Chapter 14


Examining DNS Entries: to examine whether the malware is trying to communicate with any specific domain name, investigators need to do the following:

1. First, they need to run the suspect file on the forensic workstation (in this case, a Windows forensic workstation).
2. Next, they need to open the command prompt on the workstation and run the command ipconfig /displaydns. This will display all records stored in the DNS cache, which includes all recent and attempted visits to websites, FTP servers, etc.
3. Investigators then should carefully review all DNS records in order to detect any unknown/suspicious domain name.
4. If any suspicious/unknown domain name is found after execution, they can examine it further on websites offering online malware scanning services, such as Hybrid Analysis. This can help them ascertain whether it is really malicious.

Some of the documentation that an investigator should prepare before analyzing any executable file:

1. Full path and location of the file
2. MAC timestamps
3. Information about the system where the file was stored, including the OS version, file system, user accounts, and IP address
4. References to the file within the file system or registry
5. Who found the file and when
6. Details of the forensic investigation tools used

The steps to analyze a suspicious PDF file:

1. Testing the file with PDFiD to review PDF keywords

In the initial step, you need to test the suspect PDF file with the PDFiD tool to look for any malicious components within it. To do this, open a new terminal on the Linux workstation and run the command python pdfid.py '<path to the suspect PDF file>'. The tool will then display the structure of the file, including its contents, such as the header, objects, and any scripts present in it. The analysis of a PDF file named infected.pdf, as depicted in the screenshots below, shows that it contains JavaScript and might execute an action when opened.

2. Finding Suspicious Objects with PDFStreamDumper

In the next step, you can use tools like PDFStreamDumper to learn more about the internal elements of the suspect PDF file, such as the objects, streams, or any obfuscated scripts embedded in it. After opening the file in PDFStreamDumper, you can start reviewing the objects one by one, along with their stream details, to identify any malicious component. The analysis of the fifth object in the infected.pdf file by PDFStreamDumper shows that it contains a JavaScript header, with its data stream starting from the sixth object. Scanning the sixth object for readable strings, as presented in the screenshot below, shows that it uses the util.printf() function, which can display the gathered system data.

3. Scanning the File for Exploits

Now, scan the suspect PDF file for any available exploit using the PDFStreamDumper tool. To do this, select the Exploits_Scan button from the toolbar, which prompts the tool to compare the file against a number of signatures of known PDF exploits and present the output in a Notepad file.

4. Learning about the CVE-ID

Go to the website https://cve.mitre.org and browse the available CVE list to learn more about the CVE IDs found within the suspicious PDF file. Further examination of CVE-2008-2992 reveals a vulnerability in the util.printf() function of PDF readers that can allow attackers to run arbitrary code on the system through a buffer overflow attack.

Monitoring IP Addresses: to determine whether a file suspected to be malware is trying to call out to any remote/malicious IP addresses, investigators need to do the following:

1. They need to run the Wireshark tool on the Windows forensic workstation, which will display all traffic passing over the network.
2. With Wireshark running in the background, they must execute the file suspected to be malware on the workstation.
3. Then, they should monitor the live network traffic to see if there are any suspicious activities.
4. If they come across any remote/unknown IP address that the workstation is trying to connect to, it should be marked as unusual.
5. Finally, they should examine the IP address obtained using online malware scanning tools to determine whether it is malicious.

Online malware scanning

After the hash value of a suspect file has been generated, investigators can compare it against online malware databases to find recognized malicious code. This process simplifies further investigation by offering better insight into the code, its functionality, and other important details.

Event ID 7036 and 7040

Any malicious program might also disable vital Windows protection services, such as Windows Defender, Windows Firewall, or an antivirus solution, to maintain persistence on the target system. Monitoring events 7036 and 7040 enables an investigator to look for any such suspicious activities.

Examining Windows Event Logs

As a forensic investigator, you need to execute the malware on the Windows workstation to determine and analyze the set of Windows events that are triggered by its activities. For demonstration purposes, we executed a malware sample named payload.exe. As a result, multiple event IDs were generated in Windows Event Viewer.

Identifying file dependencies

Any software program depends on various inbuilt libraries of an operating system to perform specific actions in a system. Investigators need to find the libraries and file dependencies, as they contain information about the runtime requirements of an application. File dependencies contain information about the internal system files the program needs to function properly, the registration process, and its location on the machine. Investigators need to check if they can find and examine these files, as they can provide information about malware in a file. File dependencies include linked libraries, functions, and function calls. An investigator should know the various DLLs used to load and run a program, as these may allow them to guess what malware can do upon execution. For instance, programs store the import and export functions in the kernel32.dll file. Investigators should look for DLLs with unusual names, misspelled DLLs, or unusual DLL functions to identify malicious DLLs. Investigators can use tools such as Dependency Walker for this purpose.

Fileless Malware

As the name suggests, this kind of malware does not use any file to infect a system. There are different variants of this malware group. Some might come packaged as device firmware and live in memory, which helps them run even after disk formatting, OS reinstallation, and system reboot. Attackers also use built-in Windows features and authorized applications, such as PowerShell, the command prompt, and Windows Management Instrumentation, to install and execute such malware on any system. Thus, such an attack can easily bypass application whitelisting processes, as it uses only approved applications. The absence of any physical file also enables attackers to evade security programs and continue the attack.

Fileless malware refers to a type of malicious program that generally does not depend on any file to operate. Thus, it can infect computers without leaving any trace, which makes its operations stealthier. This malware resides only in the memory of the system and uses built-in tools on Windows operating systems to perform malicious activities. Consequently, these attacks can easily evade detection by traditional security solutions.

