Introducing Intelligence Into Your Malware Analysis

Introducing Intelligence
Into Your Malware Analysis
Presented by
Brian Baskin
Advisory Practice Consultant
RSA Incident Response
5 Jun 14

# whoami
• Consultant with RSA IR/D team
• Digital Forensics for 15 years
• Incident Response for 10 years
• Personal Blog: www.GhettoForensics.com
• Co-Author: Dissecting the Hack

Where do we start…
• Many attack analysis methods are outdated
• Emphasis on system-by-system analysis
• Teams are broken up by specialized skills

Skill Segregation
Memory AnalysisNetwork Analysis
Dynamic AnalysisStatic Analysis

Difficulty in Current Processes
• Skill-Based Approach vs. Indicator-Based
• Going down rabbit holes that do not help
overall security posture
• You do not need to deep dive every sample!
• Difficult to segregate and emphasize
critical indicators in reports

The Cyber Kill Chaintm

Relevance of the Cyber Kill Chain
Each chain link has indicators that
can be potentially extracted or
deduced from malware analysis
Use to:
• Identify Indicators
• Collect Indicators
• Reuse Indicators

What Indicators?
Go Beyond the IOCs
• File MD5s
• URLs, IPs
Intel Indicators
• Encryption keys
• Campaign Identifiers
• Evidence of custom tools
• Who is performing the attack

Relevance of the Cyber Kill Chain
– Signs of intelligence gathering
– Technical exploit used in attack
– Transfer method
– Vulnerability on victim system
– Entrenchment/Persistence artifacts
– Data collection, network beacon
– Actor-issued commands, exfil, lateral movement

Fishing for Indicators
– Carrier themes
– Buffer overrun, RCE, malicious Flash w/in DOCX
– Email, Watering Hole, P2P, USB
– CVE-2010-3333, CVE-2012-0158, etc
– File / Registry / File artifacts
– DNS, HTTP beacons
– RAR archives, psexec, pwdump

Reconnaissance – Decoy Details
http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html

Reconnaissance – ExifTool
ExifTool Version Number : 9.36
File Modification Date/Time : 2010:10:08 07:15:54-04:00
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Encryption : Standard V2.3 (128-bit)
User Access : Extract
Tagged PDF : Yes
XMP Toolkit : 3.1-701
Producer : Acrobat Distiller 8.1.0 (Windows)
Company : Dell Computer Corporation
Source Modified : D:20101001111200
Creator Tool : Word8墁 Acrobat PDFMaker 8.1
Modify Date : 2010:10:08 09:35:31+09:00
Create Date : 2010:10:01 20:12:17+09:00
Metadata Date : 2010:10:08 09:35:31+09:00
Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject : 4
Format : application/pdf
Creator : Arlene Goldberg
Title : President Clinton Event Request Form
Page Count : 5
Page Layout : OneColumn
Author : Arlene Goldberg

Weaponization – Hex view of .DOC file
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s
0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p
0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1
4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e
4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6
4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315
4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3
4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637
4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730
4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10
41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt
4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô
4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä
4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ
4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ
4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´
4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 7B 5C 72 74 66 31 7B 5C 73 68 70 7B 5C 2A 5C 73 {rtf1{shp{*s
0010 68 70 69 6E 73 74 7B 5C 73 70 7B 5C 73 6E 20 70 hpinst{sp{sn p
0020 46 72 61 67 6D 65 6E 74 73 7D 7B 5C 73 76 20 31 Fragments}{sv 1
The actual exploit in use (CVE-2010-3333) noted
also by the pFragments string. Used to initiate
the loading of shellcode.

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
4130 33 63 35 35 65 35 66 35 64 63 32 30 38 30 30 65 3c55e5f5dc20800e
4140 38 63 37 66 64 66 66 66 66 36 33 33 61 35 63 36 8c7fdffff633a5c6
4150 34 36 66 36 33 37 35 36 64 36 35 37 65 33 31 35 46f63756d657e315
4160 63 36 31 36 63 36 63 37 35 37 33 36 35 37 65 33 c616c6c7573657e3
4170 31 35 63 36 31 37 30 37 30 36 63 36 39 36 33 37 15c6170706c69637
4180 65 33 31 35 63 36 39 36 66 37 33 37 39 37 33 30 e315c696f7379730
4190 30 7D 7D 7D 7D 5C 61 64 65 66 6C 61 6E 67 31 30 0}}}}adeflang10
41A0 32 35 58 58 58 58 59 59 59 59 7A 78 77 76 71 74 25XXXXYYYYzxwvqt
Shellcode of the attack. Mostly unique, but many
shared aspects between malicious carrier files
Uses multi 4-byte “eggs” as markers for
shellcode or malware payload

