
Reverse engineering and malware analysis

COMP7905A - 2019

¡ A campus user reported to the University's Incident Response (IR)
team that he had noticed abnormal behaviour on his own laptop
¡ He complained of
§ Slow user performance
§ Non-responsive mouse clicks
§ Unexpected reboots
§ Programs suddenly closing or starting
¡ After inspecting the running processes on the laptop,
the IR team concluded that it is a malware attack
incident. They identified a file named “iauzzy” and
passed it to you for analysis

¡ We are going to analyze one bot sample over 2 labs.
¡ In the first ½ to ¾ hour of each lab, you will be guided through the tools
¡ In Lab 1, you are required to perform a behavioral analysis on the
sample and answer 5 short questions
¡ In Lab 2, you are required to perform a code analysis and answer 3
short questions.
¡ Then you have to hand in a full malware analysis report. You may
refer to the contents and format provided in the next 2 slides
¡ The initial triage indicates that this sample is a classical bot. They
claimed that the bot can be used to perform DDoS and is controlled by
means of IRC rather than by a modern C2 (Command & Control) channel
Extracted from: SANS Forensics 610 course
¡ Summary of the analysis
§ An abstract of the analysis results, such as key observations, recommendation, report date and authors
¡ Identification
§ The type of file, name, size, hash, known name, basic static analyzed capabilities
¡ Characteristics
§ The sample’s capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker
(remote attacker interactions), and so on.
¡ Dependencies
§ Files and network resources related to the specimen’s functionality, such as supported OS versions and required
initialization files, custom DLLs, executables, URLs and scripts
¡ Dynamic and code analysis findings
§ Dynamic, code-dynamic analysis, static analysis and memory analysis observations
¡ Supporting figures and snapshots
§ Logs, screenshots, string excerpts, function listings, flowcharts and other exhibits that support the investigators'
analysis
¡ Incident interpretation and recommendations
§ Indicators for detecting the sample on other systems and networks, and possible prevention steps

¡ Add any identified IOCs and Yara rules as structured threat intelligence

¡ Unzip the malware from the “Sample” folder
located on the desktop of your VM, using the
password “infected”
¡ Copy the file called “iauzzy” onto your desktop
¡ Perform a basic code check on the malware with
some of the tools mentioned in the lecture. We are
going to inspect the code in a strictly isolated
(offline) environment, therefore you are not allowed
to use tools that require an Internet connection
REMnux IP: 192.168.1.1
$ sudo ifconfig eth0 192.168.1.1 netmask 255.255.255.0

[Diagram: analysis VM 192.168.1.100 connected to REMnux 192.168.1.1]
Restarting any service in REMnux may reset the IP address
Hint: configure the interface as inet static so the address persists

¡ Start fakedns Services in REMnux
$ fakedns

¡ Start iNetSim Services in REMnux
$ sudo inetsim
iNetSim’s config file: /etc/inetsim/inetsim.conf

Add this line to the conf file:

service_bind_address 192.168.1.1
[Diagram: REMnux at 192.168.1.1 acts for the analysis VM (192.168.1.100) as
• Default Gateway
• DNS Server
• HTTP/HTTPS
• FTP
• POP3/SMTP
• etc…]
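The REMnux-side steps above (static address, persistent `inet static` stanza, `service_bind_address` in inetsim.conf) are easy to get half-right: the stock inetsim.conf ships the key commented out, and a second edit leaves two copies. The script below is an added example written for this page, not part of the course material or of REMnux/INetSim; it assumes the lab interface is eth0, that REMnux persists addresses through ifupdown's /etc/network/interfaces, and that INetSim reads /etc/inetsim/inetsim.conf. Without `--apply` it only prints what it would do.

```shell
#!/bin/sh
# Added example (not from the lab handout): render and optionally apply the
# REMnux network setup the slides describe. Assumptions: interface eth0,
# ifupdown-style /etc/network/interfaces, INetSim config at the path below.

REMNUX_IP="192.168.1.1"              # value from the slides
NETMASK="255.255.255.0"
IFACE="eth0"
INETSIM_CONF="/etc/inetsim/inetsim.conf"

# Persistent stanza ("Hint: inet static") so a service restart cannot drop
# the address again.
interfaces_stanza() {
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n' \
        "$IFACE" "$IFACE" "$REMNUX_IP" "$NETMASK"
}

# Set service_bind_address exactly once: replace an existing line, whether
# live or commented out like the stock "#service_bind_address 10.10.10.1",
# and only append when no such line exists. Writes via a temp file so a
# failed sed leaves the original untouched.
patch_inetsim_conf() {
    conf="$1"
    if grep -Eq '^[#[:space:]]*service_bind_address[[:space:]]' "$conf"; then
        sed -E "s|^[#[:space:]]*service_bind_address[[:space:]].*|service_bind_address ${REMNUX_IP}|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'service_bind_address %s\n' "$REMNUX_IP" >> "$conf"
    fi
}

# Returns 0 when exactly one live line binds the services to REMNUX_IP.
check_inetsim_conf() {
    [ "$(grep -c "^service_bind_address[[:space:]]*${REMNUX_IP}\$" "$1")" = "1" ]
}

if [ "$1" = "--apply" ]; then
    # Same effect as the slide's "sudo ifconfig eth0 192.168.1.1 netmask ..."
    ifconfig "$IFACE" "$REMNUX_IP" netmask "$NETMASK"
    interfaces_stanza >> /etc/network/interfaces
    patch_inetsim_conf "$INETSIM_CONF"
    check_inetsim_conf "$INETSIM_CONF" && echo "INetSim will bind to $REMNUX_IP"
    echo "Now start the simulators in separate terminals: fakedns ; sudo inetsim"
else
    echo "Dry run. Interfaces stanza that would be appended:"
    interfaces_stanza
fi
```

Run it as `sudo sh remnux-setup.sh --apply`, then start `fakedns` and `sudo inetsim` as the slides show; `check_inetsim_conf` is the quick test to rerun whenever INetSim appears to answer on the wrong address.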
¡ If you are using VMware Workstation or VMware Fusion instead
of VMware Player, this is a good time to create your first
snapshot to save the current configuration before
further analysis
¡ Perform the first time behavioral analysis by using the
following tools:
§ Autoruns
§ Procexp
§ Procmon
§ Wireshark

Procexp (screenshot)

Procmon (screenshot)
¡ Based on the findings of Part 1, we understand that a packed binary called
qqt.exe was created and kick-started by iauzzy.exe
¡ qqt.exe tried to resolve these DNS names:
§ *****.****.org
§ *******.****.org
§ ***.******.com
¡ Perform the second behavioral analysis using the following tools:
§ Autoruns
§ procexp
§ procmon
§ fakenet
§ capturebat
§ wireshark