Even though the term suggests the absence of any executable file, this is only partially true. Attackers can deploy fileless malware with an actual file as the initial attack vector. However, it is the techniques used during the execution stage that make it quite different from traditional malware. Fileless malware might leverage exploits to run malicious commands, or launch scripts directly in memory using legitimate tools such as Command Prompt and Windows PowerShell, to load and execute the payload in memory without writing any file to the disk. This helps attackers perform malicious activities while staying off the radar. Some examples of fileless malware include Astaroth, Poweliks, Operation Cobalt Kitty, and Poshspy.

Phishing Email/Malicious Documents

Attackers can also embed malicious macros in the form of a VBA script or JavaScript in a Microsoft Office document (Word, PowerPoint, Excel) or PDF, and use social engineering techniques to get users to run the macros on their systems. Here, the attack initiates with a document or file but transforms into a fileless threat when the malicious scripts are executed directly in memory using whitelisted tools like PowerShell.

Code Execution

Fileless threats use various code execution techniques, as given below:

▪ Code Injection: Fileless threats can make use of various code injection techniques, such as process hollowing and reflective DLL injection, that load the shellcode directly into memory without writing any file to the disk. In process hollowing, a code injection technique used by SOREBRECT ransomware, the malware creates a legitimate process in a suspended state. The malware then extracts the contents of the legitimate process and replaces them with malicious code. When the process resumes, it runs the malicious code disguised as an authorized process. In reflective DLL injection, the malicious code loads a DLL (dynamic-link library) into a running process on the host system. Thus, the DLL is loaded from memory and not from the disk. Fileless threats like EternalBlue use the reflective DLL injection technique to infect computers.

Achieving Objectives

Attackers can leverage fileless threats to bypass security solutions and achieve a variety of objectives, such as data exfiltration, credential stealing, reconnaissance, cyber spying, etc.

Windows Registry

Attackers can store the malicious scripts in the Windows AutoStart registry keys so that they are loaded and executed whenever the machine is restarted.

Monitoring Windows Services

Attackers design malware and other malicious code in such a way that they install and run on a computer in the form of a service. Malware might spawn Windows services that give attackers remote control of the victim machine and allow them to pass malicious instructions, or apply rootkit techniques to manipulate registry keys and avoid detection. As many Windows services run in the background to support processes and applications, the malicious services are invisible even when performing harmful activities on the system and can function without any intervention or input. These malicious services run under the SYSTEM account or other privileged accounts, which provides more access than user accounts. This makes them more dangerous than common malware and executable code. Attackers also try to trick users and investigators alike by giving the malicious services names similar to those of genuine Windows services to avoid detection. Investigators need to trace the malicious services initiated by malware during runtime analysis using tools that can detect changes in services. Investigators can use tools like Windows Service Manager for this purpose.

Social Engineered Clickjacking

Attackers inject malware into legitimate-looking websites to trick users into clicking them. When clicked, the malware embedded in the link executes without the user's knowledge or consent.

Dropper

Attackers need to install the malware program or code on the system to make it run, and a dropper is the program that performs this installation task covertly. The dropper can contain unidentifiable malware code that antivirus scanners cannot detect and can download additional files needed to execute the malware on a target system.

How Fileless Attack Happens via Websites

Attackers often use social engineering techniques to spread fileless infections:

▪ Such fileless threats might arrive via a spam email which contains a link to an exploit-hosting malicious website.
▪ When the user visits that website, the exploit kit starts scanning the machine for vulnerabilities, such as an outdated Flash or Java plugin. The exploit kit might also download Flash or Java onto the user's machine to load the actual payload.
▪ If the Flash plugin is found to be outdated, the exploit loads it on the user's machine, which in turn invokes PowerShell or any other admin tool built into Windows that can pass instructions via the command line.
▪ As a result, the malicious script with the final payload, which typically contains a large command line, is downloaded via PowerShell from the C2 server and executed directly in memory.
▪ The payload can then perform data exfiltration, credential theft, or damage.
▪ Fileless threats can also achieve persistence by creating AutoStart registry entries, depending on the goal of the attacker.

Blackhat Search Engine Optimization (SEO)

Blackhat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, doorway pages, page swapping, and adding unrelated keywords to get a higher search engine ranking for their malware pages.

Components of malware

▪ Crypter
▪ Downloader
▪ Dropper
▪ Exploit
▪ Injector
▪ Packer
▪ Payload
▪ Malicious Code
▪ Blackhat Search Engine Optimization (SEO)
▪ Social Engineered Clickjacking
▪ Malvertising
▪ Compromised Legitimate Websites
▪ Drive-by Downloads
▪ Domain Shadowing
▪ Mouse Hovering
▪ Obfuscator
▪ Fileless Malware

General Rules for Malware Analysis

During malware analysis, investigators should pay greater attention to the key features of the malware and should not try to observe every detail, as malware is dynamic and may change its properties. In difficult and complex sections, investigators should try to gather a general overview. Investigators should try different tools and approaches, as they yield different results in different situations. Even though various tools and techniques have similar functionalities, a different approach or a different angle may provide a different result. As investigators adopt new malware analysis techniques, malware authors and attackers also try to find new evasion techniques to thwart analysis. Investigators must be able to identify, understand, and defeat these evasion techniques.

Windows Management Instrumentation (WMI)

Fileless malware like cryptocurrency miners also abuses WMI, which is commonly used for automating system administration tasks, to achieve and maintain persistence. In this case, attackers store the malicious scripts in the WMI repository, where they are periodically triggered via WMI event bindings.

Script-based

Fileless malware often uses scripts in which the binaries or shellcode are obfuscated and encoded. Such script-based attacks might not be completely fileless. The script often comes embedded in a document sent as an email attachment. Once the document is opened, the embedded script runs in memory, thus turning into a fileless operation. The script then invokes whitelisted applications, such as PowerShell, mshta.exe, JavaScript, WScript, VBScript, etc., to connect to one or more malicious websites to download more scripts to deliver the actual payload. All these operations occur in memory, which makes it difficult for traditional antivirus solutions to detect them. Fileless threats like Kovter and FAREIT use script-based techniques to avoid detection.

