Malware Analysis

175 Lakeside Ave, Room 300A

04/21/2017 Phone: (802) 865-5744
http://lcdiblog.champlain.edu Fax: (802) 865-6446
 Disclaimer:

This document contains information based on research that has been gathered by employee(s) of The Senator
Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily
and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained
in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in
connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage
resulting from use of this data. Information in this report can be downloaded and redistributed by any person or
persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly
annotated.

Contents
Introduction 2
Background 2
Purpose and Scope 2
Terminology 2
Methodology and Methods 3
Equipment Used 3
Results 4
1.1 Fake Flash 4
1.2 DarkComet NJRAT 7
1.3 Hicurdismos ScareWare 10
Conclusion 12
Future Work 13
References 14

Malware Analysis Page 1 of 15

 Introduction
Malware has been plaguing the world for years. Cyber criminals can use it to infect a system without the user
knowing. There are many different types of malware out there, from ones that can be used to log keystrokes to
ones that can remotely gain access to an entire system. It is important to understand how to analyze different
types of malware because it can help detect and prevent future cyber-attacks. Malware, as its name suggests, is
malicious and needs to be analyzed in a secure environment. In order to keep it from infecting the LCDI
network, our team is using Amazon Elastic Compute Cloud (Amazon EC2) in the Amazon Web Services
(AWS) cloud. Amazon EC2 allows us to launch a virtual server that we can use to create an isolated computing
environment in which to monitor malware. Within AWS we used a program called ThreatAnalyzer, which is a
dynamic malware analysis sandbox that can analyze malware and create a report within minutes. Employing
these services allows our team to safely research what different malware does to our system and share our
results with the community.

Background
This project is being done to give the community an understanding of how malware works, and is a
continuation of a project previously done at the LCDI. We are using their research to move forward with the
project. Last semester Cuckoo Sandbox, an open-source analysis environment, was used to analyze malware.
Unfortunately, a sample of malware managed to escape that sandbox and out onto the LCDI network. For this
reason, we are using the AWS environment.

Purpose and Scope

The scope of this project is to statically and dynamically analyze malware. When analyzing the malware, it is
essential to gain an understanding of what the code is designed to do, and what type of information it could
obtain from the given system.

Research Questions
1. Given a piece of malware, what type of information can be discovered using different forms of malware analysis?
2. Is Amazon EC2 able to supply a safe environment to analyze malware in?
3. Is ThreatAnalyzer able to successfully analyze all samples of malware?
4. Is the information gathered from ThreatAnalyzer relevant in understanding malware?

Terminology
Amazon WorkSpaces (AWS) - Amazon WorkSpaces is a fully managed, secure desktop computing service
which runs on the AWS cloud. Amazon WorkSpaces allows you to easily provision cloud-based virtual
desktops and provide your users access to the documents, applications, and resources they need from any
supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, Android tablets,
and Chrome and Firefox web browsers. (Amazon)

Static Analysis - Static Analysis is a term referring to when computer code is examined without executing the
program in order to gain an understanding of the content and capability of the code. When static analysis is
Malware Analysis Page 2 of 15
done by an automated tool, the code is parsed and identifiable content is reported in a human readable format.
(Rouse)

Dynamic Analysis - Dynamic Analysis is considered testing and evaluating a computer program by executing
it in real time in a controlled test environment. Executing the code allows the analyst to examine any visual and
ephemeral effects caused by code on the test environment. (Rouse)

ThreatAnalyzer - ThreatAnalyzer is a dynamic malware analysis sandbox used to reveal the impact malware
can have on an organization so they can respond quickly. (ThreatAnalyzer)

Malware - Malware is any software that is intended to damage or disable a computer or computer system.
(Christensson)

Methodology and Methods

All analysis of malware samples took place on a Windows XP virtual machine that was running on an Amazon
Workspace client. This is because running malware analysis is much too dangerous to both our facility’s
computers and it’s network. Conducting the analysis in a virtual environment allows full connectivity of a
normal PC with lessened risk to the local network, as the infected machine can be sanitized quickly and easily.
This is in line with other web based software like ThreatAnalyzer and VirusTotal that allow for more static
analysis. This is combined with other internal software like Procmon that allow a user to see all active processes
that a specific application is running in the background, as well as the foreground, and Sysinternals Suite for
more dynamic analysis of the malware while functioning.

