Category Archives: Malware Analysis

Filtering with Process Monitor

For anyone performing dynamic (live) analysis of malware, an essential tool to have at hand is Windows Sysinternal’s Process Monitor. So why is this a must for malware analysis? The website describes the tool best:
“Proces Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity”
It monitors as much or as little activity as you want. It can be used as a very detailed timeline for malware execution, or set to display the activity associated with a targeted process. Plus, all of the output can be exported out to a file for later viewing, which makes life pretty simple.
With that being said, the output from Process Monitor can be a bit overwhelming (to say the least) if you don’t know how to use it. This is due to the fact that hundreds of events can occur per second, and letting malware run for 10-15 minutes will produce hundreds of thousands of events that are logged. Thankfully PM has a range of filters that can include or exclude data from the output.

Filters to Include:

  • WriteFile/CreateFile: These operations are recommended when doing malware analysis. They include events that write and create files, although, I have a few comments about this (I will mention it in the IRP_MJ_CREATE portion)
  • Process Create/Process Start: These operations will include processes that are created and started during execution
  • RegCreateKey/RegDeleteKey: This operation will include registry keys that are created and/or deleted by a process
  • RegSetInfoKey: This operation (in association with RegCreateKey) is where the value for the registry keys get set (Autorun keys will be created, then the value can be found here to see what malicious process it points to)
  • TCPConnect/TCPReceive: These operations will include any TCP connections that malware may try to start while it’s running
  • Load Image: This operation will show what dll’s are loaded during malware execution

Filters to Exclude:

  • Procmon.exe/Procmon64.exe: These will exclude any events related to Process Monitor
  • Profiling: This is an automatic filter built into Process Monitor. Keeping this excluded takes out a lot of unnecessary noise in the logs.
  • Add filters to exclude any monitoring tools or AV running

Additional Filtering Tips:

  • Go to Tools > Process tree to see the processes that are stemmed from the execution. To filter on these, right-click the parent process and select “Add Process and Children to Include Filter”
  • Filter by Operation contains WriteFile
  • Filter by Path contains <malicious executable> to see where it gets saved
  • Filter by Path contains “\Run” to see any registry edits to the numerous AutoRun keys
With these filters, most of the unwanted noise is taken away, and events related to malware are pinpointed. The best part about this, is that even though events are filtered, if/when you go to export, you have an option to export ALL events, not just the filtered ones. After analysis (after logging is turned off) filtering by process name or PID is helpful for narrowing down what a malicious executable does. There’s also the option for highlighting certain events/processes to help point them out.
All-in-all, Process Monitor is a powerfully overwhelming tool unless you know how to utilize it for all it’s worth. It takes a good amount of time, practice, and experience to narrow down exactly what you want to get out of the logs (it took me about 6 months), but using these filters is a good start for dynamically analyzing malware

MoVP

Volatility (in chemistry) — the property of changing readily from a solid to a vapor
Volatility (in finance) — a measure of price variation over time
Volatility (in technology field) — when memory loses its contents when the device is turned off
Volatility (in computer forensics) — an open source set of forensic tools used to extract artifacts from memory used for incident response and malware analysis
Volatility (in Corrie’s world) — being easily excited and excitable…about the next 4 weeks

This month, Volatility (the forensic kind) is starting the Month of Volatility Plugins (MoVP) where they are releasing new plug-ins every day in anticipation for the new release of Volatility 2.2. According to the blog, “Each plugin will describe a brand new capability exclusive to Volatility that deals with analyzing Windows or Linux RAM dumps for malware infections or compromises.”

Sound pretty neat. They’ve only released three new plugins, and already it looks pretty neat. Take a look!

http://volatility-labs.blogspot.com/2012/09/month-of-volatility-plugins-movp.html

Malicious PDF Triage

Today was the first time I was able to analyze malicious PDFs. I previously knew nothing about how to treat these potential infections, but learned the tactics through research.

Malicious PDFs usually spread through spam emails, depending on uneducated users to open the PDF attachment. The PDFs will generally execute malicious code when opened, exploiting a vulnerability in an outdated version of Adobe Reader or Java to open a backdoor into the system. From there, the infection will call home every so often, waiting for instructions by an attacker.

Therefore, handling these files are a bit different than playing around with a malicious executable or dll. Standard static analysis tools (like PE Explorer, PEiD) do not support PDF files. Uploading the file to VirusTotal also showed no results. Everything I previously had known about static analysis did not apply in this case. Fortunately, there are a series of free tools out there that will help identify what kind of PDF you’re looking at. Disclaimer: Tools used by Didier Stevens can be found here

I started off by using a tool called PDFiD by Didier Stevens. This tool is really helpful in determining the strings within a PDF. It’s a python script, so it has to be run in command line (Python also needs to be installed). In command prompt, navigating to the directory where the script is stored, running “pdfid.py filename.pdf” will give you the output (for Mac python is pre-installed, so the command would be “python pdfid.py filename.pdf“)

The output will look similar to what you see above — the object string on the left and the number of instances it’s found on the right. The objects/strings to pay attention to are boxed in red. The /Page string tells you how many pages the PDF is. *Most malicious PDFs are only one page in length* The /JS and /JavaScript strings will tell you if there’s JavaScript embedded. *In this case, it’s 0, but if there is an instance of JavaScript, this is a red flag and requires further investigation* The /AA and /OpenAction functions are equally as important, because an instance of this would allow the JavaScript within the PDF to execute without user interaction.

Now, lets say there was an instance of JavaScript embedded with the PDF. How do we pull this out? Fortunately, Didier Stevens also has another python tool called PDF-Parser, which will pull apart the objects that make up a PDF file and display them (I would suggest having the output save to a text file for easier viewing. The results can be a bit overwhelming, but if you know what you’re looking for, a simple Control+F in the text file for /JavaScript will make life easier) Running the command “pdf-parser.py filename.pdf > filename.txt” will do this for you. You will then be able to determine what the JavaScript does, and how that relates to the opening of the PDF file.

A tool I found later down the road called PDFScope will combine the functionalities of pdfid and pdf-parser into one GUI that separates results by tabbed functions. It’s pretty nifty and easy to use to quickly get everything you want to know into one place.
Another interesting tool is part of the PDF Toolkit (Pdftk). Using the switch data_dump with the tool will pull all the metadata for the file.

 

The timestamps are represented as yyyymmddhhmmss (so in this case, the file was created on 7/24/2012 at 00:28:27 [12:28:27am]) The PDFID’s are MD5 hash values for the information within the metadata to help identify the data. Also, in this case the Title is different than the Filename — something to keep in mind.

In the case I dealt with today, there was no fun JavaScript or other red flags of a malicious document. The only off-setting qualities was that it was one page in length, and was discovered in a series of spam emails. In this case, this was just a phishing email. It basically said that so-and-so’s email was pulled in an international drawing, the ONLY won $2,000,000, and to claim the prize you needed to send all this information (including copies of passport and license) to a guy in Belgium (he clearly stated he’s in Belgium…email actually came from the Netherlands).

Even though the file was “boring”..it was still a great day learning about all this!