cdbee59f8144be30634bf4994d51e1a0 — A Beginner‘s Malware Diary 2

If you are someone who suddenly jumps into this jungle, here is a time tunnel to the previous article.

After finishing simple static analysis, we have to do further analysis to see how the program actually works and what behaviors make it malicious.

Environment Setup

Before we actually conduct the dynamic analysis, several things have to be done beforehand. First of all, we have to assure the virtual machine is unable to connect with Internet by host network card. Otherwise, the virus may cause infection to other hosts who are in the same LAN.

The settings of guest OS

The config of network adapter

In my case, I use VMware Fusion as the virtualization platform and the methods of settings on different platforms are varied.

Let’s go to the setting of virtual machine and choose Network Adapter. In the menu, choose the option Private to my Mac. Once finish the setting, we can restart the guest OS then the new setting will work out. What Private to my Mac does is to virtualize a new network interface that separates private LAN between host OS and guest OS. The new private LAN, so called VMNet, is used for creating a private virtual LAN among guest OSes.

As we have already known, one of the most common way for malware to spread is through USB, CD-ROMs or other peripheral devices. To prevent the spreading, it is better to remove those devices from a virtual machine.

To remove CD-ROM, just go to CD/DVD(SATA) in the menu and click remove CD/DVD Drive.

The setting in the CD/DVD (SATA)

The icon of CD/DVD(SATA) is wiped out after we remove CD/DVD Drive

Remove USB is very similar to the above instruction. Go to USB & Bluetooth from the setting panel and choose Remove USB Controller and everything just works fine. 😆

The menu in USB/Bluetooth setting

After the controller is removed, the USB/Bluetooth panel should look like this

Before Malware Activated

Explore Processes

Even a user does not actually run a software, there are many processes running in the background in OS and not easy to be seen by users. Before we activate the malicious executable, it is a good idea to see what processes are running in the clean OS.

Here, we are going to introduce a new tool Windows’ Process Explorer which can monitor the working status of processes and observe the relation between them. Most of processes are under a process named wininit.exe, which is a system process that initializes many critical services like Local Security Authentication Subsystem Server (a.k.a Lsass.exe), Local Session Manager (a.k.a Lsm.exe) and Service Control Manager (a.k.a Services.exe). The svchost.exe processes are also beneath wininit.exe and are managed by Service.exe.

The current process running on the machine

Now, we open Process Monitor and record all system calls conducted by the processes for 10 minutes. Then, we can save the monitor result in a log file. There are two advantages of this method for analysis: first, we are able to use some simple inferential statistic techniques to see the normal behavior pattern of a clean OS. Second, we can easily compare the patterns between original record and the processes record that is generated after malicious code is activated.

Record Processes

First of all, we load the record with pandas in jupyter notebook and there are 7 columns in the dataframe. They are Time of Day, Process Name, PID, Operation, Path, Result.

The appearance of the process log

Then we can combine each PID and its corresponding name; There are 59 processes working in this short period of time. For examples: the PID 4 is always reserved for InitialSystemProcess in Windows. Explorer.EXE is the file manager application. svchost.exe is an implementation of shared service process whose job is to host one to multiple Windows Services. The idea of “shared” means that the process can group multiple Windows Services to reduce resource consumption (ex: Services use the same DLL). In addition, the malware often pretends that it is a “svchost.exe” such that user is not easy to identify it among other system processes. conhost.exe is regarded as an interface between Windows Explorer and the Command Prompt.

PIDs and their services’ name

Then we combine the processes and their operations and plot them up. We use time as x axis, operations as y axis and different colors of circles for different processes. As the below picture illustrates, most frequently used operations are at the bottom of the chart. (Sadly, the chart is not cleared enough after upload, so I crop a part of it for demonstration)

The visualized result of all the processes and their operations

The crop of the previous plot

According to the chart, operations RegQueryValue, RegCloseKey, RegQueryKey, CreateFile, QueryDirectory and CloseFile are used frequently. In addition, operation UDPSend is used frequently too but it’s not cropped in the picture. Next, we are going to count how many times the processes conduct the operations.

CreateFile is a Windows API that creates or opens file and IO devices. The processes used the API are following:

The processes use CreateFile operation

The given figure shows us the wmiprvsi.exe, PID: 1512, has the highest number of calls. The process provides a standard way to request a state and data of Windows.

In windows, software accesses registry to get the latest configuration during runtime. In our record, operations like RegOpenKey and RegQueryValue are highly used. Looking deeper, the processes using RegOpenKey frequently call RegQueryValue a large amount of times too. These processes seem to repeat an action: They retrieve keys from the registry and access corresponding value of the keys.

The processes use RegOpenKey operation

The processes use RegQueryValue operatio

Networking

Since a high portion of malwares are internet required to connect their C2 servers, the analysis of network behaviors becomes significant vital. Just like we have done in processes monitoring, we record network traffics in the clean system as a reference for the comparison when the system is infected.

