Lab: Malware Analysis
Required Virtual Machines
See here for instructions on setting up virtualbox for this class.
infosec-netvirtualbox network, as specified at the top of the above link, before importing the VM! It's not the end of the world if you don't, but it does require some extra work.
This lab uses the following VMs:
- Windows 10
In this lab, you will prod at and run live malware called WannaCry. You will be fine as long as you follow instructions. Please talk to me if you are scared.
Take a gander at the reading assigned for the malware topic, listed on canvas. It is library access to the first introductory chapter of “Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig. The book is accessible for beginners such as yourself, and is also a handy reference for more advanced analysts.
Analyze the Malware
In this lab, you’ll WannaCry. This program made international headlines last summer when it wreaked havoc across the world before being disabled by malware analyst Marcus Hutchins.
WannaCry is ransomware that encrypts the victim’s files and demands ransom in order to decrypt. But due to a programming error, WannaCry does not decrypt victim’s files even after the ransom is paid.
Confirm VM settings for great safety and much assurance
It is possible for WannaCry to “escape” the VM and spread to a wider network if two conditions are met:
- The virtual machine has a network adapter that gives it access to other machines on a network, and
- The other machines on that network are not patched against WannaCry’s spreading mechanism.
For #2 – This version of WannaCry uses the EternalBlue exploit to spread. Eternal Blue was developed by the NSA, and stolen and leaked by Shadow Brokers, and subsequently picked up by North Korean agents and used in WannaCry. Microsoft issued a patch for EternalBlue in March 2017. If you are running Windows and have installed updates since then, you’ll be fine.
For #1 – WannaCry will not spread to your host unless you changed the defaults on the Windows VM I distributed and set up a host-only network adapter. If you did, you should panic, and undo that. In theory, I think that WannaCry could reach out over the NAT adapter and attempt to exploit servers on the public internet – but mercy on any public server that is still vulnerable to WannaCry. They would have been infected many times over by now.
The WannaCry executable is zipped up in an encrypted folder on your desktop called “LIVE MALWARE WannaCry.exe”. However, ignore this folder, this zip contains only the “loader” or “encrypter” component. The “worm” component – the part that spreads wannacry around to other hosts – is a separate executable that I forgot to include on the VM. So, let’s grab it.
Make sure that Windows Defender is disabled.
Download the worm + loader executable from here (look for the
Extract the malware by right-clicking the folder, choosing
Extract all..., and entering the password
infected. This will create a new folder called “24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip”, inside of which is a
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exefile. Do not run this file yet!
This is the dropper and spreader only. Technically, it performs no encryption. It has stashed inside of it the wannacry encryptor. Its job is to drop the encryptor on a host, run it, and then scan the network and infect as many other machines as it can.
- Open a
cmdterminal via the Windows searchbar. Therein, do the following:
cdto navigate into the extracted folder containing
- Hash the exe using the
- Google the hashes to see what comes up.
Go to VirusTotal.com and either search for the hash, or upload the
.exefile. If you do the latter, click the “View last analysis” button. Both approaches should return the same results.
VirusTotal.com can run files and URLs through a barrage of antivirus programs to detect malicious files. This can be much more effective than checking a file against only one or two detection programs. However, people who create viruses also use this site to see whether their malicious code flags, and tweak the code until it comes up clean. It is not uncommon for a piece of malware to only turn up a few hits in VirusTotal.Question: What does Ad-Aware report this hash to be?
Browse to the website Reverse.it (now owned by hybrid-analysis), and click on “Select file,” and upload the WannaCry worm file (the .exe) or search for its hash. Reverse.it will check the hash of the file against previously analyzed files. Select any of the Note the wide range of information that this site provides about the executable. Examine the IP address that this malware attempt to access – see the “Network Analysis” section (accessible via the menu on the right-hand side), and then the “Contacted Hosts” section. Keep this IP address in the back of your mind somewhere.Question: What IP address does the spreader attempt to access?
Now we will manually perform some of the analyses that reverse.it performs, in order to get a hands-on feel for the work involved.
Static Analysis is usually the first step in malware analysis. It involves gathering as much information as possible from a potential malware file and determining its functionality, purpose, and identifying traits to the greatest degree possible. Static analysis does not involve running the malware file, and thus is less risky than dynamic analysis. However, caution must be used here (and in all stages of analysis), as certain analysis tools may execute the malware without warning.
Using the Strings Program
As its name implies,
strings is a command-line tool that will parse through a file and pull out any character strings in either ASCII or Unicode.
The result of running this tool can tell you many things about potential malware:
- Error messages can give telling information about the functionality of a program.
- IP addresses that the program will call to.
- Windows built-in library function files (DLLs) that the program will try to access.
In this lab, we will use several tools from a set of tools developed in 1996 which still rocks called sysinternals.
stringsfrom here and extract the downloaded zip file.
