
Proj 4. Basic Dynamic Analysis (30 pts)


Task 1. Basic Static Analysis
Using PEview
Open Lab03-01.exe in PEview. As shown below, the only DLL imported is kernel32.dll, and the only function imported from it is ExitProcess. That
doesn't tell us much: no program can do useful work with ExitProcess alone, so perhaps this malware is packed, or it resolves its real imports itself at runtime so that they never appear in the import table.

Using Strings
Examine the strings in Lab03-01.exe and find these items, as shown below.

SOFTWARE\Classes\http\shell\open\commandV -- a registry location (the trailing "V" is most likely a stray byte from whatever follows the string in the file, which the strings tool ran together with it)

www.practicalmalwareanalysis.com -- a domain name

VideoDriver -- a name with no obvious meaning yet

These readable strings are surprising--a packer compresses or encrypts the original code and data, so if the malware were packed, strings like these would not be readable until it unpacked itself in memory. Something strange is going on, and
the easiest way to learn more is dynamic analysis.
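To make concrete what the Strings step is doing, here is an added example in Python. It is not part of the original lab and not the lab's own tooling: it pulls out runs of printable ASCII and of UTF-16LE "wide" characters the way a strings tool does (Windows binaries keep many strings in the wide form, which an ASCII-only scan misses), sorts the hits into registry paths, domain names and DLL names, and computes the byte entropy of the input, which is the quick check for packing that the paragraph above alludes to. The input is a constructed byte blob seeded with the strings the lab found, not the real Lab03-01.exe, and the classification regexes are my own heuristics.

```python
import math
import re

# Constructed sample input (NOT the real Lab03-01.exe): binary filler mixed with
# ASCII strings and UTF-16LE "wide" strings of the kind the lab found.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"kernel32.dll\x00ExitProcess\x00"
    b"\x01\x02\x03\x04"
    b"SOFTWARE\\Classes\\http\\shell\\open\\command\x00"
    b"\x00\x00\x07\x7f"
    + "www.practicalmalwareanalysis.com".encode("utf-16-le") + b"\x00\x00"
    + "VideoDriver".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(256))  # one of every byte value: reads as junk to a strings tool
)


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII bytes, which is what `strings` prints by default."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable UTF-16LE characters (a printable byte followed by 0x00)."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


# Heuristics (my own, not from the lab) to sort hits into the categories the lab cares about.
DLL_HINT = re.compile(r"\.dll$", re.IGNORECASE)
REG_HINT = re.compile(r"^(HK[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.IGNORECASE)
DOMAIN_HINT = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Group strings into DLL names, registry paths, domain names and everything else."""
    out = {"dll": [], "registry": [], "domain": [], "other": []}
    for s in strings:
        if DLL_HINT.search(s):
            out["dll"].append(s)
        elif REG_HINT.search(s):
            out["registry"].append(s)
        elif DOMAIN_HINT.match(s):
            out["domain"].append(s)
        else:
            out["other"].append(s)
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed, encrypted or packed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def report(data: bytes) -> dict:
    """What a first look with a strings tool plus an entropy check gives you."""
    found = ascii_strings(data) + wide_strings(data)
    return {"strings": triage(found), "entropy": round(shannon_entropy(data), 2)}


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against a real file with `report(open(path, "rb").read())`. The rule of thumb is that a whole-file or per-section entropy above roughly 7 bits per byte, together with very few readable strings, points at packing or encryption; Lab03-01.exe has readable strings, which is exactly what makes its tiny import table odd.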

Task 2. Preparing for Dynamic Analysis


Dynamic analysis is simple: run monitoring tools, then run the malware, and let it have its way with our virtual machine. This is a sloppy
technique, trusting a system that is being infected, but it usually works.

We will use these three programs to see what the malware does:

1. Process Explorer
2. Wireshark
3. Process Monitor
Run Process Explorer
Process Explorer shows currently running processes, with far more detail than Task Manager. It is a live view and doesn't keep a log, so it's
harmless to leave running.

Run Wireshark
Start Wireshark and begin capturing packets from the interface that goes to the Internet, which is normally "Local Area Connection".

If your virtual machine is in "NAT" networking mode, there shouldn't be a lot of traffic.

Start Process Monitor


Process Monitor logs file system, registry, process/thread and network activity for every process on the system, which typically adds up to hundreds of thousands of events within minutes. Don't leave it
running for too long or it will use up all the RAM and crash.

It's best to start Process Monitor last, so you can exclude all the harmless processes the other tools are using.

Launch Process Monitor. If a Security Warning box pops up, allow the software to run.
Agree to the license.

You see Process Monitor, with no visible events, as shown below.

The "Process Monitor Filter" box lists the processes whose events are being excluded, which is why the main window is empty before the malware runs.

Excluding Harmless Processes


You don't need to do this on the VM I gave you, but if you are using Process Monitor on some other system, here's how you exclude
processes.

In Process Monitor, right-click the name of one of the visible processes, such as lsass.exe, and click "Exclude 'lsass.exe'", as shown
below:

Repeat the process until all current processes are hidden, as shown above. There were a lot of processes to ignore, perhaps 20 or 30.

Starting Process Monitor


In the "Process Monitor Filter" box, click the OK button.

Run the Lab03-01.exe File


On your desktop, open the "Practical Malware Analysis Labs" folder. Open the "Binary Collection" and Chapter_3L folders. Now
double-click the Lab03-01.exe file.

Viewing the Running Malware in Process Explorer


In Process Explorer, in the top pane, find Lab03-01.exe and click it.

Troubleshooting
If the Lab03-01.exe process does not appear in Process Explorer, that probably means that the malware has already been
run on this VM.

To make the malware run properly again, open Process Explorer and kill the vmx32to64.exe process. Then delete this file:

C:\Windows\System32\vmx32to64.exe

In Process Explorer, click View, "Lower Pane View", Handles.

You see the WinVMX32 mutant, as highlighted below. A mutant, Windows' name for a mutex object, is a synchronization object used for interprocess communication. Malware commonly creates a named mutex so that a second copy of itself can tell the machine is already infected and exit, which makes the name WinVMX32 a useful Indicator of Compromise. A wonderful
explanation of mutexes in terms of rubber chickens is here.

A folder name is covered by a green box in the image above. Enter that name into the form below.

4.1: Recording Your Success (10 pts.)


Use the form below to record your score in Canvas.

Name or Email:
Folder name (redacted in the image above):
SUBMIT

Viewing DLLs
In Process Explorer, click View, "Lower Pane View", DLLs.

Scroll to the bottom to find ws2_32.dll and WSHTCPIP.DLL, as shown below. Neither appeared in the static import table, so the malware loaded them at runtime; their presence shows that the malware has networking functionality.
Viewing the Malicious Process's Events in Process Monitor
In Process Monitor, click the magnifying glass icon on the toolbar to stop capturing events.

In Process Monitor, click Filter, Filter. Enter a filter of "Process Name" is "Lab03-01.exe" then Include, as shown below.

Click Add to add the filter.

Add two more filters the same way:

Operation is RegSetValue then Include
Operation is WriteFile then Include

Process Monitor ANDs Include rules on different columns and ORs Include rules on the same column, so the result is every event from Lab03-01.exe whose operation is either RegSetValue or WriteFile.

In the "Process Monitor Filter" box, click OK.

You end up with the two events shown below.

Double-click the event with a Path ending in vmx32to64.exe. The Properties sheet shows that this event creates a file named
vmx32to64.exe, as shown below.

The malware wrote 7,168 bytes--the same size as Lab03-01.exe itself. The malware copied itself to a file named vmx32to64.exe, so that
filename is a useful Indicator of Compromise.
Double-click the event with a Path ending in VideoDriver.

This event sets a value named "VideoDriver" under the registry's Run key, with the data "C:\WINDOWS\system32\vmx32to64.exe". Windows starts every program listed under the Run key at logon, so this is
a persistence mechanism that re-launches the malware when the machine restarts and a user logs on. Both the value name and the file path are Indicators of Compromise.
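Process Monitor can also save a capture as CSV (File, Save), which lets you apply the same filter logic and pull the indicators out with a script instead of by clicking. The following is an added example in Python, not part of the original lab and not Sysinternals code. It assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the Detail text formats "Offset: 0, Length: 7,168" and "Type: REG_SZ, Length: 66, Data: ..."; the rows are constructed to mirror what the lab found, not a real capture, and the regular expressions are my own.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File, Save, "Comma-Separated Values")
# with its default columns. Illustrative rows, not a real capture; the second Lab03-01.exe
# RegSetValue row is a made-up non-persistence write, there to show it is not flagged.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0100000 AM","explorer.exe","1432","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState","SUCCESS","Type: REG_BINARY, Length: 32, Data: 24 00 00 00"
"10:02:11.0200000 AM","Lab03-01.exe","2040","Process Start","","SUCCESS","Parent PID: 1432"
"10:02:11.0300000 AM","Lab03-01.exe","2040","CreateFile","C:\\WINDOWS\\system32\\vmx32to64.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:02:11.0400000 AM","Lab03-01.exe","2040","WriteFile","C:\\WINDOWS\\system32\\vmx32to64.exe","SUCCESS","Offset: 0, Length: 7,168"
"10:02:11.0500000 AM","Lab03-01.exe","2040","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VideoDriver","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\\WINDOWS\\system32\\vmx32to64.exe"
"10:02:11.0600000 AM","Lab03-01.exe","2040","RegSetValue","HKCU\\Software\\ExampleVendor\\Counter","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:02:11.0700000 AM","svchost.exe","880","WriteFile","C:\\WINDOWS\\Prefetch\\LAB03-01.EXE-00000000.pf","SUCCESS","Offset: 0, Length: 9,512"
"""

WRITE_LEN = re.compile(r"Length:\s*([\d,]+)")
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def filter_events(csv_text: str, process_name: str, operations: set[str]) -> list[dict]:
    """Same logic as the GUI filters: Include rules on different columns are ANDed,
    Include rules on the same column are ORed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if row["Process Name"].lower() == process_name.lower()
            and row["Operation"] in operations]


def extract_iocs(rows: list[dict], sample_size=None) -> dict:
    """Dropped files (flagging a self-copy when the written length equals the sample's
    own size) and Run/RunOnce persistence entries, from the filtered rows."""
    iocs = {"dropped_files": [], "persistence": []}
    for row in rows:
        if row["Operation"] == "WriteFile":
            m = WRITE_LEN.search(row["Detail"])
            size = int(m.group(1).replace(",", "")) if m else None
            iocs["dropped_files"].append(
                {"path": row["Path"], "bytes": size, "self_copy": size == sample_size})
        elif row["Operation"] == "RegSetValue" and RUN_KEY.search(row["Path"]):
            detail = row["Detail"]
            command = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
            iocs["persistence"].append(
                {"value": row["Path"].rsplit("\\", 1)[-1], "command": command})
    return iocs


if __name__ == "__main__":
    hits = filter_events(SAMPLE_CSV, "Lab03-01.exe", {"WriteFile", "RegSetValue"})
    print(extract_iocs(hits, sample_size=7168))
```

Passing the sample's own size (7,168 bytes for Lab03-01.exe) is what turns "the malware wrote a file" into "the malware copied itself", which is the stronger indicator.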

A folder name is covered by a green box in the image above. Enter that name into the form below.

4.2: Recording Your Success (10 pts.)


Use the form below to record your score in Canvas.

Name or Email:
Folder name (redacted in the image above):
SUBMIT

Viewing Beacons in Wireshark


In the Windows machine, in Wireshark, click Capture, Stop.

At the top left of the Wireshark window, in the Filter bar, type a filter of

frame contains malware

Press Enter to see the filtered packets, as shown below.

Every 30 seconds, the malware performs a DNS lookup for the domain "www.practicalmalwareanalysis.com". The filter matches these frames because the domain name appears as readable bytes inside each DNS query.
Click the line showing the first DNS request for www.practicalmalwareanalysis.com -- in the example above, it is packet 174.

In the top right of Wireshark, in the green filter bar, click the X button, or the Clear word in some versions of Wireshark, to clear the filter.

The packets following the DNS request appear, as shown below. Notice these items:

ARP request and reply to find the MAC address of the DNS resolver (colored pale yellow)
DNS request and reply (colored pale blue)
TCP handshake (SYN, SYN/ACK, ACK) to open port 443 (colored gray and pale pink)
A packet labeled "SSL Continuation Data"

Wireshark labels it "SSL Continuation Data" only because the packet is going to port 443. Using the HTTPS port is intended to fool a firewall, or a casual look at the capture, into treating the traffic as HTTPS, but there is no actual encryption or key exchange. A real TLS
connection begins with a handshake, with packets such as "Client Hello", "Server Hello" and "Change Cipher Spec", before any application data is sent; none of that is present here.

Find the SYN packet sent to the https port, which may be marked "443" or "https" depending on the Wireshark version. In the example above, it is packet 176. Right-click it and click
"Follow TCP Stream".

You see 256 bytes of random data, as shown below. These are beacons and are used by malware to notify the Command and Control
server that the machine is infected and ready to use.
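Here is the same beacon analysis done in code, as an added example that is not part of the original lab and not Wireshark's code. It is a minimal parser for classic libpcap files (what Wireshark writes when you save as pcap rather than pcapng; it does not read pcapng) that decodes Ethernet/IPv4/UDP/TCP just far enough to measure the interval between DNS lookups of each name and to flag port-443 payloads that do not begin with a TLS handshake record, which is the "SSL Continuation Data with no handshake" observation above turned into a check. The capture it analyses is constructed in build_sample_pcap() with addresses from the RFC 5737 documentation range, so it runs offline; the beacon payload is deterministic filler rather than the lab's real 256 random bytes.

```python
import struct

# Constructed frames for a classic libpcap file (little-endian, microsecond timestamps,
# Ethernet link type). NOT the lab's real traffic: IPs are from the RFC 5737 documentation
# range and the MAC addresses are made up.
ETH = bytes.fromhex("000c29112233") + bytes.fromhex("005056aabbcc") + b"\x08\x00"
VICTIM, RESOLVER, C2 = bytes([192, 0, 2, 5]), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])

def ipv4(src, dst, proto, payload):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return ETH + hdr + payload

def udp(src, dst, sport, dport, body):
    return ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body)

def tcp(src, dst, sport, dport, flags, body):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)  # 20-byte header
    return ipv4(src, dst, 6, hdr + body)

def dns_query(txid, name):
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_sample_pcap():
    """Three A lookups 30 s apart; after the first, a SYN and a 256-byte non-TLS payload to 443."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))

    def record(ts, frame):
        sec = int(ts)
        out.extend(struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame)

    beacon = bytes((i * 37 + 11) % 256 for i in range(256))  # deterministic filler, not TLS
    for i in range(3):
        record(1000.0 + 30 * i, udp(VICTIM, RESOLVER, 1025 + i, 53,
                                    dns_query(0x1234 + i, "www.practicalmalwareanalysis.com")))
        if i == 0:
            record(1000.2, tcp(VICTIM, C2, 1040, 443, 0x02, b""))     # SYN
            record(1000.4, tcp(VICTIM, C2, 1040, 443, 0x18, beacon))  # PSH/ACK carrying the beacon
    return bytes(out)

def parse_pcap(data):
    """Yield (timestamp, frame) for each record of a classic little-endian pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap (save as pcap, not pcapng)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def dns_qname(dns):
    """First question name of a DNS message (queries do not use name compression)."""
    labels, off = [], 12
    while dns[off]:
        labels.append(dns[off + 1:off + 1 + dns[off]].decode("ascii"))
        off += 1 + dns[off]
    return ".".join(labels)

def decode(frame):
    """Minimal Ethernet/IPv4 decode of the fields the analysis needs; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
    if proto not in (6, 17) or len(frame) < l4 + (8 if proto == 17 else 20):
        return None
    info = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34]))}
    info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
    if proto == 17:
        info["proto"] = "udp"
        if info["dport"] == 53:
            info["qname"] = dns_qname(frame[l4 + 8:])
    else:
        info["proto"] = "tcp"
        info["flags"] = frame[l4 + 13]
        info["payload"] = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    return info

def looks_like_tls(payload):
    """Genuine TLS opens with a Handshake record (type 0x16, version 3.x) carrying a
    ClientHello (handshake type 0x01). Random beacon bytes sent to 443 will not."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01)

def analyze(pcap_bytes, c2_port=443):
    """Seconds between successive lookups of each DNS name, plus non-TLS payloads to c2_port."""
    lookups, fake_tls = {}, []
    for ts, frame in parse_pcap(pcap_bytes):
        p = decode(frame)
        if p is None:
            continue
        if p["proto"] == "udp" and "qname" in p:
            lookups.setdefault(p["qname"], []).append(ts)
        elif (p["proto"] == "tcp" and p["dport"] == c2_port and p["payload"]
              and not looks_like_tls(p["payload"])):
            fake_tls.append({"dst": p["dst"], "time": ts, "bytes": len(p["payload"])})
    intervals = {n: [round(b - a, 3) for a, b in zip(t, t[1:])] for n, t in lookups.items()}
    return {"dns_intervals": intervals, "fake_tls": fake_tls}
```

To use it on your own capture, save it from Wireshark as pcap and call `analyze(open(path, "rb").read())`; a name that comes back with a list of near-identical intervals is a beaconing candidate, and any port-443 payload listed under fake_tls is a connection that never performed a TLS handshake.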

Examining Saved PCAP File


Download this PCAP file and open it in Wireshark:

pDC5.pcap

The file contains two malware beacons, as shown below.


Follow the TCP stream in the second beacon. You should see random bytes, as shown below.

The last line of the beacon contains six readable characters, which are redacted in the image above.

4.3: Recording Your Success (10 pts.)


Use the form below to record your score in Canvas.

Name or Email:
Last Bytes:
SUBMIT

Posted 8-28-18
Wireshark "Clear" button added 9-11-18
