Lately I’ve been running into malware that doesn’t play nicely with analysis websites like CWsandbox or Norman. I needed to find indicators of infection for a mariposa variant and both sites would not analyze it. It appears that it needs the presence of both the .exe and its specially crafted desktop.ini before it will execute. Since you can only submit one file to these websites, I needed to do the analysis on my own. When doing this type of analysis, we are just looking at the changes it made to the system and not specifically determining the capabilities of the software.
The first thing you need to do is make sure you have a system that mirrors your environment, this is easier if you have a standard desktop build. When possible I try to use VMWare for my analysis machine. Depending on the malware, this may not work. I’ve had good results with uninstalling VMware tools and not having malware detect it running in a VM. One of the easier ways for malware to detect a VM environment is checking for VMware tools/ drivers. This may also help prevent a VMware exploit as many of these exploits use the Vmware tools to accomplish this.
Once you have removed VMware tools, you will want to install any tool that you will use for analysis. I’m going to cover Process monitor today as its quick and easy for what I was trying to do. Once your tools are installed, take a snapshot of the system. If you are going to let your malware actually connect to the Internet to pull down secondary tools, it’s a good idea to use TOR or better yet use a different internet pipe rather than your corporate network. You could also use a sandnet like TRUMAN, but that is out of scope for this post.
Capturing network traffic can also be useful in tracking down infections. Process Monitor also keeps track of network connections, but I like to do this on the host rather than the guest for a couple of reasons:
- Prevents malware detecting the network card in promiscuous mode.
- Smaller foot print on machine.
1. Start your network packet capture tool. I like to set the capture interface to the guest virtual NIC, but on most system the primary interface will capture all the traffic.
tcpdump -nni eth1 host 192.168.1.1 -w infection.pcap
-nn (tells tcpdump not to convert to names )
eth1 (is the interface I want to capture traffic from)
host 192.168.1.1 (capture all traffic from VM ip address)
-w switch says write to file
2. Start Process Monitor
It will automatically start collecting data.
3. Run Malware
Depending on the malware, it will have multiple stages that may take a while for the infection to be completed.
4. Stop tcpdump and Process Monitor (3rd button from Left or CTRL+E). Disable the Network Card from the VM or Pull the network cable.
We want to setup display filters to determine what files and registry keys were created.
Click on the filter button. (Or Ctrl + L)
The top row has a bunch of drop-down menus that allows you to select what you want to filter.
Select Operation from the first Column.
Select each of the keys individually below and click add. Additionally, you can export the data into csv format and do filtering using a spreadsheet.
(UPDATE) Addition filters to add based on this post.setbasicinformation setdispositioninformationfile regdeletekey regdeletevalue regcreatekey
To get a better look at what processes the malware spawned you can add these to the filter:
Partial list of files that were written during infection by this version of mariposia.
Partial list of registry keys that were written during infection by this version of mariposia.
When trying to find indicators of infection, you generally want to look for ways the malware stays persistent on the machine. This malware variant adds an executable file in the recycle bin to start-up at winlogin.
You may need to infect your VM a couple of times to get enough information about how it’s randomizing its name. Now you can take this info and add it to a HIPS like OSSEC or a script to query all your computers in a domain.
For /f %i in (filename with computer to search.txt) do Reg query “\\%i\hklm\software\microsoft\Windows NT\CurrentVersion\winlogon” /v taskman >winlogonreg.txt
Then you can search the results file (winlogon.txt) for any computer that has Recycler in it, as no valid item should start from recycler when you log into the system.
Once analysis is completed, be sure to revert your VM back to the snapshot before the infection.
With the pcap file you created, you’ll want to analyze it using wireshark or tcpdump. There are a couple of quick things you will want to look for:
- DNS lookups (This will allow you to search your DNS logs for anyone querying the same DNS records as your infected VM).
- Data exfiltration traffic (Most malware these days send information it collects back to some type of command or data collection server.).
- Track down infected hosts using flows or firewall logs based on identified traffic.
- If you are comfortable with writing IDS rules, writing rules for this traffic will also help pick-up future infections once the other server are taken offline.