SlideShare a Scribd company logo

Sandbox vs manual analysis v2.1

Michael Gough, profile picture
Michael Gough

The document compares malware sandboxes with manual analysis, highlighting that manual analysis can often yield more detailed and precise results. It discusses methods used by malware to evade detection in automated sandboxes and emphasizes the effectiveness of manual analysis, particularly in identifying indicators of compromise. The author also explores tools and techniques for enhancing malware detection and response within a cybersecurity framework.

Technology
Related topics:
Incident ResponseMalware Analysis Guide
1 of 50
Downloaded 81 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Are malware sandboxes as good as manual analysis? Michael Gough – Founder MalwareArchaeology.com Co-creator of MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of • Malware Management Framework • Several Windows Logging Cheat Sheets • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @BrakeSec • @HackerHurricane and also my Blog MalwareArchaeology.com
Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Getting breached means an RGE !!! – Resume Generating Event MalwareArchaeology.com
Define Sandbox • A VM you build to evaluate malware • An on premise virtual malware analysis like Cuckoo sandbox • A specific malware analysis eco-system like RemNUX • A cloud based malware analysis like Payload Security/ Reverse.IT, Lastline, Malwr.com, etc. • Email Gateways like FireEye, Cisco AMP, etc. • Web Proxies like FireEye, Lastline, etc. • Advanced features in Firewalls like Palo Alto WildFire • And of course anything you specifically build MalwareArchaeology.com
Ways to bypass Automated Sandbox Analysis MalwareArchaeology.com
How do the malwarians evade sandbox analysis? Look for indicators of a VM • VM Tools • Registry keys • Hardware (is virtual not real) Look for ‘Recent Files’ • Have you opened several misc. documents Processor related indicators • Some API calls take MUCH longer on a VM MalwareArchaeology.com
How do the malwarians evade sandbox analysis? Password protected files • Can’t scan what you can’t access MalwareArchaeology.com
How do the malwarians evade sandbox analysis? OLE~ • Embed OLE objects and the sandbox may not know where to click to execute the payload MalwareArchaeology.com
How do the malwarians evade sandbox analysis? URL’s in the document • Can be anywhere in the document MalwareArchaeology.com
How do the malwarians evade sandbox analysis? Time • They wait you out • Your automated queue will just backup • How long can you wait? Or the automated sandbox wait? MalwareArchaeology.com
How do the malwarians evade sandbox analysis? Time • They wait you out • Your automated queue will just backup • How long can you wait? Or the automated sandbox wait? MalwareArchaeology.com
How do the malwarians evade sandbox analysis? Time • The automated sandbox gave up • So did our email “Advanced Malware Protection” But WE did not • +LOG-MD caught it all MalwareArchaeology.com
Manual Analysis rules • We detonate everything in a lab that fits a pattern like ‘has a password’ and anything that comes back ‘unknown’ or ‘look incomplete MalwareArchaeology.com
Manual Analysis rules MalwareArchaeology.com
Manual Analysis rules • We even found persistence MalwareArchaeology.com
Time to disclose a Cloud provider that has had a serious flaw ;-) MalwareArchaeology.com
Hey, I got a FAX!!! • Typical Phish • A FAX.. SERIOUSLY? • So 90’s… • Word Doc attached • Date: 08/30/16 • Time: 11:15am MalwareArchaeology.com
Simple Manual Analysis • 7-Zip • Contains Macros MalwareArchaeology.com
Simple Manual Analysis • Strings or Type • Shows a Macro • “Document_Open” shows autorun when the document is opened MalwareArchaeology.com
Simple Manual Analysis • OfficeMalScanner – Seems malicious MalwareArchaeology.com
Email Gateway MalwareArchaeology.com • Date: 08/30/16 • Time: 12:02pm • 47 Mins later, another copy CLEAN ???