Equipment Used
Hardware:
Device OS Version Comments
LCDI Workstation Windows 10 Used to host software that was used for
malware analysis
Cisco VoIP Phone N/A Used to aid in data generation for one
piece of malware

Software:
Software Name Version Comments
Amazon AWS Current Used as remote platform for malware
analysis
Process Monitor 3.32 Used as part of our System Internals
Suite of applications to perform dynamic
analysis on malware within our RDP
Threat Analyzer Client

Malware Analysis Page 3 of 15

DiE (Detect it Easy) 1.01 Used for dynamic analysis
Threat Analyzer 6.1.0.552 Application used to analyze malware
statically
VirusTotal N/A Repository from which we gathered
known malware samples for analysis
CFF Explorer 8.0.0.0 Suite of tools that includes the PE Editor
and a process viewer that were used in
static analysis

Results
Several pieces and types of malware were recorded, as well as some common scams that are often known to
install malware onto a system. The data from these samples included VirusTotal and ThreatAnalyzer analysis,
as well as physically running them on the Amazon Workspace. Below are some of the examples of the findings
that we came across.

1.1 Fake Flash

This type of malware is endemic to an outdated flash player. Ripe with vulnerabilities, many flash player
installation files are targets for this type of malware insertion. Below, in figures 1 and 2, is one example of such
malware.

Figure 1Flash Player Downloaded Info Screen

Figure 1: Flash Player Download Info Screen

Malware Analysis Page 4 of 15

 Figure 2: Additional Information on Downloaded Sample

This particular piece of malware was disguised as a flash updater, but immediate red flags arose when we saw
the name of the file, as seen in Figure 1 as a long string of numbers and letters. Also, the company that was the
claimed publisher was not the well-known and trusted Adobe. Rather it was a company called Emurasoft, Inc.

Malware Analysis Page 5 of 15

 Figure 3: Process Monitor showing spawned remote shell

This is where the process became interesting. A file recently named stub.exe had changed its name to
Trojan.exe ironically enough. Highlighted above in figure 3 is its process and the attempt to connect back out to
an external address, this was likely to aid the next part of the malware, the keylogger it dropped.

Figures 4 & 5: Keylogger data on application use

We derived that the whole purpose of this malware was to send data out of our system and back to the attacker.
Due to the constraints of our AWS environment, the malware was thankfully unable to actually send data out.
We decided to follow the path that was indicated in the command it ran to open the netshell. Within this
directory, we found a text file that had been logging all our activity since installing this flash player update. It
recorded us opening applications, all keystrokes, and even what some of the applications we had opened were
doing on our system. In order to test these actions live, we opened up Notepad and typed something in. Sure
enough, it was logging everything and attempting to send it to the remote system indicated earlier.

Figures 6 & 7: Keylogger data from logged keystrokes

Malware Analysis Page 6 of 15

1.2 DarkComet NJRAT
This type of program is a piece of software used by what is commonly known as, “script kiddies.” This term is
applied to users that have no idea how the code works, but it works nonetheless. This tool is designed to gain
remote admin access to a system.

Figure 8: DarkComet Software setup

Malware Analysis Page 7 of 15

 Figures 9 & 10: CFF Explorer enumeration of malicious imports

Once installed, the software executes several command prompts and begins its work. Due to prior static
analysis, we were able to predict the targets of the system like the firewall and the administrator account. This
allows the user on the other end to execute any commands they want, including network commands as the
network firewall is now disabled and cannot be reactivated.

Malware Analysis Page 8 of 15

 Figure 11: ProcMon showing maliciously spawned remote shell

Figure 12: Windows Firewall has been turned off by malware

Malware Analysis Page 9 of 15

 Figure 13: Static analysis report of DarkComet malware sample

Shown above in figure 13 is the static analysis of the actual piece of malware. This piece of malware had also
targeted the task manager and disabled it so we attempted to load task manager. We found the sample of
malware had also turned off our ability to access task manager.

Figure 14: Task Manager disabled by DarkComet

1.3 Hicurdismos ScareWare

The main idea behind this type of malware is similar to the idea behind Ransomware, the main difference being
Ransomware holds the entire system for ransom while Scareware simply alerts the user of a problem that
doesn’t exist. This was sort of a hybrid of the two, where we received a lockout message that stated there were
problems with our computer that we knew did not exist. The prompt at the bottom said to call a number for
support. Naturally that’s what we did. We configured our physical and system environment to better suit the
needs of our investigation, which would require us to speak to a “Microsoft Tech Support Representative” to
solve our issue. Being in a lab environment, we needed a way of conducting this analysis with limited
distractions, while also making sure our cover was secure. So, we utilized a separate office phone and made
Malware Analysis Page 10 of 15
sure students were quiet during our conversation in order to do that. Since our AWS system that was “hacked”
was very clearly just that, we also had to manipulate file names and change the background to better represent a
more normal desktop environment. The main method of attack was through an application available at
fastsupport.com called GoToAssist that has been known to be a way for attackers to easily enter a system.

Once our support session had been established, our “representative” showed us how much of a stranglehold
these viruses had on our system. Anyone that is slightly versed in the syntax for Windows Command Prompt
would see this glaring issue in their plan to fool us. The commands they entered literally say “virus found
<name of virus>”, with the resulting error message displayed right below it. Our investigator on the phone with
our representative at the time asked about the error message below. The tech support representative said that
was yet another indication of the presence of this malware and quickly changed the subject.

