Malware Investigations

How do you know if an unknown program is evil?

  • Suspicious isn't necessarily malicious

  • Oddly named executables aren't enough, might still be benign

How can you determine indicators?

  • Someone might have reverse engineered it already

  • But not always … and sometimes signatures change

We might see a running process that is suspicious, but whether it is malicious is unknown. For example, an oddly-named process that is not flagged by antivirus. Since suspicious isn't necessarily malicious, you would need to investigate the unknown process.

When investigating malware, two main methods are used:

  • Behavioral analysis, which involves monitoring how the malware interacts with its environment using specialized tools

  • Direct code examination with debuggers and disassemblers.

Online Analysis Sites

Online analysis sites like VirusTotal can quickly check potentially suspicious software by scanning it with multiple antivirus tools.

Hybrid Analysis lets you upload a file and choose a virtual machine (e.g., Windows 10, Windows 11) to observe its behavior.

Practicing Good Hygiene

When investigating malware, always adhere to strict security practices to prevent accidental spread or negative exposure for your organization.

Never investigate malware directly on your primary system due to the risk of it escaping. Ideally, use an air-gapped system and wipe it after each use, though this is often impractical during an incident.

For malware investigation, using a virtual machine with host-only networking is common. Despite this, maintain good security practices on the host, such as enabling firewalls and keeping the system updated. When transferring data, use USB drives for air-gapped systems or folder sharing features in virtualization tools, but only enable these temporarily to minimize risks.

Basic Attributes

PS C:\> Get-FileHash file           # Calculate the SHA256 hash of a file on Windows
PS C:\> strings file                # View ASCII and 16-bit little endian Unicode strings
$ strings file                      # View the ASCII strings on Linux
$ strings -e l file                 # View 16-bit little endian Unicode strings on Linux

One of the first things to do when investigating malware is to calculate a cryptographic hash sum. To calculate a SHA256 hash for a Windows file with PowerShell, you can use this command:

Get-FileHash file

You can also add the argument -Algorithm SHA1 to calculate a SHA1 hash instead. On Linux, the equivalent command is:

sha256sum file

Monitoring the Environment

A common malware investigation strategy is monitoring its interactions with the environment, which is faster and partially automatable compared to code analysis, though it may miss certain details.

The basic strategy for monitoring malware is as follows:

  1. Set up the environment, including configuring monitoring tools (temporarily disable them until ready).

  2. Take a snapshot if using a virtual machine.

  3. Enable monitoring tools and take the first snapshot (if applicable).

  4. Run the malware.

  5. Interact with the malware to understand its behavior.

  6. Use commands like Stop-Process to terminate it if needed.

  7. Disable monitoring tools and take the second snapshot (if using one).

  8. Review the output and compare snapshots if applicable

Snapshot vs. Continuous Recording

Some malware monitoring tools take snapshots of the environment at specific points, allowing comparison before and after the malware runs. Others continuously record the environment, logging activity from when the malware starts to when it's stopped for later analysis.

Continuous reporting tools provide more data than snapshot tools, capturing events like file creation and deletion that snapshots might miss. While they offer greater detail and insight, the large volume of data can also be overwhelming.

Regshot

Regshot is a Windows tool that records snapshots of the registry and file system at two points, highlighting changes such as added, removed, or modified registry keys and files. It's simple to use and provides a clear summary of the differences.

  • Run Regshot as an administrator, check the "Scan dir" box, and add directories to scan for file system changes.

  • Prepare the malware to run, but don’t execute it yet. Set everything up, minimizing system changes to reduce irrelevant data in the comparison. If using a virtual machine, take a VM snapshot.

  • Take the first Regshot snapshot by clicking "1st Shot | Shot."

  • Run the malware and interact with it if needed, then terminate it.

  • Take the second snapshot by clicking "2nd Shot | Shot."

  • Click "Compare" to review the changes between snapshots.