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
4620 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 F4 ....ÿþýüûúùø÷öõô
4630 F3 F2 F1 F0 EF EE ED EC EB EA E9 E8 E7 E6 E5 E4 óòñðïîíìëêéèçæåä
4640 E3 E2 E1 E0 DF DE DD DC DB DA D9 D8 D7 D6 D5 D4 ãâáàßÞÝÜÛÚÙØ×ÖÕÔ
4650 D3 D2 D1 D0 CF CE CD CC CB CA C9 C8 C7 C6 C5 C4 ÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄ
4660 C3 C2 C1 C0 BF BE BD BC BB BA B9 B8 B7 B6 B5 B4 ÃÂÁÀ¿¾½¼»º¹¸·¶µ´
4670 B3 B2 B1 B0 AF AE AD AC AB AA A9 A8 A7 A6 A5 A4 ³²±°¯®¬«ª©¨§¦¥¤
Actual malware payload, encoded. By finding
null spaces, this can be identified as a
decrementing single-byte XOR (FF>00). Routine,
and starting byte of key, can be unique to
attacker.

Weaponization – ExifTool
ExifTool Version Number : 9.36
File Modification Date/Time : 2010:10:08 07:15:54-04:00
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Encryption : Standard V2.3 (128-bit)
User Access : Extract
Tagged PDF : Yes
XMP Toolkit : 3.1-701
Producer : Acrobat Distiller 8.1.0 (Windows)
Company : Dell Computer Corporation
Source Modified : D:20101001111200
Creator Tool : Word8墁 Acrobat PDFMaker 8.1
Modify Date : 2010:10:08 09:35:31+09:00
Create Date : 2010:10:01 20:12:17+09:00
Metadata Date : 2010:10:08 09:35:31+09:00
Document ID : uuid:c425871d-1bc1-4ccc-8235-ce20615daded
Instance ID : uuid:2b9f24a5-1e10-40c0-9d92-9a74bae84d32
Subject : 4
Format : application/pdf
Creator : Arlene Goldberg
Title : President Clinton Event Request Form
Page Count : 5
Page Layout : OneColumn
Author : Arlene Goldberg

Reconnaissance / Weaponization Collection
• EXIFTool
• http://www.sno.phy.queensu.ca/~phil/exiftool/
• OfficeMalScanner / RTFscan
• http://www.reconstructer.org/code.html
• Cerbero PE Insider / PE Explorer
• http://icerbero.com/peinsider
• http://www.heaventools.com
• Revelo / Malzilla / PdfStreamDumper
• http://www.ntcore.com/exsuite.php
• http://malzilla.sourceforge.net
• Malware Tracker Doc/PDF Scanners
• https://www.malwaretracker.com

Delivery – Email Attack
http://contagiodump.blogspot.com/2011/06/may-31-cve-2010-3333-doc-q-and-adoc.html

Delivery – Watering Hole Attack
http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-
active-malware-attack-ms-warns/

Delivery – Watering Hole Attack
• Function names appear random, but can
actually be hardcoded and shared across
multiple attacks
• Referenced filenames can also be used as
indicative of an attack

Exploitation
CVE-2014-1761 (MS14-017)
http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-
attackers

Exploitation
CVE-2014-1761 (MS14-017)
http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-
attackers
• Metadata (ismail) copy/pasted multiple times
• Shellcode stored as ?u-##### Integer-casted
Unicode bytes
• If RTF & # of same Metadata fields > 2 & “?u-”

Delivery / Exploitation Collection
• VirusTotal
• https://www.virustotal.com
• Jotti
• http://virusscan.jotti.org
• URLQuery
• http://urlquery.net
• Joe Sandbox URL Analyzer
• http://www.url-analyzer.net
• YARA / SignSrch Rules

Installation
Typical domain of forensics
• File system activity
• Registry activity
• Entrenchment / Persistence
• Anti-Forensics

Installation – Collection Tools
• Noriben
• https://github.com/Rurik/Noriben
• CaptureBAT
• Cuckoo Sandbox
• Web-based:
• Anubis - https://anubis.iseclab.org
• Eureka! - http://eureka.cyber-ta.org
• Malwr - https://malwr.com
• ThreatExpert - http://www.threatexpert.com

Noriben v1.6 (Beta – Stable release in Aug)
Processes Created:
==================
[CreateProcess] Explorer.EXE:1432 > ”%UserProfile%Desktopmalware.exe" [Child PID: 2520]
[CreateProcess] malware.exe:2520 > "C:WINDOWSsystem32cmd.exe" [Child PID: 3444]
[CreateProcess] services.exe:680 > "C:WINDOWSSystem32svchost.exe -k HTTPFilter" [Child PID: 3512]
File Activity:
==================
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357L
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357U
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-
500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357L
[New Folder] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5:
d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[CreateFile] malware.exe:2520 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357n [MD5:
cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess] [VT:42/46]
[CreateFile] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357@ [MD5:
d1993f38046a68cc78a20560e8de9ad8] [VT: Not Scanned]
[New Folder] services.exe:680 > C:RECYCLERS-1-5-18$fab110457830839344b58457ddd1f357U
[DeleteFile] cmd.exe:3444 %UserProfile%Desktopmalware.exe

