With Some Work, You Can Also Restore A Physical System To The Desired State

© SANS Institute 2018
With some work, you can also restore a physical system to the
desired state.
• You can clone a clean partition using tools such as Clonezilla,

FOG, and dd.
Ł Store the clean copy away from the system you're infecting.
Ł At the end of the analysis, restore the infected partition with the clean copy at the
end of the analysis.
• Alternatively, you can restore the clean image over the network
via PXE booting.
• This method isn't quite as convenient as snapshots, but might be
necessary for handling some forms of malware.
FOR610 | REVERSE-ENGINEERING MALWARE 29
If you are using physical rather than virtualized systems for your lab, your options for saving and
restoring the state of the laboratory system are different.
Disk cloning software, such as Clonezilla (http://clonezilla.org), FOG (https://www.fogproject.org) and

dd (part of most Linux systems), enables the analyst to save the laboratory system's hard disk image and
then reapply it after completing the analysis. Cloning large partitions using this method may be time-
consuming. However, although not as convenient as clicking a button to revert the system's state, it is a
time-tested and reliable method.
Internet Storm Center published the following tip from Tyler Hudak describing a free tool called ddp (dd-
delta-patch), which he used to create a patch from an existing dd image and then re-apply it when he
wanted to restore a specific configuration. (See https://isc.sans.edu/diary/4147.)
Another option is to revert the disk's contents to a known state over the network, perhaps with the help of
PXE booting. (See https://en.wikipedia.org/wiki/Preboot_Execution_Environment.)
Restoring the physical system's state isn't as convenient as employing virtualization software snapshots.
However, you might need to have a physical system at hand for dealing with some forms of malware that
refuse to run in a virtualized environment.

© 2018 Lenny Zeltser 29

Software tools could offer basic "snapshots" to physical systems.
• Such software saves the state of the system and enables you to
roll back to that state.
• Commercial options for accomplishing this include Deep Freeze
and RollBack Rx.
• This approach is generally not as practical for malware analysts
as virtualization-based snapshots or partition cloning.
Another way to "snapshot" the state of a physical laboratory system involves the use of software you
would install on your Windows host, such as the commercial products listed on this slide.
Such software replicates the snapshot functionality that's available in virtualization tools, though is
generally reliable. The isolation provided by these products may be bypassed, perhaps by terminating or
modifying their processes running on the infecting system, or by targeting the aspect of the system that
the tool doesn't correctly restore. The advantage of such software, though, is that you could install it on a
physical system.
Commercial software options for taking such "snapshots" of a physical host include Deep Freeze
(http://www.faronics.com/products/deep-freeze) and RollBack Rx (http://horizondatasys.com).

30 © 2018 Lenny Zeltser

The lab should include tools that can examine the specimen
statically and dynamically from several vantage points.
• Static properties analysis: PeStudio, strings, CFF Explorer,

peframe, Detect It Easy, HxD, and others.
• Behavioral analysis: Process Hacker, Process Monitor,
RegShot, Wireshark, fakedns, TcpLogView, and others.
• Code analysis: IDA, x64dbg/x32dbg, OllyDumpEx, jmp2it,
Scylla, and others.
These and other useful tools are already installed in your virtual machines.
We'll use many handy tools throughout this course to examine malicious software. Some of them are
listed on this slide. They can be used for performing tasks related to static properties analysis, behavioral
analysis, and code analysis of malware. These and other useful tools are already installed on your
Windows REM Workstation and REMnux virtual machines.


Confirm that your lab has been set up for this course.
• Make sure you've completed Exercises 0.1 and 0.2 in the

Workbook to accommodate future exercises.
• Your Windows REM Workstation and REMnux virtual
machine have been imported and set up.
• The two VMs should communicate with each other over
the host-only network, isolated from other networks.
The lab should be isolated, controlled, and preconfigured to

support analysis tasks.
Before proceeding with the course, confirm that you completed Exercises 0.1 and 0.2 from your
Workbook. At this point, your Windows REM Workstation and REMnux virtual machines should be set
up. You should have also confirmed that the VMware host-only networking enables the two VMs to
communicate with each other while isolating them from other networks.
Remember to take a snapshot of each virtual machine after you've set it up. This way, you can easily
revert to a pristine state at the end of each exercise or experiment.


