# NTU Malware Reverse HW 2 write up
###### tags: `NTU_MR` `Malware Reverse Engineering and Analysis` `NTU`
[TOC]
## Task 1
Run the ransomware `Dharma` together with Process Monitor, take a screenshot of `Dharma`'s process tree, and analyse and explain the behaviour of each process.

Ans:
* `Conhost.exe`: It is a Microsoft-defined program and is normally legitimate and safe. It exists on `Win7`, `Win8`, and `Win10`. The main function of this PE file is to let the Command Prompt and Windows File Explorer interact with each other; another function is to let users drag a file or folder directly into the command prompt. Most of the time it is a safe file, even when it is running many times at once. However, in some circumstances a virus will disguise itself as a `conhost.exe` file in order to consume massive amounts of memory, or will place its copy in the wrong folder.[1]

* `mode.com`: MODE sets the mode of operation for devices or communications. It can be used to set the mode for printers, monitors, or the serial interface, to prepare and select code pages, and to redirect printer output to the serial interface.[2] In the command shown below, the virus selects code page 1251.[3]

* `vssadmin.exe`: Displays the current volume shadow copy[4] backups and all installed shadow copy writers and providers. It applies to `Win10` and server-type operating systems. As the cited website says, this program will not execute automatically at operating system startup. Programs of this kind are normally malware, such as viruses, `trojan horses`, and spyware.[5]

* `mshta.exe`: It is a Windows executable that starts the Microsoft HTML Application host. It mainly executes `.hta` files and runs scripts in Windows.[6]
* There is a growing trend for attackers to heavily utilise tools that already exist on a system rather than relying entirely on their custom malware. Using `.hta` files, or their partner in crime `mshta.exe`, is an alternative to macro-enabled documents for attacks and has been around for a long time. It is a tool so flexible that it even has its own cell in the `MITRE ATT&CK matrix`.[7]

* `rundll32.exe`: It mainly loads 32-bit `.dll` files and executes the functions they export.[8]

* The `autorun` technique is as follows. The `ransomware` sets a value in the `autorun` registry key so that it is executed automatically when the computer starts. It calls the `RegSetValue` function to register itself under the `autorun` key (see the snapshot below).


## Task 2
Explain what the `T1490: Inhibit System Recovery` technique in `MITRE ATT&CK` is and how to detect and defend against it, and find and screenshot the attack command in the `Dharma` ransomware.
Ans:
* As shown below, it executes a command line that deletes or removes built-in operating system data and turns off the services whose main purpose is to recover a corrupted system. This may deny access to available backups and recovery options.
  Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[9]
  That is, it increases the difficulty of recovering your files with data rescue software or services.
* So, how can it be detected? There are four ways to detect this technique:
  * use process monitoring to monitor process execution and command-line parameters,
  * use the Windows event logs,
  * monitor the status of services involved in system recovery, or
  * monitor the registry for changes associated with system recovery features.
  The mitigation is data backup, or considering technical controls to prevent the disabling of services or the deletion of files involved in system recovery.

## Task 3
Run the ransomware `Sodinokibi` together with Process Monitor and find and screenshot the command that proves the use of the `T1490: Inhibit System Recovery` technique from `MITRE ATT&CK`.
Ans:
* It retrieves the WMI objects of the `Win32_ShadowCopy` class and deletes every one of them, removing the backups just like Dharma does. The only difference is that the command is obfuscated to bypass anti-malware defences.
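An added detection example (my own code, not from the course, MITRE, or the original write-up) that applies the first detection technique from Task 2, command-line monitoring, to constructed Sysmon-style process-creation events. It also base64-decodes PowerShell `-EncodedCommand` payloads so that the obfuscated `Win32_ShadowCopy` deletion used by `Sodinokibi` is caught as well as the plain `vssadmin`/`bcdedit` commands. The sample events and the pattern labels are constructed for illustration.

```python
import base64
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# Illustrative only; not captured from the actual Dharma/Sodinokibi runs.
SAMPLE_EVENTS = [
    {"image": "vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"image": "bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"image": "mode.com", "cmd": "mode con cp select=1251"},
    {"image": "powershell.exe", "cmd": "powershell -enc " + base64.b64encode(
        "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}".encode("utf-16-le")).decode()},
    {"image": "notepad.exe", "cmd": "notepad C:\\Users\\victim\\notes.txt"},
]

# Command-line patterns associated with T1490, matched against lower-cased text.
T1490_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin shadow copy deletion"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadow copy deletion"),
    (r"win32_shadowcopy.*delete", "WMI Win32_ShadowCopy deletion"),
    (r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", "bcdedit disables Windows recovery"),
    (r"bcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures", "bcdedit ignores boot failures"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "wbadmin backup catalog deletion"),
]

def decode_encoded_powershell(cmd):
    """Replace a PowerShell -e/-enc/-EncodedCommand base64 payload with its UTF-16LE plaintext."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not a valid encoded command; keep the raw line for matching
    return cmd[: m.start()] + decoded

def classify(event):
    """Return the labels of all T1490 patterns matched by one process-creation event."""
    text = decode_encoded_powershell(event["cmd"]).lower()
    return [label for pattern, label in T1490_PATTERNS if re.search(pattern, text)]

def find_t1490(events):
    """Return (image, command line, matched labels) for every event that looks like T1490."""
    return [(ev["image"], ev["cmd"], classify(ev)) for ev in events if classify(ev)]

if __name__ == "__main__":
    for image, cmd, labels in find_t1490(SAMPLE_EVENTS):
        print(f"[T1490] {image}: {', '.join(labels)}")
```

In a real deployment the same patterns can be applied to Procmon `Process Create` command lines or Sysmon/Windows event log exports instead of the constructed list.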

## Task 4
Run the ransomware `Sodinokibi` together with Process Monitor and list the `MITRE ATT&CK` techniques it uses in the table below (add rows to the table if needed).
Ans:
* As [10, 11] mention, the techniques that `Sodinokibi` has used are as below. But I could not actually find the events in Process Monitor because of my poor usage skill.
| Technique name | Technique description |
|:--|:--|
| Command and Scripting Interpreter | The macro in the Word document downloads and runs the `Sodinokibi` executable. After execution, it runs the following command using `cmd.exe`. `REvil` has used `PowerShell` to delete volume shadow copies and download files. |
| Inhibit System Recovery | `REvil` can use `vssadmin` to delete volume shadow copies and `bcdedit` to disable recovery features. First, the command runs `vssadmin.exe` to delete all volume shadow copies on the system to prevent recovery. Then it uses `bcdedit.exe` twice to disable automatic Windows recovery features by modifying the boot configuration data. |
| Data Encrypted for Impact | `REvil` can encrypt files on victim systems and demand a ransom to decrypt the files. Like most `ransomware`, `Sodinokibi` encrypts files and adds a random extension such as `test.jpg.1cd8t9ahd5`. |

## Reference
1. Tim Fisher. What is Conhost.exe?. Available from: https://zhtw.eyewated.com/%E4%BB%80%E9%BA%BC%E6%98%AFconhost-exe%EF%BC%9F/.
2. mode.com in Microsoft. Available from: https://home.csulb.edu/~murdock/mode.html.
3. MS-DOS and Windows command line mode command. Available from: https://www.computerhope.com/modehlp.htm.
4. Volume Shadow Copy Service. Available from: https://zh.m.wikipedia.org/wiki/%E7%A3%81%E7%A2%9F%E5%8D%80%E9%99%B0%E5%BD%B1%E8%A4%87%E8%A3%BD%E6%9C%8D%E5%8B%99.
5. vssadmin.exe in Microsoft. Available from: http://startup.filedict.com/vssadmin-vssadmin-exe-8854-8860/.
6. mshta.exe Microsoft (R) HTML Application. Available from: https://win10.support/zh_tw/mshta-exe-microsoft-r-html-%E4%B8%BB%E6%87%89%E7%94%A8%E7%A8%8B%E5%BC%8F/.
7. What Is Mshta, How Can It Be Used and How to Protect Against It. Available from: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/.
8. rundll32: What is Rundll32.exe?. Available from: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjAps7IlYX7AhWqQfUHHbylBOAQFnoECBUQAQ&url=https%3A%2F%2Fwww.easyatm.com.tw%2Fwiki%2Frundll32&usg=AOvVaw2fLPE4XLV2J1RaPX3e0fo4.
9. Inhibit System Recovery. Available from: https://attack.mitre.org/techniques/T1490/.
10. A brief history and further technical analysis of Sodinokibi Ransomware. 2020; Available from: https://www.picussecurity.com/resource/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware.
11. REvil. 2020; Available from: https://attack.mitre.org/software/S0496/.