Memory Exploits

Fileless malware uses a variety of techniques to load and execute itself directly in memory. Some of them inject malicious code into a legitimate Windows process to avoid detection. Fileless threats also abuse whitelisted tools like Windows Management Instrumentation, PowerShell, Command.exe, PsExec, etc., to take over the memory and privileges of legitimate processes.

How Fileless Attack Happens via Documents

Fileless threats can abuse the scripting capabilities of applications like Adobe Reader and Microsoft Office to launch an attack. In this attack chain:

▪ Attackers embed malicious macros in the form of Visual Basic (VBA) scripts or JavaScript within Microsoft Word/PowerPoint/Excel documents or PDFs. Such malicious documents are often spread as attachments in phishing emails. In some cases, these spam emails also contain a link to download the document.
▪ Once downloaded and opened, the document prompts the user to click the "Enable Editing" and then "Enable Content" buttons.
▪ This enables the macros embedded in the document to run the scripts automatically and invoke Windows utilities like PowerShell to download and execute the actual payload in memory. These scripts, which are interpreted and executed by PowerShell, are typically encrypted and obfuscated, making it difficult for an investigator to detect the main keywords that trigger their execution.
▪ The malware can then create a scheduled task that allows the malicious script to run at regular intervals, thus allowing the payload to exfiltrate data and/or perform other malicious activities on the compromised machine.

Emotet is a type of fileless malware that often works as a downloader or dropper for other banking trojans. It generally spreads via spam emails that contain an attachment, such as a PDF or Office document that includes the malware, or a website link that downloads the malware onto the victim's machine.

Malicious Website

Fileless threats may also arrive from exploit-hosting websites that look like legitimate business pages. When the user visits such a page, the exploit kit starts scanning for vulnerabilities, such as outdated Flash or Java plugins. If successful, it invokes Windows native tools like PowerShell to download and execute the payload directly in memory without writing any files to the disk. Fileless threats coming via websites can also use script-based programs such as PowerShell, macros, JavaScript, VBScript, etc. The initial script might be used for code injection, or to connect to other malicious sites to download more binaries/scripts to deliver the actual payload.

Persistence

In general, fileless malware is not persistent in nature. As it is memory-based, restarting the system would remove the malicious code from the memory and stop the infection.

Observing Runtime Behavior

In this approach, investigators monitor the malicious activities of the specimen as it runs on the system. Observing the malware in a runtime environment enables investigators to see how it interacts with the system and the network in real time, which helps them detect its actual functionality and purpose. Observing the runtime behavior of a malware sample refers to executing the malware on the forensic workstation and observing its operations in real time to understand its intent and functionality. Executing the malware on the forensic workstation enables investigators to observe in real time how the malware unpacks itself, the malicious operations it performs on the registry, system files, and kernel resources, and whether it tries to establish any communication with the external environment, such as the network. This enables investigators to detect and understand the behavioral characteristics of the malware under examination. They can record and gather real-time information on the dynamic behavior of different types of malware samples, which can be very useful in enforcing preventive measures against malicious threats.

Event ID 7045 and 4657

Installation of any new service is generally a planned event. An attacker might try to maintain control over the infected system by creating a persistent malicious service that remains even after the system is rebooted. The attacker can also create a persistent malware mechanism by modifying certain registry keys, which enables him/her to insert the malicious payload into the list of programs that are executed on system reboot, such as Windows startup programs. Hence, if any unexpected service installation or anomalous registry key modification is identified via event IDs 4697 and 4657, it should be considered suspicious and investigated further. Note: On Windows Server 2016 and 2019 operating systems, enabling Security System Extension auditing in Advanced Audit Policy Configuration will generate event ID 4697, which is the same as event 7045.

The most common ways an attacker can send a malware into a system

Instant Messenger Applications: Instant messenger (IM) applications such as ICQ or Yahoo Messenger have a provision for transferring text messages and files.

Internet Relay Chat (IRC): IRC, on the other hand, is a chat service that allows multiple users to connect with each other and exchange data and files over the internet.

Removable Devices: Malware can propagate through corrupted removable media, such as pen drives and CD-ROMs. When a user connects corrupted media devices to a computer system, the malware automatically spreads to the system as well. CDs, DVDs, and USB storage devices such as flash drives or external hard drives come with Autorun support, which triggers certain predetermined actions in a system on connecting these devices. Attackers exploit this feature to run malware along with genuine programs by placing an Autorun.inf file with the malware on a CD/DVD or USB.

Email and Attachments: Invaders adopt a mass mailing technique to send out a large number of email messages, with the malware attached as a file or embedded in the mail itself. When the user opens the email, the embedded malware automatically installs onto the system and starts spreading. On the other hand, malware sent as an attachment requires the user to download and open the attached file for it to become active and corrupt the system. Some email clients such as Outlook Express automatically execute attached files. Invaders also place links to malicious websites in the emails along with enticing messages that lure the victim into clicking the link. Most web clients detect such messages and sort them into the harmful category. If the user clicks on such links, the browser will navigate to a harmful website, which can download the malware onto the system without the user's consent.

Browser and Software Bugs: Users often do not update the software and applications installed on their system. These elements of a system come with various vulnerabilities, which attackers capitalize on to corrupt the system using malware. An outdated web browser may not be able to identify that a user is visiting a malicious site and cannot stop the site from copying or installing programs onto the user's computer. Sometimes, a visit to a malicious site can automatically infect the machine without downloading or executing any program.

Bluetooth and Wireless Networks: Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them. These open networks have software and hardware devices installed at the router level that could capture the network traffic and data packets, and find other account details, including usernames and passwords.

File Downloads: Attackers masquerade malicious files and applications with the icons and names of costly or famous applications. They place these applications on websites and make them freely downloadable to attract victims. Further, they create the websites in such a way that the free program claims to have features such as an address book, access to check several POP3 accounts, and other functions, to attract many users.

