TryHackMe: Malware Analysis

Room: https://tryhackme.com/room/malmalintroductory

One of the sub-fields of cybersecurity that seems very interesting to me is Malware Analysis. Fortunately, TryHackMe has a set of rooms on being able to analyze malware. This will be my introduction into the field! I also have installed a custom VM by the name of REMnux which seems to be a leading malware analysis Linux Distro just in case I need it. I wanted it separate from my kali VM just in case in the future any malware tries to detonate in the box due to any rookie mistakes I made. This particular blog is going to be notes and key take-aways from the lesson.

Malware Campaigns

  • Targeted – malware created for a specific purpose against a specific target (i.e made for PoS machines at a retail store)
  • Mass Campaign – generic malware created to infect as many devices as possible

A malware that targeted Iran’s nuclear facilities in 2010 was stuxnet. The ransomware used in the MS17-010 EternalBlue attack was WannaCry.

Identifying a Malware Attack

Malware is generally obtrusive, i.e. it leaves many different signatures that could be used for identification, if you know where to look. The general process is as follows:

  1. Delivery
    • USB, PDF attachments, vulnerability enumeration
  2. Execution
    • Encryption = ransomware; recording or heavy ads = spyware
    • This is what malware analysis is all about
  3. Maintaining persistence (not always)
    • this allows the malware to stick around if you reboot or log out for maximum damage
    • can be a very noisy stage which would allow detection
  4. Propagation (not always)
    • this allows the malware to spread and infect others (like other computers on a network)
    • host discovery could be a sign of malware trying to propagate

These can generate loads of data such as in the case it needs to fetch remote files or contact a command server, network traffic would be crucial. Heavy file system interaction like read/writes and modification may be a sign of something like a ransomware or data exfiltration malware.

Two types of fingerprints:

  • Host-Based signatures: results of execution and persistence (such as encryption, additional software.etc)
  • Network-Based signatures: calls to external servers such as bitcoin addresses or command/control servers
    • Example for WannaCry/EternalBlue was the large amount of Samba protocol attempts

Static v Dynamic Analysis

  • Static Analysis – mainly looking at source code or signature analysis. Happens without executing the code
    • Tools used for this can be Dependency Walker, PeID, PE Explorer, PEview, ResourceHacker, IDA Freeware, WinDbg.
  • Dynamic Analysis – executing the code and observing what happens. Done within some sort of sandbox or container to prevent destruction to actual machine and for better visibility into what it does

Interactive Lab

We are given a windows machine with some tools pre-installed for further modules

Obtaining MD5 Checksums of Files

This box comes pre-installed with HashTab which adds a new tab to the properties pane that shows us possible hashes for a file:

HashTab in action

Verifying MD5 Sums

With the MD5 sums for the three files in Task 7 copied, we can run them through VirusTotal to see if they come back as known malware:

aws.exe: D2778164EF643BA8F44CC202EC7EF157 - Safe
Netlogo.exe: 59CB421172A89E1E16C11A428326952C - Safe
vlc.exe: 5416BE1B8B04B1681CB39CF0E2CAAD9F - Safe

Fortunately for us, all the MD5 hashes check out to be safe executables.

Identifying Compiler of Files

The next tool at our disposal is PeID, a tool which detects the most common packers, cryptors and compilers for PE files. The original website appears to have gone offline and there are still copies of the program floating around. If we use these on the files in /Tasks/Task 9/ we can see they are packed with Microsoft Visual C++ 6.0:

PeID in action

Strings

On windows, we can use the SysInternalsSuite/Strings.exe application to find strings in files. Similar to the already built in strings command on linux. In our case, with the 67844C01 binary we had, there was a practicalmalwareanalysis.com string in the file which seems useful. The next step is to import this same file into PE Explorer where we can see Imports, Exports, Headers and a bunch of other useful information about the file

Disassembly

Our last task is to open /Tasks/Task 13/install.exe with IDA Freeware and investigate the imports tab here to see how many times the msi Library is called, which in our case is 9.

Summary

Our final Task 14 walks us through doing it all ourselves for the /Tasks/Task 14/ComplexCalculator.exe

  • MD5 Checksum: F5BD8E6DC6782ED4DFA62B8215BDC429
  • VirusTotal Scan: 2 security vendors flagged this as a Trojan Malware!
  • Last String of strings: d:h:
  • PeID Packer: Nothing found *
    • This means the application probably uses a custom packer for obfuscation to prevent detection

Conclusion

This was a pretty good box that introduced us to a few tools but besides running the checksum through a VirusTotal checker, I still have much to learn about actually using these tools for malware analysis and what to actually look for in disassembly or debugging.

Comments

No comments available.

Leave a Reply

Your email address will not be published.