And a couple more… • Clean??? MalwareArchaeology.com VawTrak
Even AV actually caught it • Same Day ! • McAfee knew MalwareArchaeology.com VawTrak
Simple Manual Analysis • In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis – 7Zip, Strings & OfficeMalScanner • To be certain the file is bad, we could detonate it in a lab or an online solution • Let’s see what the fancy pants Cloud and Sandbox solutions say about it • By the way, auto processing your documents to the cloud may contain PII ;-( MalwareArchaeology.com
VirusTotal • VT Score 28/53 • Date: 9/8/16 • 8 Days later • AV has a Sig • Clearly BAD MalwareArchaeology.com
Unknown??? MalwareArchaeology.com • This is obviously bad Word Doc, same as the others • This one had the added benefit of an embedded OLE object • Still easily bad • This one was KOVTER
Let’s see what a Cloud analysis shows MalwareArchaeology.com
Reverse.IT MalwareArchaeology.com
Reverse.IT MalwareArchaeology.com
Reverse.IT MalwareArchaeology.com
Artifacts / Indicators • What do we want to get out of any analysis? – URL’s What websites were visited – IP’s Communications – Filenames What files were added – Directories used Where does it live – Autoruns used How does it launch – Config changes What changed – Metadata Details – Signed Digital Signatures – Behavior What actually happened – Network info Traffic behavior - Net Flow MalwareArchaeology.com
Artifacts / Indicators • Why do we want this data? • We need to know who else got infected – The IP’s and URL’s • What was added • What was changed • So we know whether to – Re-image – IF we can clean it up MalwareArchaeology.com
Let’s look at another Manual analysis MalwareArchaeology.com
Artifacts URL’s • A little script I run during analysis • And… • Google MalwareArchaeology.com
Process Artifacts • What launched • Linked processes – Bad EXE calls WinHost32.exe MalwareArchaeology.com Creator ID Process ID Process Name Sandbox Found
Artifacts IP’s • What talked to Whom • Wait… WinHost32 did not show up in the Cloud Analysis MalwareArchaeology.com
File & Dir Artifacts • Files involved • Directories involved MalwareArchaeology.com
Persistence • Run Key created MalwareArchaeology.com
Artifacts - Sysmon • What loaded the image • Signed or not • Hashes MalwareArchaeology.com
• Another little script I run MalwareArchaeology.com
Let’s compare Manual to Cloud MalwareArchaeology.com
Artifacts / Indicators – URL’s – IP’s – All Filenames – All Directories used – Autoruns used – Config changes – Metadata – Signed – Behavior MalwareArchaeology.com No/Yes Yes No Yes Some Yes Some Yes No Yes No Yes Yes Yes Yes Yes No Yes Cloud Manual
Sandbox or Manual? • Paid solutions work better than Free ones • Many samples failed to execute due to VM aware • Not as much detail as you can get yourself (IMHO) • You CAN do as good a job, or better as sandbox solutions • Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis so you can compare results • You may, or will have to super harden VM sandboxes to make them look and act like a normal system MalwareArchaeology.com
So what do we use for manual analysis? MalwareArchaeology.com
Free Edition MalwareArchaeology.com • Audit your settings – Do you comply? • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads
MalwareArchaeology.com • Everything the Free Edition does and… • More reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • WhoIs lookups of IP Addresses called • SRUM netflow data (Win 8.1 & 10 64bit) • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
MalwareArchaeology.com Future Versions – In the works! • PowerShell details • AutoRuns report • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • Other API calls to security vendors
So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare and website – Search for MalwareArchaeology or LOG-MD
Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • MalwareManagementFramework.Org • http://www.slideshare.net – LinkedIn now