Course Roadmap MALWARE ANALYSIS FUNDAMENTALS
• FOR610.1: Malware Analysis 1. Introduction to Malware Analysis

Fundamentals 2. Malware Analysis Lab
• FOR610.2: Reversing 3. Static Properties Analysis
Malicious Code 4. Code Analysis Essentials
• FOR610.3: Malicious Web and 5. Behavioral Analysis Essentials
Document Files
6. Interactive Behavioral Analysis
• FOR610.4: In-Depth Malware
Analysis
• FOR610.5: Examining Self-
Defending Malware
• FOR610.6: Malware Analysis
Tournament
We're in Section 1, Malware Analysis Fundamentals, of the FOR610 course. Our next module is titled
Static Properties Analysis.


Static Properties
Analysis
If you're analyzing a suspicious file in your lab, a good starting point is often to examine static properties
of the specimen. This module explains what attributes you might want to study and what tools can assist
you with this process. Your objective at this stage is often to assess the chances that the file is malicious
and start devising plans for taking a closer look at it in subsequent stages.


Consider the following security incident in an enterprise setting.
• A system is misbehaving: Sudden

reboots, slow performance, etc.
• Unfamiliar process brbbot.exe is
running from %AppData%.
• You acquire a copy of the brbbot.exe
file for examination in your lab.
How would you proceed with the analysis?
Consider the following scenario, which we use as the basis for the upcoming discussion:
A user in your organization reports that her desktop is misbehaving in the manner outlined in this slide.
Your initial assessment reveals an unfamiliar process named brbbot.exe running on the user's workstation
from the %AppData% folder.
In case you're wondering, %AppData% is an environment variable on Windows that typically points to a
directory in the user's profile, such as C:\Users\REM\AppData\Roaming. This location is designed for
storing "user-specific files that applications install" according to Microsoft's article at
https://technet.microsoft.com/en-us/library/cc962614.aspx.
In this case, your antivirus tool didn't recognize this program as malware. You acquire a copy of
brbbot.exe, bring it into your lab, and begin examining this specimen. How would you begin investigating
such a malicious program?


Prepare for upcoming experiments in your lab.
• Start your Windows and Linux VMs. EXERCISE 1.1
• Extract the brbbot.exe specimen from brbbot.zip:

Ł The file is in ~/malware/day1 on Linux VM.
Ł The file is in Malware\day1 on Windows VM.
• Place the brbbot.exe file in the %AppData% folder
(C:\Users\REM\AppData\Roaming) on the Windows VM.
• Create a shortcut to brbbot.exe on the Windows VM's desktop.
The password for malware archives in this course is the word malware.
To prepare for the upcoming labs and exercises, start your Windows REM Workstation and REMnux
virtual machines if they're not already running. As a reminder, make sure you've taken snapshots of these
VMs in their pristine states before proceeding.
On the Windows VM, extract brbbot.exe from brbbot.zip, which is located in the day1 folder in your
malware archive. The archive is on your FOR610 USB key and in the Malware folder on the desktop of
your Windows REM Workstation. It's also in the ~/malware directory on your REMnux virtual machine.
The password for the zip file—and the other zip files that contain malware in this course—is the word
malware. Place brbbot.exe in the %AppData% folder on your Windows REM Workstation VM. This is
the place where the specimen was located when it was first discovered. On your system, the path to that
location is C:\Users\REM\AppData\Roaming.
Create a shortcut to %AppData%\brbbot.exe, placing the shortcut on the desktop of the Windows VM.
On the REMnux VM, extract brbbot.exe from brbbot.zip, which is located in the ~/malware/day1
directory. To do this, switch to that directory (cd ~/malware/day1) and unzip the file (unzip brbbot.zip).
The archive's password is the word malware. Keep brbbot.exe in the ~/malware/day1 directory.
These steps correspond to the beginning of Exercise 1.1. This course book will continue outlining the
steps that comprise this exercise in the upcoming pages. For more detailed guidance for this and other
exercises, you are welcome to turn to the Workbook.


