open source malware lab

1@ThreatConnect

Open Source Malware Lab

© 2016 ThreatConnect, Inc. All Rights Reserved

2@ThreatConnect

Director of Research InnovationResearch Team

ThreatConnect, Inc.


3@ThreatConnect

Why Do I Need A Malware Analysis Lab?

• Malware Research• Automated Malware Analysis (AMA)

• First two of four major stages• AMA can include second stage

• Enhanced Threat Intelligence

• Analysis of malware in your enterprise

• Stage of malware hunting process

• Network Defense• Network Traffic• Inbound Email• Host Intrusion Detection System

• Fun!!!

https://zeltser.com/mastering-4-stages-of-malware-analysis/


4@ThreatConnect

Malware Analysis Process Entry Points

File URL PCAP MemoryImage


5@ThreatConnect

CuckooSandbox Thug Bro Volatility

Open Source Malware Analysis Tools


6@ThreatConnect

Cuckoo SandboxStatic and Dynamic File Analysis


7@ThreatConnect

Sandbox

• A controlled, safe environment

• Leverages• Virtual machines• Bare metal computers

• Running malware• Observing its behavior• Dynamic malware analysis• May also perform static

malware analysis


8@ThreatConnect

More Than Just Dynamic Analysis


TrendMicro: OSX_KeRanger.AESET-NOD32: OSX/Filecoder.KeRanger.AKaspersky: UDS:DangerousObject.Multi.Generic

$Info: This file is packed with the UPX executable packer http://upx.sf.net $$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

Strings

AV Detections

9@ThreatConnect





Strings

AV Detections

10@ThreatConnect





Strings

AV Detections

11@ThreatConnect





Strings

AV Detections

12@ThreatConnect



data RT_VERSION 3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687 99 files found

Name Addr Ent MD5.rsrc 532480 3.59 7ce8cbef10f26dfee328a35f2c724cd5 52 files found

Sections

Resources

Timestamp: 2016-03-07 09:41:34First Seen: 2016-03-07 09:42:47 95c231bb, web, RUFile

Metadata

13@ThreatConnect





Sections

Resources


Metadata

14@ThreatConnect





Sections

Resources


Metadata

15@ThreatConnect





Sections

Resources


Metadata

16@ThreatConnect





Sections

Resources


Metadata

17@ThreatConnect





Sections

Resources


Metadata

18@ThreatConnect





Sections

Resources


Metadata

19@ThreatConnect





Sections

Resources


Metadata

20@ThreatConnect

Cuckoo Sandbox Flavors


Plain VanillaVersion 1.2 (Stable)

Cuckoo Modified(brad-accuvant / spender-sandbox)

Next GenerationVersion 2.0 RC1

21@ThreatConnect

Cuckoo Modified

• Normalization of file and registry paths• 64bit analysis• Service monitoring• Extended API• Tor for outbound network connections• Malheur integration


22@ThreatConnect

Normalization - Why this is Great!

• Not normalized•C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg•C:\Users\Dumdum\AppData\bonzo\AIDVFP.jpg

• Normalized•%APPDATA%\bonzo\AIDVFP.jpg


23@ThreatConnect

Cuckoo Next Generation

• Support for:• MacOS X• Linux• Android


• Integrations• Suricata• Snort• Moloch• SSL decryption• VPN support• 64-bit analysis• Fun, fun, fun

24@ThreatConnect

What if the Malware is VM or Sandbox Aware?

• Pafish (Paranoid Fish)• Uses malware’s anti-analysis

techniques• Shows successful and

unsuccessful techniques• Pinpoint ways to improve

sandbox• VMCloak

• Automated generation of Windows VM images

• Ready for use in Cuckoo• Obfuscates VM to prevent

anti-analysis


25@ThreatConnect

Cuckoo Output

• HTML Report• JSON Report• MongoDB Output• Dropped Files• PCAP• Memory Image• Visited URLs


26@ThreatConnect

ThugLow-Interaction Honeyclient


27@ThreatConnect

What is a Low-Interaction Honeyclient?

• Pretends to be a browser

• Trigger a drive-by download

• Capture its payload


28@ThreatConnect

Wolf in Sheep’s Clothing

• User agent can change• Windows, Mac, Linux, Android, iOS• Limitless possibilities• http://www.useragentstring.com/

pages/useragentstring.php• http://www.browser-info.net/

useragents

• Simulates vulnerable plugins with configurable versions

• Flash• Java• Acrobat Reader (PDF)


29@ThreatConnect

Available User Agents


30@ThreatConnect

Thug Output

• Payload Files• Other Content Files• Visited URLs• MongoDB Output• Elasticsearch Output• HPFeeds• MAEC• Native Report Format


31@ThreatConnect

BroNetwork Analysis Framework


32@ThreatConnect

What is Bro?• Network Security Monitoring (NSM) Framework• Processes

• Live Packet Capture• Recorded Packet Capture (PCAP)

• Series of scripts• Output Bro logs• Packaged with a large group of scripts• Rich community of open source scripts• Write your own Bro script for specific needs


33@ThreatConnect

Bro in Action


• Analysis Target: tue_schedule.doc_7387.doc• PCAP Source: https://www.hybrid-analysis.com/• SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e• What can we learn from PCAP only?

