Monday, 15 May 2017

Dyre - Malware Analysis

1. Installed a Windows7 machine in a Vmware Workstation in host-only mode.

2. Installed all needed analysis tools (behavioral / File system and registry monitoring)
File system and registry monitoring : ProcDOT
Process monitoring : Process Explorer and Process Hacker
Network monitoring: Wireshark
Change detection: Regshot (dynamic malware analysis tool)
BehavioralAnalysis Tool: CaptureBAT
   : Autoruns
 : RedDiff (To check RegDifference)
 : Sysinternals Tools
 : Notepad++
 : 101Editor
 : MAP Pack  ... Map (Malware analysis pack)

It will install several of this shell extensions MD5 hash / sub-strings / Submit to VT / VT check.

After installing CaptureBAT go to C:\Program Files\Capture and send CaptureBAT.exe to desktop.

Right click on the icon and take properties. Then add the following options in Target :

"C:\Program Files\Capture\CaptureBAT.exe" -c -n -l "C:\Users\W7\Desktop\batlog.txt"
and you can start it before malware execution.

    -c   capture any deleted or modified files
    -n   capture network activity
    -l   save output to a specified location (lowercase L)

3. Download the Malware :
      to virtual machine or transfer it to VM using some other sources.

4.  Unzip Dyre malware in a location. Zip file is comes with password "infected".
     Here this malware is spreading via a PDF file but with an extension .scr (Document-772976_829712.scr). But if you open it in 101Editor you can see that this is an exe file.

    Take a snapshot of the orginal system if you want before executing the malware.

Double click on this .scr file which looks like a PDF will execute the malware. If you want to know / check some details open 101Editor and drag and drop this file to the editor. And just check the
file header and you can see that it's a dos executable file.

HEX : 4D 5A   MZ
And also below we can see its a portable executable PE.

5.  Now we are going to execute the .scr file which will infect the system. Before that execute the CaptureBAT. Also make sure you are not connected to internet.
If you want you can run wireshark to capture network traffic. Run CaptureBAT as admin. You can see the command prompt waiting. Then execute the .scr file and wait for some 10-20sec.

Press ctrl+c to stop CaptureBAT and you can see the log file in the location specified. Analyse the log file for more details. it gives details regarding system behaviour when this malware infected.

You can also analyse the wireshark .pcap file for network related behaviour.
      Here in log file we can see the process which execute the .scr dyre malware.


   here we can see explorer.exe invoked .scr file

15/5/2017 12:53:40.548","file","Write","C:\Users\W7\AppData\Local\googleupdaterr.exe","C:\Program Files\Capture\logs\deleted_files\C\Users\W7\Desktop\Dyre(1)\Original\Document-772976_829712.scr"

here .scr file write some values into googleupdaterr.exe . So inorder to check whether file is infected or not we checked the file hash and we can see file hashes are same and it is infected.

    MD5 For googleupdaterr.exe : c2d73485095efdbd7ab625e469affb11
    MD5 for Document-772976_829712.scr : c2d73485095efdbd7ab625e469affb11

This file we can see as deleted in logs. To get the md5 has go to the CaptureBAT log folder and we can see the deleted file there and get md5 hash.

We can see the MD5 hash for both the files are same. That means the googleupdaterr.exe is updated with the malware.

15/5/2017 12:53:52.45","registry","SetValueKey","C:\Users\W7\AppData\Local\googleupdaterr.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate"

here we can see the googleupdaterr.exe created a registry key. This will make to run the malware as soon as the user logs into the system.

And also see in timestamp whether these data's are written sequentially or not.

IOC's Find in this are :  C:\Users\W7\AppData\Local\googleupdaterr.exe
MD5 Hash               : c2d73485095efdbd7ab625e469affb11
Registery entry      : HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate  

When analysing malware we can't rely on only one tools. Multiple tools we may need to run. We can now check some other tool.

Here we can check this MD5 hash value in some online sites like Virus Total or something we can come to know whether it is malicious or not.

6. Regshot :

      For getting mode idea about regshot just go through :

Here we launch a new vm from the old snapshot that we took earlier. Now launch RegShot Regshot-x86-Unicode.exe

Before infecting machine with malware, take "1st Shot" so you will have details about genuine windows files. After taking 1st Shot infect system with malware.

After infecting system with malware, wait for some time and take "2nd Shot" and after that "Compare" it with first shot.

Then we can see the Keys added / Values added / Values modified. In this also we ca see some noise because while installing exe we get some is normal. It can also scan a directory and check what all changes can happened.

7. Autoruns :

        Execute this tools in a fresh machine and you will get lot of details regarding system process / logon details / services / driver and much more. You will get lot of details in this tool, so better to "hide microsoft entries". This will filter some normal process.

After this execute the malware in the system and monitor the traffic. You can see diff colour's which shows diff levels of trust. If you found anything malicious you can delete the key from the registory.

No comments:

Post a Comment