During part one we created the environment to perform dynamic malware analysis with REMnux toolkit. Then the malware was executed and all the interactions with the network were observed and captured. Essentially, the malware was executed in a disposable virtual machine and all the traffic – including SSL – was intercepted.
Now, to gather further information that helps answer the questions raised in part 1, it is worth observing what happens at the system level.
The recipe below involves running Process Monitor from Sysinternals. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. In parallel we run a packet capture with Wireshark on the disposable machine, or tcpdump on REMnux. These tools are started before the malware is executed and stopped moments after the infection. Then we import this data – pcap and procmon – into ProcDOT. ProcDOT is a free tool created by Christian Wojner from CERT.at. It runs on Windows or Linux and is installed on REMnux. This tool can parse the Procmon data, correlate it with the pcap and transform the data into a picture. This enables visual malware analysis, a method that can be of great help for effective and efficient dynamic malware analysis. The steps, using the part 1 setup, are:
- Restore the VMware snapshot.
- Start Process Monitor (it needs to be installed beforehand) and configure the column fields to be compatible with ProcDOT.
- Start Wireshark or tcpdump on REMnux and start capturing traffic.
- Copy the malware to the virtual machine and run it.
- Stop the Wireshark capture and export the traffic as a PCAP.
- Stop the Process Monitor capture and export the results as CSV.
- Move the PCAP and CSV files to REMnux.
- Power off the infected machine.
- Execute ProcDOT and import the procmon and pcap data.
- Select the process and render the analysis.
- Run through the animation to understand the timing aspects.
The picture below shows the result (to keep the graph readable, elements such as registry keys and paths have been removed):
This visualization technique is very helpful for quickly determining what the malware does. The graph produced by ProcDOT is interactive and you can play an animation of it to determine the sequence in which the events occurred. In this case several relevant events happened. You can easily observe that:
- The executable torrentlocker.exe starts execution and creates a new thread with id 1924
- Thread id 1924 creates a new suspicious file named 01000000
- Thread id 1924 creates a new process named “explorer.exe” with pid 1928
- This new process performs several actions, including:
  - A suspicious executable file named izigajev.exe is created under c:\windows
  - A new AutoStart registry key is created, invoking the just-created executable file
  - The file Administrator.wab is read and data is written to it
  - A new process named vssadmin.exe is invoked
By looking at this sequence of events we can conclude that the malware performs process injection, injecting its malicious code into a benign process; creates a copy of itself and drops it into the Windows folder; maintains persistence by adding the dropped executable to an autostart registry key; and creates several suspicious files.
This is a very simple, fast and effective method that speeds up malware analysis. Using this visual analytic technique together with the one described in part one, you can gather indicators that can now be used to identify the malware in motion (network) or at rest (file system/registry) across your network. Furthermore, they can be used to augment existing security controls and find additional infected systems.
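As an added illustration (not part of the original post, and not ProcDOT's own code), the script below does on a small scale what the ProcDOT import step does with the Process Monitor CSV: it rebuilds the process lineage from Process Create events so that the actions of the injected explorer.exe are attributed back to the sample, then flags the three behaviours listed above. The CSV rows are constructed; the column names and the PIDs 1912 and 1940 are assumptions.

```python
import csv, io, re

# Constructed rows in the shape of a Process Monitor CSV export (column names are an
# assumption; a real capture has thousands of rows). Values mirror the events listed above.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:00:01.000,torrentlocker.exe,1912,Thread Create,,SUCCESS,Thread ID: 1924
10:00:01.100,torrentlocker.exe,1912,CreateFile,C:\Users\Administrator\AppData\Roaming\01000000,SUCCESS,Desired Access: Generic Write
10:00:01.200,torrentlocker.exe,1912,Process Create,C:\Windows\explorer.exe,SUCCESS,PID: 1928
10:00:02.000,explorer.exe,1928,CreateFile,C:\Windows\izigajev.exe,SUCCESS,Desired Access: Generic Write
10:00:02.100,explorer.exe,1928,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\izigajev,SUCCESS,Type: REG_SZ
10:00:02.200,explorer.exe,1928,WriteFile,C:\Users\Administrator\Administrator.wab,SUCCESS,Offset: 0
10:00:02.300,explorer.exe,1928,Process Create,C:\Windows\System32\vssadmin.exe,SUCCESS,PID: 1940
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))  # Procmon quotes fields holding commas

def lineage(rows, root_pid):
    """PIDs started by root_pid, directly or transitively, from Process Create rows."""
    children = {}
    for r in rows:
        if r["Operation"] == "Process Create" and (m := re.search(r"PID:\s*(\d+)", r["Detail"])):
            children.setdefault(int(r["PID"]), []).append(int(m.group(1)))
    seen, stack = {root_pid}, [root_pid]
    while stack:  # walk the tree so the injected explorer.exe is attributed to the sample
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def indicators(rows, pids):
    """Behaviours the ProcDOT graph surfaced, restricted to pids (the sample's lineage)."""
    hits = []
    for r in (x for x in rows if int(x["PID"]) in pids):
        op, path = r["Operation"], r["Path"].lower()
        if op == "CreateFile" and path.startswith("c:\\windows\\") and path.endswith(".exe"):
            hits.append(("dropped_executable", int(r["PID"]), r["Path"]))   # copy dropped
        elif op == "RegSetValue" and RUN_KEY.search(r["Path"]):
            hits.append(("autostart_value", int(r["PID"]), r["Path"]))      # persistence
        elif op == "Process Create" and path.endswith("\\vssadmin.exe"):
            hits.append(("vssadmin_spawned", int(r["PID"]), r["Path"]))
    return hits

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for kind, pid, path in indicators(rows, lineage(rows, 1912)):
        print(f"{kind:18} pid={pid} {path}")
```

On a real export, point load_rows at the CSV file contents and pass the sample's PID from the Procmon capture as the root; rows outside that lineage are ignored, which is what keeps the graph readable.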
Thanks for this great tutorial. Just a question about this lab: do you allow the infected machine (i.e. the malware) to interact with the C&C server, or do you just intercept packets without really contacting the server?
If you don’t, I think you can still identify the malware on the system because it will modify it for persistence, but I think there is a lack of context since the malware will probably not execute a potential “second stage” downloaded from a server.
Hi, normally yes, I allow the malware to connect back to the C&C but always via Burp, and in parallel I normally also capture the traffic with tcpdump. Note that I don’t suggest you use your home Internet connection to do this. So, after capturing the requests and the responses, I can re-use them in case the C&C goes down or it uses some technique to uniquely identify the systems. The REMnux/Burp setup to perform this operation is outlined in Part 1 of this article, with the difference that I use two interfaces on REMnux (one connected to the Internet and another to the infected system) to be able to route/inspect the traffic at will.