection list
date /t >> c:\netstat5333.txt
time /t >> c:\netstat5333.txt
netstat -bn >> c:\netstat5333.txt
```

3. Open the Task Scheduler; the newly created task can be seen there.

4. Double-click this task and click Actions -> Edit to change the program to run to the netstat5333.bat file we created.

5. Under the General tab, tick "Run whether user is logged on or not" and "Run with highest privileges".

6. After the script has run for a certain period of time, the network records of this machine over that period can be viewed in the netstat5333.txt file.

7. When enough data has been recorded, stop the task and analyze the obtained data in Excel. (The machine must stay on and connected to the network for the whole monitoring period, so wait a while before stopping.) Organize the stored data in an Excel table.

statistical results:
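An added script (not part of the original report) that does the summarizing of step 7 directly on the file netstat5333.bat produces: it attaches the date/time stamps to each netstat -bn sample, maps every process to the remote addresses it talked to, and flags any process not on a list of known programs. The process name cyk_backdoor.exe and the Kali address 192.168.253.128 come from this report; the sample log itself and the other addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of the file netstat5333.bat appends to every minute
# (date /t, time /t, then netstat -bn); not a real capture from the report.
SAMPLE_LOG = """\
Wed 04/15/2020
10:30
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      192.168.253.128:5333   ESTABLISHED
 [cyk_backdoor.exe]
  TCP    192.168.1.5:49713      172.217.160.78:443     ESTABLISHED
 [chrome.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49680        ESTABLISHED
 [svchost.exe]
Wed 04/15/2020
10:31
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      192.168.253.128:5333   ESTABLISHED
 [cyk_backdoor.exe]
"""
CONN_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+)")  # TCP rows; group 1 = foreign address
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")      # [owner.exe] line printed by -b
TIME_RE = re.compile(r"^\d{1,2}:\d{2}")         # output of time /t

def parse_netstat_log(text):
    """Return (timestamp, process, foreign_ip, foreign_port) records; netstat -bn
    prints each connection first and its owning [process] on the next line."""
    records, stamp, pending, prev = [], "?", None, ""
    for line in text.splitlines():
        if TIME_RE.match(line.strip()):
            stamp = f"{prev.strip()} {line.strip()}"  # date /t line comes just before
        elif (m := CONN_RE.match(line)):
            host, _, port = m.group(1).rpartition(":")
            pending = (host.strip("[]"), port)        # strip IPv6 brackets
        elif (m := PROC_RE.match(line)) and pending:
            records.append((stamp, m.group(1)) + pending)
            pending = None
        prev = line
    return records

def summarize(records, known_ok=()):
    """Map each process to its non-loopback peers; flag processes not in known_ok."""
    per_proc = defaultdict(set)
    for _, proc, ip, port in records:
        addr = ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):   # skip local/listening rows
            per_proc[proc].add((ip, port, "private" if addr.is_private else "public"))
    return dict(per_proc), sorted(p for p in per_proc if p not in known_ok)
```

In the lab the Kali machine sits on a private subnet, so the backdoor's peer is reported as "private"; on a real host a flagged process talking to a public address deserves the same closer look.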

Task 2: Use the sysmon tool to monitor the system

  • sysmon is a tool in the Microsoft Sysinternals suite. Before using sysmon you must first write a configuration file. Referring to the article on using the lightweight tool Sysmon to monitor your system, create the configuration file sysmon20175333.xml.

  • The available event filters include:
    ProcessCreate: process creation; FileCreateTime: file creation time changed
    NetworkConnect: network connection; ProcessTerminate: process end
    DriverLoad: driver loading; ImageLoad: image (DLL) loading
    CreateRemoteThread: remote thread creation; RawAccessRead: raw disk read
    ProcessAccess: process access; FileCreate: file creation
    RegistryEvent: registry events; FileCreateStreamHash: file stream creation; etc.

1. Create a configuration file

  • Referring to a senior student's blog, create the configuration file sysmon20175333.xml:

```xml
<Sysmon schemaversion="3.10">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Record process creation, except for the two browsers -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">MicrosoftEdgeCP.exe</Image>
    </ProcessCreate>

    <!-- Always record processes started from cmd.exe -->
    <ProcessCreate onmatch="include">
      <ParentImage condition="end with">cmd.exe</ParentImage>
    </ProcessCreate>

    <!-- File creation-time changes, except by the two browsers -->
    <FileCreateTime onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">MicrosoftEdgeCP.exe</Image>
    </FileCreateTime>

    <!-- Network connections, except browser traffic, loopback and source port 137 -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">chrome.exe</Image>
      <Image condition="end with">MicrosoftEdgeCP.exe</Image>
      <SourcePort condition="is">137</SourcePort>
      <SourceIp condition="is">127.0.0.1</SourceIp>
    </NetworkConnect>

    <!-- Always record connections to port 80 and to the backdoor port 5333 -->
    <NetworkConnect onmatch="include">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">5333</DestinationPort>
    </NetworkConnect>

    <!-- Remote threads created in these targets, or created by powershell.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">explorer.exe</TargetImage>
      <TargetImage condition="end with">svchost.exe</TargetImage>
      <TargetImage condition="end with">MicrosoftEdgeCP.exe</TargetImage>
      <TargetImage condition="end with">winlogon.exe</TargetImage>
      <SourceImage condition="end with">powershell.exe</SourceImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
```
  • 3.10 means the Sysmon schema version in use is 3.10.
  • exclude is equivalent to a whitelist: matching events are not recorded. include is equivalent to a blacklist: matching events are recorded.
  • The Image conditions change according to the browser you use: Google Chrome is "chrome.exe", Internet Explorer is "iexplore.exe", Firefox is "firefox.exe". If you want to know the process name of your browser, look at the records in "netstat5333.txt".
  • NetworkConnect filters out the browsers' network connections, connections with source IP 127.0.0.1 and connections with source port 137, and records connections with destination port 80 (http) and 5333 (the port the backdoor connects back on).
  • CreateRemoteThread (remote thread creation) records remote threads whose target is explorer.exe, svchost.exe, MicrosoftEdgeCP.exe or winlogon.exe, and those whose source is powershell.exe
    • explorer.exe is the Windows program manager / file explorer
    • svchost.exe is a system program belonging to Microsoft Windows and is the generic host process name for services run from dynamic link libraries (DLLs).
    • winlogon.exe is the Windows NT user logon program used to manage user logon and logoff.
    • powershell.exe is a Windows command-line shell designed specifically for system administrators. It includes an interactive prompt and a scripting environment, which can be used independently or in combination.

2. Install sysmon (install with administrator rights)

  • Run the command sysmon.exe -i C:\sysmon20175333.xml; a successful installation looks as follows:

3. View logs

  • Open the "Event Viewer" and select the log location Applications and Services Logs / Microsoft / Windows / Sysmon / Operational. Here we can see the new events recorded according to the configuration file, together with the event ID, task category, details, etc.

4. Analyze logs
Analyze the backdoor file generated by yourself

  • Start the reverse connection to Kali

  • Find the log entry corresponding to the backdoor file and open the event; it belongs to "NetworkConnect". In the detailed information you can see the specific location of the backdoor image file, the source IP and port, the destination IP and port, etc.

  • Execute operations such as shell and getuid:
    two new log entries are generated no matter what operation is performed, and nothing specific can be seen from them.
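Added example, not from the original report: a script that reads an Event Viewer XML export of the Sysmon/Operational log and pulls out the two things the configuration above is meant to catch, NetworkConnect events (ID 3) to the backdoor port 5333 and CreateRemoteThread events (ID 8) against explorer.exe. The events are constructed in the shape of Sysmon's event data; the file paths and addresses are assumed.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample in the shape of an Event Viewer XML export of the
# Microsoft-Windows-Sysmon/Operational log; not a real log from the report.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-15T02:31:07Z"/></System>
 <EventData>
  <Data Name="Image">C:\Users\cyk\Desktop\cyk_backdoor.exe</Data>
  <Data Name="SourceIp">192.168.1.5</Data><Data Name="SourcePort">49712</Data>
  <Data Name="DestinationIp">192.168.253.128</Data><Data Name="DestinationPort">5333</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2020-04-15T02:31:09Z"/></System>
 <EventData>
  <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  <Data Name="SourceIp">192.168.1.5</Data><Data Name="SourcePort">49713</Data>
  <Data Name="DestinationIp">172.217.160.78</Data><Data Name="DestinationPort">80</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>8</EventID><TimeCreated SystemTime="2020-04-15T02:33:00Z"/></System>
 <EventData>
  <Data Name="SourceImage">C:\Users\cyk\Desktop\cyk_backdoor.exe</Data>
  <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
 </EventData></Event>
</Events>"""

def load_events(xml_text):
    """Flatten every <Event> into {'EventID': int, 'Time': str, <Data Name>: text}."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               "Time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.iterfind("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text
        events.append(rec)
    return events

def connections_to_port(events, port):
    """Event ID 3 (NetworkConnect): (image, destination IP) pairs for one port."""
    return [(e["Image"], e["DestinationIp"]) for e in events
            if e["EventID"] == 3 and e.get("DestinationPort") == str(port)]

def remote_threads(events):
    """Event ID 8 (CreateRemoteThread): (source image, target image) pairs."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events if e["EventID"] == 8]
```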

Task 3: Malware analysis

1. Use VirusTotal to analyze the malware

  • Submit the generated malicious code to VirusTotal for analysis (the VirusScan tool can also be used)

  • Looking at the basic properties of this malicious code, we can see its SHA-1 and MD5 digest values, file type, and file size.

  • The algorithm libraries supported by the malware

2. Analyze the backdoor file generated by yourself with Wireshark packet capture

  • Start the reverse connection and set the filter rule to ip.addr == 192.168.253.128 (the Kali IP)

  • A large number of TCP packets can be seen, including the SYN synchronization request packet sent by Windows to Kali, the SYN synchronization request and ACK acknowledgement packet sent by Kali to Windows, the ACK packets sent by Kali to Windows, PSH+ACK packets, and so on.

  • Run webcam_snap, screenshot and other commands; this time there are more packets with a long byte length, which should be the data of the screenshot or photo, but nothing specific can be seen in them.

3. Use SysTracer to analyze the malware

  • Download and install the SysTracer tool, and set the port number to 5333
  • Click "Take snapshot" on the right to store a snapshot
    • Snapshot 1: the backdoor program is not running
    • Snapshot 2: Kali opens msfconsole, starts listening after completing the relevant settings, and the Windows backdoor is run
    • Snapshot 3: Kali uses the camera (takes a photo)
    • Snapshot 4: Kali uses the host's audio device (records audio)

  • Snapshot analysis:
    • Click Applications -> Running Processes -> find the backdoor process "cyk_backdoor.exe" -> click "Opened Ports" to view the callback address, the remote address and the port number

    • Click "Compare" in the lower right corner of "Snapshots" on the snapshot interface to compare the changes in the computer before and after the reverse connection. All the blue marks are the places that changed.

    • The backdoor generated many files, directories, registry keys and connections

Experimental experience
This experiment took a long time, mainly because it requires the knowledge and tools of the previous experiments and also involves getting to know new software. The large amount of data produced by this new software is overwhelming for someone like me with no analysis experience. While completing this experiment I learned how to monitor the running status of my system, how to analyze malware, how to use Excel to analyze data, and how to write configuration files myself. By analyzing the data, we have a better understanding of what the backdoor program does and a deeper understanding of malicious code.

Origin www.cnblogs.com/Hf-Hf/p/12729775.html