Quick and Dirty Windows Malware Analysis
This is to accompany the slide deck that Chris Ziegler and I presented last week at University of Washington. We presented it really within the context of doing quick and dirty malware analysis during a CTF / Red/Blue exercise...
Malware can be examined statically (at rest) or dynamically (when it's running). Let's start with static analysis...
Finding malware in the first place:
- Look for files with high entropy - there aren't that many legit heavily encrypted / obfuscated binaries
- Look for files that have been timestomped (had their timestamp overwritten)
- Look for alternate data streams
- Note: there is a legitimate use of ADS for IE where it uses ADS to provide the extra dialog prompts for internet-downloaded files. ADS have also been used in other applications for tagging files, etc. -- From a forensic standpoint, all of the files with ADS should stand out like a sore thumb
- To look at entropy, there are a number of open-source python projects and it's not too involved. There are also EnCase features that will allow for you to check that out.
- NOTE: there's now an even easier way to do this (thanks to @mattifestation) in powersploit called Get-Entropy which will take either a file or a byte array ( C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll )
- Take a look through the PE Headers with a good PE Explorer:
- Chris' favorite is NTCore Explorer Suite
- Look for some of the following hinky stuff in the PE:
- Empty executable sections (or sections filled with NOPs)
- Uncommon section names - it turns out that most binaries have similar section names
STRINGS... yup running strings on a binary at rest and / or dumping a process and looking through the strings can be a super useful way to pull a lot of good and interesting data from the stuff that you're analyzing. It's funny how easy it is to store (and retrieve) C2, address, domain, function, config and versioning information with strings.
Import Address Table info
- The IAT is a section of the PE which is used as a lookup table for when an application is calling different functions
- In Windows, functions are connected to the main executable through linking (static, dynamic, runtime). Runtime linking is pretty popular with malware and static linking isn't very popular on Windows (in general) - most other stuff will be dynamically linked.
- If stuff is dynamically linked then you'll see lots of juicy imported functions in the PE Header
- Linking at runtime means using GetProcAddress and LoadLibrary and probably not a lot of other inputs, which also probably looks a lot like that file could be / is malware
- There are a few functions that are pretty stand-out ish such as:
- Import hashing is a pretty good technique for tracking pieces of malware across actors and campaigns
- Practical Malware Analysis
- Parsing Binary File Formats with PowerShell
- Get-PEHeader - A Scriptable In-memory and On-disk PE Parsing Utility
Dynamic analysis is looking the behavior and characteristics of malware while it's not at rest. There are more or less two main ways to look at this, either to load up tools on a compromised machine/asset or to put the malware / a compromised system inside of a sandbox or other monitoring environment.
The first way that we're going to cover to do dynamic analysis is to load up tools on a compromised / affected host. This is good for live monitoring things like network traffic (with Wireshark / Tshark) and for monitoring how a piece of malware that you've got interacts with the underlying system. For more of a reference of how malware lives on a system - check out the "Malware is Alive" section of the Backdoor Primitives post that I wrote.
Loading up tools onto a host is a fine technique once the host is completely quarantined. however, it's super loud and if you have an attacker that knows what they're doing on the host, it will stand out like a sore thumb.
Evaluating processes with process explorer
- Process Explorer is a very powerful tool that's part of the Sysinternals toolset , I would definitely encourage folks to look through the whole set of tools and their various capabilities. below are the quick and dirty capabilities that y'all should take a look at.
- Verify Options
- verify signature - this will show whether or not the signature of the process image is valid or not
- verify packing - this will run a basic analysis to tell you if the process image is packed
- all (at least 3 char) printable strings
- either f rom process image on disk or in memory
- For this particular method of finding threads, you can use the volatility "threads" functionality
- It's been a while since I gave volatility a whirl and poked around for threads, however, a cursory search found this MNIN Security Blog which is literally all about it.
Sandbox'n it Up
So pretty much the Cadillac of free sandboxes these days is Cuckoo, the easiest way to get started with it / run it is probably in Malwr. I say this because I'm not an expert with VirtualBox and the last time that I tried to set up Cuckoo on my own it wasn't painless. I would write more about the ins and outs of Malwr and Cuckoo, but I think that exercise is better left to the reader. You can look back through old submissions on the malwr homepage and some interesting submissions with analysis are linked on the @malwr twitter feed.
Anubis is another very handy online tool that you should check out and is also fairly self-explanatory. I submitted a toy sample to Anubis that can be checked out here. Features of Anubis include:
- Mutexes created
- Memory-mapped files
- Device Control Communication
- File System Control Communication
- Files Modified
- Files Read
- Files Created
- Files Deleted
- Registry key operations ( Modified, Read, Monitored )
- Brian Baskin's Blog (Advanced)
- Using Process Explorer with Malware (Microsoft)
- Process Explorer Tutorial / Reference
- Volatility Command Reference
- Malware Memory Forensics Rundown
- Sam Bowne's Practical Malware Analysis Class