# OT Lab4 (Malware Analysis)

###### tags: `Malware Analysis` `Satana`

### Task 1: Set up your environment.

1. Prepare and secure a malware analysis environment, for example FLARE VM. Make sure that the VM uses a HOST ONLY network adapter.

![](https://i.imgur.com/NlHyawP.png)

2. Use any virtualization environment, preferably the latest version (check the repo and the official website).

![](https://i.imgur.com/Ai3kT1V.png)
![](https://i.imgur.com/aug5ncC.png)
![](https://i.imgur.com/Ei0pNfr.png)

3. Or you can create a Virtual Machine and set it up as a malware analysis environment.

Due to some networking issues with KVM, I switched my environment to VirtualBox and reinstalled everything as done previously.

![](https://i.imgur.com/VkNJklD.png)
![](https://i.imgur.com/lEnyjMj.png)

### Task 2 - Let’s get some malware

1. Download some malware/ransomware from the Internet (for example, the theZoo repo). Please be careful when you run them, THESE ARE REAL MALWARE.

I pulled the theZoo repository from GitHub and selected the Satana ransomware as the malware to investigate.

2. Select at least two malware that you want to analyze in a malware analysis environment.

**Name**: Satana
**Family**: Trojan, Ransomware
**Hash**:
- **MD5**: 108756f41d114eb93e136ba2feb838d0
- **SHA1**: 8c6b51923ee7da2f4642c7717db95fbb77d96164
- **SHA256**: b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c

Satana is similar to the [Petya and Mischa bundle](https://en.wikipedia.org/wiki/Petya_and_NotPetya) and works in two modes. The first mode behaves like Petya: a dropper (a typical PE file) writes to the beginning of the infected disk a low-level module, a bootloader with a tiny custom kernel. The second mode behaves like typical ransomware and encrypts files one by one (just like Mischa).

### Task 3 - Static Analysis

1. Use any tool for static analysis of your selected malware (for example, Ghidra, IDA, Binary Ninja, Hopper, Radare2, ...).
In order to accomplish this, I followed the steps below, investigating the binary with **Cutter**.

#### Overview

![](https://i.imgur.com/tNZIjoO.png)
![](https://i.imgur.com/wqvxQ6V.png)

With this we have basic information on the binary:

- 32-bit PE file format
- Not stripped
- Executable
- All binary mitigation techniques such as stack canary, NX bit and PIE are disabled
- Offset and size of each file section

The PE sections contained in Satana are:

- TEXT: read-only code and static strings (of absolute origin)
- DATA: initialized data (of absolute origin)
- RSRC: the resources used by the executable, such as icons, images and menus
- RELOC: the base relocation table, which contains entries for all base relocations in the binary

#### Functions

A list of the complete functions embedded in the malware:

![](https://i.imgur.com/suSCU7l.png)

These functions are imported from the following libraries:

![](https://i.imgur.com/qNGfluP.png)

Below is an overview of the libraries listed above, which functions are linked from each, and what tasks the malware uses them for.

- **ntdll.dll**, the native API dynamic link library. Its entry points convert calls to Nt and Zw routines into system calls that trap to kernel mode.

![](https://i.imgur.com/LJvqK0X.png)

- **ws2_32.dll** is used to handle network connections. Probably used to connect to a C2 server.

![](https://i.imgur.com/p8RZZIA.png)

- **Advapi32.dll** is part of the advanced API services library. It provides access to advanced functionality that comes in addition to the kernel. It is responsible for things like the Windows registry, restarting and shutting down the system, starting/stopping and creating Windows services, and managing user accounts.

![](https://i.imgur.com/Eu1Y0Uw.png)

- **mpr.dll** is a module containing functions used to handle communication between the Windows operating system and the installed network providers.
![](https://i.imgur.com/QS8puU3.png)

- **msvcrt.dll** is the generic C runtime library on Microsoft Windows that has shipped alongside Windows.

![](https://i.imgur.com/Ch9jdfe.png)

- **Kernel32.dll** handles memory management, input/output operations, and interrupts.

![](https://i.imgur.com/DAXgPud.png)

- **shell32** is a Dynamic Link Library (DLL) providing many functions of the Windows Shell, the graphical user interface (GUI) for Windows that includes the desktop, Start Menu, Autoplay, Taskbar, etc.

![](https://i.imgur.com/3ynVEwY.png)

- **user32.dll** implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows, and menus.

![](https://i.imgur.com/DuL5kiy.png)

#### Imports

Here we have an overview of the libraries listed above and what tasks the malware uses them for.

![](https://i.imgur.com/axL3pvf.png)

#### Strings

These strings contain text data and are not associated with a code page; their code page value is 0.

![](https://i.imgur.com/8ZqiVtZ.png)

The following, for example, helped figure out which functions are embedded in the malware.

![](https://i.imgur.com/GW6Bh7y.png)

#### Targeted file extensions

The ransomware targets all files with the following extensions and encrypts them.

![](https://i.imgur.com/ne8KxM3.png)

I also discovered these extensions when investigating the strings dumped from the binary.

![](https://i.imgur.com/QURtMqJ.png)

### Execution flow

As soon as it starts running, the main executable is deleted and a new sample is created inside the %temp% folder.

![](https://i.imgur.com/GrYdWaL.png)

It then starts writing the malicious bootlocker code to the beginning of the disk. The contact data relevant to each client is stored in the registry.

![](https://i.imgur.com/SJLIHF4.png)

It calls the **OutputDebugString** function to output debug information. It might still be under development.
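As an added example (my code, not part of the original report or of Cutter), the following minimal pure-Python PE header parser reproduces the Task 3 overview findings: image bitness, the section table, and the two mitigation flags that actually live in the PE header, NX/DEP and ASLR (the latter is what Cutter reports as PIE). Stack canaries are a compiler feature (/GS) and cannot be read from the header, so that part of the overview can only be confirmed in the disassembly. The sample image is constructed inside the block and is not the Satana binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # ASLR-compatible (shown as "PIE" in Cutter's overview)
NX_COMPAT = 0x0100      # DEP/NX-compatible

def parse_pe(data):
    """Minimal PE header parse: bitness, header-level mitigations, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]    # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):                               # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    return {"bits": 32 if magic == 0x10B else 64,
            "nx": bool(dllchar & NX_COMPAT),
            "aslr": bool(dllchar & DYNAMIC_BASE),
            "sections": sections}

def build_sample_pe(dllchar=0):
    """Constructed 32-bit PE header with the four sections seen in the report (not the Satana sample)."""
    names = [b".text", b".data", b".rsrc", b".reloc"]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 224                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)                  # DllCharacteristics
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"{info['bits']}-bit, NX={info['nx']}, ASLR={info['aslr']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} vaddr=0x{s['vaddr']:x} raw=0x{s['raw_ptr']:x}+0x{s['raw_size']:x}")
```

Run it against a real sample by replacing `build_sample_pe()` with the bytes read from the file; with `dllchar=0`, as in the constructed image, both header mitigations report as disabled, matching the Cutter overview.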
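The execution-flow behaviours just described (a copy dropped into %temp%, a raw write to the start of the disk) and the `vssadmin.exe Delete Shadows /All /Quiet` command that the any.run strings surface later are all observable in endpoint telemetry. The following added example (my code, not from the original report) runs simple detection rules over constructed process and file-handle events; the `key="value"` log format, its field names and the file name in %temp% are assumptions, not any product's real schema.

```python
import re

# Detection rules derived from the behaviours documented in this analysis:
# shadow-copy deletion, execution of the dropped copy from %temp%, and a raw
# handle to the physical disk (the bootlocker write). Field names belong to the
# constructed log format below, not to any real product's schema.
RULES = [
    ("shadow_copy_deletion", "CommandLine",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I)),
    ("exec_from_temp", "Image",
     re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)),
    ("raw_disk_handle", "Target",
     re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I)),
]

def parse_event(line):
    """Parse one key="value" event line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def match_rules(event):
    """Names of the rules whose field is present in the event and matches."""
    return [name for name, field, rx in RULES
            if field in event and rx.search(event[field])]

def scan(lines):
    """Return (pid, rule) pairs for every rule hit across the log lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((ev.get("Pid"), name) for name in match_rules(ev))
    return hits

# Constructed sample log (not a real capture); "sample.exe" is a placeholder name.
SAMPLE_LOG = [
    'Type="process" Pid="4012" Image="C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe" CommandLine="sample.exe"',
    'Type="process" Pid="4020" Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'Type="filehandle" Pid="4012" Target="\\\\.\\PhysicalDrive0"',
    'Type="process" Pid="5001" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe README.txt"',
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_LOG):
        print(f"pid {pid}: {rule}")
```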
![](https://i.imgur.com/QzbEe7X.png)

#### Encryption

Each file's content is divided into 32-byte chunks and each chunk is encrypted separately. That is why patterns of the original file are reflected in the encrypted content.

![](https://i.imgur.com/imIwdBj.png)
![](https://i.imgur.com/1ZTd2L6.png)

#### Command and Control service

![](https://i.imgur.com/w53Uqha.png)
![](https://i.imgur.com/YkPUXdb.png)
![](https://i.imgur.com/nytbHfD.png)

This command and control server is used to collect data on the victim's computer.

After encryption, it drops a text file with the ransom message in the current user directory; every file except this ransom note is encrypted.

![](https://i.imgur.com/zbbxhxT.png)

This ransom note contains:

- the email address to contact
- the Bitcoin wallet to which the ransom is to be paid
- a generated code

![](https://i.imgur.com/QVJ1sNV.png)

2. Now try to use other online tools (for example, any.run, Hybrid Analysis, ...), upload the malware and see what artifacts it detects.
##### Overview

![](https://i.imgur.com/gvgDL1l.png)
![](https://i.imgur.com/9dCQuqg.png)
![](https://i.imgur.com/VAJ31CC.png)

Full report available [here](https://any.run/report/b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c/adbf1102-94b7-4489-817e-aefc281333cf?_gl=1*11829be*_ga*MjExODM3MDE5NS4xNjUwODg5ODA0*_ga_53KB74YDZR*MTY1MDkxNjQyMC4yLjEuMTY1MDkxNjQ0OC4zMg..&_ga=2.34542437.537082670.1650889809-2118370195.1650889804)

#### Network Connections

![](https://i.imgur.com/78hTf14.png)
![](https://i.imgur.com/sFjxoDt.png)
![](https://i.imgur.com/BSutPVO.png)

#### Process details and behavior graph

![](https://i.imgur.com/KBhIkkX.png)
![](https://i.imgur.com/l66HgR8.png)
![](https://i.imgur.com/8b4XfhT.png)
![](https://i.imgur.com/MksEEri.png)

#### File modifications

![](https://i.imgur.com/bTzagYt.png)
![](https://i.imgur.com/75CliK1.png)
![](https://i.imgur.com/gEMMWzF.png)

#### Indicators of compromise

![](https://i.imgur.com/qLB1hlF.png)

#### Static information

![](https://i.imgur.com/skHy4tB.png)
![](https://i.imgur.com/LTTZ5tB.png)
![](https://i.imgur.com/IHilzOb.png)

###### Mitre Att&ck

![](https://i.imgur.com/hj2TFTt.png)

3. Compare the findings of both methods, and see if there are some artifacts that online tools did not manage to find, or vice versa. For example, a piece of code or information that helps you in your analysis.

After comparison, many more artifacts were found during the analysis with any.run than in the static analysis. For example:

- The behavior activities

![](https://i.imgur.com/z8RfzuY.png)

Designed as a process tree, it shows the different processes and actions attempted by the malware since it was dropped on the target environment. Each branch shows a process, its specifications and all the modules that were used during its phase.
![](https://i.imgur.com/mlaNZDQ.png)
![](https://i.imgur.com/99oliC4.png)

- Network behavior activities

Even though I found some network activities during the static analysis, they were not as accurate as those provided by any.run.

![](https://i.imgur.com/Ps9l6Fi.png)
![](https://i.imgur.com/lVnnFOZ.png)

The network activities above provide more understanding of what happened during the attack. We have more details about the process that launched the requests, the type of requests, the server contacted and more.

- The strings output was also better parsed and decoded during the dynamic analysis, and thus provided more information, more understanding and an easier investigation.

![](https://i.imgur.com/lkVUJde.png)

For example, the first outlined field deletes the shadow copies of backups on the hard disk by using vssadmin.exe with the `Delete Shadows /All /Quiet` parameters. The second is one of the email addresses used by the attacker. Below, the encoding process shows what an encrypted file looks like.

![](https://i.imgur.com/ceCo9s0.png)

- Dynamic analysis also provided a sample Mitre Att&ck mapping

![](https://i.imgur.com/hj2TFTt.png)

Full report available [here](https://any.run/report/b38b4c1dcf6d6ecd1bbfc236b43c37c18044c2f42f11e5088384f4bd0751929c/adbf1102-94b7-4489-817e-aefc281333cf?_gl=1*11829be*_ga*MjExODM3MDE5NS4xNjUwODg5ODA0*_ga_53KB74YDZR*MTY1MDkxNjQyMC4yLjEuMTY1MDkxNjQ0OC4zMg..&_ga=2.34542437.537082670.1650889809-2118370195.1650889804)

4. Try to describe which method (sandboxing vs. static analysis) is better, and which one is more useful in which case.

Static analysis aims to examine the executable without running it, looking for various information on its functionality. It involves reverse-engineering the malware by loading it into a disassembler and looking at the program instructions.
A sandbox, on the other hand, bundles various tools that at the same time help to:

- Analyze file behavior
- Extract the files produced by the malware being analyzed
- Automate user interaction
- Centrally manage multiple sandbox configurations
- Generate PDF reports organized by section

Taking into account the accuracy of the analysis, the safety and the number of gathered artifacts, it is better to choose a sandboxing environment for analysis, but this requires more time, more resources and higher costs than doing a static analysis.

### Task 4 - Mapping to the MITRE ATT&CK framework

![](https://i.imgur.com/1UDVXIJ.png)

### Bonus - Dynamic Analysis

1. You will be creating your own dynamic malware analysis environment (i.e. Cuckoo).

Using the steps listed [here](https://github.com/ForeGuards/Cuckoo-Installation-Guide/blob/main/installation.txt), I installed and launched the Cuckoo sandbox with all the requirements.

![](https://i.imgur.com/PNdPR2t.png)

2. Try to use some debugger to analyze the malware WHILE IT IS RUNNING; be careful where you run this malware, the debugger that you select must have a remote debugging feature.

![](https://i.imgur.com/OQJWbkM.png)
![](https://i.imgur.com/Zlvu6D1.png)
![](https://i.imgur.com/yn8E4lt.png)
![](https://i.imgur.com/5PBp8ZT.png)
![](https://i.imgur.com/lW8hTVY.png)

5. Try some debugger that will allow you to debug the whole operating system (for example, PyReBox).

7. What kind of benefit does this method have?

____

- https://www.theta432.com/post/malware-analysis-part-1-static-analysis
- https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/