Automating Malware Analysis
Who am I
Monnappa K A
Member of Cysinfo
Info Security Investigator @ Cisco
Reverse Engineering, Malware Analysis, Memory Forensics
Email: [email protected]
Blog: http://malware-unplugged.blogspot.in
Twitter: @monnappa22
LinkedIn: http://www.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
Sandbox Overview
- Execute malware in a controlled/monitored environment
- Monitors file system, registry, process and network activity
- Outputs the results in multiple formats
- Examples of Sandboxes
  ◦ Cuckoo Sandbox
  ◦ ThreatExpert
  ◦ Anubis
  ◦ CWSandbox
Why Sandbox Analysis?
To determine:
- The nature and purpose of the malware
- Interaction with the file system
- Interaction with the registry
- Interaction with the network
- Identifiable patterns
Sandbox Architecture
(diagram; labels recovered from the slide: Host Machine running the Controller; Samples are submitted to the Controller; the Controller launches the sample on the Analysis Machine (VM), which runs the monitoring tools; outputs returned to the Controller: Reports, Artifacts, PCAPs)
Custom Sandbox – sandbox.py
- Automates static, dynamic and memory analysis using open source tools
- Written in Python
- Can be run in sandbox mode or internet mode
- In sandbox mode it can simulate internet services (this is the default mode)
- Allows you to set the timeout for the malware to run (default is 60 seconds)
- Stores final reports, pcaps, desktop screenshot, and malicious artifacts for later analysis
Sandbox.py (working)
1. Takes sample as input
2. Performs static analysis
3. Reverts VM to clean snapshot
4. Starts the VM
5. Transfers the malware to the VM
6. Runs the monitoring tools (to monitor process, registry, file system and network activity)
7. Executes the malware for the specified time
Sandbox.py (working contd)
8. Stops the monitoring tools
9. Suspends the VM
10. Acquires the memory image
11. Performs memory analysis using the Volatility framework
12. Stores the results (final reports, desktop screenshot, pcaps and malicious artifacts for later analysis)
Video Demo (Analysis of Prolaco)
Executing the sample prolaco.exe
Prolaco.exe drops two files, “Googlxe.exe” and “Rundll45.exe”, on the filesystem
Disables Security Products
Prevents the security products from running by looking for the security products and deleting their registry key values
Sends Spam
The malware sends spam invitation mails to some organizations
Hides the process
Process id 1080 sends the spam, but the rootkit hides that process from the process listing using the DKOM (Direct Kernel Object Manipulation) technique
Hides Process from security tool
Hides the process from Process Explorer
Detecting the hidden process
Comparing the process listings from Volatility’s “pslist” and “psscan” plugins shows the hidden process prolaco.exe (pid 1080)
(screenshot: pslist output beside psscan output)
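The pslist-versus-psscan cross-view comparison from the slide above, as an added Python example that is not part of the talk's sandbox.py. The two listings are constructed, simplified Volatility-2-style outputs (not real captures); offsets, timestamps and every PID other than 1080 are made up, and the parser is keyed to that simplified column layout.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid exited")

# Constructed, simplified pslist/psscan-style listings (not real captures). pslist walks
# the EPROCESS linked list, so the DKOM-unlinked prolaco.exe is missing; psscan carves
# EPROCESS pool allocations from physical memory and still finds it (plus exited ones).
PSLIST_SAMPLE = """\
Offset(V)  Name          PID  PPID  Start                Exit
0x823c89c8 System        4    0     2014-01-10 10:00:00
0x81f7e020 explorer.exe  1404 1380  2014-01-10 10:00:20
"""
PSSCAN_SAMPLE = """\
Offset(P)  Name          PID  PPID  Start                Exit
0x023c89c8 System        4    0     2014-01-10 10:00:00
0x01f7e020 explorer.exe  1404 1380  2014-01-10 10:00:20
0x01e5a020 prolaco.exe   1080 1404  2014-01-10 10:01:05
0x01d5c020 notepad.exe   1520 1404  2014-01-10 10:05:00  2014-01-10 10:06:00
"""

# offset, name, pid, ppid, start timestamp, optional exit timestamp (simplified layout)
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+ \S+)(?:\s+(\S+ \S+))?\s*$")

def parse_listing(text):
    """Parse one listing into {pid: Proc}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        offset, name, pid, ppid, _start, exit_ts = m.groups()
        procs[int(pid)] = Proc(int(offset, 16), name, int(pid), int(ppid), exit_ts is not None)
    return procs

def find_hidden(pslist_text, psscan_text):
    """Cross-view check keyed by PID (pslist shows virtual, psscan physical offsets).
    Entries only psscan sees are split into live ones (DKOM suspects) and already-exited
    ones, whose stale EPROCESS is a benign cause of the same discrepancy."""
    listed, scanned = parse_listing(pslist_text), parse_listing(psscan_text)
    hidden, terminated = [], []
    for pid, proc in sorted(scanned.items()):
        if pid not in listed:
            (terminated if proc.exited else hidden).append(proc)
    return hidden, terminated

if __name__ == "__main__":
    hidden, _ = find_hidden(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for p in hidden:
        print(f"hidden process: {p.name} (pid {p.pid})")
```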
Dumping the hidden process
Dumping the hidden process from memory and submitting it to VirusTotal confirms the presence of a malicious hidden process