Scenario

You got a malware sample named stage 1.exe. Your task is to analyze it and uncover its behavior. How do you approach this?

• Static Analysis
  • Manual Reverse Engineering
  • Programming binary analysis
• Dynamic Analysis
  • Network behavioral tracing
  • Run-time system behavioral tracing(File/Process/Thread/Registry)
  • Symbolic Execution
  • Fuzzing

In this scenario, you are going to analyze the given malware with tools that we provide. These tools help you perform static and dynamic analysis. (See the tutorial at the end of this document for how to use them.)

Objective

• Identify the Command and Control (C2) server that the malware connects to.
• Understand how the malware communicates with the C2 server.
  • URL and Payload
• Discover the malicious activities carried out by the malware
  • Attack activities

Tasks

• Make sure that no malware traffic goes out from the virtual machine
  • However, allow updates (stage 2) and Linux payload downloads (stage 3)
• Since the original C2 server is dead, you will need to reconstruct it.
  • Use provided tools to rebuild the server and uncover hidden malware functions
• Analyze:
  • Network traffic on the host, and figure out the list of available commands for the malware
  • Network traffic and program trace of the host, and figure out what malware does
• The questions are in assignment-questionnaire.txt. Read them and write down your answers there.

Secure Experiment Environment

A secure environment is critical for safely analyzing malware. Running malware in an insecure environment (e.g., your base project VM) may lead to serious damage.

• You may not
  • Encrypting your file during a ransomware analysis
  • Infecting machines in your corporate network during a worm analysis
  • Creating a tons of infected bot client in your network during a bot/trojan analysis
• The solution
  • Use a Virtual Machine (VM) and Virtual Network
  • Apply strict network rules to control malware traffic
  • Provide a Windows XP VM as a safe testbed(See tutorials for setup and usage)

Network Behavior Analysis

Tools (all tools for this and later analysis are pre-installed, see tutorials on how to use)

• Wireshark - Network Protocol Analyzer
• Cuckoo - Capturing & Recording inbound/outbound network packets

What you are looking for

• What kind of messages is the malware trying to send?
• Where is it trying to send them?
• What does the message format look like?

Tracing Analysis

• What the malware might do when it gets commands

Tools

• Cuckoo
• Procmon (in ProcessMonitor folder of windows testbed VM)

What you are looking for

• What System calls or APIs does the malware use?
• Does it create, read, or write any files?
• Does it modify registry entries?

CFG Analysis

• How the malware is structured

Tools

• Cuckoo
• CFG tools

What you are looking for

• Which code paths exist, and how different functions and decisions are connected.
• Identify where the malware interprets incoming commands and initiates malicious actions

Symbolic Execution

• What to send from fake C2 server to make the malware react

Tools

• symbolic executor and solver

Workflow

• Instead of feeding real inputs, you use symbolic variables.
• Symbolic execution walks the CFG, collecting constraints at each decision point.
• Finally, it solves these constraints to find a real command string that would drive the malware into executing a target function.

Reconstruct C2 Server

• After CFG analysis + symbolic execution, reconstruct the C2 server
• The tool for reconstructing the C2 server is already on the VM
• It runs nginx and php script
  • This will look like ~/tools/c2-command/stage*-command.txt
  • Your job is to add your commands to the relevant *.txt file
    • The command that leads the execution from 405190 to 40525a is "$insert" (note: the name of the command you see may vary)
    • Then, type "$insert" and save the file.
    • Important: be sure to put the '$' character before your commands, even if stage* - command.txt says that it's optional
    • The order of commands in the file does not matter - they'll run in a random order
      • Note: This means that if you want to run only a particular command, you'll need to remove, or comment out the other commands in your file