Network File Sharing (Using NetBIOS): If users share a common network with open ports, then the malware can propagate from a corrupted system to other systems through shared files and folders.

Monitoring Processes

Investigators should perform process monitoring as it will help them understand the processes initiated and taken over by a malware after execution. They should also observe the child processes, associated handles, loaded libraries, and functions to define the nature of a file or program, gather information about processes running before execution of the malware, and compare them to the processes running after execution. This method will reduce the time taken to analyze the processes and help in easy identification of all processes started by the malware.

File fingerprinting

It examines the evident elements of the binary code, which includes processes at a document level. This process includes the calculation of cryptographic hashes of the binary code to recognize its function and compare it with other binary code and programs from previous scenarios. File fingerprinting is also a data loss prevention method used for identifying and tracking data across a network. The process involves creating shorter text strings for the files called hash values. Unique hash values or fingerprints are developed using various cryptographic algorithms which utilize data such as strings, metadata, size, and other information. These fingerprints help investigators recognize files that are sensitive to tracking and identify similar programs from a database. Fingerprinting does not generally work for certain file types, including encrypted or password-protected files, pictures, audio, and video, which have different content from a predefined fingerprint. The Message-Digest Algorithm 5 (MD5) is the most commonly used hash function for malware analysis. Investigators can use tools such as HashMyFiles to create a fingerprint of the suspect file as a part of static analysis. It is a GUI-based tool that calculates various hash values.

Malvertising

It involves embedding malware-laden advertisements in authentic online advertising channels to spread malware onto the systems of unsuspecting users.

Dynamic analysis

It involves the execution of malware to examine its behavior and impact on system resources and the network. It identifies technical signatures that confirm malicious intent and reveals useful information, such as domain names, file path locations, created registry keys, IP addresses, additional files, installation files, DLLs, and linked files located on the system or network. This type of analysis requires virtual machines and sandboxes to deter the spread of malware. Debuggers such as GDB, OllyDbg, WinDbg, etc., are used to debug malware at the time of its execution to study its behavior. Both techniques (static and dynamic) are recommended to better understand the functionality of malware, but they differ in the tools used, and the time and skills required for performing the analysis.

Static analysis

It is a basic analysis of the binary code and comprehension of the malware that explains its functions. Behavioral analysis or dynamic analysis, by contrast, deals with the study of malware behavior during installation, on execution, and while running. General static scrutiny involves the analysis of malware without executing the code or instructions. The process includes the usage of different tools and techniques to determine the malicious part of the program or file. It also gathers information about malware functionality and collects technical pointers or simple signatures it generates. Such pointers include file names, MD5 checksums or hashes, file types, and file sizes. Disassemblers such as IDA Pro can be used to disassemble the binary file.

Online Malware Scanning

Investigators can scan binary code using online malware analysis tools. If the code under analysis is a component of well-known malware, it may have already been discovered and documented by many anti-virus vendors. The documentation of such malware can provide important information, such as code capabilities and the modus operandi of the attacks it has performed. VirusTotal is one such website which has the above-mentioned capabilities. As a forensic investigator, you can use tools such as Strings, ResourcesExtract, BinText, and Hex Workshop to extract all types of strings from executable files. Ensure that the tool can scan and display both ASCII and Unicode strings. Some tools have the capability to extract all the strings and copy them to a text or document file. Use such tools and copy the strings to a text file for ease of searching for malicious strings.

Exploit

It is a part of the malware that contains code or a sequence of commands to take advantage of a bug or vulnerability in a digital system or device. Attackers use this code to breach the system's security through software vulnerabilities to access information or install malware. Based on the type of vulnerabilities they abuse, exploits fall into different categories, including local exploits and remote exploits.

Payload

It is a part of the malware that performs a desired activity when activated. Payloads have the tendency to delete or modify files, thereby affecting system performance, opening ports, changing settings, etc., as a part of compromising the security.

Malicious Code

It is a piece of code that defines the basic functionality of the malware and comprises commands that result in security breaches. It can take various forms like:

o Java Applets
o ActiveX Controls
o Browser plugins
o Pushed content

Obfuscator

It is a program that conceals the malicious code of a malware via various techniques, making it hard for security mechanisms to detect or remove it.

Injector

It is a program that injects the exploits or malicious code available in the malware into other vulnerable running processes and changes the way of execution to hide or prevent its removal.

Packer

It is software that compresses the malware file to convert the code and data of the malware into an unreadable format. Packers utilize compression techniques to pack the malware.

Downloader

It is a type of Trojan that downloads other malware or malicious code and files from the Internet onto the PC. Usually, attackers install a downloader when they first gain access to a system.

Crypter

It refers to a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. A crypter encrypts the malicious file within a malware package, or the entire malware itself, to avoid detection.

Event ID 4688

Malicious programs often drop an .exe file into the filesystem to compromise a machine. Event ID 4688, which is generated whenever a new process is initiated, can help forensic investigators look for suspicious process names or process paths upon malware execution. Malicious process names are often misspelled, such as "scvhost.exe" instead of "svchost.exe," or "iexplorer.exe" instead of "explorer.exe." Any Windows process running from an unusual path should also be investigated, such as C:\Windows\svchost.exe instead of C:\Windows\System32\svchost.exe.

Process Creation

After malware execution, you need to look for event ID 4688 in Event Viewer, which shows the malicious process name, its path, and the time of execution. Event 4688 is generated on Windows-based machines whenever a new process is initiated. Malicious programs often create new processes or inject themselves into processes already running on the system. Monitoring this event ID after the execution of the malware sample can help determine the processes created by the malware, if any. Note: To track events 4688 and 5156, Process Creation and Windows Filtering Platform Connection auditing should be enabled on the system via Local Security Policy. To do this, type Local Security Policy in the Windows Start Menu search and select Local Policies under Security Settings in the window that appears. Select Audit Policy, go to Audit Process Tracking, configure audit attempts by ticking both Success and Failure, and click OK. Process tracking auditing is now enabled.

