COMP7905A - 2019
• A campus user reported to the University's Incident Response (IR) team that he had noticed abnormal behaviour on his own laptop
• He complained of:
 - Slow system performance
 - Unresponsive mouse clicks
 - Unexpected reboots
 - Programs suddenly closing or starting on their own
• After inspecting the running processes on the laptop, the IR team concluded that this is a malware incident. They identified a file named "iauzzy" and passed it to you for analysis
• We are going to analyse one bot sample over 2 labs
• During the first ½ to ¾ hour of each lab, you will be guided through the use of the tools
• In Lab 1, you are required to perform a behavioral analysis of the sample and answer 5 short questions
• In Lab 2, you are required to perform a code analysis and answer 3 short questions
• Then you have to hand in a full malware analysis report. You may refer to the contents and format provided in the next 2 slides
• The initial triage indicates that this sample is a classic bot. The triage team claimed that the bot can be used to perform DDoS attacks and that it is controlled over IRC rather than through a modern C2 (Command & Control) protocol
Extracted from: SANS Forensics 610 course
• Summary of the analysis
 - An abstract of the analysis results: key observations, recommendations, report date and authors
• Identification
 - The file type, name, size, hashes, known (vendor) names, and the capabilities identified by basic static analysis
• Characteristics
 - The sample's capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker (remote attacker interactions), and so on
• Dependencies
 - Files and network resources the specimen needs in order to function: supported OS versions, required initialization files, custom DLLs, executables, URLs and scripts
• Dynamic and code analysis findings
 - Observations from dynamic analysis, code analysis (static and debugger-assisted), and memory analysis
• Supporting figures and snapshots
 - Logs, screenshots, string excerpts, function listings, flowcharts and other exhibits that support the investigators' analysis
• Incident interpretation and recommendations
 - Indicators for detecting the sample on other systems and networks, and possible prevention steps
• Add any identified IOCs and YARA rules as structured threat intelligence
[Lab network diagram: Windows analysis VM at 192.168.1.100, REMnux at 192.168.1.1]
Restarting any service in REMnux may cause the IP address to reset (if the interface is still on DHCP)
Hint: declare the interface with inet static in /etc/network/interfaces so it keeps 192.168.1.1
• Start the fakedns service in REMnux, so that every name the sample resolves points back at REMnux:
$ fakedns
INetSim's config file: /etc/inetsim/inetsim.conf
REMnux (192.168.1.1) acts as the analysis VM's:
• Default Gateway
• DNS Server
• HTTP/HTTPS
• FTP
• POP3/SMTP
• etc.
Windows analysis VM: 192.168.1.100
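The two REMnux settings the slides point at, written out as an added example (this is not the course's own configuration; the interface name eth0 and the /24 netmask are assumptions). The interfaces stanza pins the address so a service restart cannot change it; the inetsim.conf lines bind INetSim to the lab address, make its DNS answer every name with that address, and enable the services in the diagram above. Note that fakedns and INetSim's DNS module both listen on UDP port 53, so run one or the other, not both; the Windows VM must then use 192.168.1.1 as both its default gateway and its DNS server.

```conf
# /etc/network/interfaces on REMnux (eth0 assumed): keep 192.168.1.1 across
# service restarts instead of taking a fresh DHCP lease
auto eth0
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0

# /etc/inetsim/inetsim.conf: listen on the lab address, resolve every DNS name
# to it, and emulate the services the sample may contact
service_bind_address    192.168.1.1
dns_default_ip          192.168.1.1
start_service dns
start_service http
start_service https
start_service ftp
start_service smtp
start_service pop3
```

After editing, `sudo ifdown eth0 && sudo ifup eth0` applies the static address, and `sudo inetsim` starts the emulated services (stop fakedns first if it is running).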
• If you are using VMware Workstation or VMware Fusion instead of VMware Player, this is a good time to take your first snapshot, saving the current (clean) configuration before further analysis
• Perform the first behavioral analysis run using the following tools:
 - Autoruns
 - Process Explorer (procexp)
 - Process Monitor (procmon)
 - Wireshark
Procexp
Procmon
• Based on the findings of Part 1, we know that a packed binary called qqt.exe was written to disk and then launched by iauzzy.exe
• qqt.exe tried to resolve these DNS names:
 - *****.****.org
 - *******.****.org
 - ***.******.com
• Perform the second behavioral analysis run using the following tools:
 - Autoruns
 - Process Explorer (procexp)
 - Process Monitor (procmon)
 - FakeNet
 - CaptureBAT
 - Wireshark
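The behavioral run above produces two artifacts you will keep returning to while writing the report: a Procmon CSV export (File > Save > CSV) and the DNS traffic captured in Wireshark. The script below is an added example, not part of the lab material: it turns both into the facts the slides state (iauzzy.exe drops and starts qqt.exe, qqt.exe performs DNS lookups) plus the persistence key and C2 port a practitioner would look for, and collapses them into an IOC list for the report's threat-intelligence section. The Procmon rows, the tshark dump (`tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e frame.time_relative -e ip.src -e dns.qry.name`), the PIDs, paths and the .invalid domain names are all constructed; they do not reproduce the masked names on the slide.

```python
"""Triage a Procmon CSV export and a tshark DNS dump into an IOC summary.

Added example for the lab, not course material. All inputs below are
constructed; column layout follows Procmon's CSV export and tshark -T fields.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon export: iauzzy.exe writes qqt.exe, starts it, and qqt.exe
# adds a Run key, does a DNS lookup and connects to the IRC port on REMnux.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","iauzzy.exe","1204","CreateFile","C:\Windows\Temp\qqt.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.2","iauzzy.exe","1204","WriteFile","C:\Windows\Temp\qqt.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.5","iauzzy.exe","1204","Process Create","C:\Windows\Temp\qqt.exe","SUCCESS","PID: 2344, Command line: C:\Windows\Temp\qqt.exe"
"10:01:03.0","qqt.exe","2344","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qqt","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\Windows\Temp\qqt.exe"
"10:01:03.4","qqt.exe","2344","UDP Send","VICTIM:52143 -> 192.168.1.1:53","SUCCESS","Length: 41"
"10:01:03.9","qqt.exe","2344","TCP Connect","VICTIM:52144 -> 192.168.1.1:6667","SUCCESS","Length: 0"
"10:01:04.0","explorer.exe","860","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Type: REG_SZ"
'''

# Constructed tshark field dump: time, source IP, queried name (tab separated).
TSHARK_DNS = (
    "0.412\t192.168.1.100\tirc.bot-c2.invalid\n"
    "0.980\t192.168.1.100\tbackup.bot-c2.invalid\n"
    "1.503\t192.168.1.100\tirc.bot-c2.invalid\n"
    "2.077\t192.168.1.100\tupdate.bot-c2.invalid\n"
)

PERSISTENCE_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")


def triage_procmon(csv_text):
    """Extract process creations, dropped-then-executed files, Run-key writes and sockets."""
    report = {"process_tree": [], "dropped_files": set(), "persistence": [], "network": []}
    written = set()  # paths some process wrote before anything executed them
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, proc, detail = row["Operation"], row["Path"], row["Process Name"], row["Detail"]
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            written.add(path.lower())
        elif op == "Process Create":
            m = CHILD_PID_RE.search(detail)
            child_pid = int(m.group(1)) if m else None
            report["process_tree"].append((proc, int(row["PID"]), path, child_pid))
            if path.lower() in written:  # written to disk, then started: a dropper
                report["dropped_files"].add(path)
        elif op == "RegSetValue" and PERSISTENCE_RE.search(path):
            report["persistence"].append((proc, path, detail))
        elif op in ("TCP Connect", "UDP Send"):
            report["network"].append((proc, op, path.split("->")[-1].strip()))
    return report


def dns_queries(tshark_text):
    """Count the names queried in a tshark dump (frame.time_relative, ip.src, dns.qry.name)."""
    counts = defaultdict(int)
    for line in tshark_text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[2]:
            counts[parts[2].lower()] += 1
    return dict(counts)


def iocs(procmon_report, dns_counts):
    """Flatten both sources into the IOC list for the report's threat-intelligence section."""
    return {
        "files": sorted(procmon_report["dropped_files"]),
        "registry": sorted(path for _, path, _ in procmon_report["persistence"]),
        "domains": sorted(dns_counts),
        "tcp_ports": sorted({dst.rsplit(":", 1)[1]
                             for _, op, dst in procmon_report["network"] if op == "TCP Connect"}),
    }


if __name__ == "__main__":
    rep = triage_procmon(PROCMON_CSV)
    for parent, ppid, child, cpid in rep["process_tree"]:
        print(f"{parent} ({ppid}) started {child} (PID {cpid})")
    for key, value in iocs(rep, dns_queries(TSHARK_DNS)).items():
        print(f"{key}: {value}")
```

On real exports, add a filter on `Result == "SUCCESS"` if you want only what actually happened, and remember that Procmon's "UDP Send" rows show only the resolver's address, which is why the queried names must come from the packet capture.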