Command and Control (C2)
http://<DOMAIN>/kys_allow_get.asp?name=getkys.jpg&ho
stname=HOSTNAME-192.168.1.120130623SCRyyy
http://<DOMAIN>/web/movie.swf?apple=8A969692D8CDCDD0
D0D0CCD0D0DACCD0D0D0CCD0D1D7CD958780CD96878F92CC879A
87E2E2E2E2
256-byte seemingly random beacons:
00000000 F9 B5 A0 96 DE 35 E0 33 F8 BD 9C 49 E2 3E E4 EF ùµ –Þ5à3ø½œIâ>äï
00000016 D6 FD 8D 60 03 22 A0 52 0E FC 0B C9 35 70 9A AC Öý•`." R.ü.É5pš¬
00000032 34 16 95 67 90 CB F5 34 76 F5 DC 99 04 73 7E E2 4.•gËõ4võÜ™.s~â
00000048 FB 90 45 82 65 3A AC 44 C0 EC 0A 6A E0 6E 90 B7 ûE‚e:¬DÀì.jàn•·
00000064 0D CC BF EC 5E 6B 32 6F 08 84 09 8E 46 C9 3C 48 .Ì¿ì^k2o.„.ŽFÉ<H
00000080 75 CD 21 56 0C 0B A9 E4 96 37 D9 64 93 33 D7 43 uÍ!V..©ä–7Ùd“3×C
00000096 BA E0 A1 C8 CB BB A7 4B D3 ED AF 4D 1C 28 87 FD ºà¡ÈË»§KÓí¯M.(‡ý
00000112 65 33 97 8D 20 3D 88 B6 B5 CE 10 CA CC 4D 27 76 e3—=ˆ¶µÎ.ÊÌM'v
00000128 63 19 63 7B ED 98 EE 0A 6A 5D 71 AC B9 10 BD C6 c.c{í˜î.j]q¬¹.½Æ
00000144 A7 9A 86 EB 17 D0 97 E7 86 D5 9A FD D4 12 27 01 §š†ë.Ð—ç†ÕšýÔ.'.
00000160 4E 6A 20 D8 B0 55 02 E8 1C 44 9C 35 8F AC C4 0A Nj Ø°U.è.Dœ5•¬Ä.
00000176 0A 19 70 E3 4C E6 B9 3B 6B C1 73 E2 1B C0 27 CD ..pãLæ¹;kÁsâ.À'Í
00000192 BF 5D E8 6E 68 02 27 50 5D C6 35 EB F5 44 8C 45 ¿]ènh.'P]Æ5ëõDŒE
00000208 B7 B4 08 D6 BE B0 9E 3E F8 D8 A9 79 EC D3 19 50 ·´.Ö¾°ž>øØ©yìÓ.P
00000224 19 5F 22 BE 00 A8 36 6B FA 35 9E BF 3F 86 E1 F4 ._"¾.¨6kú5ž¿?†áô
00000240 EF CB 33 09 48 5D A8 05 8C 57 A1 CC E8 F4 6B 31 ïË3.H]¨.ŒW¡Ìèôk1

Command and Control (C2) Identification
DeepEnd Research Library of Malware
Traffic Patterns

Command and Control (C2) Collection
• WireShark
• FakeNET
• practicalmalwareanalysis.com/fakenet
• Netcat
• Known C2 Clients
• Commodity RAT / Custom RAT
• Python / Perl
• On-the-fly C2 clients

• Host an array of known and custom-
made C2 servers
• If you think malware is known, let it beacon
against that server and check for a
handshake
• Extract victim info from beacon handshake
and move on to the next sample!

• What if you can get all intel-based artifacts
without even running it?
• Search for configuration data, decrypt, and
archive.
• Extract:
• Beacon domains
• Beacon ports
• Campaign IDs
• Mutexes
• And all statically!

• Configuration Dumpers (Static)
e.g. github.com/MalwareLu/config_extractor/
$ config_jRAT.py malware.jar
port=31337
os=win mac
mport=-1
perms=-1
error=true
reconsec=10
ti=false
ip=www.malware.com
pass=password
id=CAMPAIGN
mutex=false
toms=-1
per=false
name=
timeout=false
debugmsg=true

What if it’s encrypted?!
• Reverse once to determine decryption routine
They keep changing encryption!
• Look for its decrypted structure in memory
• Write YARA rule targeting that structure
• Dump from memory
• Encryption routine is easy to change, decrypted
structure typically stays the same