Modify the shortcut's properties to execute the specimen as
administrator, so it has full privileges on the system.
• Right-click the shortcut.

• Select Properties.
• Click Advanced.
• Enable Run as administrator.
• Click OK.
This will allow the specimen to achieve its

full potential when infecting the system.
On Windows REM Workstation, modify the shortcut you created for brbbot.exe to run the malicious
program with full administrator privileges. To do this, right-click the shortcut's icon, select Properties,
click Advanced, and enable the Run as administrator checkbox. Then click OK.
On modern Windows operating systems, even if the user is logged with an account that has administrator
privileges, programs don't actually run with full admin rights by default. To ensure that the program runs
with such privileges, the person can right-click the program and select Run as administrator. Depending
on the system's configuration, doing this might also present the user with the User Access Control (UAC)
prompt to acknowledge the action.
When running malware in the lab, you typically want to determine what is the worst that the specimen
can do, giving it the opportunity to reach its full malicious potential. This is why this exercise asks you to
create a shortcut that makes it convenient for you to infect the laboratory system while allowing the
malicious program to run with administrator rights.
This approach helps make sure that the specimen will be able to interact with all aspects of the infected
host, allowing it to achieve its full malicious potential. However, sometimes it is also useful to run the
specimen with normal, nonadministrative privileges to observe its behavior—for instance, if mimicking a
particular scenario of a production system in your organization.
After you've completed these steps, hold on. We're not ready to infect the system just yet.


Refer to the Workbook for extra guidance for exercises.
• The Workbook provides step-by-step

instructions for exercises.
• You can generally use the course
books without the Workbook.
• Refer to the Workbook if you require
detailed exercise guidance.
• The Workbook is especially useful for
reviewing exercises outside a live
classroom.
Your FOR610 materials include the course books, such as the one you are reading now, as well as a
single Workbook. The Workbook provides detailed, step-by-step instructions for performing almost every
exercise in the course. The course books also provide the instructions, but with fewer details. Depending
on how much guidance you want to receive, you can use course books or the Workbook when performing
these exercises. When reviewing course materials outside a live session, you may find the extra details in
the Workbook especially useful.


Look at static properties of the suspicious file for an initial
assessment of its nature and to consider future steps.
• File and section hashes

• Packer identification Start determining, as part of triage:
• Embedded resources • Is it malware?
• Imports and exports • How bad is it?
• Crypto references • How to detect it?
• How to analyze it?
• Digital certificates
• "Interesting" strings
Prior to deciding whether to examine the malicious (or suspicious) program using behavioral or code
analysis techniques, consider performing an initial assessment of the file by examining its static
properties. You might find that the file isn't malicious, perhaps because it possesses a hash that belongs to
a trusted program; or you might discover, based on other static properties (sometimes called metadata),
that you or somebody else already examined this program earlier. Furthermore, static properties analysis
can help you determine where to focus your subsequent analysis efforts. It's a useful first step as part of
the triage effort.
Static properties of a Windows executable include the items listed on this slide. We will examine some of
these properties in the following slides by using brbbot.exe as the example.


Looking at the embedded strings—for instance, using pestr on
REMnux—can help assess the nature of the file.
Alternatively, you could've run the strings -a

command twice: once for ASCII and again with
--encoding=l for Unicode strings.
A common first step in examining a suspicious file involves looking at the strings embedded in it. This
examination may reveal filenames, hostnames, or registry keys that the program may attempt to access
and can help focus subsequent steps of the investigation. Of course, we cannot trust all the strings
embedded into the program because they might have been embedded there to throw us off.
A convenient way to accomplish is to use the pestr tool on REMnux. This utility, designed for extracting
strings from Windows executable files, automatically obtains both ASCII and Unicode-encoded strings in
one shot. Alternatively, you could use the well-known strings tool, present on most Linux distributions.
By default, strings extracts only ASCII-encoded strings. You can tell the tool to extract Unicode strings
by specifying the --encoding=-l (that's a lowercase L) parameter.
If using strings to examine a compiled executable file, consider specifying the -a parameter to obtain as
much information as possible. The -a parameter tells strings to scan the whole file, rather than solely the
"initialized and loaded sections of object files."
Use your REMnux VM to look at the strings in brbbot.exe. You can begin formulating some theories
about this specimen’s characteristics based on the strings you discover. For instance, brbconfig.tmp looks
like the name of a potentially interesting file. The string that ends with \CurrentVersion\Run could be a
reference to the registry key that malware might use to ensure persistent presence on the infected host.
The string %s?i=%s&c=%s&p=%s resembles a URL pattern, which you might be able to use when
examining network traffic associated with this specimen. The strings exec, file, and so on look like
actions that this malware might be able to take.
The pestr utility is a part of the Pev toolkit, which includes

