Reversing & Malware Analysis Training, Part 9: Advanced Malware Analysis
Malware Artifacts
Agenda
• Quick introduction
• Quick overview of artifacts
• Walk-through lab
Introduction
• Edgar Sevilla
– CIO, Kyrus Technology
– 15 years of software development, reverse engineering, computer forensics, & information security
• Ken Warren
– Director of Training, AccessData
– 15 years of experience in law enforcement and computer forensic examinations
Today’s Goal
• Gain a high-level understanding of the artifacts that can be found in memory, on a dead disk, and on live systems when malware executes
• Walk through a memory image, a disk image, and a live system to find those artifacts
• This lab will NOT go into the reverse engineering, no matter how much I want to!
Where can we find artifacts?
• Memory
– Process enumeration
– Driver enumeration
– Module enumeration
– Open registry keys
– Open file handles
– Synchronization objects (mutants, semaphores, events)
– Communications
– Content
Where can we find artifacts?
• Disk
– Files
– Prefetch files
– Registry files
– File attributes
– File times
– Restore points
– Pagefile
Where can we find artifacts?
• Live systems
– Hidden files
– Hidden processes
– Hidden registry entries
– Repetitive actions
• Registry activity
• Communications
• Processes
Processes/Drivers
• Process enumeration
• Driver enumeration
Files
• Prefetch file
• File times
• File attributes
• Hidden files
• Open handles
• Loaded modules
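Prefetch files are one of the starting points the lab uses, and the fields worth pulling from one are the executable name, the run count, the last run time and the list of files the executable touched on its first ten seconds of life (which is where a dropper's data files show up). The parser below is an added example, not code from the slides or from any of the tools listed later; it reads uncompressed Windows XP/2003 (format version 17) and Vista/7 (version 23) prefetch files using the publicly documented header offsets, and refuses the Windows 8+ layouts (versions 26/30, the latter MAM-compressed). Because it has to run offline it also builds a constructed sample prefetch image; the executable name, referenced paths, run count, timestamp and hash value in that sample are made up to mirror the lab (sdra64.exe touching lowsec\local.ds) and are not from a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
# Field offsets that differ between format versions (libscca documentation):
# Windows XP/2003 = 17, Windows Vista/7 = 23. Versions 26/30 are not handled.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "header_size": 0x9C},
    23: {"last_run": 0x80, "run_count": 0x98, "header_size": 0xA0},
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return the triage fields of an uncompressed v17/v23 .pf file."""
    if len(data) < 0x54 or data[4:8] != PF_SIGNATURE:
        raise ValueError("not an uncompressed SCCA prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    lay = LAYOUT[version]
    if len(data) < lay["header_size"]:
        raise ValueError("truncated prefetch header")
    # 0x10: executable name, 60 bytes of NUL-terminated UTF-16LE.
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x4C: the hash that also appears as the hex suffix of the .pf filename.
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # File information block starts at 0x54; the filename strings
    # offset/size pair sits at 0x64/0x68 in both versions.
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    if str_off + str_size > len(data):
        raise ValueError("filename strings section runs past end of file")
    last_run = struct.unpack_from("<Q", data, lay["last_run"])[0]
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    strings = data[str_off:str_off + str_size].decode("utf-16-le", "replace")
    return {
        "version": version,
        "executable": exe,
        "hash": "%08X" % pf_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "files": [s for s in strings.split("\x00") if s],
    }


def files_matching(record, needle):
    """Referenced paths containing needle (case-insensitive), e.g. 'lowsec'."""
    needle = needle.lower()
    return [f for f in record["files"] if needle in f.lower()]


def build_sample_prefetch(exe_name, files, run_count, last_run, version=17):
    """Assemble a minimal in-memory .pf image. Constructed test data only."""
    lay = LAYOUT[version]
    name = exe_name.encode("utf-16-le")
    assert len(name) <= 58, "executable name must fit in 60 bytes incl. NUL"
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    buf = bytearray(lay["header_size"])
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf) + len(strings))
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1C4E2A9B)  # arbitrary hash value
    struct.pack_into("<II", buf, 0x64, len(buf), len(strings))
    struct.pack_into("<Q", buf, lay["last_run"], datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf) + strings


def lab_sample(version=17):
    """Constructed sample mirroring the lab: a dropper that touched a lowsec data file."""
    return build_sample_prefetch(
        "SDRA64.EXE",
        [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
         r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
         r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOWSEC\LOCAL.DS"],
        run_count=3,
        last_run=datetime(2009, 5, 12, 14, 3, 27, tzinfo=timezone.utc),
        version=version,
    )


if __name__ == "__main__":
    rec = parse_prefetch(lab_sample())
    print("%s  runs=%d  last=%s  hash=%s" % (
        rec["executable"], rec["run_count"], rec["last_run"].isoformat(), rec["hash"]))
    for path in files_matching(rec, "lowsec"):
        print("  touched:", path)
```

On a real image, feed `parse_prefetch` the bytes of a file from `\Windows\Prefetch`; the executable name and hash should agree with the .pf filename, and a run count of 1 together with a last-run time close to the executable's creation time is the signature of an installer that ran once and dropped something, which is the pivot the lab makes from the prefetch artifact to the dropped file.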
Registry
• Autoruns entries
– Check the autoruns entries in the registry
• Windows Firewall modifications
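The two registry artifacts this slide names are the ones the lab's remediation step comes back to: the Winlogon autorun values (the lab finds a Userinit entry) and the Windows Firewall switch. The check below is an added example, not from the slides or from Autoruns/FTK; it parses `reg query`-style output into a dictionary and flags any Userinit or Shell entry outside an assumed default baseline, plus a disabled firewall under the XP-era StandardProfile key. The embedded sample is constructed in the layout of `reg query` output and modelled on what the lab found (an sdra64.exe path appended to Userinit, EnableFirewall set to 0); the baseline sets and the sample's exact data are assumptions for the example, not values taken from the deck.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")

# Baseline assumed for the example: a default install. Userinit is a comma
# separated list and Winlogon runs every entry in it, which is exactly why
# malware appends itself there rather than replacing userinit.exe.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
EXPECTED_SHELL = {"explorer.exe"}

# Constructed sample in the layout of `reg query <key>` output; the values
# are modelled on the lab (sdra64.exe appended to Userinit, firewall off).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    ShutdownWithoutLogon    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
    DoNotAllowExceptions    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        # Columns are separated by runs of whitespace: name, type, data.
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            data = parts[2] if len(parts) == 3 else ""
            keys[current][parts[0]] = (parts[1], data)
    return keys


def _entries(value):
    """Split a comma separated Winlogon value, dropping the trailing empty entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_autoruns(keys):
    """Return (value_name, offending_data) pairs for the checks above."""
    findings = []
    winlogon = keys.get(WINLOGON_KEY, {})
    for entry in _entries(winlogon.get("Userinit", ("", ""))[1]):
        if entry.lower() not in EXPECTED_USERINIT:
            findings.append(("Userinit", entry))
    for entry in _entries(winlogon.get("Shell", ("", ""))[1]):
        if entry.lower() not in EXPECTED_SHELL:
            findings.append(("Shell", entry))
    firewall = keys.get(FIREWALL_KEY, {})
    # A missing value means the default (on), so only an explicit 0 is flagged.
    vtype, data = firewall.get("EnableFirewall", ("REG_DWORD", "0x1"))
    if vtype == "REG_DWORD" and int(data, 0) == 0:
        findings.append(("EnableFirewall", data))
    return findings


def audit(text):
    return check_autoruns(parse_reg_query(text))


if __name__ == "__main__":
    for name, data in audit(SAMPLE_REG_QUERY):
        print("suspicious %-15s %s" % (name + ":", data))
```

The same check runs unchanged against a dead-disk hive once the values are exported in this layout (RegRipper or python-registry output reshaped into the three columns). The remediation slide's caveat applies to live use: while Zeus is running the Userinit value is re-checked every few seconds, so a clean result is only meaningful after the process is gone.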
Synchronization Methods
• Mutants/mutexes
• Semaphores
• Events
Communications
• Sockets
– Listening sockets
– Connected sockets
• Named pipes
– Inter-process communication
• Communication content: URLs, headers
Getting Started
• Finding the first artifact is sometimes the toughest. Usual starting points:
– Process listing
– Anomalous files
– System autoruns
– Prefetch artifacts
• The good news: there are a lot of artifacts. The bad news: there are a lot of artifacts.
List of tools that can be used
• Disk
– FTK
– EnCase
• Memory
– FTK
– Volatility
– Memoryze
• Live system
– FTK Enterprise
– Microsoft Sysinternals tools
– GEMR
Questions prior to the lab?
Lab
(This slide is a diagram: red nodes are possible starting points, blue nodes are artifacts, and each edge is labelled with the method that led from one to the next. Only the node and edge labels survive in the transcript; they are grouped here without the edges.)

Red = possible starting points: Process Listing, Prefetch File, Anomalous File, Autoruns Entry

Blue = artifacts found:
– Processes: Winlogon.exe (PID 652), Svchost.exe (PID 876)
– Files: Bot.exe, A0013970.exe, sdra64.exe, Lowsec directory, Lowsec\local.ds, Lowsec\user.ds.ll
– File properties observed: read-only attribute, owner: Administrator, unusual create time
– Registry: Userinit entry
– Avira_2109
– Network: active sockets, active connections, IP address, domain m4ht.com, GET HTTP request, POST HTTP request, URLs

Edge labels (how each artifact was reached): Restore point, Open handle, Prefetch file, File properties, Registry file, Autoruns tool, Rootkit Revealer, Socket listing, Memory scan
Summary
• Initial thread
– Found bad process in process listing
– Anomalous file listing
– Autoruns entries
– Prefetch file
• Found installer file and dropped file
• Identified data files
• Linked data files to winlogon & svchost
• Svchost had active sockets
• IP address linked:
– to domain m4ht.com
– GET HTTP request to download configuration file
– POST HTTP request to upload data
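The chain in this summary (data files linked to winlogon and svchost, svchost owning the sockets, then the remote address to pivot on) is a join on PID across three listings. The script below is an added example, not from the slides or from Volatility itself: it parses constructed text in the column layout of Volatility 2's pslist, handles and connections plugins, joins the rows by PID, pivots from a handle name to the processes holding it and from there to their remote endpoints. Process names and PIDs follow the lab; the offsets, parent PIDs, handle values and IP addresses are made up, and treating Avira_2109 as a mutant name is an assumption (the lab slide only lists the name).

```python
# Constructed sample listings in the column layout of Volatility 2's
# pslist, handles and connections plugins. PIDs and names follow the lab
# slides; offsets, parent PIDs, handle values and addresses are made up.
PSLIST_OUT = r"""
Offset(V)  Name                 PID    PPID   Thds   Hnds
---------- -------------------- ------ ------ ------ ------
0x8203e478 winlogon.exe            652    372     22    550
0x820b1da0 services.exe            700    652     16    270
0x81f6c0d8 svchost.exe             876    700     10    180
0x81e02ad8 explorer.exe           1320   1284     14    450
"""

HANDLES_OUT = r"""
Offset(V)  Pid    Handle   Access   Type     Details
---------- ------ -------- -------- -------- -------
0x8203e478    652    0x1f8 0x12019f File     \Device\HarddiskVolume1\WINDOWS\system32\lowsec\local.ds
0x8203e478    652    0x204 0x1f0001 Mutant   Avira_2109
0x81f6c0d8    876    0x0b4 0x12019f File     \Device\HarddiskVolume1\WINDOWS\system32\lowsec\user.ds.ll
0x81f6c0d8    876    0x0c0 0x1f0001 Mutant   Avira_2109
0x81e02ad8   1320    0x3a8 0x100020 File     \Device\HarddiskVolume1\WINDOWS\system32
"""

CONNECTIONS_OUT = r"""
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8a1e2d00 192.168.1.5:1045          198.51.100.23:80          876
"""


def _blank(name, ppid=None):
    return {"name": name, "ppid": ppid, "handles": [], "connections": []}


def parse_pslist(text):
    """PID -> process record. Header and separator lines fail the digit test."""
    procs = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[2].isdigit() and p[3].isdigit():
            procs[int(p[2])] = _blank(p[1], int(p[3]))
    return procs


def parse_handles(text):
    """Yield (pid, object type, details); details may contain spaces."""
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[1].isdigit():
            yield int(p[1]), p[4], " ".join(p[5:])


def parse_connections(text):
    """Yield (pid, local, remote) from the XP-style connections table."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 4 and p[3].isdigit():
            yield int(p[3]), p[1], p[2]


def correlate(pslist_text, handles_text, connections_text):
    """Join the three listings by PID. A PID seen in handles or connections
    but absent from pslist is kept and named accordingly: that gap is itself
    a hidden-process indicator worth reporting, not noise to drop."""
    procs = parse_pslist(pslist_text)
    for pid, htype, details in parse_handles(handles_text):
        procs.setdefault(pid, _blank("<not in pslist>"))["handles"].append((htype, details))
    for pid, local, remote in parse_connections(connections_text):
        procs.setdefault(pid, _blank("<not in pslist>"))["connections"].append((local, remote))
    return procs


def pivot(procs, needle):
    """PIDs holding a handle whose details contain needle (case-insensitive)."""
    needle = needle.lower()
    return sorted(pid for pid, rec in procs.items()
                  if any(needle in details.lower() for _, details in rec["handles"]))


def remote_endpoints(procs, pids):
    """Distinct remote ip:port endpoints owned by the given PIDs."""
    return sorted({remote for pid in pids for _, remote in procs[pid]["connections"]})


def lab_report():
    return correlate(PSLIST_OUT, HANDLES_OUT, CONNECTIONS_OUT)


if __name__ == "__main__":
    procs = lab_report()
    owners = pivot(procs, "lowsec")
    for pid in owners:
        rec = procs[pid]
        print("%-14s pid=%-5d ppid=%s" % (rec["name"], pid, rec["ppid"]))
        for htype, details in rec["handles"]:
            print("    %-7s %s" % (htype, details))
        for local, remote in rec["connections"]:
            print("    conn    %s -> %s" % (local, remote))
    print("remote endpoints to pivot on:", remote_endpoints(procs, owners))
```

With real plugin output the same pivot works in either direction: start from the lowsec path and land on the sockets, or start from a suspicious remote address and land on the data files. Whichever process carries the connection is the one to carve strings from next (the GET for the configuration file and the POST of harvested data in the lab).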
Remediation
• Remove the artifacts that have been found
– Delete sdra64.exe
• Can we delete a file that we can’t access?
– Remove the entry from the Userinit registry value
• While Zeus is running this entry is re-checked every few seconds, so the removal only sticks once the process is stopped
– Delete the data files from the lowsec directory
• Can we delete files that are hidden and in use?
– Re-enable the Windows Firewall