Regshot Output

----------------------------------
Files added: 16
----------------------------------
C:\Users\mike\AppData\Local\Temp\7ZipSfx.000\smss.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.000\otjguv.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.000\bytrea
C:\Users\mike\AppData\Local\Temp\7ZipSfx.001\vsmss.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.001\itjguv.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.001\ooytrea
C:\Users\mike\AppData\Local\Temp\7ZipSfx.002\umss.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.002\stjguv.com
C:\Users\mike\AppData\Local\Temp\7ZipSfx.002\ltrea
C:\Users\mike\AppData\Local\Temp\7ZipSfx.003\yotrol.dat
C:\Windows\Prefetch\B71C43A127DFC1F5906F7C6CA98FF-E6F4D17D.pf
C:\Windows\Prefetch\CERTUTIL.EXE-A864005A.pf
C:\Windows\Prefetch\CMD.EXE-2EB3E6E2.pf
C:\Windows\Prefetch\SMSS.COM-91BE788F.pf
C:\Windows\Prefetch\USMSS.COM-9FB7A7F2.pf
C:\Windows\Prefetch\SMSS.COM-ADB0D755.pf

Here's an example of Regshot output. It shows files created by the malware in C:\Users\mike\AppData\Local\Temp. The .pf files listed are Prefetch files, which weren't created by the malware but were generated as a result of it running. Prefetch files help Windows speed up program startup by tracking memory pages used during launch. From an investigative viewpoint, they reveal when and where a program was last run.

Process Monitor

Process Monitor is a Microsoft tool for real-time monitoring of registry, file system, network, and process activities, including profiling events. You can filter information by toggling activity categories using the five buttons for registry, file system, network, process, and profiling.

When reading Process Monitor output, the Operation, Path, Result, and Detail columns are where information about what the process was doing is displayed.

Under the Tools menu, several options summarize activity categories. The Process Activity Summary provides a count of the registry, file, and network areas used by each process. The Registry Summary shows distinct registry keys accessed and how often. The File Summary does the same for files, and the Network Summary lists visited network addresses. The Profiling Events option summarizes process exits, including execution time, CPU, and memory usage.

One of Process Monitor's more useful summary tools is the Process Tree. You can activate it by clicking Tools -> Process Tree to see visually which processes spawned other processes. What makes this especially nice is that unlike Task Manager, this view will also show processes that are no longer running.

Analyzing Code

Another way to investigate malware is by analyzing its code. IDA Pro is a leading tool for code analysis and reverse engineering, featuring a disassembler, debugger, extensive plugin support, and compatibility with various CPU and memory architectures. It also includes the Hex-Rays Decompiler for converting binaries into readable C-like code.

Lab 1.4: Malware Investigation

Scenario

This lab assumes we're already familiar with the first two parts of the scenario ( Lab 1.2: Network Investigation and Lab 1.3: Memory Investigation) before continuing here.

We know from the previous two labs that a malware named analytics.exe was installed using analyticsinstaller.exe.

Calculate Basic Properties

First let's open a PowerShell prompt with administrative privileges and calculate the MD5 and SHA256 hash sums of AnalyticsInstaller.exe file.

PS C:\Tools\falsimentis> Get-FileHash -Algorithm MD5 AnalyticsInstaller.exe
PS C:\Tools\falsimentis> Get-FileHash -Algorithm SHA256 AnalyticsInstaller.exe

Examine Malware Strings

Let's use Sysinternals' strings utility to find ASCII and Unicode strings of 10+ characters.

PS C:\tools\falsimentis> C:\tools\sysinternals\strings.exe -n 10 .\AnalyticsInstaller.exe

There are some strings worthy of note:

  • First the URL http://www1-google-analytics.com:8088/analytics.exe . In the Network Investigation lab we discovered that the attackers used ports 8090 and 80. Port 8088 is an additional port that we can investigate.

  • The registry key Software\Microsoft\Windows\CurrentVersion\Run is an AutoStart Extensibility Point (ASEP) and is a common method used by malware to persist following a reboot.

  • The cmd.exe /c rd c:\ /s /q command is used to recursively delete files and folders starting at the root of the file system. Since the ransom note mentioned the loss of files, this could be a possible mechanism.