Monitoring Port

Malicious programs open system ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks. These open ports can also provide a backdoor for other harmful malware and programs. Investigators can find out if the malware is trying to access a specific port during runtime analysis using a command line utility called netstat. Reviewing open port activity in real time on the forensic workstation can help in understanding the network capabilities of the malware. For example, if the malware calls out to any remote system via port 25, which is the default port for Simple Mail Transfer Protocol (SMTP), it may be trying to establish a connection with an email server. Investigators can also use port monitoring tools that offer details such as the protocol used, local address, remote address, and state of the connection. Additional features may include process name, process ID, remote connection protocol, etc.

Preparing Testbed for Malware Analysis

Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technical trends from a large collection of malware samples. The malware samples are mostly compatible with Windows binary executables. There are different goals behind performing a malware analysis. It is very hazardous to analyze malware on production devices connected to production networks. Therefore, one should always analyze malware samples on a test bed.

Startup Keys

Malware authors also try to place their malicious executable file within the startup directory of the compromised system and create a shortcut entry on the location pointed by the Startup subkey which is set to execute the service automatically on each logon/reboot.

Monitoring Files and Folders

Malware can also modify the system files and folders to save some information on them. Investigators should be able to find the files and folders which a malware creates and analyze them to collect any important information stored in them. These files and folders may also contain hidden program code or malicious strings that the malware will schedule for execution at a specific time.

Monitoring Network Activities

Malware depends on the network for various activities, such as propagation, downloading malicious content, transmitting sensitive files and information, offering remote control to attackers, etc. Some malware groups, such as trojans, worms, and bots, also manipulate the network configuration of the target computer to call out to a specific URL, IP address, or domain name, and wait for further instructions from the attacker. Therefore, investigators should adopt techniques that can detect malware artifacts across networks. For network activity monitoring, investigators can execute the malware on the forensic workstation and monitor the following aspects:
▪ IP addresses going from and connecting to the workstation
▪ Ports being opened on the workstation
▪ List of DNS entries recorded on the workstation
Analyzing the data collected from these areas can help investigators understand the malware's network artifacts, signatures, functions, and other elements. Network analysis is the process of capturing the network traffic and investigating it carefully to determine the malware activity. It helps to find the type of traffic/network packets or data transmitted across the network.

Registry/configuration tools

Malware infects the Windows registry and other configuration variables. These tools help identify the last saved settings

Identifying Packing/Obfuscation Methods

Attackers often use packers to compress, encrypt, or modify a malware executable file. This complicates the task of reverse engineers in finding the actual program logic and other metadata via static analysis. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file and then run the unpacked file. Investigators can use tools like PEiD to find out whether the file contains packed programs or obfuscated code. This tool also displays the type of packer used in packing the program. Additional details displayed by it include the entry point, file offset, EP section, and subsystem used for packing. Identifying the packer eases the task of selecting a tool for unpacking the code.

Compromised Legitimate Websites

Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, the malware secretly installs itself on the user's system and thereafter carries out malicious activities.

Event ID 4660 and 4663

Once executed, malware might attempt to access, modify, or delete files and folders on the compromised system. Investigators, therefore, should monitor event ID 4660, which is generated on the deletion of any object, which can be a kernel, file system, or registry object. As this event ID does not contain the name of the deleted object, investigators need to track event 4663, which confirms whether an access right was actually exercised, along with the name and type of the object, the account name, and the process name that accessed the object. Tracking event ID 4663 is also useful for tracking other access request information, such as ReadAttributes, WriteAttributes, READ_CONTROL, etc.

Event 4660: Object Deletion

Once installed, the malware might attempt to delete files or folders that would trigger event ID 4660 on Event Viewer. The event description in the screenshot below shows the deletion of an object by malicious payload.exe process.

Performing strings search

Software programs include some strings that are commands for performing specific functions. Various existing strings embedded in the compiled binary code can represent the malicious intent of a program, such as reading the internal memory or cookie data. Investigators can search for such embedded strings to draw conclusions about the suspect file. Strings communicate information from the program to its user. Searching through the strings can provide information about the basic functionality of any program. During malware analysis, investigators search for common malicious strings that could indicate harmful actions a program can perform. For instance, if the program accesses a URL, it will have that URL string stored in it. Investigators should be attentive while looking for strings, and also search for embedded and encrypted strings in the suspect file, such as status update strings and error strings.

Investigators can monitor the runtime behavior of the malware in two ways

▪ System Behavior Analysis
▪ Network Behavior Analysis

Windows AutoStart Registry Keys

The AutoStart keys within the Windows registry, which allow programs to be executed automatically upon system reboot or user login, are the most common locations targeted by malware to achieve persistence on any compromised machine.

Finding the portable executables (PE) information

The PE format stores the information required by a Windows system to manage the executable code. The PE stores metadata about the program, which helps in finding additional details of the file, much like the unique number on UNIX systems that is used to find the file type and divide information of the file format. For instance, a Windows binary is in PE format and consists of information such as time of creation and modification, import and export functions, compilation time, DLLs, and linked files, along with strings, menus, and symbols. The Portable Executable (PE) format stores the information required to install and run any executable program on a Windows operating system. The PE format contains a header and sections, which store metadata about the file and code mapping in an OS. Investigators can use the header information to gather additional details of a file or program.

Monitoring Windows Event Logs

The analysis of event logs, which store a detailed record of all the activities performed on the Windows OS based on the auditing policies in effect, can provide forensic investigators with valuable information while looking for signs of a malware attack on a specific system. Event logs can be found in the C:\Windows\System32\winevt\Logs folder in all Windows OS editions and are stored with the .evtx extension. After executing the malware on the Windows forensic workstation, investigators can monitor the events triggered by its activities via Windows' built-in utility Event Viewer. They can examine these events in real time based on specific details, such as event ID, event name, event description, etc., to extract data on how the malware is interacting with the system resources and use them for further analysis.