For convenience, add the
C:\bindirectory to your cmd
pathwhich will let you run the commands in that directory without having to reference the entire path to their location. Run the following from a Powershell terminal (windows searchbar > “powershell”):
[Environment]::SetEnvironmentVariable("Path", $env:Path + ";C:\bin", [EnvironmentVariableTarget]::User)
Now run the strings program to see a list of options and commands. From a new cmd prompt opened after adding
c:\binto the path, confirm that you can run
Look at its options.
cmdprompt in the directory where
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exeis located, run the following:
strings -n 12 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe > output.txt notepad output.txt
The “-n” option means “minimum string length.”
You may recognize this strings output from the Reverse.It report.
Use tab-completion to fill out that filename, for crying out loud. Do not copy-paste. If you keep copy-pasting, I will turn all code-snippets on my site into screenshots to spite you.
Also, a convenient shortcut to opening a windows shell in a certain directory is to use Windows Explorer (the graphical file explorer thing) to navigate to where you want to go, then right-click in the white area in that directory listing, and choose “Open PowerShell window here”. PowerShell can do everything a
cmdprompt can do, and more.
Search through output.txt (ctrl+f) for a
http://url. This url is the “killswitch” domain which, when registered, blocked the wannacry spreader from doing its thing. See the comic on this page to understand in four simple comic panels the facepalm reason why that functionality is even in the spreader in the first place.Question: What is the killswitch domain for this worm?
Resource Hacker is another useful tool that can often pull information from a malware sample without executing the malware. Windows application development tools will set values in this section, but developers can override and set whatever information they want, if they so desire. Regardless, examining the values can sometimes give hints about and insight into the malware.
- Download “Resource Hacker” from here, and install it. Open “Resource Hacker” by searching for it from the windows search bar.
- Load the wannacry worm into resource hacker.
Navigate through the folder tree structure to see information about the malware.
Examine the “Version Info” node, and look at the “FileVersion”. This can be helpful to track to note versions of malware that may be floating around.Question: What FileVersion does this malware claim to be?
lol and look at the CompanyName, FileDescription, and LegalCopyright. Cheeky North Koreans.Question: What is the name of the company that this malware claims is its author?
Applications can embed applications within their resource section, which is accessible via the navbar on the left under the
Rtree. The loader stores the wannacry encryptor here. When the loader runs, if the killswitch is not triggered, it will extract the embedded resource payload, install it, and run it. Let’s extract it manually and play with it, eh?
- Expand the “R” node and right-click the star range. Choose
Save Resources to a BIN file(a BIN file is another name for a
.exein windows). Save it where you like. This is the wannacry encryptor. If you run this, say goodbye to your vm files. Rename it to be
wannacry.exefor your convenience, if you feel like it.
- Expand the “R” node and right-click the star range. Choose
Strings again, this time on the wannacry encryptor
From a cmd prompt in the directory where your newly extracted wannacry.exe is located, run the following:
strings -n 12 wannacry.exe > output.txt notepad output.txt
Read through the output.txt file and look for sensical strings. Some malware can use “packing” tricks to make it harder for malware analysts to perform static analysis (read more about it here). “Packing” is a form of compressing that is sometimes also combined with encryption. If this malware were “packed”,
stringswould find no sensical text inside. If it is not packed, you will see English words which are names of windows functions or custom that the malware may call internally.Question: Is this malware likely "packed", or is it "unpacked"?Consider. If you did not know what this malware did, what would seeing calls in the
stringsoutput to windows functions such as "CryptDecrypt", "CryptEncrypt", "CryptDestroyKey", and "CryptImportKey" tell you? Dadgum right, got ransomware on our dadgum hands.
Analyzing DLLs with Dependency Walker
A few Dynamic Linked Library (dll – the windows function library calls) appeared when we ran the Strings program above. We can use another program, Dependency Walker, to obtain more information about those dlls and their use by the malware. Dynamic linking is an area that gives a great deal of insight into how a program functions, and it is of particular importance to malware analysis.
Download Dependency Walker from http://www.dependencywalker.com/. Extract the zip file contents, and run
depends.exe. When the program loads, use the “open” button on the top-left and load wanncry.exe.
There’s a lot of information here, so let’s step through it.
- The top-left pane shows all of the DLL files that are called by the WannaCry program.
- The top-right pane shows the functions that are called by the selected DLL.
- The right-middle pane shows all possible functions that could be called by the selected DLL, along with their ordinal values; a function can either be called by its name or by the ordinal value, so if you see an ordinal value called you can use this list to check its functionality. Calling functions by ordinal allows a program to call the function without ever using its name in the code. It can be a useful obfuscation technique.
- The bottom two panes show additional information.