More Related Content

PDF
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
PDF
Logging for hackers SAINTCON
Michael Gough
 
PDF
RMISC logging for hackers
Michael Gough
 
PDF
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
PDF
Email keeps getting us pwned v1.1
Michael Gough
 
PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
PDF
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Logging for hackers SAINTCON
Michael Gough
 
RMISC logging for hackers
Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 

What's hot (20)

PDF
Mw arch mac_tips and tricks v1.0
Michael Gough
 
PDF
Sandbox vs manual malware analysis v1.1
Michael Gough
 
PDF
What can you do about ransomware
Michael Gough
 
PDF
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
PDF
Malware Management - HouSecCon 2014
Michael Gough
 
PDF
Commodity malware means YOU
Michael Gough
 
PDF
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
PDF
Logging for Hackers v1.0
Michael Gough
 
PDF
Logging for Hackers - What you need to know to catch them
Michael Gough
 
PDF
Email keeps getting us pwned v1.0
Michael Gough
 
PDF
Info sec is not daunting v1.0
Michael Gough
 
PDF
Windows IR made easier and faster v1.0
Michael Gough
 
PDF
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
PDF
Detecting WMI Exploitation v1.1
Michael Gough
 
PDF
The top 10 windows logs event id's used v1.0
Michael Gough
 
PDF
Finding attacks with these 6 events
Michael Gough
 
PDF
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
PDF
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
PDF
You can detect PowerShell attacks
Michael Gough
 
PDF
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Michael Gough
 
What can you do about ransomware
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Malware Management - HouSecCon 2014
Michael Gough
 
Commodity malware means YOU
Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Logging for Hackers v1.0
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Email keeps getting us pwned v1.0
Michael Gough
 
Info sec is not daunting v1.0
Michael Gough
 
Windows IR made easier and faster v1.0
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Detecting WMI Exploitation v1.1
Michael Gough
 
The top 10 windows logs event id's used v1.0
Michael Gough
 
Finding attacks with these 6 events
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
You can detect PowerShell attacks
Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Ad

Viewers also liked (14)

PDF
Proper logging can catch breaches like retail PoS
Michael Gough
 
PDF
Proper logging can catch breaches like retail PoS
Michael Gough
 
PDF
Eyeo festival redux
thas naseemuddeen
 
PPT
2 introduccion al direccionamiento
Alexander Hernandez
 
PDF
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Michael Gough
 
PDF
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Juan Salas Santillana
 
PPTX
An Organizational Story: Salesforce Lightning Design (Nalini Kotamraju at Ent...
Rosenfeld Media
 
PDF
Windows logging workshop - BSides Austin 2014
Michael Gough
 
PPTX
Tipos de malware
panda_emilly123
 
PDF
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Stratesys
 
PDF
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
PPTX
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Ryan G. Murphy
 
PDF
Ask a Malware Archaeologist
Michael Gough
 
PDF
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Proper logging can catch breaches like retail PoS
Michael Gough
 
Proper logging can catch breaches like retail PoS
Michael Gough
 
Eyeo festival redux
thas naseemuddeen
 
2 introduccion al direccionamiento
Alexander Hernandez
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Michael Gough
 
Técnicas para el desarrollo de malware funcionamiento de los antivirus y sandbox
Juan Salas Santillana
 
An Organizational Story: Salesforce Lightning Design (Nalini Kotamraju at Ent...
Rosenfeld Media
 
Windows logging workshop - BSides Austin 2014
Michael Gough
 
Tipos de malware
panda_emilly123
 
Caso Éxito SAP & Stratesys - Penguin Random House Grupo Editorial - JUL2014
Stratesys
 
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
Carbon Black Threat Report: Non-Malware Attacks and Ransomware Take Center St...
Ryan G. Murphy
 
Ask a Malware Archaeologist
Michael Gough
 
What Is Next-Generation Endpoint Security and Why Do You Need It?
Priyanka Aash
 
Ad

Similar to Sandbox vs manual analysis v2.1 (20)

PPTX
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
grecsl
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
grecsl
 
PDF
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
PDF
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
PDF
My InfoSec journey led me to create my own IR tools, how, and why you should too
Michael Gough
 
PPTX
Basic Dynamic Analysis of Malware
Natraj G
 
PPTX
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
PPTX
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
PDF
When Security Tools Fail You
Michael Gough
 
PPTX
Basic malware analysis
Cysinfo Cyber Security Community
 
PDF
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith Jones, PhD
 
PPTX
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
PDF
CNIT 126: Ch 2 & 3
Sam Bowne
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
PPTX
Malware analysis
Prakashchand Suthar
 
PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
PPTX
Malware analysis as a hobby (Owasp Göteborg)
Michael Boman
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
grecsl
 
PDF
Intro2 malwareanalysisshort
Vincent Ohprecio
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
grecsl
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
grecsl
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
My InfoSec journey led me to create my own IR tools, how, and why you should too
Michael Gough
 
Basic Dynamic Analysis of Malware
Natraj G
 
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
Rhydham Joshi
 
When Security Tools Fail You
Michael Gough
 
Basic malware analysis
Cysinfo Cyber Security Community
 
Keith J. Jones, Ph.D. - Crash Course malware analysis
Keith Jones, PhD
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Lane Huff
 
CNIT 126: Ch 2 & 3
Sam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Malware analysis
Prakashchand Suthar
 
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
Malware analysis as a hobby (Owasp Göteborg)
Michael Boman
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...
grecsl
 
Intro2 malwareanalysisshort
Vincent Ohprecio
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Approach and Philosophy of On baking technology
30anthuong17
 
Teaching material agriculture food technology
LiaRayya
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation theory and applications.pdf
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