Key Event IDs to Monitor

While performing runtime analysis, investigators need to look at specific event IDs and correlate the event descriptions to any anomalous activities to understand the behavior of the malware.

Identifying packing or obfuscation methods

The attackers use packing and obfuscation by using jumbled structure or a packer to avoid detection. Investigators should find if the file includes packed elements and locate the tool or method used for packing it.

Log analyzers

The devices under attack record the activities of malware and generate log files. Log analyzers are used to extract log files

Spear Phishing Sites

The technique helps attackers mimic legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.

Analyzing Suspicious MS Office Document

The use of MS Office documents, such as Word documents and PowerPoint presentations, is widespread across organizations. However, attackers often use these documents to install and spread malware. As a forensic investigator, you should be well-acquainted with the structure of a variety of MS Office documents and should be able to analyze a suspect document with the right tools to locate suspicious/malicious elements.

1. Finding Suspicious Components
As the first step, you should analyze the suspect MS Office document with a Python-based tool named oleid to review all components that can be labeled as suspicious/malicious. It is a tool that is used to examine OLE files. To use oleid, run the command oleid '<path to the suspect document>' on the Linux (Ubuntu) workstation. The screenshot below shows that the suspect Word document named infected_doc contains VBA macros.

2. Finding Macro Streams
The next step is to detect the streams within the MS Office document which may contain malicious macros. You can use Python-based tools like oledump to do this. Type python oledump.py '<path to the suspect document>' on the terminal and press Enter. This prompts the tool to show the structure of the suspect document, including all the streams. If any stream within the document contains macros, oledump will place an uppercase M beside it for identification. In this Word document, as depicted in the screenshot below, stream 8 has been identified as storing malicious macro code.

3. Dumping Macro Streams
Now, extract the contents of any particular macro stream with oledump by running the following command: python oledump.py -s <stream number> '<path to the suspect document>'. Here, the argument -s defines the stream number you want to view. The screenshot below shows the macro code stored in stream 8 of the Word document.

4. Identifying Suspicious VBA Keywords
You can now use the olevba tool to view the source code of all VBA macros embedded within the document and identify suspicious VBA keywords and obfuscation methods used by the malware. To use olevba, run the following command: olevba '<path to the suspect document>'. This will help you review the source code of all VBA macros, detect whether the document contains any auto-executable macros or obfuscated strings, and identify any indicators of compromise (IOCs), such as filenames, IP addresses, and URLs. The screenshots below show the analysis of the infected_doc file by olevba, which shows that it contains auto-executable macros that have shellcode and strings obfuscated with Base64 and Dridex. Upon execution, these macros might download malicious files named test.exe and sfjozjero.exe from the internet and store them in the temp directory of the compromised system. The following URLs are identified as IOCs:
o http://germanya.com.ec/logs/test.exe
o http://germanya.com.ec/logs/counter.php

Analyzing Suspicious PDF Document

PDF documents are widely used for personal as well as business purposes. Attackers often use PDF files to hide malicious scripts, which get executed when users try to open them. As a forensic investigator, you must run several scans on a suspicious PDF file using different tools to identify whether it contains any malicious scripts, and extract them to find their impact on the system as well as the network.

Event ID 5156

This event is generated when Windows Filtering Platform allows a connection between a program and another process on the same or any other remote computer via UDP or TCP ports. During dynamic malware analysis, this event ID can be the key to detecting the origin of attack.

Event 4663

This event is triggered at the same time as event 4660. Review this event ID to get more information about the object accessed, modified, or deleted by the malware. In the screenshot below, the event description confirms that the requested access DELETE was performed by the "payload.exe" process. It also shows the deleted object name as "C:\personal folder\worksheet.txt" and the object type as file.

Note: To monitor file and folder deletion via Event Viewer, Object Access auditing should be enabled via the Group Policy Management Editor. Auditing should also be enabled on the specific files and folders that need to be monitored.

Mouse Hovering

This is a relatively new and unique technique used by attackers to infect systems with malware. Attackers send spam emails to target users along with a Microsoft PowerPoint file attachment with a .PPSX or .PPS extension. When the users download and open the malicious file, they unknowingly enable the malware to run on their systems. The malware gets executed automatically by the simple action of users hovering their mouse pointers over any hyperlinked text or photo within the malicious file.

Domain Shadowing

This refers to a technique in which attackers gain access to domain account credentials via phishing and create multiple tiers of subdomains to perform malicious activities, such as redirecting users to landing pages that serve exploits. These subdomains, which direct traffic to malicious servers, are associated with trustworthy domains and do not affect the working of their parent domains in any manner. Besides, subdomains linked to a single domain are rapidly rotated by the attackers, which makes their detection quite difficult.

Drive-by Downloads

This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware merely by having the user visit a web page.

Imaging tool

To get a clean image for forensics and prosecution

Sandbox

To perform dynamic analysis manually

File/data analysis

To perform static analysis of potential malware files

Network capture

To understand how the malware leverages a network

Windows Task Scheduler

Using task scheduler, attackers can set the malicious scripts to be triggered and executed automatically at a chosen time interval.

Identifying and Extracting Malware

When investigators obtain reports of suspicious activity from victims, they must conduct a thorough examination of the suspect systems, networks, and other connected devices to find traces of malware. Malware programs exhibit specific properties, which can help investigators identify them or distinguish them from normal software programs. Investigators can use software and hardware tools as well as online tools and databases to identify the malware. Investigators can use tools such as Balbuzard, Cryptam Malware Document Detection Suite, etc. to extract patterns of investigative interest from malicious files. These tools offer automated scanning of the system for traces of malware for easy identification. Investigators can perform static and dynamic analysis together to identify the intent and capabilities of the malware. Static analysis is the process of looking for known traces and values that indicate the presence of malware. These traces include the presence of malicious code, strings, executables, etc. in the software program. Dynamic analysis uses a different approach, such as observing the behavior of the software program while running it in a controlled environment.

