
Offline Deque

[Tutorial] Analyzing Malware by Example Part 5 -- Monitoring
« on: October 09, 2015, 09:46:01 am »
Malware Analysis by Example - Part 5

This time we will analyse a sample dynamically, which means you need the dynamic analysis lab ready for use. If you haven't set it up yet, the setup guide is here: https://evilzone.org/tutorials/malware-lab-setup-for-dynamic-analysis/

First Snapshot

For most malware samples today there is not much to see if you execute them, because they usually don't want to catch the attention of the victim.

You need monitoring tools to gain information by dynamic analysis.

Download Sysinternals Suite
We will be using only a few programs from that suite for this tutorial, but feel free to explore the other tools too. They will come in handy soon.

Download RegShot

Put these tools on your dynamic analysis machine. Then do the following preparation on the analysis machine.

1. Autoruns

  • Rename the file Autoruns.exe to something else.
  • Open it via right-click, Run as Administrator. This is important to see everything; skip this step if you use Windows XP.
  • Agree to the license.
  • Wait for the scan to finish.
  • Once it is finished, you are able to save the scan to your desktop. Do that via File -> Save.
  • Close the program.
2. Process Explorer

  • Rename the file procexp.exe to something else.
  • Open it via right-click, Run as Administrator.
  • Agree to the license.
  • Click on Options -> Difference Highlight Duration...
  • Set the highlight duration to 5 seconds. Click OK.
  • Let the program stay open.
3. Process Monitor

  • Rename the file procmon.exe to something else.
  • Open it via right-click, Run as Administrator.
  • Agree to the license.
  • It will start monitoring right away. Disable monitoring by clicking on the magnifying glass icon.
  • Clear the monitored entries by clicking on the eraser icon.
To avoid drowning in events, you need to set some filters first.
Click on Filter -> Filter... and a new window will open.
Include the following filters for Operation is:

  • WriteFile
  • RegCreateKey
  • RegSetValue
  • RegRenameKey
  • RegDeleteKey
  • RegDeleteValue
  • ProcessCreate
  • ProcessExit
  • TCP Connect
  • UDP Connect

Press OK.
Let the program stay open.

4. RegShot

  • Rename the executable.
  • Open it via right-click, Run as Administrator.
  • Create the first shot and save it to your desktop.
  • Close the program.


5. Command Prompt

Open the command prompt and navigate to your desktop.
Let the command prompt stay open.

Executing the Sample

Now that you have a basic setup for analysis, create a snapshot of your VM and give it a proper name.

Download the sample from here:

sampleexprep4.zip

This is live malware!
Run this sample only in a properly secured dynamic analysis VM!


The password is "infected".

  • Put it on your analysis VM and rename it to sample.exe (or a similar name).
  • Open the filtering options in Process Monitor again and add a filter for the name of the executable: Process Name is sample.exe, then Include.
  • Press OK.
  • Start process monitoring by clicking on the magnifying glass icon.
Now run the sample from the command prompt.
The reason to prefer running it this way is that some samples print output, which you can only see in the command prompt. If you run the sample by double-clicking, you will miss this information.

Keep your eyes on Process Explorer. You should see the process of the sample highlighted in green when it starts. Processes that close are highlighted red.

You should soon see a screen that looks as follows (the screenshot is not reproduced here):

This is in fact a screenlocker or winlocker ransomware.
Your mouse movement will be limited to the small window, and there is no taskbar anymore.
Press Ctrl + Shift + Escape. Task Manager will open and close again, which means this ransomware kills the taskmgr process.

It is time to shut down your VM and set it back to the last snapshot. Put your sample on the analysis machine again and rename it to winlocker.exe. Now prepare a small batch file with the following content:

Code (batch):
rem wait 60 seconds (one ping per second) before doing anything else
ping 127.0.0.1 -n 60
rem forcibly end the locker, then restart Explorer to get desktop and taskbar back
taskkill /f /im winlocker.exe
taskkill /f /im explorer.exe
explorer.exe

The ping command is a way of telling the script to wait for 60 seconds before executing the rest. There are alternative commands for that, e.g. timeout and choice, but not all of them are available on Windows XP. Ping should be available on every Windows machine.
taskkill /f /im winlocker.exe forcibly kills the winlocker.exe process.
The last two lines kill and restart Explorer, so you can use the desktop again.

Execute the batch script first, then execute winlocker.exe and wait for the batch file to kill it.

After winlocker.exe has been killed, you can open the minimized windows of Process Monitor and Process Explorer again.
Stop Process Monitor from monitoring events, so it does not use up too much RAM. Save the event log to the desktop (in case you close the window before you have finished analysing, which happens quite often to me).

Now you can start Autoruns and open RegShot to compare the new scans with the old ones.
In Autoruns click File -> Compare... then navigate to the saved log of the last scan. It will only show the differences from the old log.
In RegShot click 2nd shot to scan the registry again and then Compare.

Analysing the Logs

Try to find the following information on your own by analysing the logs:

  • Where does the ransomware copy itself to?
  • How can it startup after reboot?
  • Which PIN do you need to enter to unlock the screen? (Note: This requires static analysis)
« Last Edit: February 08, 2016, 01:56:16 pm by Deque »
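As an added example (not code from the tutorial or from Deque), a small Python triage script over a Process Monitor CSV export that answers the first two questions automatically: it follows the sample process and the processes it spawns, and pulls out the executables written, the autostart registry values set, and the child processes created. The CSV rows are constructed to mirror the behaviour discussed in this thread, not a real capture.

```python
import csv
import io

# Constructed Procmon CSV export (the default columns of File -> Save... as CSV).
# The paths mirror the ones discussed in this thread; this is not a real capture.
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","winlocker.exe","1337","WriteFile","C:\\System33\\qwerty.exe","SUCCESS","Offset: 0, Length: 45,056"
"10:02:11.2","winlocker.exe","1337","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qwerty","SUCCESS","Type: REG_SZ, Data: C:\\System33\\qwerty.exe"
"10:02:11.3","winlocker.exe","1337","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell","SUCCESS","Type: REG_SZ, Data: C:\\System33\\qwerty.exe"
"10:02:11.4","winlocker.exe","1337","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit","SUCCESS","Type: REG_SZ, Data: C:\\System33\\qwerty.exe,"
"10:02:12.0","winlocker.exe","1337","ProcessCreate","C:\\System33\\qwerty.exe","SUCCESS","PID: 2048"
"10:02:13.0","svchost.exe","800","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Start","SUCCESS","Type: REG_DWORD, Data: 2"
"10:02:15.0","qwerty.exe","2048","ProcessCreate","C:\\Windows\\System32\\taskkill.exe","SUCCESS","PID: 2100"
'''

# Registry locations that make a program start at logon: the three the thread
# identifies for this sample (Run key, Winlogon Shell, Winlogon Userinit), lowercased.
AUTOSTART_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\windows nt\\currentversion\\winlogon\\shell",
    "\\windows nt\\currentversion\\winlogon\\userinit",
)


def triage(csv_text, sample_name="winlocker.exe"):
    """Collect, for the sample and every process it spawns, the executables it
    writes, the autostart values it sets and the children it creates.
    Returns (dropped, autostart, children)."""
    tracked = {sample_name.lower()}          # process names attributed to the sample
    dropped, autostart, children = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() not in tracked:
            continue                          # noise from unrelated processes
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile" and path.lower().endswith(".exe"):
            dropped.append(path)
        elif op in ("RegSetValue", "RegCreateKey") and any(
                key in path.lower() for key in AUTOSTART_KEYS):
            autostart.append((path, row["Detail"]))
        elif op == "ProcessCreate":
            children.append(path)
            # follow the new process too, so the dropped copy's own activity
            # (e.g. killing taskmgr via taskkill) stays attributed to the chain
            tracked.add(path.rsplit("\\", 1)[-1].lower())
    return dropped, autostart, children


if __name__ == "__main__":
    dropped, autostart, children = triage(PROCMON_CSV)
    print("Copies itself to:", *dropped)
    for path, detail in autostart:
        print("Autostart:", path, "->", detail)
    print("Spawned:", *children)
```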

Offline Trevor

Re: Malware Analysis by Example - Part 5
« Reply #1 on: October 09, 2015, 10:49:10 am »
I have not yet run the malware. Everything was found out entirely using static analysis.
So this may be wrong or missing additional information.

Quote
Where does the ransomware copy itself to?
C:\System33\qwerty.exe

Quote
How can it startup after reboot?

1. By creating a startup entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2. Changing the default shell from explorer.exe to itself. This is done by changing the registry key at
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

When Windows starts up, it will start the malware instead of explorer.exe.

3. Changing the userinit registry value at
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.

Userinit is used to run logon scripts when Windows starts up. The malware sets itself up as the userinit application.

Quote
Which PIN do you need to enter to unlock the screen? (Note: This requires static analysis)
081484


Anyways, thanks for the great writeup  :)
« Last Edit: October 09, 2015, 10:53:01 am by Trevor »

Offline Deque

Re: Malware Analysis by Example - Part 5
« Reply #2 on: October 09, 2015, 03:55:19 pm »
Hi Trevor.

This is indeed a very good sample for static analysis too. Well done.

I had to rewrite a part of the tutorial after realizing that killing the malware's process via Task Manager will not work. The malware will kill Task Manager before you have a chance to do that.

But the suggested solution works here and should work for most winlocker samples.
Of course one could also enter the PIN.  :)
« Last Edit: October 09, 2015, 04:03:15 pm by Deque »

Offline Trevor

Re: Malware Analysis by Example - Part 5
« Reply #3 on: October 09, 2015, 05:09:34 pm »
Another alternative method to bypass the minimization of Task Manager is to use a separate desktop.

The malware automatically minimizes any open windows. This is done via the EnumWindows and ShowWindow function combination.
So if we open task manager or for the matter any program, it will automatically minimize it, rendering it unusable.

Now, the interesting point is that EnumWindows will only enumerate windows on the same desktop. Hence if we create a new desktop, we can again run all our favorite tools without them being minimized.  :)

To create a new desktop, we can use the Desktops utility which is included in the Sysinternals suite. We have to run the utility before running the malware. After running the malware, we can switch to a different desktop.

A lot of other annoying malware can similarly be bypassed using this technique.

« Last Edit: October 09, 2015, 05:13:59 pm by Trevor »

Offline Deque

Re: Malware Analysis by Example - Part 5
« Reply #4 on: October 10, 2015, 02:07:58 pm »
That's a good idea to circumvent the screen lock. :D