Spend some time looking through the different DLLs.Question: Under ADVAPI32.DLL, find BCRYPT.DLL. What is function for ordinal value 37, i.e., the 37th function from the top?Bcrypt.dll is a family of functions, documented and listed [here](https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/). Bcrypt.dll is not the same as the blowcrypt family of algorithms that we studied earlier in the semester. bcrypt.dll lamely refers to "bestcrypt", a.k.a "Cryptography: Next Generation (cng)" (see [here](https://stackoverflow.com/questions/9711568/does-winapis-bcrypt-h-actually-support-bcrypt-hashing)). It is the built-in Windows way to perform encryption. And yes, that means that Wannacry is lamely using Windows functions, instead of making their own functions, to encrypt all the things. Lazy son of a guns.
Dynamic Analysis of WannaCry
Now we come to the fun part. Dynamic Analysis is used to gather information about a file that could not be gathered during static analysis. Dynamic Analysis is inherently riskier than static analysis, as it involves investigating malware as it runs, or the state of the host machine after the malware has executed. The drawbacks of dynamic analysis are that (1) malware may behave differently in a VM environment if the malware detects that it is in such a setting; (2) malware may behave differently depending on available network and Internet connections, and (3) running malware may potentially expose the host or other hosts on a network to risk, as mentioned previously. But don’t worry about #3, you’ll probably be fine!
Grab some more sysinternals tools:
You can get basic information from Task Manager in Windows, but Process Monitor allows you to track every action of a given process. Be warned that Process Manager generates a lot of data, all of which it stores in RAM. So, it may quickly fill up the memory of a VM and crash it if left to run for a long time.
No one in their right mind uses Process Monitor without applying some filters. We will apply filters soon to the gigantic pile of data pouring in.
- Launch Process Monitor. From within Process Monitor, launch the Process Tree (
- With Process Monitor running, run the
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. OH NO YOU ARE UNDER ATTACK. Or are you?
- Stop Process Monitor from collecting (
Capture Eventsto toggle). Examine the Process Tree. Note the entry for
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. Right-click it and
Add Process to Include Filter. Back in the main process monitor view, we are now looking at only events associated with our malware worm.
In the icon menu on the top of Process Monitor, deselect all icons in the far-right section except for the third from the right – the one with two computers and who-knows-what-shape on top of them. This will filter to show only network calls. This should at least one TCP Reconnect operation. This is the loader calling out to the killswitch domain. If the call resolves successfuls, then the malware immediately exits without doing anything else (eyeroll @ DPRK).Question: What was the value of the "Result" field for the calls to 22.214.171.124?
Disable Network Adapter and run dropper again
The worm won’t killswitch if we don’t have an internet connection! Before we proceed, disable the VM’s network adapters. To do this, from the VM’s top-bar menu, select “Devices” > “Network” > click “Connect Network Adapter” to disconnect it. Verify that you do not have internet access from within the VM before proceeding.
Open Process Monitor again. Do the following from the menu options:
- Filter > Reset Filter
- Edit > Clear display
- File > Capture Events (to enable capturing)
With Process Monitor running, right-click
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exeand choose “Run as Administrator.” OH NO YOU ARE UNDER ATTACK. YES THIS TIME YOU REALLY ARE. TIME TO CRY.
The dropper installed the file stored in its R resource section into the
C:\Windows\directory, naming it
tasksche.exe, and then ran it. This is the wannacry encryptor.Question: What is the sha256 hash of
Well, what does this encryptor do? It scans through the entire drive for files with interesting file extensions, and it encrypts them, storing an encrypted version of the decryption key in header info in the file itself. The encrypted variants of all of your precious files have a
tasksche.exeshows that it is looking for files with the following extensions:
.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .cpp .pas .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc
It then pops up an annoying notification about your ransomed state which will continue to pop up every sixty seconds or so. Best way to deal with that popup is to not “X” it out, but rather, drag it to a corner of your screen, almost out of sight.
Right-click one of the encrypted files on your desktop, and “Edit in Notepad++” to examine the contents. What used to be plaintext aint so plain anymore, ‘tis it? The first 8 bytes of any file encrypted by wannacry are always the same. This is wannacry’s “magic number” You can see it in notepad++ or in a hex examiner such as HxD (installed on the VM).Question: What is the magic number for a wannacry-encrypted file?
Decrypting the WannaCrypted files
Just kidding. You can’t.
Actually, you can with two long-shots.
A decryption tool exists which can extract the prime numbers from memory which were used in the encryption. However, huge caveats: it relies on a Windows encryption implementation bug that only only works for Windows OS versions less than 10, (e.g., XP through 7), and “it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).”
Also, there’s a chance that if you pay the ransom, you will get a response… but, “Those who do shouldn’t expect a quick response – or any response at all. Even after payment, the ransomware doesn’t automatically release your computer and decrypt your files, according to security researchers. Instead, victims have to wait and hope WannaCry’s developers will remotely free the hostage computer over the internet. It’s a process that’s entirely manual and contains a serious flaw: The hackers have no way to prove who paid off the ransom.” Sigh.
In September 2018, the US Justice Department indicted a North Korean agent who participated in the WannaCry and Sony hacks.