Prominence of Setting Up a Controlled Malware Analysis Lab

Malware Analysis Lab

A controlled malware analysis lab is instrumental in gauging the behavioral pattern of malware, as malware programs are dynamic in nature and will interact with various parts of the system as well as the network when executed. Investigators should create an environment where they can execute the malware without disrupting or corrupting other devices. This requires a laboratory system so that the production environment is safe. The most effective way to set up such a lab involves the use of virtualization software, which enables investigators to host multiple virtual systems running different operating systems on a single computer.

Malware connects with networks and other systems for stealing data, getting instructions from the attacker, or copying itself. Researchers can use multiple interconnected virtual machines on a single physical computer to analyze malware behavior on connected systems and learn about its propagation methods as well as other characteristics. Investigators must take precautions, such as isolating the malware analysis lab from the production network using a firewall, to inhibit malware propagation. One can use removable media, mainly DVDs, to install tools and malware. DVDs mostly support read-only data transfer and prevent malicious software from writing or copying itself onto the DVD. Investigators can also use a write-protected USB key. Using a malware analysis lab also enables investigators to perform screen capturing during analysis. Additionally, it allows them to take snapshots of the laboratory system, which can be used to easily revert to a previous system state.

Analyzing Registry Artifacts

Windows AutoStart Registry Keys

After the malware is executed on a Windows forensic workstation, investigators can examine AutoStart registry locations via tools like RegRipper to see if it follows any persistence mechanism.

Event 7040

Windows protection services, such as Windows Firewall, Windows Defender, or any other antivirus programs, being disabled on their own is a good indicator of malware on the system. To determine whether the malware has disabled any Windows protection services, such as Windows Defender, Windows Firewall, and antivirus programs, you need to monitor event ID 7040, which will show whether any such service has been disabled. In the screenshot below, event ID 7040 shows that the start type of the antivirus service on the virtual machine has changed from auto start to disabled, indicating malicious activity.

Note: Event ID 7040 is generated automatically in Windows Event Viewer. It is logged when changes are observed in the system settings.

Monitoring Registry Artifacts

Windows registry stores OS and program configuration details, such as settings and options. If the malware is a program, the registry stores its functionality. Malware manipulates the registry to ensure that it runs automatically whenever a computer or device boots or a user logs in. Forensic investigators can execute the malware on a Windows forensic workstation and observe how it interacts with the system registry files, particularly the registry keys and values that are created, modified, or deleted by it. Investigators can look into specific registry locations while performing a runtime analysis of the malware to learn more about its functionality. Monitoring AutoStart registry keys can be quite useful as those are the most common locations targeted by malware.

Event 4657: Registry Key Value Modification

You should also review event ID 4657 to detect any changes in the registry made by the malware. The screenshot below depicts the generation of event ID 4657, showing that the malicious "payload.exe" file has changed the value of a registry key to maintain persistence on the compromised virtual machine. The malicious VB script file named "IVYeFjuOcR.vbs" is saved within the Temp directory of the system, and a new value named "nnyxxuTM" is created under the Run registry key, which indicates that the malware would load automatically each time the user logs in.

Note: Auditing for File and Object Access must be enabled locally as well as globally to detect changes in the registry values.

System Behavior Analysis: Monitoring API Calls

Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access operating system information such as file systems, threads, errors, registry, kernel, buttons, mouse pointer, network services, web, and the internet. Malware programs also make use of these APIs to access operating system information. Investigators need to gather the APIs related to malware programs and analyze them to reveal the malware's interaction with the operating system, as well as the activities it has been performing on the system. They can use tools like API Monitor to perform the analysis.

How Fileless Attacks Work via Memory Exploits

Memory exploits allow attackers to remotely execute arbitrary code on target Windows machines. By employing memory code injection techniques, attackers can inject malicious code into the memory of any live Windows process without writing any file to the disk. Thus, threats that occur via memory exploits are completely fileless. The malware can distribute and reinject itself into various Windows processes to evade detection. Such exploits might leverage any vulnerability in Windows operating system components, or arrive via external sources, such as email attachments or websites. As an example of a fileless memory exploit, EternalBlue manipulates the SMB1 protocol in Windows OSs that allows access to and sharing of files on a remote server. EternalBlue enables attackers to compromise an entire network, including all devices running on it. Attackers can then inject malicious code into any running Windows process (usually lsass.exe) to launch further attacks. This exploit has been used by fileless threats like WannaCry and Petya.

Malware Disassembly

Static analysis also includes the disassembly of a given executable binary to study its functionality and features. This process helps investigators find the language used for programming the malware, look for APIs that reveal its function, etc. This process uses debugging and disassembly tools such as OllyDbg and IDA Pro. Disassembling malware is an important part of static malware analysis. In this process, investigators use a range of tools, such as IDA Pro, to analyze the assembly code instructions to understand what the malware is designed to do and the vulnerabilities it might exploit. This enables investigators to formulate solutions aimed at preventing the propagation of malware. Debugging tools like OllyDbg can help investigators review all strings embedded in a PE file and examine the imported functions.

System Behavior Analysis

involves monitoring the changes to operating system resources upon malware execution. System behavior analysis includes monitoring the changes in the following system components after the execution of the malware:
o Monitoring registry artifacts
o Monitoring processes
o Monitoring services and startup folders
o Examining event logs
o Monitoring API calls
o Monitoring device drivers
o Monitoring files and folders

Documentation Before Analysis

involves the process of recording detailed information on the malware analysis. Investigators should be quick in taking a note of the steps they follow, properties of the executable file they are analyzing, study results, and supporting material such as screenshots, etc. Investigators can also take a note of the system status, platform, operating system, and tools used for the process.