Configuration Dumpers (Memory)
E:VMs> vol.py -f WinXP_Malware.vmem pslist
Offset(V) Name PID PPID Start
---------- -------- ------ ------ --------------------
0x81efc550 java.exe 1920 660 2013-09-18 22:23:10
E:VMs> vol.py -f WinXP_Malware.vmem memdump -p 1920 -D dump
Writing java.exe [ 1920] to 1920.dmp
E:VMs> vol.py -f WinXP_Malware.vmem yarascan -p 1920 –Y “SPLIT”
Owner: Process java.exe Pid 1920
0x2abadbec 53 50 4c 49 54 03 03 03 69 70 3d 77 77 77 2e 6d SPLIT...ip=www.m
0x2abadbfc 61 6c 77 61 72 65 2e 63 6f 6d 53 50 4c 49 54 09 alware.comSPLIT.
0x2abadc0c 09 09 09 09 09 09 09 09 70 61 73 73 3d 70 61 73 ........pass=pas
0x2abadc1c 73 77 6f 72 64 53 50 4c 49 54 0e 0e 0e 0e 0e 0e swordSPLIT......
0x2abadc21 53 50 4c 49 54 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e 0e SPLIT...........
0x2abadc31 0e 0e 0e 69 64 3d 43 41 4d 50 41 49 47 4e 53 50 ...id=CAMPAIGNSP
0x2abadc41 4c 49 54 10 10 10 10 10 10 10 10 10 10 10 10 10 LIT.............
0x2abadc51 10 10 10 6d 75 74 65 78 3d 66 61 6c 73 65 53 50 ...mutex=falseSP

Configuration Dumpers (Memory)
http://www.ghettoforensics.com/2013/10/dumping-malware-
configuration-data-from.html

Actions
Reconnaissance
• Network sweeps
Privilege Escalation
• pwdump#, mimikatz, keyloggers
Exfiltration
• Keyloggers
• Directory Listings
• Archives (rar –hp | rar –p)
Remote Execution
• psexec

Actions
Malware C2
• Decrypt/Decode Malware communications
beyond a simple beacon
Requires:
• Reversing C2 code from malware
• PCAP of traffic to compromised system
• MITRE ChopShop or equivalent tool

Enumerating Indicators
• Hashes (MD5, fuzzy, imphash, …)
• File
• PE sections
• PE imports
• Entrenchment / Persistence
• File locations
• Registry keys (*Run*, Shimcache)
• C2 communication
• Hashes, sizes
• Dynamic vs static bytes

Collecting Indicators
• Store results in database
• RTIR / CRITS
• Custom-programmed
• Per-incident data archives
• Emails, files
• Residual artifacts
• Memory dumps
• PCAPs / Proxy logs

Reusing Indicators
Do analysis once, reuse indicators
• Static Signatures
• YARA
• SignSrch / ClamSrch
• Dynamic Signatures
• CybOX/STIX/MAEC
• IOCs
• Network Signatures
• Snort
• ChopShop

Static Signatures – YARA
rule CoreFlood_ldr_decoder
{
strings:
$strRegKey = "MlLrqtuhA3x0WmjwNM27"
$strAPI = "3etProcAddr"
$codeSub_85BA = { 81 EA BA 85 00 00 }
$codeXOR_85BC = { 05 BC 85 00 00 }
condition:
all of ($str*) and any of ($code*)
}

Static Signatures
Write multiple signatures for each file
• Write a sig for each notable item
• Catches subtle modifications
• Detect when capabilities change
PDB string
Unique strings
Encryption routines
MATH!

Make Indicators Intelligent
Indicators are just a raw set of data
Intelligence comes through:
• Grouping indicators
• Indexing all edges (files) AND vertices (activity)
• File1 is a dropper, File2 is a driver
• File2 is a binary resource of BIN222 in File1
• File2 is stored as encrypted (XOR by 0xBB)
• File1 drops File2

Example: Attack 1

Example: Attack 2

Correlate the Attacks

Take-Aways
• Standardize on a signature format (YARA, IOC,
STIX)
• Write as many signatures as possible for each
item to track variations over time
• Try to automate, e.g. cuckoo2STIX
• Spend downtime reanalyzing old incidents with
new data / intel

Take-Aways
• Use VirusTotal Intelligence
• Create feeds for YARA to find new variants
• Acknowledge weaknesses of Cyber Kill Chain
• It focuses on initial and holistic attack flow
• Simplistic design means everything is thrown into
Actions
• It doesn’t scale to varied and orchestrated attacks

Questions/Comments?
Brian.Baskin@RSA.com

Introducing Intelligence Into Your Malware Analysis

Introducing Intelligence Into Your Malware Analysis

More Related Content

What's hot (20)

Viewers also liked (7)

Similar to Introducing Intelligence Into Your Malware Analysis (20)

Recently uploaded (20)

Introducing Intelligence Into Your Malware Analysis

Editor's Notes