Sandbox vs manual analysis v2.1

  • 1. Are malware sandboxes as good as manual analysis? Michael Gough – Founder MalwareArchaeology.com Co-creator of MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of • Malware Management Framework • Several Windows Logging Cheat Sheets • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • @BrakeSec • @HackerHurricane and also my Blog MalwareArchaeology.com
  • 3. Malware evolves • So must we • Darwin says so • Evolve or die • Well… Evolve or get breached anyways • Getting breached means an RGE !!! – Resume Generating Event MalwareArchaeology.com
  • 4. Define Sandbox • A VM you build to evaluate malware • An on premise virtual malware analysis like Cuckoo sandbox • A specific malware analysis eco-system like RemNUX • A cloud based malware analysis like Payload Security/ Reverse.IT, Lastline, Malwr.com, etc. • Email Gateways like FireEye, Cisco AMP, etc. • Web Proxies like FireEye, Lastline, etc. • Advanced features in Firewalls like Palo Alto WildFire • And of course anything you specifically build MalwareArchaeology.com
  • 5. Ways to bypass Automated Sandbox Analysis MalwareArchaeology.com
  • 6. How do the malwarians evade sandbox analysis? Look for indicators of a VM • VM Tools • Registry keys • Hardware (is virtual not real) Look for ‘Recent Files’ • Have you opened several misc. documents Processor related indicators • Some API calls take MUCH longer on a VM MalwareArchaeology.com
  • 7. How do the malwarians evade sandbox analysis? Password protected files • Can’t scan what you can’t access MalwareArchaeology.com
  • 8. How do the malwarians evade sandbox analysis? OLE~ • Embed OLE objects and the sandbox may not know where to click to execute the payload MalwareArchaeology.com
  • 9. How do the malwarians evade sandbox analysis? URL’s in the document • Can be anywhere in the document MalwareArchaeology.com
  • 10. How do the malwarians evade sandbox analysis? Time • They wait you out • Your automated queue will just backup • How long can you wait? Or the automated sandbox wait? MalwareArchaeology.com
  • 11. How do the malwarians evade sandbox analysis? Time • They wait you out • Your automated queue will just backup • How long can you wait? Or the automated sandbox wait? MalwareArchaeology.com
  • 12. How do the malwarians evade sandbox analysis? Time • The automated sandbox gave up • So did our email “Advanced Malware Protection” But WE did not • +LOG-MD caught it all MalwareArchaeology.com
  • 13. Manual Analysis rules • We detonate everything in a lab that fits a pattern like ‘has a password’ and anything that comes back ‘unknown’ or ‘look incomplete MalwareArchaeology.com
  • 15. Manual Analysis rules • We even found persistence MalwareArchaeology.com
  • 16. Time to disclose a Cloud provider that has had a serious flaw ;-) MalwareArchaeology.com
  • 17. Hey, I got a FAX!!! • Typical Phish • A FAX.. SERIOUSLY? • So 90’s… • Word Doc attached • Date: 08/30/16 • Time: 11:15am MalwareArchaeology.com
  • 18. Simple Manual Analysis • 7-Zip • Contains Macros MalwareArchaeology.com
  • 19. Simple Manual Analysis • Strings or Type • Shows a Macro • “Document_Open” shows autorun when the document is opened MalwareArchaeology.com
  • 20. Simple Manual Analysis • OfficeMalScanner – Seems malicious MalwareArchaeology.com
  • 21. Email Gateway MalwareArchaeology.com • Date: 08/30/16 • Time: 12:02pm • 47 Mins later, another copy CLEAN ???
  • 22. And a couple more… • Clean??? MalwareArchaeology.com VawTrak
  • 23. Even AV actually caught it • Same Day ! • McAfee knew MalwareArchaeology.com VawTrak
  • 24. Simple Manual Analysis • In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis – 7Zip, Strings & OfficeMalScanner • To be certain the file is bad, we could detonate it in a lab or an online solution • Let’s see what the fancy pants Cloud and Sandbox solutions say about it • By the way, auto processing your documents to the cloud may contain PII ;-( MalwareArchaeology.com
  • 25. VirusTotal • VT Score 28/53 • Date: 9/8/16 • 8 Days later • AV has a Sig • Clearly BAD MalwareArchaeology.com
  • 26. Unknown??? MalwareArchaeology.com • This is obviously bad Word Doc, same as the others • This one had the added benefit of an embedded OLE object • Still easily bad • This one was KOVTER
  • 27. Let’s see what a Cloud analysis shows MalwareArchaeology.com