Network Behavior Analysis

involves tracking the malware's network-level activities. Network behavior analysis includes the monitoring of the following network properties:
o Monitoring IP addresses
o Looking for connected ports
o Examining the DNS entries
During runtime, malware might interact with various system components, such as the registry, files and folders, Windows processes and services, and device drivers. It might update/delete registry keys or create malicious Windows services/processes to accomplish what it is designed to do. After running the malware, investigators can analyze the changes in the registry, processes, or services by comparing the result with the baseline image and by using various forensic tools. They can also examine the API calls made by the malware and monitor event logs to see the changes to the system properties performed by the malware.

Investigators can use the event description to identify these details

o Name of Application: The name or full path of the malicious executable used to communicate with an external or internal IP
o Direction: Specifies whether the allowed connection is inbound or outbound
o Destination Address: Shows the IP address the connection was received from
o Destination Port: Port number used to start the connection from any remote machine

startup locations are found both at the user level and system level for Windows

o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
o HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup

Dynamic malware analysis

refers to the process of studying the behavior of malware by running it in a monitored environment. The environment design should include tools that can capture every movement of the malware in detail and provide feedback to the investigator. Mostly, virtual systems act as a base for conducting such experiments. Investigators use dynamic analysis to gather valuable information about malware activities, including files and folders created, ports and URLs accessed, called functions and libraries, applications and tools accessed, information transferred, settings modified, and processes and services started by the malware. An investigator should design and set up the environment for performing dynamic analysis in such a way that the malware cannot propagate to the production network, and the testing system can be reverted to a previously saved state in case anything goes wrong during the test.

Monitoring Host Integrity

the process of studying the changes that have taken place across a system or a machine after a series of actions or incidents. This dynamic malware analysis approach involves taking a snapshot of the system before and after the execution of the malicious specimen using the same tools and analyzing the changes to evaluate its impact on the system and its properties.

Challenges faced while performing malware analysis generally pertain to

▪ Accuracy of the analysis process
▪ Detection of malware pieces and traits
▪ Amount of data to be analyzed
▪ Changing technologies and dynamics of malware creation and propagation
▪ Anti-analysis procedures such as encryption, code obfuscation, and deletion of records

Requirements to build a test bed for malware analysis

▪ Allocating a physical system for the analysis lab
▪ Installing virtual machine software (VMware, Hyper-V, etc.) on the system
▪ Installing guest OSs in the virtual machines, such as Windows and Linux (Ubuntu), which serve as forensic workstations
▪ Isolating the system from the network by ensuring that the NIC is in "host only" mode
▪ Simulating internet services using tools such as INetSim
▪ Disabling "shared folders" and "guest isolation"
▪ Installing malware analysis tools
▪ Generating a hash value of each OS and tool
▪ Copying the malware collected from the suspect machines onto the forensic workstations
▪ Keeping virtualization snapshot and re-imaging tools to capture machine state

The procedure for preparing a testbed for dynamic malware analysis is given below

▪ Create a fresh baseline of both Windows and Linux workstations, which should include details of the file system, registry, running processes, event log files, etc.
▪ You can compare this baseline state with the system's state after executing the malware. This will help in understanding the changes the malware has made across the system.
▪ List all device drivers, Windows services, and startup programs.
▪ Install the tools that would be used to capture the changes performed by the malware on the network properties and other system resources, such as the file system, registry, and processes.
▪ Generate hash values of the OSes and tools used.
▪ Run the malware that has been collected from the suspect machines on the forensic workstations and begin the monitoring.

Monitoring Host Integrity

For host integrity monitoring, investigators must take a snapshot of the baseline state of the forensic workstation prior to the malware execution. Upon the establishment of the baseline, which has already been done for the Windows workstation as a part of the pre-execution preparation, investigators need to do the following tasks:
▪ Run the malware on the Windows workstation for a certain period and take a second snapshot of the workstation. Note: For demonstration purposes, we will be executing a malware sample named payload.exe
▪ Compare the second snapshot with the baseline to detect the changes made to the system properties by the malware, such as file systems and registry keys.
Investigators can use tools like WhatChanged Portable that allow the capture and comparison of the system states before and after the malware execution. It scans for modified files and registry entries and lists them in text file format. The tool should run in the background while the malware is running on the workstation to record changes in the file system and registry.

basic objectives behind analyzing a malicious program

▪ Determining what exactly happened
▪ Listing the IoCs for different machines and different malware programs
▪ Determining the intent of the malware
▪ Evaluating the complexity level of an intrusion
▪ Finding signatures for host- and network-based intrusion detection systems
▪ Finding the system vulnerability the malware has exploited
▪ Identifying the extent of damage from an intrusion
▪ Distinguishing between a gate crasher and an insider responsible for the malware entry
▪ Tracing the perpetrator accountable for the malware intrusion

Some of the most common business questions answered by malware analysis are the following:
▪ What is the intention of the malware?
▪ How did it get through?
▪ Who are the perpetrators?
▪ How can it be removed?
▪ What is the extent of loss?
▪ How long has the system been infected?
▪ What is the medium of the malware?
▪ What are the preventive measures?

Investigators must examine areas of the compromised system to find traces of malware installation

▪ Installed programs
▪ Suspicious executables
▪ Auto-starting locations
▪ Scheduled jobs
▪ Services
▪ Modules
▪ Logs
▪ User accounts and login activities
▪ File systems
▪ Registry entries
▪ Application traces
▪ Restore points

Dynamic malware analysis can be performed in two ways

▪ Monitoring Host Integrity
▪ Observing Runtime Behavior

Some commonly used software to simulate real-time systems in a virtual environment

▪ VirtualBox
▪ VMware vSphere Hypervisor
▪ Microsoft Windows Server virtualization