severaltools for statically
examining
Windows executable files. For more information about Pev, take a look at
http://sourceforge.net/projects/pev. By the way, pestr supports the convenient --net parameter, which
extracts only those strings that look like network-related details such as hostnames and IP addresses. In
the case of brbbot.exe, the tool doesn't locate any such strings.

BinText provides an interactive and flexible GUI for examining
embedded strings on Windows.
For a Windows command-

line tool, try strings2.
Another way to examine ASCII and Unicode-encoded strings on a file is to use the GUI tool BinText,
available free from http://www.mcafee.com/us/downloads/free-tools/bintext.aspx. This Windows tool is
installed on your Windows REM Workstation.
BinText's Filter tab enables you to configure parameters such as what characters the tool considers as
belonging to a string, as well as the minimum number of characters the tool considers as belonging to a
string. The default minimum text length value is 5. You can decrease it to find shorter strings.
As an alternative method for extracting strings on a Windows system, try the powerful command-line tool
strings2. It's installed on your Windows REM Workstation and is available for free from http://split-
code.com/strings2.html. For this tool to work properly, you need to run it while located in the directory
that contains the file you wish to examine.
By default, strings2 extracts both ASCII and Unicode-encoded strings. In addition to pulling out strings
from files, this utility can also extract strings from active processes as they run.


Strings in brbbot.exe suggest a few potential characteristics.
• IOCs for detection:

Ł File system: brbconfig.tmp Note that these are just
Ł Network: %s?i=%s&c=%s&p=%s theories at the moment. They
• Persistence mechanism: inform our next analysis steps
Ł Registry: …\Windows\CurrentVersion\Run
and need to be validated.
• Communication mechanism:
Ł Network: HTTP/1.1
Ł User-Agent: Mozilla/4.0…
By examining the strings embedded inside brbbot.exe, we can begin formulating theories about its
characteristics.
For instance, the string HTTP/1.1 might imply that this program can communicate over HTTP. The string
referring to the …\Run registry key suggests that this program might use this key as a persistence
mechanism.
Strings might also enable us to formulate indicators of compromise (IOCs), which can help in identifying
systems throughout our organization infected with this specimen. Potential IOCs based on strings are the
brbbconfig.tmp file and the string %s?i=%s&c=%s&p=%s as part of an HTTP request. Along these lines,
the string that began with Mozilla/4.0 could be a specific User-Agent header sent as part of the specimen's
HTTP request; this could help us spot the associated network traffic in our environment.
All the theories above are just conjectures, of course. We would need to perform behavioral or code
analysis to prove or disprove them. Quite often, such theories inform our next steps in the process of
examining the malicious program.


PeStudio shows multiple static properties and flags anomalies.
In addition to the embedded strings, many other static properties are worth examining at the onset of the
malware analysis process. PeStudio is a free Windows tool that can display many of these attributes, as
you can see on this slide. The free version of this tool is installed on your Windows REM Workstation.
You can download it from https://www.winitor.com.
Among many details about the specimen, PeStudio calculates various hash values. You can use such
values as unique identifiers of the file you're examining. Moreover, you can look up these hashes in
public and private information sources to obtain additional data about the malicious program you're
examining. For the purpose of this walkthrough, we won't perform such lookups so that we learn to
handle situations where no third-party details are available to us.
One of the most useful features of PeStudio is its Indicators area, which automatically highlights
potentially malicious aspects of the Windows executable that the tool is examining. You can see the
characteristics that PeStudio considers suspicious for brbbot.exe by clicking the indicators area of the
tool.
You can tweak which aspects of files PeStudio considers "blacklisted" and other aspects of the tool's
functionality by editing the XML configuration files that reside under the folder where the tool is installed
(for example, C:\Program Files (x86)\PeStudio\xml).
PeStudio offers malware analysts a convenient way of examining many useful properties of a suspicious
Windows executable statically, helping you formulate the path for subsequent analysis steps. It's well
suited for the triage process that we're covering in this module of the course.


