# NCS Lab 10
## Team
Egor Osokin
Kamil Rizatdinov
Rufina Talalaeva
## Cooperation
Since this task was really hard for us, our team cooperated with the team of **Danil Usmanov**, **Max Kureikin** and **Olga Chernukhina**. It is essential to be mentioned that 5 of us are Mac OS users. To solve this task we decided to install Ubuntu 20, VirtualBox, Cuckoo and all packages on one Windows laptop with enough RAM that we have and use it in turn.
## Task 1 - Preparation
1. **Prepare and install a sandboxing solution Сuckoo.**
We followed the [tutorial](https://utopianknight.com/malware/cuckoo-installation-on-ubuntu-20/) you provided in order to install cuckoo. We replaced the `eth0` network interface with `enp0s2`, as this was the appropriate one.
2. **Use any virtualization environment, better to use the latest version. Oracle VirtualBox is the default choice.**
We installed VirtualBox for this lab.
3. **Create a Virtual Machine (for example, Windows 7 SP1 x64) and set up it with your sandboxing solution. Make sure that VM uses a HOST ONLY network adapter.**
We used the [.ova file of Windows 7 x64](https://drive.google.com/file/d/1ZyYzkHR_F_cqCgdc1C8WemIVhqtQ5wjg/view) that you provided. Thanks a lot!
We forgot to turn on the virtualization on our laptop, that's why got this mistake, but solved it successfully.
After setting up everything together, we finally were able to run sandboxing solutions:
## Task 2 - Let’s get some malware
1. **Download some malware/ransomware from the Internet (for example, TheZoo repo). Please be careful when you run them, THESE ARE REAL MALWARE.**
We decided to use [TheZoo repo](https://github.com/ytisf/theZoo).
3. **Select at least two malware that you want to analyse in the sandbox VM that you prepared in the Task 1.**
We did running of the following ones:
* [Ransomware.Petya](https://github.com/ytisf/theZoo/tree/68817f0afd70dbdc94e81372162e5bfce062c5da/malwares/Binaries/Ransomware.Petya)
* [Ransomware.TeslaCrypt](https://github.com/ytisf/theZoo/tree/68817f0afd70dbdc94e81372162e5bfce062c5da/malwares/Binaries/Ransomware.TeslaCrypt)
* [Ransomware.WannaCry](https://github.com/ytisf/theZoo/tree/68817f0afd70dbdc94e81372162e5bfce062c5da/malwares/Binaries/Ransomware.WannaCry)
## Task 3 - Sandbox Analysis
### Ransomware.Petya
1. **See what kind of traces, artifact, connection does your sandbox VM manage to detect.**
Petya infected result:
Petya report:
P.S. We didn't understand why Cuckoo report showed only 2.4 out of 10 points, what means that there are only signs of malicious behaviour. However we saw what this malware did with the OS, and it's very dangerous.
2. **Try to analyze the behavior of the malware, and then try to write about what the malware does and what is the goal of the malware.**
We can understand from the running proccess that Petya causes the operating system to trigger a Bluescreen of Death stopping any process at that point and shutting the operating system down.
Once the system has been shut down and restarted the ransomware encrypts the Master Boot Record and we see this red screen with the request to purchase the key in the darknet to get the encypted files back.
3. **Does the malware have some sandbox detection? If yes, try to defeat/detect the techniques that are used for that.**
Petya does not have any sandbox detection, because it ran till the end successfully.
4. **Try to use other online tools (for example, any.run , hybrid analysis, ...), figure out if these online platforms will manage to detect more artifacts than what you have found.**
We performed hybrid analysis. [Here](https://tinyurl.com/y3fy2v7e) you can find a report.
Here we can see that a lot of Anti-Virus systems have detected that it is really dangerous malware.
Here we can see the techniques that have been used to detect the malware.
On this screen we can see what this malware does with the computer. We can see that it interacts and writes to the primary disk partition.
### TeslaCrypt
1. **See what kind of traces, artifact, connection does your sandbox VM manage to detect.**
TeslaCrypt running proccess:
Script running:
Restart of the operating system:
We can see that everything is okay and no files are corrupted:
Cuckoo didn't produce any reports, so we used:
Report forced generation using `cuckoo process cuckoo1` (report generation started at 23:50 and ended in 00:27):
Despite of no suspicious behavior was mentioned by us, the Cuckoo report assessed the malware as dangerous one - `6/10 points`:
* We can see basic information:
* Connection with Tor Hidden Services, Stopping the Firewall,injected processes and etc.
* Analyzer Log
* suspicious strings=> we can conduct that this is file encryption and demanding the money.
* From network analysis we did not find anything suspicious:
* inject exes
In addition, we had problems with memory lack:( :
2. **Try to analyze the behavior of the malware, and then try to write about what the malware does and what is the goal of the malware.**
We wasn't able to see the consequences of the malware, so for this question we used [this](https://easychair.org/publications/open/l6hl) link.