A snapshot of wireshark

There are several ip addresses displayed. 255.255.255.255 is a broadcast address and is used for DHCP cllients to find their servers. 127.255.255.255 is a loopback address and host the service named Browser Service, a network features of Windows which allow different Windows hosts in the same LAN to share information over Network Neighborhood. The VMNet virtualizes a private LAN and assign an IP address 172.16.95.136 to our Guest OS. The 172.16.95.255 is the broadcast address in the virtual LAN. 239.255.255.250 is the multicast address of Simple Service Discover Protocol (a.k.a SSDP) in IPv4. The last one, 224.0.0.252, similar to 239.255.255.250, is a multicast address for Link-Local Multicast Name Resolution protocol (a.k.a LLMNR). So sum up, there is no a host communicating with our system over the Internet. The system is absolutely isolated.

The address listed in wireshark

Registry

The last step before we run the malware, we should take a snapshot for our registry.

Take snapshot with Regshot

Malware is Activated

Passing through all sort of setting and understanding some basic info, we are finally going to do the most exciting experiment, running the malware.

To execute the binary, we can easily add the extension name .exe after the malware and execute it as administrator.

Execute the malware as administrator

A simple click can trigger a big disaster.

Once we activate the malware, it has done many malicious things. Before every software starts running, it needs to register itself to the registry in Windows such that it can be authorized to run. In other words, it has to make some modification in the registry. Thanks for the Regshot, we can simply compare the state of registry before the malicious code starts and afterward.

The statistic about registry keys and values are modified

The comparison results enumerated in the file

In addition, something interesting can be seen in the Process Explorer. We have seen strings in the image with command string (check previous article). Because the malware unpacks itself when it is activated, we can see many special strings that are not seen in static analysis.

Compare strings of the malware in the disk and in the memory

Based on the above observation, the malware actually does an action called process replacement, which runs a process on the system and write malicious executable into the memory space. Hence, we know that the malware import many additional modules dynamically. To see what modules are called by the malware while it is running, we use Dependency Walker to do profiling.

Before Profiling

After Profiling

The profiler loads modules one by one and put them into their corresponding parent module; If a parent module is not found, the module will be put at the root level of Module Dependency Tree View where is the top left part of Dependency Walker view. Interestingly, except SECHOST.DLL, the modules EXPLORERFRAME.DLL, TIPTSF.DLL, SFC.DLL and SFC_OS.DLL are newly discovered and are put at the root level of the view.

Not only the registry becomes different, there is some suspicious network traffic captured by wireshark too. The below screenshot shows abnormal name query to www.sina.com.cn. Due to no Internet connection, the software is not able to communicate with world outside.

Wireshark captures the abnormal name query to sina.cn

Sadly, we are not able to see the outcome when the application successfully connects to its wanting host if there is no Internet connection. But the thing will be changed if we use FakeNet to simulate an “Internet” environment such as DNS Server, HTTP Server etc.

The screenshot when Fakenet is running

The capture of the malware’s sneaky network traffic

The Fakenet’s DNS Server received a DNS request www.sina.com from cdbee59f8144be30634bf4994d51e1a0.exe. Furthermore, we discover more domain names we haven’t seen before: since Fakenet played a trick to the malware, it believes it can reach www.sina.com so it continued to request other domain names www.163.com and coll.elevatorbigdata.com to Fakenet’s DNS Server. After the three domains are requested, the HTTP Listener on port 80 suddenly received a HTTP GET from the malware!!! It makes us so interested about what kind of information it was trying to grab from the http server.

The trace of DNS queries in the traffic

Fakenet is so handy that it saved all traffic in the .pcap file. We clearly see that after the three domains were resolved, TCP connections were established to the three hosts stimulated by the Fakenet DNS. Every time the DNS server was queried, it always answered IP address 192.0.2.123 to the malware.

HTTP connection started (No. 142) after TCP connection with coll.elevatorbigdata.com was built

After the TCP connection to coll.elevatorbigdata.com was built, A suspicious HTTP GET request with complex parameters was sent out.

The malware’s GET request to coll.elevatorbigdata.com:9018

The parameters in request URI Query

Open up the HTTP GET packet, we can see the host is coll.elevatorbigdata.com:9018; URI is /supp.aspx and its query has 10 parameters. The extension name in URI shows that the service running on port 9018 is a .NET service. The User-Agent of the malware is WinHttp which is Windows Http Service. Hence, we can determine that this malware, no doubt, is designed for Windows.

Fakenet’s response to HTTP GET

What did our fake service reply the GET request? Well, it sends malware a default HTML page. Clearly, this “You are connecting to the Fakenet” is definitely not the expected response for the malware so the it did not continue further tasks. Don’t feel disappoint about the result, because in future we can do more advanced configuration to change Fakenet’s default response.

Wait … we haven’t checked what system calls were used by the malware after activation. Let’s write couple lines of code.

The malware’s system calls

It seems there is no abnormal behaviour in the point of view of system calls. How a pity!

THE END

Thanks for your precious time. In the next chapter, we are going to start disassembly to the malware.