Among other details, PeStudio also shows information about the
file's sections and imports.
As illustrated on the previous slide, PeStudio displays hashes of the file that it is examining. These hashes
can be used as digital fingerprints of the file and would typically be included in the report that malware
analysts produce to describe their findings.
Hash values could be used as IOCs, enabling the organization to detect the malicious file regardless of its
filename. However, malware authors can easily tweak the specimen to change the file's hash without
changing the specimen's functionality. For this reason, it's also useful to note hash values of the sections
that comprise the malicious program, which PeStudio computes as well. This way, if the attacker changes
a portion of the file, hash values of one or more sections might still match as an IOC.
For those not familiar with sections within Windows executables, it's worth noting that such files typically
contain several groupings of code and data, organized into sections. PeStudio shows that brbbot.exe is
composed of several sections: .text, .data, .rsrc, and .reloc.
Among other details, PeStudio also displays contents of the specimen's import table in the area labeled
"imports." Windows uses this information to determine which DLLs ("libraries") and the functions
implemented within them ("symbols" or "APIs") are necessary for the program's execution. Looking at
imports can help us determine the type of functionality implemented within the specimen. For instance,
the presence of LoadLibraryW indicates that the specimen can load additional DLLs during runtime. If
you scrolled down in the listing of imports, you would see the RegSetValueExA symbol, which suggests
that the sample has the capability to set registry values while seeing CryptDeriveKey indicates the use of
Windows cryptographic capabilities. We will take a closer look at the ways in which we can use such
details for malware analysis later in the course.

As you can see, PeStudio presents a wealth of information about the file. Time permitting, look around
the program's output to become familiar with its capabilities.

For alternatives to PeStudio, experiment with peframe and
pescanner.py on REMnux to extract interesting file properties.
Also try pescanner.py.
For alternatives to PeStudio, experiment with peframe and pescanner.py command-line tools on
REMnux. Both utilities extract a wealth of details about the Windows executable using static analysis and
bring to your attention the most interesting properties.
You can learn more about peframe by visiting https://github.com/guelfoweb/peframe, while the version of
pescanner.py installed on REMnux is available at
https://github.com/hiddenillusion/AnalyzePE/blob/master/pescanner.py.
As you examine the output of these tools, remember that any conclusions we draw from static properties
analysis are theories that need to be validated in subsequent analysis steps. For instance, though peframe
flags the specimen's use of GetLastError as an anti-debugging technique, it's possible that a call to this
function serves another purpose.


Detect It Easy (DIE) and Exeinfo PE show PE header details and
try to recognize the tools (including packers) that created it.
Windows executable files follow the PE (Portable Executable) format. According to PE specifications,
such programs have a specially formatted header that contains the details the operating system needs to
load the file into memory and set up the runtime environment for the process so it can run properly.
Looking at some aspects of the PE header can be useful for assessing the nature of the specimen.
PeStudio, which we examined a bit earlier, relied on PE header contents when displaying some of the
information we found helpful. In addition, consider incorporating into your toolkit the two tools shown on
this slide: Detect It Easy (DIE) and Exeinfo PE. These utilities are especially useful for determining
which tools were used to generate the executable file you're examining.
Malicious executables tend to be created using the same tools developers use to create legitimate
software, such as Visual Studio. Afterwards, malware authors might pack their creations to make it harder
for us to examine them. Packing typically involves obfuscating, encrypting, or otherwise encoding the
original executable to create a new file that embeds the original program as data. When the packed
program runs, it unpacks itself into the memory of the infected host. We'll work with packed specimens
later in the course. For now, keep in mind that it can be useful to determine whether the file is packed and,
if it is, which packer was used to safeguard the original file. Detect It Easy and Exeinfo PE can help with
these tasks. These tools show that brbbot.exe is not packed and was probably created in C or C++ using
Visual Studio.
Detect It Easy is installed on your Windows REM Workstation and on REMnux as a graphical tool. Note,
however, that its user interface doesn't seem to scale well for high-resolution screens. REMnux also
includes the command-line version of the tool, which you can invoke using the diec command. You can
download Detect It Easy from http://ntinfo.biz. Exeinfo PE
is a similar
tool. It works only on Windows
and is installed on your Windows REM Workstation. You can download Exeinfo PE from
http://www.exeinfo.xn.pl. Exeinfo PE also has the capability to "rip"—in other words, carve—any file,
extracting from within the file embedded artifacts.