The goal of the malware is to encrypt user's files on the hard disk. It has the following process:
1. Encrypt files (some, or all)
2. Change their extensions to an unknown one
So, as your files are encrypted, you lost your personal information. Then, after your first opening of a CWD utility, the randomware prints the BTC address to which you should deposit your money. Or, it places a `.txt` file with that address
4. **Does the malware have some sandbox detection? If yes, try to defeat/detect the techniques that are used for that.**
As far as we saw, it has the sandbox detection. The core damage of the malware is file encrypting. In example videos like [this](https://www.youtube.com/watch?v=j3_BuduZKcI), all files were encrypted after the running. However, after submitting the ransomware binary to the cuckoo, and a restart of the VM, we didn't find any encrypted files. Out theory – it detected the fact of sandboxing, and didn't perform any actions. As for the defeating, we didn't come up with any ideas and switched to another virus.
5. **Try to use other online tools (for example, any.run , hybrid analysis, ...), figure out if these online platforms will manage to detect more artifacts than what you have found.**
We performed hybrid analysis. [Here](https://tinyurl.com/y3cffso8) you can find a report.
Here we can see the techniques that have been used to detect the malware:
On this screen we can see what this malware does with the computer. We can see that it deletes volume snapshots, contacts Tor hidden services and modifies auto-execute functionality by modifying values in regystry, as well as writes data to remote processes.
### WannaCry
1. **See what kind of traces, artifact, connection does your sandbox VM manage to detect.**
Running WannaCry:
Result of WannaCry:
Cuckoo report:
* Basic info, signs of malicious behaviour and again low score - `3.8/10`:
* Communicating to hosts that in future are marked as dead:
* Import of libraries:
2. **Try to analyze the behavior of the malware, and then try to write about what the malware does and what is the goal of the malware.**
As it prints out, the malware encypted files on our VM, and showed it directly to us changing the background image. So, it's a ransomware which encrypts the files, and waits for the money in order to provide user with decryption tool.
As we found out in the [report](https://easychair.org/publications/open/l6hl), it also encrypts the canary files.
3. **Does the malware have some sandbox detection? If yes, try to defeat/detect the techniques that are used for that.**
As can be seen on the screenshots, the malware wasn't able to detect the sandboxing, and encrypted files on our VM.
5. **Try to use other online tools (for example, any.run , hybrid analysis, ...), figure out if these online platforms will manage to detect more artifacts than what you have found.**
We performed hybrid analysis. [Here](https://tinyurl.com/y5789nrq) you can find a report.
Here we can see the techniques that have been used to detect the malware:
On this screen we can see what this malware does with the computer. We can see that it deletes volume snapshots and disables startup repair, as well as writes data to remote processes.
## Task 4 - Static Analysis
1. **Use any tool for static analysis of your selected malware (for example, Ghidra, IDA, Binary Ninja, Hopper, Radare2, ...).**
For this task, we used the following online tools
* [https://manalyzer.org/](https://manalyzer.org/)
* [Hidrid analysis](https://www.hybrid-analysis.com/)
2. **Try to see if there are some artifacts that dynamic analysis did not manage to find, for example a peace of code that did not run inside the sandbox VM.**
As an example, I tool the Petya ransomware from [here](https://github.com/ytisf/theZoo/blob/master/malwares/Binaries/Ransomware.Petya/)
#### Manalyzer
For whatever reasons, the web-site concluded it is a PDF. Hovewer, report from VirusTotal clearly stays it is Petya.
Interesting thing – we can find the all the third-party functions which are used by Petya
#### Hybrid Analyzer
Again, this analyzer rates the file as 100/100 threat score. Consequently, it definetely has some malware database
### Ghidra
Static analysis by hand is very hard for us, because Petya's size is too big. We found some system calls, but not many. We find the [way](https://github.com/55-AA/fetch_syscalls) to automate this, but wasn't succeded in the installation step.
4. **Try to describe which method is better (Sandboxing V.S. Static analysis) is better, and which one is more useful in which case.**
Each method fits different requirements, and the final choice should depend on the environment a lot. Let's elaborate on some Pros/Cons of both, which we found out during this lab
* Sandboxing
* **Pros**: We can see the malware impact in the real time. So, we have an opportunity to analyze the memory and filesystem dump of the machine before it, and after.
* **Cons**: Hardware and knowledge requirements. Hard to set up and be sure it works. If sandboxing isn't properly configured, the malware possibly can get over to the host machine
* Static
* **Pros**: easy if using web-sites. Using them, it can be done in a few clicks. Also, we don't need to run the malware, so no damage will be done by our actions. If we analyze using Ghidra, we can find the functions which were not executed during the dynamic analysis, so we study the virus in details
* **Cons**: hard if meant to be done by hands. Really. Analysis of some virus Ghidra requires a great level of education and knowledge. If we use web-sites, the number of details in the report is highly depends on the particular tool, and it's out of our control.
Google Drive
Gist
Clipboard
Sign in with Wallet