  • 31. Artifacts / Indicators • What do we want to get out of any analysis? – URL’s What websites were visited – IP’s Communications – Filenames What files were added – Directories used Where does it live – Autoruns used How does it launch – Config changes What changed – Metadata Details – Signed Digital Signatures – Behavior What actually happened – Network info Traffic behavior - Net Flow MalwareArchaeology.com
  • 32. Artifacts / Indicators • Why do we want this data? • We need to know who else got infected – The IP’s and URL’s • What was added • What was changed • So we know whether to – Re-image – IF we can clean it up MalwareArchaeology.com
  • 33. Let’s look at another Manual analysis MalwareArchaeology.com
  • 34. Artifacts URL’s • A little script I run during analysis • And… • Google MalwareArchaeology.com
  • 35. Process Artifacts • What launched • Linked processes – Bad EXE calls WinHost32.exe MalwareArchaeology.com Creator ID Process ID Process Name Sandbox Found
  • 36. Artifacts IP’s • What talked to Whom • Wait… WinHost32 did not show up in the Cloud Analysis MalwareArchaeology.com
  • 37. File & Dir Artifacts • Files involved • Directories involved MalwareArchaeology.com
  • 38. Persistence • Run Key created MalwareArchaeology.com
  • 39. Artifacts - Sysmon • What loaded the image • Signed or not • Hashes MalwareArchaeology.com
  • 40. • Another little script I run MalwareArchaeology.com
  • 41. Let’s compare Manual to Cloud MalwareArchaeology.com
  • 42. Artifacts / Indicators – URL’s – IP’s – All Filenames – All Directories used – Autoruns used – Config changes – Metadata – Signed – Behavior MalwareArchaeology.com No/Yes Yes No Yes Some Yes Some Yes No Yes No Yes Yes Yes Yes Yes No Yes Cloud Manual
  • 43. Sandbox or Manual? • Paid solutions work better than Free ones • Many samples failed to execute due to VM aware • Not as much detail as you can get yourself (IMHO) • You CAN do as good a job, or better as sandbox solutions • Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis so you can compare results • You may, or will have to super harden VM sandboxes to make them look and act like a normal system MalwareArchaeology.com
  • 44. So what do we use for manual analysis? MalwareArchaeology.com
  • 45. Free Edition MalwareArchaeology.com • Audit your settings – Do you comply? • Harvest security relevant log data • Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations • Perform a full File Baseline of a system • Compare a suspect system to a Baseline or Dir • Perform a full Registry snapshot of a system • Compare a suspect system to a Reg Baseline • Look for Large Registry Keys for hidden payloads
  • 46. MalwareArchaeology.com • Everything the Free Edition does and… • More reports, breakdown of things to look for • Specify the Output directory • Harvest Sysmon logs • Whitelist Hash compare results • Whitelist Registry compare results • Create a Master-Digest to exclude unique files • WhoIs lookups of IP Addresses called • SRUM netflow data (Win 8.1 & 10 64bit) • Free updates for 1 year, expect a new release every quarter • Manual – How to use LOG-MD Professional
  • 47. MalwareArchaeology.com Future Versions – In the works! • PowerShell details • AutoRuns report • VirusTotal lookups of discovered files • Find parent-less processes • Assess all processes and create a Whitelist • Assess all services and create a Whitelist • VirusTotal lookups of unknown or new processes and services • Other API calls to security vendors
  • 48. So what do we get? MalwareArchaeology.com • WHAT Processes executed • WHERE it executed from • IP’s to enter into Log Management to see WHO else opened the malware • Details needed to remediate infection • Details to improve your Active Defense! • I did this in… 15 Minutes!
  • 49. Resources MalwareArchaeology.com • Websites – Log-MD.com The tool • The “Windows Logging Cheat Sheet” – MalwareArchaeology.com • Malware Analysis Report links too – To start your Malware Management program • This presentation is on SlideShare and website – Search for MalwareArchaeology or LOG-MD
  • 50. Questions? MalwareArchaeology.com You can find us at: • Log-MD.com • @HackerHurricane • @Boettcherpwned • MalwareArchaeology.com • HackerHurricane.com (blog) • MalwareManagementFramework.Org • http://www.slideshare.net – LinkedIn now