20155339 Exp4 malicious code analysis

Answer questions after the experiment

(1) Suppose you suspect that a host at work has malicious code on it, but it is only a guess, and you want to monitor what the system is actually doing day to day. Design which operations you want to monitor and how you would monitor them.

  • Monitor network connections.
  • When several instances of a system process appear, monitor them closely.
  • Monitor registry changes.
  • Monitor unknown IPs for unusually frequent connections.
  • Monitor system logs for changes.

(2) If you have already determined that a program or process is a problem, what tools can you use to obtain further information about it?

  • Create a scheduled task to track the network connections of the process.
  • Use SysTracer to take several snapshots of the system and compare snapshots taken at different times to analyze what changed in the registry.
  • Use Wireshark to capture the program's packets.
  • Use Process Explorer to obtain information such as its command line, path, the port it connects to, and the port it opens on the machine.

Experiment summary and experience

Through this experiment, the anxiety of the last experiment was relieved, and I learned how to check the status of the system and analyze the existence of malicious code. It may not be difficult to implant a backdoor, so the analysis of the state of the system and the backdoor is particularly important. Compared with backdoor attacks, the analysis is a bit boring, but the analysis is extremely important.

Practice process record

Windows scheduled tasks: schtasks

  • To start creating a task, first create a text document to hold the output and copy it to the C drive.
  • Use the command schtasks /create /TN netstat /sc MINUTE /MO 5 /TR "cmd /c netstat -bn > c:\netstatlog.txt" to record every five minutes which programs are connected to the network. To record once a minute instead, change /MO 5 to /MO 1. The relevant parameters are:

    /TN   taskname     指定唯一识别这个计划任务的名称。
    /S    system       指定要连接到的远程系统。如果省略这个系统参数,默认是本地系统。
    /SC   schedule     指定计划频率。有效计划任务: MINUTE、HOURLY、DAILY、WEEKLY、MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE, ONEVENT.
    /MO   modifier     改进计划类型以允许更好地控制计划重复周期。有效值列于下面"修改者"部分中。
    /TR   taskrun      指定在这个计划时间运行的程序的路径和文件名。

  • When the following figure appears, the task has been created successfully, but even so netstatlog.txt did not change. Open Control Panel, find Task Scheduler, open the task's Properties, and change a few settings: on the General tab select "Run with highest privileges", then on the Conditions tab uncheck the two conditions shown below.

  • You can now see that recordings are taking place every five minutes.

  • Let's refine it: create a file c:\netstatlog.bat on the C drive with the following contents:

    date /t >> c:\netstatlog.txt
    time /t >> c:\netstatlog.txt
    netstat -bn >> c:\netstatlog.txt

    Open the scheduled task in the graphical interface and replace the command executed every 5 minutes, "cmd /c netstat -bn > c:\netstatlog.txt", with "c:\netstatlog.bat". After the change, netstatlog.txt shows the following output, now with the date and time added, which is more convenient.

  • After letting it run for more than a day, I imported the log into Excel. In the Data tab choose import from a text file, select Delimited, tick all the delimiters, type ":" under Other, and click Finish.
  • Then I ran a pivot-table analysis on the data, sorted in descending order; the histogram clearly highlights the programs with the most external connections, and I analyzed a few of them.

  • There are a lot of wpscloudsvr.exe entries; it appears to be the WPS cloud service. Searching showed it is a WPS hotspot. This is really annoying: every time I close it manually, the close is not thorough enough. Find out where the program is, close it, and delete it.
  • Next is SogouExplorer.exe. After this I plan to switch to Firefox; the number of casual connections is far too high. My bandwidth!
  • vmware-hostd.exe is actually VMware's server. The Internet says it can be closed without affecting normal use, but for a novice like me it is better to keep it.
  • What is devenv.exe? It turns out to be the user interface of the Microsoft Visual Studio development platform, which developers use to design, develop and debug, so there is no problem.
  • ComputerZTray.exe is the hardware core service of Master Lu, also normal software. SGTool.exe is the acceleration program of the Sogou input method, xmp.exe is Xunlei Kan Player, and DsmSvc accelerates application startup; if disabled, system startup speeds up instead. In other words, you have to make a trade-off between system startup speed and the loading speed of your software later. Of course, there is also my backdoorc3.exe, which naturally cannot be found on the Internet. When I put it on VirScan, the detection rate is, as expected, high. Of course, it is a virus.
  • Do a bulk search for IPs with more than 10 connections.

  • Big companies like China Unicom and China Mobile should be fine, but I also searched the IPs that I find suspicious, where I cannot imagine why I would connect to those places. First, this one in the United States, since I had not visited any foreign websites. Searching my own data to see which program the IP belongs to found that it is vmware. Yes, that should be credible.

  • Do a search on these two again.

  • Also go back to my data to search, it turns out that the WPS hotspots are these companies!

  • Let's take a look at what this one is: it's the devenv.exe process. I searched the Internet; it's part of VS and used for application development, so there is no problem. It seems my computer is fine.
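The Excel import and pivot table above can be done directly on netstatlog.txt. This is an added example, not part of the original report: it parses the log written by netstatlog.bat, tallies connections per program and lists foreign IPs that appear at least a given number of times (the "more than 10 connections" search above). The log excerpt is constructed; the process and IP names are the ones mentioned in this report.

```python
import re
from collections import Counter

# Constructed excerpt of c:\netstatlog.txt as written by netstatlog.bat above
# (date /t, time /t, netstat -bn). netstat -b prints the owning process in
# brackets on the line after each connection; TIME_WAIT sockets get none.
SAMPLE_LOG = """\
2018/04/05 Thu
20:30
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      119.75.213.61:443      ESTABLISHED
 [wpscloudsvr.exe]
  TCP    192.168.1.5:49713      23.57.229.163:80       ESTABLISHED
 [SogouExplorer.exe]
  TCP    192.168.1.5:5339       192.168.224.140:49201  ESTABLISHED
 [backdoorc3.exe]
20:35
  TCP    192.168.1.5:49720      119.75.213.61:443      ESTABLISHED
 [wpscloudsvr.exe]
  TCP    192.168.1.5:49721      119.75.213.61:443      TIME_WAIT
  TCP    192.168.1.5:5339       192.168.224.140:49201  ESTABLISHED
 [backdoorc3.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_log(text):
    """(proto, local, remote, state, process) per connection. A connection
    waits for its bracket line; a new connection line or end of input
    flushes an unattributed one as 'unknown'. Other lines are ignored."""
    records, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if pending: records.append((*pending, "unknown"))
            pending = m.groups()
            continue
        m = PROC_RE.match(line)
        if m and pending:
            records.append((*pending, m.group(1)))
            pending = None
    if pending: records.append((*pending, "unknown"))
    return records

def count_by_process(records):
    """Connections per program, the tally the Excel pivot table above gives."""
    return Counter(r[4] for r in records)

def remote_ips_over(records, threshold):
    """Foreign IPs seen at least `threshold` times; loopback/wildcards excluded."""
    ips = Counter(r[2].rsplit(":", 1)[0] for r in records
                  if not r[2].startswith(("127.", "0.0.0.0", "*", "[::1]")))
    return {ip: n for ip, n in ips.items() if n >= threshold}
```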

VirScan

  • Put my backdoor software on VirScan to scan; as expected, a 22% detection rate.

  • It can be seen that it chose MD5 and SHA-1 as hash digests, which may be used in the encoding process.

  • Try to get additional information, click on any scan result to see what else is found.

  • There is not much to discover, but we did find the backdoor software we made ourselves being scanned on VirScan; it seems the viruses found are all the same.

Sysmon

  • Sysmon is a tool in Microsoft's Sysinternals suite. Almost all important operations can be monitored with it.
  • After writing the configuration file, install Sysmon. First download it from the teacher's attachment; the file is SysinternalsSuite201608, which includes Sysmon.exe among others. The installation command is sysmon.exe -i <configuration file name>.
  • First study the teacher's configuration file and then write your own. Note that exclude is equivalent to a whitelist (matching events are not recorded), while include is equivalent to a blacklist (matching events are recorded). Pay attention to the one-to-one correspondence in the syntax, for example <SourceIp xxx> must be paired with </SourceIp>. I overlooked this while writing and got an error when I copied it directly from above.
  • In my configuration file I added the Sogou browser to the whitelist, and included HTTP on port 80 and HTTPS on port 443, as well as my own port 5339, as follows:

    <Sysmon schemaversion="3.10">
      <!-- Capture all hashes -->
      <HashAlgorithms>*</HashAlgorithms>
      <EventFiltering>
        <!-- Log all drivers except if the signature -->
        <!-- contains Microsoft or Windows -->
        <DriverLoad onmatch="exclude">
          <Signature condition="contains">microsoft</Signature>
          <Signature condition="contains">windows</Signature>
        </DriverLoad>

        <!-- Whitelist: connections from these browsers are not recorded -->
        <NetworkConnect onmatch="exclude">
          <Image condition="end with">SogouExplorer.exe</Image>
          <Image condition="end with">iexplorer.exe</Image>
        </NetworkConnect>

        <!-- Record connections to HTTP, HTTPS and my port 5339 -->
        <NetworkConnect onmatch="include">
          <DestinationPort condition="is">80</DestinationPort>
          <DestinationPort condition="is">443</DestinationPort>
          <DestinationPort condition="is">5339</DestinationPort>
        </NetworkConnect>

        <!-- Record remote threads created in key system processes or by powershell -->
        <CreateRemoteThread onmatch="include">
          <TargetImage condition="end with">explorer.exe</TargetImage>
          <TargetImage condition="end with">svchost.exe</TargetImage>
          <TargetImage condition="end with">winlogon.exe</TargetImage>
          <SourceImage condition="end with">powershell.exe</SourceImage>
        </CreateRemoteThread>
      </EventFiltering>
    </Sysmon>
  • But it should be noted here that we need to open cmd as an administrator.

  • Then it can be installed successfully.

  • I learned a trick here. To change to a different drive letter, the correct usage is to add /d between cd and the path. For example, to switch to the F drive, input cd /d f:. A plain cd does not work.
  • Open Control Panel, open Event Viewer, and go to Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational.
  • A large amount of data may not be conducive to our analysis, so I used a filter to sift through the data.

  • Created a Sogou expression tool.

  • The Excel file has changed.
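To make the whitelist/blacklist (exclude/include) semantics of the configuration above concrete, here is an added example, not part of the original report or of Sysmon itself: a small evaluator for schema 3.x rule blocks that answers whether a given event would be written to the Sysmon Operational log. It embeds a trimmed copy of this report's own NetworkConnect and CreateRemoteThread rules; the event field values are constructed.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the Sysmon config above (this report's NetworkConnect and
# CreateRemoteThread rules) so the evaluator runs stand-alone.
CONFIG = """<Sysmon schemaversion="3.10"><EventFiltering>
<NetworkConnect onmatch="exclude">
  <Image condition="end with">SogouExplorer.exe</Image>
</NetworkConnect>
<NetworkConnect onmatch="include">
  <DestinationPort condition="is">80</DestinationPort>
  <DestinationPort condition="is">443</DestinationPort>
  <DestinationPort condition="is">5339</DestinationPort>
</NetworkConnect>
<CreateRemoteThread onmatch="include">
  <TargetImage condition="end with">explorer.exe</TargetImage>
  <SourceImage condition="end with">powershell.exe</SourceImage>
</CreateRemoteThread>
</EventFiltering></Sysmon>"""

def _matches(condition, value, rule):
    """Sysmon string conditions are case-insensitive; only the three the
    config above uses are implemented."""
    v, r = value.lower(), rule.lower()
    if condition == "is":
        return v == r
    if condition == "contains":
        return r in v
    if condition == "end with":
        return v.endswith(r)
    raise ValueError("unsupported condition: " + condition)

def would_log(config_xml, event_type, fields):
    """Would Sysmon (schema 3.x) record an event of `event_type` with the
    given {FieldName: value}? Rules inside one onmatch block are OR-ed;
    a matching exclude always wins; if an include block exists the event
    is logged only when one of its rules matches; an exclude block alone
    logs everything it does not match. Event types with no block at all
    follow Sysmon's per-type default, which is not modelled here."""
    blocks = ET.fromstring(config_xml).find("EventFiltering").findall(event_type)
    if not blocks:
        raise ValueError("no filter block for " + event_type)
    def any_match(block):
        return any(_matches(r.get("condition", "is"), fields.get(r.tag, ""),
                            r.text or "") for r in block)
    if any(any_match(b) for b in blocks if b.get("onmatch") == "exclude"):
        return False
    includes = [b for b in blocks if b.get("onmatch") == "include"]
    return any(any_match(b) for b in includes) if includes else True
```

Note that the exclude block wins even when the port is on the include list, so a whitelisted browser connecting to port 443 never shows up; conversely the two CreateRemoteThread fields are OR-ed, not AND-ed.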

Analyze malware with the systracer tool

1. Take a snapshot of Windows under normal circumstances, i.e. without backdoors.
2. Take a snapshot after copying the backdoor program to the host.
3. Take a snapshot after the connection is successful.

  • Snapshot results for comparative analysis:
    • Comparing 1 and 2 and viewing only the differences, the figure below shows that the registry has changed. First, many key values were modified, including subkeys under the system control and software keys and the current user's configuration data.

    • Added some subkey values ​​under HKEY_LOCAL_MACHINE.

    • Of course, there are also key-value changes caused by software such as Sogou, SysTracer itself and WeChat, which can be said to be very detailed.

    • The rest cannot be viewed without registering, um, there is no way around that.
    • Comparing 2 and 3, the registry changes are more obvious, but still cannot be viewed in detail.

    • Comparing 1 and 3 again, many key values have changed and many have been added, but they cannot be read without registration. It seems it can only be analyzed by other methods.
  • In general, implanting a backdoor program and connecting back causes a lot of key-value changes, which can be analyzed from this angle, but it seems impractical for beginners who have not registered.

Analyze with wireshark

  • Start capturing packets; at the same time Kali starts waiting in msf for the backdoor to connect back, the host double-clicks the backdoor program to connect back, and then the capture is stopped.
  • Start analyzing some of the TCP contents. This 119.75.213.61 is a bit suspicious. Going back to the Excel sheet sorted out earlier, it turned out to be the Kingsoft WPS office software cloud service process. Just after closing the WPS cloud service there is another Kingsoft WPS cloud service, so I closed that too.

  • There is also 23.57.229.163 to look up; the search scared me, as this IP turned out to be from India.

  • It is very suspicious, so let's see whether the connection was successfully established.

  • The three-way handshake completed successfully, but an HTTP 304 was returned to me, so what is this? I searched the Internet and found that it is the IP of an Akamai (CDN operator) site.
  • Next is my port 5339, which was attacked by the virtual machine. With the local virtual machine attacking the local machine directly, Wireshark intuitively reproduces the process for analysis. At the beginning the VM broadcasts, looking for which host started the backdoor, which then starts to connect back to 192.168.224.140.

  • The port and IP of the connection are directly exposed.

  • I always thought the host's IP communicated with the virtual machine's IP, but it turned out that the IP address of the host's Ethernet adapter is what connected to Kali. Connections with other IPs need further analysis; some things cannot be explained, let alone controlled, by the physical machine's IP alone.
  • No other packets of interest were captured.

Process Explorer for analysis

  • The software is very simple to run: after downloading and installing, it starts monitoring. It is relatively easy to use and lets users see the programs executing in the background that are otherwise invisible. It can show which modules have been loaded so far and which programs use them, the DLLs those programs have loaded, and the handles they have opened. The biggest feature of Process Explorer is that it can terminate any process, even key system processes! I think this is even better than Task Manager; I only know this now.
  • Using it is also relatively simple. After installation you can start monitoring directly. Right-click in the blank space of the column header, select Add Column, and add the user name, path, command line and so on to the displayed list for analysis.
  • Use this software for analysis.

  • First of all, an smss.exe process caught my eye right at the start. I checked the Internet and was shocked: many people said it was a Trojan horse or virus. I checked a few more websites and found that the full name of this program is actually Session Manager Subsystem, a part of the Microsoft Windows operating system. The program itself is a normal system process, but if there are multiple smss.exe processes in the system, or its CPU usage changes greatly, be careful: it may be a Trojan lurking deep in the computer. So I searched again and found that there is only this one smss.exe. I was still a little worried, so I compared it with the process connections captured by the earlier scheduled task and did not find any connection from it, so it should be no problem.
  • svchost.exe may also be a virus; it is analyzed in this software as shown in the figure below. At the same time, every svchost.exe on the host was scanned by VirScan and the detection count was 0, so they can basically be regarded as system programs rather than viruses.

  • This should be the program that the scheduled task schtasks uses to write netstatlog.txt.

  • Next is my backdoor program.

  • You can clearly see the IP of the connect-back and the port opened on the machine, and you can also view its process ID.

  • Yet another strange program.

  • An Internet search found that the igfxem.exe process is a normal process, belonging to the Intel integrated graphics driver. Integrated graphics means the GPU is built onto the same chip as the CPU, with the two fully integrated. It exists alongside the igfxhk.exe process. It seems to be safe; in fact it can also be disabled, but that has some impact on the integrated graphics settings.
  • There seems to be no problem with the other processes. This software also reduces, to some extent, the need to Baidu unknown system programs, as in the figure below.

  • It seems my computer is still relatively clean.

Origin http://43.154.161.224:23101/article/api/json?id=324535265&siteId=291194637