Take a look at other tools for analyzing static properties of
malware, many of which are installed on REMnux.
• signsrch: Locates code used for crypto, compression, and more.

• pescan and portex: Examine key aspects of Windows
executable files and identify some anomalies.
• MASTIFF: Extracts many details from various types of malware;
good for bulk review of many samples.
• exiftool: Displays metadata embedded in files of various types.
• trid: Identifies the type of file you're starting to examine.
• viper: Manages the malware collection and extracts various
static properties about the files.
This slide lists several other free tools that you can run inside your lab for analyzing static properties of
suspicious files:
• signsrch (http://aluigi.altervista.org/mytoolz.htm)
• pescan (http://pev.sf.net)
• portex (https://katjahahn.github.io/PortEx)
• MASTIFF, which you can launch using the mas.py command
(https://git.korelogic.com/mastiff.git)
• exiftool (http://www.sno.phy.queensu.ca/~phil/exiftool)
• trid (http://mark0.net/soft-trid-e.html)
• Viper (https://github.com/viper-framework/viper).
Many of these utilities are available as part of your REMnux virtual machine.
We won't necessarily refer to these tools during the course, but consider looking them up on the web to
understand their capabilities.


Examining static properties assists with triage of the specimen.
• We discovered potential IOCs for brbbot.exe.

• We saw indications of potential functionality based on references
to Windows APIs.
• We obtained hashes and other details useful for researching the
specimen on the web.
• We formulated theories that we might want to validate using
further analysis steps.
We've been examining static properties of a suspicious file (brbbot.exe) to assess the likelihood that it's
malicious and to get a sense for what we might encounter if we examined it further using behavioral and
code analysis techniques. In the process, we discovered several potential IOCs for this specimen and saw
indications of potential functionality related to HTTP communications, registry and file activity, and
encryption. These steps have enabled us to formulate theories about the specimen's characteristics, which
we will validate in the subsequent analysis steps.


Course Roadmap MALWARE ANALYSIS FUNDAMENTALS
• FOR610.1: Malware Analysis 1. Introduction to Malware Analysis

Fundamentals 2. Malware Analysis Lab
• FOR610.2: Reversing 3. Static Properties Analysis
Malicious Code 4. Behavioral Analysis Essentials
• FOR610.3: Malicious Web and 5. Code Analysis Essentials
Document Files
6. Interactive Behavioral Analysis
• FOR610.4: In-Depth Malware
Analysis
• FOR610.5: Examining Self-
Defending Malware
• FOR610.6: Malware Analysis
Tournament
We're in Section 1, Malware Analysis Fundamentals, of the FOR610 course. Our next module is titled
Behavioral Analysis Essentials.


Behavioral Analysis
Essentials
We are now ready to take a closer look at brbbot.exe by observing how it behaves when it runs within our
lab. In the process, we will learn several practical malware analysis techniques that you'll be able to apply
to other samples during the course and outside of it.