In order to explain the severity of our issue better, the “representative” proceeded to go over, in excruciating
detail, exactly what these viruses were by surfing to their Wikipedia pages. We are still unsure why they spent

Malware Analysis Page 11 of 15

nearly an hour reading verbatim the Wikipedia articles on these enumerated viruses, perhaps it was meant to
fatigue us into letting them have full control or maybe it was purely for our own education. Finally, we came to
the part of his script where he had to ask us for money. He opened up a new Notepad Window and wrote up
fields for us to fill in our credit card information, as well as outlining payment plans and options. A previous
malware analysis team had already created an alias to use for this purpose, so we used that for this information.
Once we had filled that in, the “representative” proceeded to set a boot password that was not disclosed to us.
This would normally restrict us from using our system upon logging in later, thankfully we could just blow
away the instance and rebuild it after our phone call.

In order to act like they were performing a real service for us, the “representative” installed several free
applications that would strengthen our security, including CCleaner, MalwareBytes, and Adblock Plus. At the
end of our work shift, we quickly ended our phone call but did not disconnect our support session in order to see
if they would drop any additional malware onto our system before leaving. Instead, they simply typed in a new
Notepad window asking us to call them back.

Conclusion
Having completed our research, we are now able to answer our research questions as found below:

1. Given a piece of malware, what type of information can be discovered using different forms of malware
analysis?
2. Is Amazon EC2 able to supply a safe environment to analyze malware in?
3. Is ThreatAnalyzer able to successfully analyze all samples of malware?
4. Is the information gathered from ThreatAnalyzer relevant in understanding malware?

A largely varying amount of information can be available from malware samples. Naturally, the type of

Malware Analysis Page 12 of 15

information changes based on the nature of the malware in question. Generally, we were able to find
maliciously spawned processes and were able to trace the roots of the malware down to where they embed
themselves in the root of most file systems. We were also able to find network traffic related to some malware
samples, as well as actively monitor the changes it made while it was executed.
Our team agrees that Amazon’s EC2 performed well beyond expectations. With the occasional outage
on Amazon’s side out of the way, the system was completely separated from our normal lab environment,
making it a very safe platform within which to detonate and analyze malware. On top of that, the instance was
easy to use and even easier to reset back to working order, allowing us to quickly and efficiently analyze
malware and proceed to the next sample.
We agree the ThreatAnalyzer is not quite capable of analyzing all forms of malware. There are certain
types of malware that the ThreatAnalyzer client cannot return much information about, or it ended it up not
being very useful. Its integration with VirusTotal made it easy to analyze the malware, but not all samples were
complete enough for ThreatAnalyzer to provide any sort of meaningful analysis on. There were also other
samples that needed certain criteria in order to run that prevented them from running on such a sandbox.
After ThreatAnalyzer had analyzed a sample of malware, it provided a rather intricate report that
detailed everything it found during its scan. Generally, these reports were helpful to us as a first point of
reference on which to continue our analysis. Sometimes, however, nothing would be found or the information it
provided would be completely unusable. The information was hardly detailed enough to bank all of our findings
off of, but it was definitely used as a preliminary tool to assess the severity of the malware, in order for us to
determine if we should continue investigating it or not.

Future Work
Using the AWS platform for this type of forensic analysis worked much better than expected. We believe this is
a good tool to use in order to provide safety to the lab’s internal network while providing the functionality of a
normal computer system in which to introduce malware samples. We would like to see this platform used in the
future for this purpose. One addition task would be to configure it to allow multiple people to interact with it at
one time. Having just one user account limited our ability to analyze more than one sample at a time. We would
have liked to analyze more samples than we had the opportunity to do.

Malware Analysis Page 13 of 15

 References
1. Amazon Elastic Compute Cloud. (2017). Retrieved from
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

2. Distler, D. (2017, December 14). Malware Analysis: An Introduction. Retrieved from

https://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103

3. I. (2017). Remote Access Trojan. Retrieved from http://www.trusteer.com/en/glossary/remote-access-

trojan-rat

4. K. (2017). What is a Keylogger? Retrieved from https://usa.kaspersky.com/internet-security-

center/definitions/keylogger#.WMClElXyuUk

5. ThreatAnalyzer. (2016). Retrieved from https://www.threattrack.com/malware-analysis.aspx

6. Rouse, M. (2006, November). What is static analysis (static code analysis)? Retrieved from
http://searchwindevelopment.techtarget.com/definition/static-analysis

7. Rouse, M. (2006, May). What is static analysis (static code analysis)? Retrieved from
http://searchsoftwarequality.techtarget.com/definition/dynamic-analysis

8. Christensson, P. (2006). Malware Definition. Retrieved 2017, May 1, from https://techterms.com

Malware Analysis Page 14 of 15