  • The powershell.exe command line has a Base64 encoded command, which is suspicious, especially since this is malware.

  • The cmd.exe /c start /max http://www.midnitemeerkats.com/note will display a copy of the ransom note, similar to what the CEO saw.

Malware authors can easily embed fake strings and hide real ones, so treat string outputs as suggestions.

Examine Registry and File System Changes

Let's examine the changes made by the malware installer using Regshot. Regshot takes snapshots of the registry and file system at two different times and shows the differences between them.

PS C:\tools\falsimentis> c:\tools\regshot\regshot_x64.exe

Regshot shows a configuration screen. It automatically scans the registry and optionally the file system for changes. Check the box labeled "Scan dir1[;dir2;dir3...;dir nn]" and enter "C:" in the field below, and take the first snapshot.

After the first snapshot has finished, let's run the malware file AnalyticsInstaller.exe .

PS C:\tools\falsimentis> .\AnalyticsInstaller.exe

After the malware installer finishes, we'll take the second snapshot.

Once the second snapshot has completed, let's click the Compare button to compare the two snapshots.

After Regshot compares the snapshots, it will open a text file summarizing the changes.

The following entries are noteworthy:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{13C9BAD0-D2BE-47C5-98D6-855F5A2DE223}\URI: "\Analytics Backup"

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{13C9BAD0-D2BE-47C5-98D6-855F5A2DE223}\Description: "Analytics Backup Service"

  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Analytics Client: "C:\Windows\System32\analytics.exe"

  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\File Saver: "cmd.exe /c start /max http://www.midnitemeerkats.com/note"

The first two entries relate to scheduling a task. The third entry runs C:\Windows\System32\analytics.exe at user logon, while the fourth opens a browser window with the ransom note at user logon.

In the Files Added section, the following entries are notable:

  • C:\Windows\Prefetch\ANALYTICSINSTALLER.EXE-E57CE4F0.pf

  • C:\Windows\System32\Tasks\Analytics Backup

  • C:\Windows\SysWOW64\AnalyticsBackup.bat

The first entry is from Windows Prefetch, showing the last run time and directory of a program, useful for timeline correlation. The second entry indicates a new scheduled task, and the third shows a batch file addition, which we can view with the Get-Content cmdlet.

PS C:\tools\falsimentis> Get-Content C:\Windows\SysWOW64\AnalyticsBackup.bat

This matches an earlier output from the strings command and likely indicates the recursive file deletion method used by the Midnite Meerkats.

Examine Process Activity

Let's use Procmon.exe to get detailed insights into the malware installer's actions.

Open Procmon and click the capture button (or press Ctrl+E) to stop capturing.

Next let's a filter for events related to AnalyticsInstaller.exe by clicking Filter -> Filter.

In the Filter dialog, change Architecture to Process Name, enter "AnalyticsInstaller.exe" in the input box, click Add, then click OK.

Now let's discard events that do not match the display.

Next before launching the malware installer, click the Capture icon to enable event capturing.

Now let's run the malware installer.

The error occurs because the scheduled task already exists and can be ignored.

After the malware installer finishes, click the capture icon again to disable event capture.

Examine Process Activity

Use Procmon to examine process activity by clicking the registry, file system, and network filter buttons to disable them. This removes their light blue background, showing only process activity.

Now let's look for process creation. To do this click Edit -> Find.

In the Find dialog, enter "Process Create" and click Find Next.

The first result shows a Process Create event for cmd.exe. Double-click the entry for more details.

The command line seems to launch a PowerShell process.

Even though we did not include cmd.exe in the lter, Procmon still captures process spawn activity in the Process Tree. To see this, close the Event Properties window, then click Tools | Process Tree.

As we can see AnalyticsInstaller.exe launched cmd.exe, which then started powershell.exe.

Remove the Malware Artifacts

Now let's remove the malware artifacts.