We'll use several tools to observe how brbbot.exe infects your
Windows REM Workstation virtual machine.
• Process Hacker: Replaces built-in Task Manager, similar to

Microsoft's Process Explorer tool.
• Process Monitor: Records interactions of processes with the
registry, file system, network, and other processes.
• Regshot: Highlights changes to the file system and the registry.
• ProcDOT: Visualizes Process Monitor logs for easier analysis.
• Wireshark: Sniffs the network and captures packets.
Process Hacker is an open-source tool designed to help analysts "monitor system resources, debug
software, and detect malware." (See http://processhacker.sourceforge.net.) It is a powerful replacement
for the Task Manager built into Windows. The capabilities of Process Hacker are similar to those of a free
tool that you can download from Microsoft, called Process Explorer. (See
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx.)
Another powerful component of our toolkit is Process Monitor. It's available free from Microsoft at
https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. This tool "shows real-time file system,
Registry and process/thread activity" of processes on the infected Windows laboratory system, recording
all observed actions in a detailed log file. We will also use a companion tool, ProcDOT, to examine key
aspects of the Process Monitor log in a convenient manner. ProcDOT is available free from
http://www.procdot.com.
We will supplement Process Monitor's insights with a report from Regshot. This open-source tool enables
analysts to determine how the malicious program changed the state of the file system and the registry of
its host during the infection. To accomplish this, we'll use Regshot to compare the state of the system
before and after the infection and examine the report that the tool generates to highlight the changes.
Regshot is available at https://sourceforge.net/projects/regshot.
Wireshark is a popular open-source network sniffer, available at https://www.wireshark.org. It will give

us excellent visibility into the laboratory's network traffic associated with the specimen.
Process Hacker's Network tab shows only the connections active at a given moment. What if a specimen
performed a network action so quickly that you didn't spot
it in Process
Hacker's
Network tab? Wireshark
maintains a historical record, but it doesn't specify which local process was involved in the connection. At
this point, TcpLogView can help. This free tool, available from
http://www.nirsoft.net/utils/tcp_log_view.html, "monitors the opened TCP connections on your system,
and adds a new log line every time that a TCP connection is opened or closed."

Launch Process Hacker and become familiar with the processes,
services, and network connections on the clean system.
EXERCISE 1.2
At this point, your Windows REM Workstation should be prepared for brbbot.exe experiments because
you've already placed brbbot.exe in the location in which it expects to reside on the file system and
created a shortcut to ensure that when you run the malicious program, it executes with full admin
privileges. Before infecting the lab system, launch a few monitoring tools, which are already installed on
your Windows REM Workstation.
Start by running Process Hacker on the virtual machine. Familiarize yourself with the process listing,
services, and network connections on the system while it is still clean. You'll use Process Hacker to spot
the malicious process after infecting the system and, if possible, to terminate that process when you no
longer need it.
The listing of the processes on your VM will look similar to what's captured on this slide, though it might
not match the screenshot exactly.
Spend a few minutes getting to know the user interface of this tool. For example, you can right-click a
process that interests you, select Properties, and examine and even edit its runtime memory. We won't
cover all the features built into Process Hacker that might be useful to a malware analyst, but we will
discuss the most important ones.
Note that Process Hacker shows the parent-child relationship of the active processes. For each process, it
displays details such as its name and process identifier (PID), whether address space layout randomization
(ASLR) is enabled for it, and what its integrity level is. (We'll discuss ASLR and integrity levels later in
the course.)


Launch Process Monitor; then pause capturing and clear its log.
• Pause capture by pressing Ctrl+E or clicking the button that looks

like a magnifying glass.
• Clear the log by pressing Ctrl+X or clicking the button that looks
like an eraser over a sheet of paper.
• We'll activate Process Monitor immediately before infecting the
VM with brbbot.exe, but we're not quite ready yet.
1 2
Next, run Process Monitor in your Windows REM Workstation. This tool will enable you to record a log
of the specimen's system, registry, and some network-related operations. As soon as Process Monitor
launches, it begins recording the activities of currently running processes. You see activities that are a part
of the normal operation of Windows: Files being accessed and registry keys being queried and sometimes
set.
To keep the amount of noise in the Process Monitor log to a minimum, press Ctrl+E (or click the button
that looks like a magnifying class) in Process Monitor to pause capture until you are ready to infect the
system. After pausing capture, press Ctrl+X (or click the button that looks like an eraser floating over a
sheet of paper) to clear the log. You will reactivate Process Monitor's capture immediately before
infecting the system, but we're not ready to do that yet.
Consider minimizing Process Hacker and Process Monitor for now, so it's easier to focus on the next set
of tools you launch.


