:::success
# OT Lab 4: Malware Analysis
### Name: Daniil Sinelnik
:::
## Task 1
:::info
1. Use any virtualization environment, better to use the latest version.
2. Prepare and secure malware analysis environment, e.g. FlareVM or Remnux, etc. Make sure that VM uses a HOST ONLY network adapter.
3. Or you can create a Virtual Machine and set it up as a malware analysis environment.
:::
I have decided to use a Windows machine and install VirtualBox and the Remnux Linux distribution.
I have downloaded the appliance from [here](https://docs.remnux.org/install-distro/get-virtual-appliance).
## Task 2
:::info
1. Download some malware/ransomware from the Internet (for example, TheZoo repo).
2. Please be careful when you run them, THESE ARE REAL MALWARE.
3. Select at least two malware that you want to analyze in your malware analysis environment.
:::
I have selected: [this](https://github.com/ytisf/theZoo/tree/master/malware/Binaries/CryptoLocker_22Jan2014) and [this](https://github.com/ytisf/theZoo/tree/master/malware/Binaries/SpyEye).
<center>

Run `TheZoo` repo.
</center>
## Task 3
:::info
1. Use any tool for static analysis of your selected malware (for example, Ghidra, IDA, Binary Ninja, Hopper, Radare2, ...).
2. Now try to use other online tools (for example, any.run, hybrid analysis, ...), upload the malware and see what artifact it gathers.
3. Compare the findings of both methods, and see if there are some artifacts that online solution did not manage to find, or vice versa. For example, a piece of code or information that helps you in your analysis.
4. Try to describe which method (Sandboxing vs Static analysis) is better, and which one is more useful in which case.
:::
:::info
1. Use any tool for static analysis of your selected malware (for example, Ghidra, IDA, Binary Ninja, Hopper, Radare2, ...).
:::
:::info
2. Now try to use other online tools (for example, any.run, hybrid analysis, ...), upload the malware and see what artifact it gathers.
:::
I have decided to use the Any.Run service and dropped the file through the VM with Remnux OS to the web service.
## CryptoLocker malware
We will dive into each run of the executables here.
<center>

1st malware and its description.
</center>
1. Drops the executable file immediately after the start.
2. Changes the autorun value in the registry.
3. Uses TASKKILL.EXE to kill process.
4. Reads the Internet Settings.
5. Reads security settings of Internet Explorer.
6. Starts itself from another location.
7. Executable content was dropped or overwritten.
8. Changes the autorun value in the registry.
<center>

2nd malware and its description.
</center>
1. Changes the autorun value in the registry.
**Assumption:**
I'm not sure what it's doing for now, but I guess it's some sort of malware that will encode all the data inside your computer and will ask for money on some BTC account to get the key to decode the data. But it will never happen LMAO. Better to dive into it via static analysis and get a better understanding of what it's doing.
## SpyEye malware
We will dive into each run of the executables here.
SpyEye has several zip files inside the target zip file. I have run several of them and they showed the following:
<center>

1st malware and its description.
</center>
1. Changes autorun value in the registry.
2. Reads the Internet Settings.
3. Checks the proxy server information.
4. Reads security settings of Internet Explorer.
<center>

2nd malware and its description.
</center>
1. Reads security settings.
2. Application runs itself.
3. Process drops legitimate windows executable.
4. Drops the source exe file after the launch of the malware.
<center>

3rd malware and its description.
</center>
1. Application launched itself.
2. Reads security settings of the Internet Explorer.
3. Process drops legitimate windows executable.
4. The process checks if it is being run in the virtual environment.
5. Executable content was dropped or overwritten.
6. Drops the executable file immediately after the start.
Interestingly, the 3rd malware that was run not only drops the executable file but also checks whether it is running in a virtual machine.
**QUESTION:**
Is there any possibility to write such a malware that will have a possibility to get out of the VM and get access to the physical computer?
**ANSWER FOUND ON GOOGLE**
<center>

4th malware and its description.
</center>
1. Runs injected code in another process.
<center>

5th malware and its description.
</center>
1. Application was injected by another process.
2. Creates a file in the system drive root.
3. Drops the executable file immediately after the start.
<center>

6th malware and its description. In my view it is the most interesting.
</center>
1. Steals credentials from Web Browsers.
2. Runs injected code in another process.
3. Reads the Internet Settings.
4. The process executes via Task Scheduler.
5. Reads the computer name.
6. Checks supported languages.
This one is the most dangerous: it steals the credentials from the browsers, and I think that it places itself in the scheduler.
**Assumption:**
If this malware was injected into some game and packed as a torrent file, it could be easily distributed through the devices and infect many computers. If it is some game packed with a torrent file, then even if the game is deleted, the malware won't be deleted at all. Since we are not able to ACTUALLY delete the data from the disk, the hardware only tells the OS that this space of clusters on the disk is free to use, but in fact it is not until it is overwritten. The code of the malware could still be executed because of the `Task Scheduler`, and it will keep running until the malware in the clusters on the hard disk is overwritten.
:::info
3. Compare the findings of both methods, and see if there are some artifacts that online solution did not manage to find, or vice versa. For example, a piece of code or information that helps you in your analysis.
:::
:::info
4. Try to describe which method (Sandboxing vs Static analysis) is better, and which one is more useful in which case.
:::
I think that Sandboxing is better for understanding beforehand what the binary or the executable malware file is doing, to check and be ready for the consequences. Meanwhile, static analysis helps to figure out what exactly is happening step by step.
In other words: Sandboxing helps to understand `WHAT` the malware is doing, meanwhile static analysis helps to understand `HOW` the malware does what it's doing.
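As an added example (not part of this lab report and not any.run's or Remnux's own tooling), here is a small Python triage script for the comparison that Task 3 item 3 asks for: it runs a `strings`-style static pass over a binary and cross-references the result against the behaviours the sandbox reported above. The byte blob, the behaviour-to-indicator table and all function names are constructed for illustration; a behaviour with no static hit marks exactly the case where the sandbox found something static analysis alone could not confirm (a packed sample, or a dropped second stage).

```python
import re

# Constructed sample "binary": NOT real malware, just bytes carrying the kinds
# of strings that the sandbox-observed behaviours (autorun key, taskkill,
# scheduler, VM check) usually leave behind. Mixed ASCII and UTF-16LE, as in
# real Windows PE files, with non-printable bytes between them.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03"
    + "taskkill.exe /F /IM".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"schtasks /create\x00"
    + b"VBoxService.exe\x00" + b"\x7f\x80"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\x00"
)

# Behaviours as the sandbox reported them above, mapped to the static string
# indicators (hypothetical table) that usually accompany them in the binary.
BEHAVIOUR_INDICATORS = {
    "Changes the autorun value in the registry": [r"CurrentVersion\\Run\b"],
    "Uses TASKKILL.EXE to kill process": [r"taskkill(\.exe)?"],
    "The process executes via Task Scheduler": [r"schtasks", r"ITaskService"],
    "The process checks if it is being run in the virtual environment": [r"VBox", r"VMware"],
    "Reads the Internet Settings": [r"CurrentVersion\\Internet Settings"],
}

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII and UTF-16LE strings, like the `strings` tool."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16-le") for m in re.findall(wide_re, data)]
    return found

def cross_reference(data: bytes, sandbox_report: list[str]) -> dict[str, list[str]]:
    """For each behaviour the sandbox reported, list the static strings that
    corroborate it (case-insensitive). An empty list means the static pass
    could not confirm it from strings alone."""
    strings = extract_strings(data)
    result = {}
    for behaviour in sandbox_report:
        patterns = BEHAVIOUR_INDICATORS.get(behaviour, [])
        result[behaviour] = [s for s in strings
                             if any(re.search(p, s, re.I) for p in patterns)]
    return result

def unconfirmed(xref: dict[str, list[str]]) -> list[str]:
    """Behaviours seen dynamically but with no static string evidence."""
    return [b for b, hits in xref.items() if not hits]
```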