Unregister-ScheduledTask -TaskName "Analytics Backup"

Next, remove the malware artifacts in C:\windows\SysWOW64\analytics*

del C:\windows\SysWOW64\analytics*

Next remove the ASEP entries for the Analytics Client and File Saver properties.

Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | Remove-ItemProperty -Name "Analytics Client"
Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | Remove-ItemProperty -Name "File Saver"
Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

Bonus Lab

Examine Network Traffic

Now let's start tcpdump to monitor for DNS requests.

sudo tcpdump -n -i eth0 udp port 53

The tcpdump command is explained as:

  • -n -> don't resolve host name or port numbers

  • -i eth0 -> monitor trac on the interface eth0

  • udp port 53 -> only capture trac destined for UDP port 53

Let's return to our Windows VM, open PowerShell as an administrator, and use Set-DnsClientServerAddress to set the DNS server to 10.10.75.1.

Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses ("10.10.75.1")

This command sets the DNS server address for the network interface named "Ethernet" to 10.10.75.1. When a device on this interface needs to resolve a domain name, it will send DNS queries to the server at 10.10.75.1.

10.10.75.1 is the IP address for the slingshot linux machine.

Next, let's launch the malware installer again.

After the malware installer completes, let's return to our Linux VM and stop tcpdump by pressing CTRL+C.

The output shows a DNS request from our Windows VM to the Linux VM, querying the host www1-google-analytics.com.

Let's configure the environment for the malware by updating the Windows VM's hosts file to redirect www1-google-analytics.com to 10.10.75.1, so we can intercept the request.

Add-Content C:\Windows\System32\drivers\etc\hosts -Value "10.10.75.1 www1-google-analytics.com"

Since the malware's connection type to www1-google-analytics.com is unknown, we need to restart tcpdump to capture all traffic.

sudo tcpdump -n -i eth0

Next let's return to the Windows VM and run the malware installer again.

.\AnalyticsInstaller.exe

Once the malware installer completes, let's return to our Linux VM and stop tcpdump by pressing CTRL+C.

A connection attempt to TCP port 8088 is made, but since no service is listening, a TCP reset is returned.

Let's set up a Netcat listener on TCP port 8088 with the nc command, as the malware installer is trying to connect to this port.

nc -nlvp 8088

The nc command can be summarized as:

  • -n -> don't resolve host names

  • -v -> displays verbose output

  • -l -> listen mode

  • -p 8088 -> listen on port 8088

Next let's switch back to the Windows VM and run the malware installer again.

.\AnalyticsInstaller.exe

Next let's return to the Linux VM and review the Netcat output.

This is an HTTP GET request for /analytics.exe. Let's stop the Netcat listener with CTRL+C and set up an HTTP server for the malware.

We have a copy of analytics.exe file in the current directory, so let's start the HTTP server.

python3 -m http.server 8088

Next let's switch back to the Windows VM and run the malware installer again.

.\AnalyticsInstaller.exe

Now let's go back to our Linux VM.

This indicates that the malware installer is trying to download analytics.exe. To confirm, let's check for analytics.exe in the C:\Windows\SysWOW64 directory on the Windows VM.

dir C:\Windows\SysWOW64\analytics*

When looking at evidence, consider how well it supports one theory and rules out others. Here, we see a normal HTTP GET request that seems to support the idea that malware downloaded the file. But this alone doesn't rule out other possibilities, like the malware using a request to mislead analysts. To be sure, you need more evidence, like network traffic and code analysis, before dismissing other theories.

Lastly, let's delete the DNS server settings for the Ethernet adapter.

Get-NetAdapter Ethernet | Set-DnsClientServerAddress -ResetServerAddresses

Next, let's clean the malware from the system.

Unregister-ScheduledTask -Confirm -TaskName "Analytics Backup" -ea SilentlyContinue
del c:\windows\syswow64\analytics* -ea SilentlyContinue
Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | Remove-ItemProperty -Name "Analytics Client" -ea SilentlyContinue
Get-Item HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | Remove-ItemProperty -Name "File Saver" -ea SilentlyContinue

Last updated