34@ThreatConnect

conn.log$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t


35@ThreatConnect



36@ThreatConnect



37@ThreatConnect



38@ThreatConnect



40@ThreatConnect



41@ThreatConnect



42@ThreatConnect

Poor Man’s pDNS


43@ThreatConnect

Whois Data


44@ThreatConnect

Whois Data


45@ThreatConnect

Site Content


46@ThreatConnect

Site Content


47@ThreatConnect



48@ThreatConnect

Poor Man’s pDNS


49@ThreatConnect

Whois Data


50@ThreatConnect

Whois Data


51@ThreatConnect

Poor Man’s Reverse Whois


52@ThreatConnect

Site Content


53@ThreatConnect



54@ThreatConnect

Whois Data


55@ThreatConnect

Whois Data


56@ThreatConnect

pDNS


58@ThreatConnect



59@ThreatConnect© 2016 ThreatConnect, Inc. All Rights Reserved

Zapoi (Russian: запой)

A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two

or more days of continuous drunkenness.

https://en.wikipedia.org/wiki/Zapoy

60@ThreatConnect

/zapoy/gate.php = Pony


61@ThreatConnect



62@ThreatConnect

/xdaovcny/index.php = Nymaim


63@ThreatConnect



64@ThreatConnect

pe.log$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t


67@ThreatConnect

What Can We Learn From PCAP Only?

• Adversary Likely Russophone• Office Document generating network traffic• Multi-stage malware• One payload is Pony• One payload is Nymaim• Nymaim has

• Dedicated infrastructure•Rogue DNS

• Dropper uses compromised Drupal websites• Adversary is MAN1


68@ThreatConnect

Collected Lots of Indicators


69@ThreatConnect

My local.bro


70@ThreatConnect

cuddlesome.exe = Ruckguv


71@ThreatConnect

Bro Output

• Important Logs• conn.log• dns.log• http.log• pe.log• file.log

• Extracted Files• Alternative JSON Output for Elasticsearch


72@ThreatConnect

VolatilityMemory Analysis Framework


73@ThreatConnect

What is the Volatility Framework?

• Extracts artifacts from samples of volatile memory• An amazing view into what is happening in memory

while a malware sample is running


74@ThreatConnect

Operating System Support


75@ThreatConnect

Volatility in Action

• Analysis Target: b.exe• Sample Source: https://www.hybrid-analysis.com/• SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742• What can we learn from memory analysis?


76@ThreatConnect

Preparing Your Memory ImageConvert ELF64 image into raw dd-style memory dump

• Dump a memory image from running VirtualBox VM• VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img• vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw


77@ThreatConnect

pslist & psscan


• psscan shows hidden and terminated processes• pslist shows running processes• pslist before and after running malware sample

78@ThreatConnect

malfind$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .


79@ThreatConnect

Malware Found?

Avira: TR/Patched.Ren.Gen7Qihoo-360: HEUR/QVM40.1.Malware.Gen

Qihoo-360: HEUR/QVM40.1.Malware.Gen

0x80000

0xa000


80@ThreatConnect

netscan$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer


81@ThreatConnect

What Can We Learn From Memory Analysis?

• Sample uses process injection• Injects explorer.exe• Command and Control IP Address: 216.170.126.105


82@ThreatConnect

Volatility Output

• Files extracted from services• Files extracted from injection• DLLs extracted• IP addresses extracted from network connections• URLs extracted from IE history• URLs extracted from malware configuration• Suspicious mutexes


83@ThreatConnect

Tying It All TogetherConclusion


84@ThreatConnect

Cuckoo, Thug, Bro Process


85@ThreatConnect

Volatility, Thug, Cuckoo Process


86@ThreatConnect

Orchestration and Automation• Use a message queue

• Redis• Rabbit MQ• ZeroMQ <- Preferred

• Use NGINX for file transfer under message queue• Keep all output in Elasticsearch

• Cuckoo needs to be cuckoo-modified or write your own report plugin• Thug uses ES natively• Bro can export logs in JSON format• Volatility can export logs in JSON format

• Glue everything together with Python3


87@ThreatConnect

Questions?


www.ThreatConnect.com/blog

@MalwareUtkonos @ThreatConnect

open source malware lab

Technology