We will need some software when applying the dynamic analysis method. Let's take a look at these software categories.
Some of the frequently used virtualization software are as follows:
- VMware Workstation
- VMware Fusion
- Oracle Virtualbox
An ideal isolated dynamic analysis environment consists of a completely separate physical device on a separate network. However, such a setup is costly, and it is not necessary when you are starting out: a virtual machine on an isolated virtual network is enough for this training.
After installing the virtual operating system, you need to install the software that the malware you analyze will depend on. For example, we cannot dynamically analyze Office documents with extensions such as docx or xlsx without installing Microsoft Office or similar software on the system. Commonly needed applications:
- Microsoft Office
- Adobe Reader
- Browser (Chrome, Firefox etc.)
- WinRAR
- Text Editors (Notepad++, Sublime Text etc.)
Attackers are very familiar with the dynamic analysis method.
Therefore, before performing malicious activities on a compromised device, they check whether such commonly used software is installed, to determine whether the malware is running on a virtual analysis system rather than a real user's machine.
Debuggers are software generally used by programmers to test code and catch errors. A debugger lets you see the instructions of a process as they execute and change the flow of the program.
Malware analysts frequently use debuggers to learn how a piece of malware works and to disable some of its protection mechanisms by patching its code.
For instance, suppose you want to analyze a malware sample that does not run unless the device name is "John". With a debugger, you can patch the instructions that perform this check so that the malware continues to run regardless of the device name.
Since this training addresses the beginner topics, we will not go in detail about debugging, but since we will use them in our future training, installing debuggers now will make our work easier.
Some debuggers that are frequently preferred by malware analysts are as follows.
- OllyDbg
- x64dbg
- WinDbg
- Radare2
The network connections established by the malware, the addresses it communicates with and how it communicates with them should all be reported as a result of the malware analysis.
We need some software to capture the malware's network activity. Some of the options are as follows.
- Wireshark
- Fiddler
- Burp Suite
Running the sample creates a new process, and often child processes as well. To monitor these processes, we need process monitoring tools.
Windows already comes with a process monitoring tool, "Task Manager". However, the tools below are far more useful for malware analysis in terms of the detail they show (command lines, parent/child relationships, handles, loaded modules).
You can install the following process monitoring tools in the virtual operating system we will create for dynamic malware analysis.
- Process Hacker
- Process Explorer (SysInternals)
- Procmon (SysInternals)
File activity is one of the first things to follow in dynamic analysis. Malware may read files to collect information from the operating system, write other components of the malware to the file system, or copy itself to the startup folder to ensure persistence. For these and other reasons, malware can be involved in various activities in the file system, and we should detect and document these activities in the malware analysis report.
You can use the following tools to see file activity and to inspect the files the malware reads or drops.
- Sysmon
- Sysinternals tools (Procmon in particular)
- CFF Explorer
- PEView
- TrIDNet
- BinText
- PEiD
- Regshot
- HashMyFiles
Before installing a virtual operating system, we need to install one of the virtualization products that makes this possible.
While there are some differences between them, any of the following will do for our dynamic analysis. You can install one of the following:
- VMware Workstation
- VMware Fusion (for macOS)
- Oracle VirtualBox
We will use VMware Workstation during the training, and we recommend installing it so that you can follow along easily.
You can download VMware Workstation from VMware's website.
After installing the virtualization software on our system, let's set up our operating system with the help of these virtualization software.
In order to install the operating system together with the virtualization software, we need to obtain the ISO files of the operating systems. You can use the application called MediaCreationTool published by Microsoft to create an ISO file for the Windows operating system.
Malware may be programmed not to work or to behave differently depending on the operating system. For this reason, we strongly recommend that you have different operating systems at hand.
When you run MediaCreationTool, you will be prompted with “Upgrade this PC now” and “Create installation media” options. Let's continue by selecting the "Create installation media" option.
Back in VMware Workstation, start the New Virtual Machine wizard (File > New Virtual Machine). We are first asked what kind of configuration we want; continue with "Typical (recommended)".
We select the ISO file that we have downloaded by selecting the “Installer disc image file (iso)” option.
Next, we are asked to name the virtual machine and specify the directory where its files will be kept. You can use "Windows10 Dynamic Analysis" as the name and keep the default directory. Give your VM a descriptive name so that you do not confuse it with others if you have several; the name can be changed later.
After choosing the name and the directory where the VM's files will be kept, we are asked to determine the disk size of our operating system. Since we will install various software and applications in it, we recommend that you allocate a minimum of 60-70 GB.
Finally, we are presented with some hardware settings that the operating system uses. At this stage, we go to the customization step by clicking the "Customize Hardware" button.
Since we are installing a 64-bit operating system, we recommend reserving at least 4 GB of RAM; with less, you may run into performance problems and operating system errors. A 32-bit operating system can get by with less.
After this step, a virtual machine with the settings we specified is created.
After the VM is created, you can install the operating system normally by running the created VM.
At this point, our operating system is now ready for use. Next is the installation of tools and software that we will use during dynamic analysis.
We need to make some configuration changes on our Virtual Machine to be able to use it for malware analysis.
Since we will run malware on our VM, we do not want antivirus software to quarantine or delete the samples we copy in for analysis, so Windows Defender, which is enabled by default, has to be turned off.
Go to the Windows Security settings and disable every active protection. The feature that immediately scans and removes a sample you copy onto the VM is "Real-time protection"; make sure it is off. On Windows 10 version 1903 and later, also switch off "Tamper Protection" on the same page first, otherwise Defender reverts the changes made through Group Policy or PowerShell.
You can open the Local Group Policy Editor application by searching for “edit group policy” in the start menu. Alternatively, you can access the Local Group Policy Editor application by searching for “gpedit.msc” or by running it through “Search>Run” function on Windows.
To disable Windows Defender using the Local Group Policy Editor application, you must access the policy below.
“Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus”
Here, double-click the "Turn off Microsoft Defender Antivirus" policy and set it to "Enabled". Note that recent Defender platform versions ignore this legacy setting, so the real-time protection policies in the next step are the ones that matter in practice.
Then, under "Real-time Protection", set "Turn off real-time protection" to "Enabled" and "Monitor file and program activity on your computer" to "Disabled".
Some malicious software makes various checks in order not to work in analysis environments. One of these checks is to check the hostname. Since most sandboxes have hostnames such as "Sandbox", "Malware", "Cuckoo" …, malware is programmed not to run on systems with these hostnames.
Make your VM look as much like a normal user's system as you can so that such anti-analysis checks do not trigger. A hostname that looks like a default Windows name (DESKTOP- followed by seven random letters and digits) avoids this particular check without standing out.
To change the device name, you must select “Settings → System → About” and then click the “Rename this PC” button.
The malware we are going to analyze may be taking advantage of vulnerabilities in the operating system. In order for the malware to run as normally as possible, we need to turn off the automatic updates of our virtual operating system.
You can turn off automatic updates through the group policy settings.
You can open the Local Group Policy Editor application by searching for “edit group policy” in the start menu. Alternatively, you can access the Local Group Policy Editor application by searching for “gpedit.msc” or by running it through the “Search>Run” function on Windows.
You should then access the policy below.
“Computer Configuration > Administrative Templates > Windows Components > Windows Update”
After accessing the relevant policy, you should set the policy named "Configure Automatic Updates" to "Disabled".
4. Disable Hidden Extensions
You may have seen the attackers try to trick their victims by changing the file extensions. How could they do this?
Windows operating systems are set to hide known file extensions by default. In other words, a file named "Chrome.exe" will appear as "Chrome" by default. Attackers name their malicious software as "Photo.jpg.exe", causing the user to see the file as "Photo.jpg". When the user thinks that this file is an image file and opens it, the malware will start to run.
In order not to get confused with this during our analysis, we need to fix it so that the extensions that are hidden by default are always shown.
For this, we need to open the application named “File Explorer” and access the settings menu by clicking the “File” and then “Change folder and search options” buttons from the top menu.
Then you should save the settings by unchecking “Hide extensions for known file types” from the “View” tab.
5. Show Hidden Files and Folders
Malware often hides its files by setting the hidden attribute so that the user does not notice them. Configuring Explorer to show hidden files and folders by default makes the analysis more comfortable.
Let's open the application called File Explorer and open the settings menu with the help of "File" from the top menu, then click "Change folder and search options".
Then, let's check the "Show hidden files, folders, and drives" from the "View" tab and save the setting.
Newer versions of Windows have an anti-exploit mechanism called ASLR (Address Space Layout Randomization), which loads executables and DLLs at a different base address on each run. We will not go into ASLR in this training, but you may want to disable it at this stage because it will come up in later trainings (for example, it makes the addresses you see in a debugger change between runs).
You can disable it through the Registry. Open the Registry Editor application and go to the following key.
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”
Then create a “REG_DWORD” value named “MoveImages” and set it to 0.
After a reboot, this disables ASLR system-wide. On Windows 10, also check Windows Security > App & browser control > Exploit protection: the system-wide "Force randomization for images (Mandatory ASLR)" setting can enforce randomization regardless of this value.
As we implemented in the previous steps, we should disable the Windows Firewall to prevent the security mechanisms from interfering with the malicious software we analyze.
Open the Windows Defender Firewall settings from the Control Panel. The quickest way is to paste the following path into the File Explorer address bar, which takes you directly to the settings page.
“Control Panel\System and Security\Windows Defender Firewall\Customize Settings”
After accessing the Defender Firewall settings, select "Turn off Windows Defender Firewall" and save it. This will disable the Firewall.
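The settings from the sections above can be applied at once from an elevated PowerShell prompt inside the VM, which is useful when the VM has to be rebuilt. The following script is an added example, not part of the original training; it uses the registry locations behind the Group Policy and Explorer settings described above, and the DESKTOP- hostname pattern is an assumption about what a default install looks like.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original training): apply the analysis-VM settings
# described above in one script. Assumptions: Windows 10, elevated PowerShell inside
# the VM, Tamper Protection already switched off by hand in the Windows Security app.

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create missing keys; -Force on New-ItemProperty overwrites an existing value
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Microsoft Defender. With Tamper Protection on, these changes are ignored or reverted.
Set-MpPreference -DisableRealtimeMonitoring $true
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
# "Turn off Microsoft Defender Antivirus" (legacy; ignored by recent Defender platform versions)
Set-RegistryDword $defenderPolicy 'DisableAntiSpyware' 1
# "Turn off real-time protection" and "Monitor file and program activity on your computer"
Set-RegistryDword "$defenderPolicy\Real-Time Protection" 'DisableRealtimeMonitoring' 1
Set-RegistryDword "$defenderPolicy\Real-Time Protection" 'DisableOnAccessProtection' 1

# 2. Windows Update: "Configure Automatic Updates" = Disabled
Set-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate' 1

# 3. Explorer (per-user): show extensions and hidden files
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-RegistryDword $explorer 'HideFileExt' 0      # "Hide extensions for known file types" unchecked
Set-RegistryDword $explorer 'Hidden' 1           # "Show hidden files, folders, and drives"
Set-RegistryDword $explorer 'ShowSuperHidden' 1  # also show protected operating system files

# 4. ASLR: MoveImages = 0, effective after reboot. On Windows 10 also check Exploit
#    Protection, whose "Force randomization for images" setting overrides this value.
Set-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' 'MoveImages' 0

# 5. Windows Defender Firewall off for all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# 6. Hostname that looks like a default install: DESKTOP- plus 7 random letters/digits (15 chars max)
$suffix = -join (((48..57) + (65..90)) | Get-Random -Count 7 | ForEach-Object { [char]$_ })
Rename-Computer -NewName "DESKTOP-$suffix" -Force

Write-Host 'Settings applied. Restart the VM, then verify with:'
Write-Host '  Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled'
Write-Host '  Get-NetFirewallProfile | Select-Object Name, Enabled'
```

Reboot after running it; the hostname and MoveImages changes only take effect then. If Get-MpComputerStatus still reports real-time protection as enabled afterwards, Tamper Protection was still on when the script ran.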
You should make your VM look like a normal end-user operating system as much as possible so that the malware you are analyzing is not caught by anti-analysis techniques.
Since there are no precise instructions or settings for this, it is up to you to make your analysis VM look like a normal end-user's computer. Some tips:
- Install browsers that end-users commonly prefer, such as Chrome and Firefox.
- Leave files in various directories that would be of interest to an attacker (documents, spreadsheets and the like).
- Change the desktop background.
- Download a few small applications through the browser so that the Downloads directory is not empty.
We need to prevent the malware from spreading to other devices over the network. The private virtual networks provided by virtualization software let us keep the malware from reaching other machines.
For this, click the "VM" menu in the top menu of VMware Workstation and select "Settings".
In the window that opens, select "Network Adapter" from the left menu and choose the "Custom" setting, picking a host-only virtual network (VMnet1 by default) rather than one bridged to your physical adapter. Keep in mind that a host-only network still reaches the host machine itself, so do not expose shared folders or services from the host to the VM.
Your operating system may be damaged or become unusable after you run malware or ransomware on it. When you move on to a new sample, you do not want the changes made by the previous sample to affect the new analysis.
In such cases, you can take advantage of the Snapshot feature of virtualization software.
Snapshot is a feature that allows you to take a snapshot of your Virtual Machine and return to this backup later.
Our VM is now configured for malware analysis and the applications we will use have been installed. At this stage, take a snapshot; before each new sample, revert to it so that every analysis starts from the same clean environment.
To take snapshots, you can access the screen where you manage Snapshots by clicking the "VM" menu in the top menu of the VMware Workstation application and clicking "Snapshot" -> "Snapshot Manager".
Then you can take a snapshot of your VM by clicking the "Take Snapshot" button. That's how easy it is to take snapshots.
File Name: e-Archive Dekont.exe
MD5 Hash: 7a0093c743fc33a5e111f2fec269f79b
SHA256 Hash: 722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088
Because our monitoring tools only record activity from the moment they are started, we should run them before executing the suspicious program. Otherwise the malware's activities will have happened before the tools were watching, and we will not see them.
Let's run Process Hacker to see process activity. Because we will start the malware by double-clicking it on the desktop, its process will appear as a child of explorer.exe, so that is where to look.
To see the file activities, run the tool called “Procmon” in the SysInternals toolkit. This tool allows us to see process, file, registry and network activities. However, since there are so many logs, it can be difficult to read and conclude meaningful results. (Yes, even if you don't see it, your OS really works that much in the background!)
Run RegShot to see registry activities. Take a shot by pressing the “1st shot” button before running the malware. This process will take some time.
You can use Wireshark and Fiddler to see network activity. Since the malware we are examining communicates over HTTP, Fiddler will suffice; keep in mind that Fiddler works as a proxy and only sees HTTP(S) traffic that goes through it, whereas Wireshark captures every packet on the interface.
Now that we have completed the necessary preparations before running the malware, you can run the malware on your VM.
For a better understanding, we will examine the process, network, registry and file activities separately. After reviewing these activities, we will create a timeline.
After allowing enough time for the malware to perform its activity, let's take the second shot by pressing the "2nd shot" button from the Regshot tool.
As we mentioned earlier in our training series, there are some advantages of detecting process activities first. Since we will encounter a lot of logs and activities, the first step we need to do is to detect the processes belonging to the malware.
When we examine the processes occurred over Process Hacker, we see that only one process belonging to the malware is running.
However, things are not always as they seem! Process Hacker only shows the processes running at that moment, so the malware may have created a child process at a time we were not watching and terminated it afterwards.
At this point, the Procmon tool comes to our rescue. If you press the "Show Process Tree" button in the top menu, procmon will show the process tree it has created for you during the time it has recorded.
The process tree provided by Procmon completes this shortcoming of Process Hacker, as it also includes terminated processes.
Looking at the process tree, we see that the first process we ran (PID 9076) starts schtasks.exe, the Windows Task Scheduler command-line tool (PID 4800), and then starts a second instance of itself (PID 7944).
Before moving on to other activities, let's examine the schtasks.exe process. Schtasks.exe is a tool that enables the Task Scheduler to be used via the command interface in the Windows operating system. Attackers ensure persistency by adding their own malware to scheduled tasks with the help of Task Scheduler.
In order to see what kind of scheduled task the attacker added, we must click on the "schtasks.exe" (4800 PID) in the process tree of procmon and examine its details.
When we examine the command-line arguments, we see that a scheduled task named "Updates\VbxFiQYCyFDgGL" has been created. However, the information of the scheduled task except for its name is in the XML file located at the following path:
“C:\Users\Amanda\AppData\Local\Temp\tmpCCF2.tmp”.
The command-line arguments of schtasks.exe are documented in Microsoft's schtasks reference.
When you try to open that file, you will find it has already been deleted. This does not matter: the task has been registered, so its definition can be viewed in Task Scheduler.
On the Trigger tab, you can see in which situations this scheduled task added by the attacker will run. As it can be seen on the screenshot above this scheduled task will run at log on.
You can see what action will run on the Actions tab. You can see on the above screenshot that the malicious software named “VbxFiQYCyFDgGL.exe” prepared by the attacker will run when this scheduled task runs.
This is how we have detected the scheduled task that the attacker added.
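Task Scheduler keeps the registered definition, so it can be recovered even though the XML in the Temp directory is gone. The following PowerShell is an added example, not part of the original training; it assumes the task path \Updates\ and the name VbxFiQYCyFDgGL seen in the schtasks.exe command line, and it goes beyond the single task in the text by listing every non-Microsoft task with a logon trigger, which is the check to run on any machine suspected of this kind of persistence.

```powershell
# Added example (not from the original training): inspect the scheduled task the
# sample registered and export its definition for the report. Run inside the analysis VM.
# Assumption: task path '\Updates\' and name 'VbxFiQYCyFDgGL' from the schtasks.exe command line.

function Get-TaskSummary {
    param([object]$Task)
    # One row per action: what runs, with which arguments, on which trigger types
    foreach ($action in $Task.Actions) {
        [pscustomobject]@{
            Task      = $Task.TaskPath + $Task.TaskName
            State     = $Task.State
            Triggers  = ($Task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            Execute   = $action.Execute
            Arguments = $action.Arguments
        }
    }
}

# The task created by the sample. -TaskPath needs the leading and trailing backslash.
$task = Get-ScheduledTask -TaskPath '\Updates\' -TaskName 'VbxFiQYCyFDgGL' -ErrorAction Stop
Get-TaskSummary $task | Format-List

# Export the registered definition (what the malware fed to schtasks.exe via tmpCCF2.tmp)
Export-ScheduledTask -TaskPath '\Updates\' -TaskName 'VbxFiQYCyFDgGL' |
    Set-Content -Path "$env:USERPROFILE\Desktop\VbxFiQYCyFDgGL.task.xml"

# Generalisation: any task outside \Microsoft\ that fires at logon deserves a look
Get-ScheduledTask |
    Where-Object {
        $_.TaskPath -notlike '\Microsoft\*' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    } |
    ForEach-Object { Get-TaskSummary $_ } | Format-Table -AutoSize
```

When the analysis is finished, Unregister-ScheduledTask -TaskPath '\Updates\' -TaskName 'VbxFiQYCyFDgGL' -Confirm:$false removes the persistence, although reverting to the clean snapshot is the safer choice.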
We detected malware processes (9076, 4800, 7944 PIDs) with the help of Procmon. Next, we need to detect the network, file and registry activities of these processes.
You can filter for the processes with PIDs 9076, 4800 and 7944 in Procmon by hand. There is an easier way: right-click the topmost parent process of the malware in the process tree and choose "Add process and children to Include filter", and Procmon creates these filters for you.
Since the malware we examined communicates over the HTTP protocol, you can detect the connections it establishes very easily using the Fiddler tool.
After running the malware, you can see that the process named “e-archive dekont.exe” on Fiddler communicates with the domain “5gw4d[.]xyz”.
When we examine the registry activity, we see that the keys under HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall are queried. Applications installed on the system leave their uninstall settings under this key, so attackers often enumerate it to discover which applications are installed.
To focus on the malware's file activity, turn off the registry, network and process/thread activity toggles in the Procmon toolbar, leaving only file system activity shown.
You can enter a filter with Operation=CreateFile to see file creation activities.
When we examine the logs, we see that an executable named "VbxFiQYCyFDgGL.exe" is written to the "C:\Users\Amanda\AppData\Roaming" directory.
When we compute the hash of "VbxFiQYCyFDgGL.exe" with HashMyFiles, we see that it is the same file as the sample we started with: the malware has copied itself to a different folder.
Examining the file activity further, we see that the malware reads the profile files of applications such as Firefox, Chrome and Thunderbird to steal the information stored in them. We have determined that this malware is an information stealer.
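The three Procmon steps above (isolating the process family, listing what it wrote, and checking what it read) can be repeated on a saved CSV export instead of clicking through the GUI, which makes the result reproducible for the report. The following PowerShell is an added example, not part of the original training: the CSV rows are constructed for this example using the PIDs and paths from the analysis above, and the schtasks command line, the Firefox profile name, the Chrome file name and the timestamps are illustrative rather than taken from the real capture. The hash check at the end is what HashMyFiles does by hand.

```powershell
# Added example (not from the original training): rebuild the sample's process family and
# its file activity from a Procmon CSV export (File > Save, CSV, default columns), then
# confirm a dropped file is a self-copy by hash. The rows below are constructed sample data.

$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","explorer.exe","1234","Process Create","C:\Users\Amanda\Desktop\e-Archive Dekont.exe","SUCCESS","PID: 9076, Command line: ""C:\Users\Amanda\Desktop\e-Archive Dekont.exe"""
"10:01:03.000","e-Archive Dekont.exe","9076","CreateFile","C:\Users\Amanda\AppData\Roaming\VbxFiQYCyFDgGL.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.500","e-Archive Dekont.exe","9076","Process Create","C:\Windows\System32\schtasks.exe","SUCCESS","PID: 4800, Command line: schtasks.exe /Create /TN ""Updates\VbxFiQYCyFDgGL"" /XML ""C:\Users\Amanda\AppData\Local\Temp\tmpCCF2.tmp"""
"10:01:05.000","e-Archive Dekont.exe","9076","Process Create","C:\Users\Amanda\Desktop\e-Archive Dekont.exe","SUCCESS","PID: 7944, Command line: ""C:\Users\Amanda\Desktop\e-Archive Dekont.exe"""
"10:01:06.000","e-Archive Dekont.exe","7944","CreateFile","C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\example.default\logins.json","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:06.100","e-Archive Dekont.exe","7944","CreateFile","C:\Users\Amanda\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:06.200","SearchIndexer.exe","2222","CreateFile","C:\Users\Amanda\Documents\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'@

function Get-ProcessFamily {
    # Same result as Procmon's "Add process and children to Include filter": follow
    # "Process Create" events from the root PID; the child PID is in the Detail column.
    param([object[]]$Events, [int]$RootPid)
    $family = [System.Collections.Generic.HashSet[int]]::new()
    $queue  = [System.Collections.Generic.Queue[int]]::new()
    [void]$family.Add($RootPid); $queue.Enqueue($RootPid)
    while ($queue.Count -gt 0) {
        $parent = $queue.Dequeue()
        foreach ($e in $Events) {
            if ($e.Operation -eq 'Process Create' -and [int]$e.PID -eq $parent -and
                $e.Detail -match 'PID:\s*(\d+)') {
                $child = [int]$Matches[1]
                if ($family.Add($child)) { $queue.Enqueue($child) }  # Add is $false if already seen
            }
        }
    }
    return $family
}

function Get-FamilyFileEvents {
    # CreateFile events of the family, split into writes (drops) and reads (collection)
    param([object[]]$Events, [System.Collections.Generic.HashSet[int]]$Family,
          [ValidateSet('Read', 'Write')][string]$Access)
    $Events | Where-Object {
        $_.Operation -eq 'CreateFile' -and $Family.Contains([int]$_.PID) -and $_.Detail -match "Generic $Access"
    } | Select-Object PID, Path
}

function Test-SameFile {
    # SHA256 comparison; the sample's published SHA256 can be compared the same way
    param([string]$Original, [string]$Dropped)
    (Get-FileHash -Path $Original -Algorithm SHA256).Hash -eq (Get-FileHash -Path $Dropped -Algorithm SHA256).Hash
}

$events = $procmonCsv | ConvertFrom-Csv
$family = Get-ProcessFamily -Events $events -RootPid 9076
"Malware process family: $($family -join ', ')"

"Files written by the family (dropped components):"
Get-FamilyFileEvents -Events $events -Family $family -Access Write | Format-Table -AutoSize

"Browser/mail profile files read (information-stealer behaviour):"
Get-FamilyFileEvents -Events $events -Family $family -Access Read |
    Where-Object { $_.Path -match 'Mozilla\\Firefox|Google\\Chrome|Thunderbird' } | Format-Table -AutoSize

# On the VM, confirm the dropped file is a self-copy; skipped when the paths do not exist
$sample  = 'C:\Users\Amanda\Desktop\e-Archive Dekont.exe'
$dropped = 'C:\Users\Amanda\AppData\Roaming\VbxFiQYCyFDgGL.exe'
if ((Test-Path $sample) -and (Test-Path $dropped)) {
    "Dropped file is identical to the sample: $(Test-SameFile $sample $dropped)"
}
```

To use it on a real capture, replace the here-string with Import-Csv on the exported file; the column names are Procmon's defaults, so the functions need no change. Filtering on Generic Read versus Generic Write in the Detail column is what separates files the malware collects from files it drops.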
Now that we have completed the malware analysis, we can combine the information we have gathered. We have detected that:
- the malware has copied itself to the "C:\Users\Username\AppData\Roaming" directory with the name "VbxFiQYCyFDgGL.exe",
- has used Task Scheduler to ensure persistence,
- has enabled its own malicious application to run at every logon by creating a scheduled task with the name "VbxFiQYCyFDgGL"
- communicates with the command & control server, the command control address is “5gw4d[.]xyz/PL341/index.php” and it communicates over the HTTP protocol,
- discovers the applications installed in the system with the help of the key under the "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" registry key,
- steals sensitive data from applications such as Chrome, Firefox, Thunderbird.