Launch Regshot and take the first shot.
• Click the 1st shot button; then click

the Shot button.
• The tool will record the state of files
and registry keys.
• You'll take another snapshot after
infecting the system.
• The tool will reinforce Process
Monitor findings.
You can use Regshot during behavioral analysis to create a baseline of the pristine system and compare it
to the system's state after the malicious program ran. Using Regshot with tools such as Process Monitor
enables us to be relatively certain that we can observe the specimen's effect on the infected system.
After launching Regshot, click the 1st shot button, and then click Shot to take the snapshot of your
Windows REM Workstation's file system and registry while the VM is still clean. When taking the
snapshot, Regshot computes checksums of all files and registry keys, so it can later spot which of these
objects have changed.
After taking the first snapshot using Regshot, minimize the tool. You will take the second snapshot a bit
later after you've infected the system with brbbot.exe.


Launch Wireshark on REMnux and start its capture.
• Use wireshark & to launch

Wireshark on REMnux.
• Click "eth0" in Wireshark to begin
sniffing the network.
• Then go back to your Windows VM.
In general, it's good to run monitoring tools on

a system other than the infected Windows VM.
Now, switch to your REMnux virtual machine and type wireshark & at the terminal prompt to launch
Wireshark. We'll use this sniffer to monitor the laboratory network while infecting the Windows virtual
machine with brbbot.exe.
In general, it's good to run monitoring tools on a system other than the one you're infecting. This way, the
specimen is less likely to detect that it's being observed or to interfere with the monitoring tools. The
utilities you've launched in preparation for infecting the system so far have to execute on the system
where the specimen will run. In contrast, a sniffer can be effective on any host within your laboratory
network, assuming it operates in a promiscuous mode.
Activate capture in Wireshark by clicking the eth0 line highlighted in the screenshot on the right side of
this slide or by pressing Ctrl+E.
Leave Wireshark active and go back to your Windows REM Workstation virtual machine.


Activate capture in Process Monitor; then infect your Windows
REM Workstation virtual machine.
Press Ctrl+E to activate capture in Process Monitor; then 2
double-click the brbbot.exe shortcut to infect the system.
You're now almost ready to infect your Windows REM Workstation. It's time to re-enable Process
Monitor on it.
First, make sure you have the Brbbot shortcut, which you created earlier, visible on your screen, so it's
easy for you to launch the malicious executable when you're ready to do so. Also, confirm that Process
Hacker is running and visible so that you can see the malicious process after you infect the system.
Next, activate capture in Process Monitor by clicking the magnifying glass button or pressing Ctrl+E.
Double-click the shortcut to brbbot.exe to infect your Windows REM workstation! When preparing for
this step, you modified the shortcut's properties to launch the specimen with full admin rights, giving it
the opportunity to show us its full capabilities.


Terminate the malicious process; then stop capturing in Process
Monitor and Wireshark.
• Terminate brbbot.exe in Process Hacker after about 30 seconds.

• Pause capture in Process Monitor (Ctrl+E).
• Pause capture in Wireshark (Ctrl+E).
If you look at Process Hacker, you should notice the malicious process running on the now-infected
system called brbbot.exe. After letting the process run for about one-half a minute, terminate it using
Process Hacker. To do this, right-click the running brbbot.exe process and select Terminate, or press the
Del key on your keyboard.
When brbbot.exe is no longer running, go to Process Monitor and pause capture by clicking the
magnifying glass button or pressing Ctrl+E.
Next, switch to the REMnux virtual machine and pause Wireshark's capture by pressing Ctrl+E or
selecting Capture > Stop from its menu.
We'll examine what these tools recorded shortly.


Create the 1st Regshot shot and compare it with the 2nd one.
• Click the 2nd shot button and then click Shot.

• The Compare button lights up shortly.
• Click the Compare button and review the report.
Before looking at logs of Process Monitor and Wireshark, let's use Regshot to see how the specimen
changed the state of the Windows virtual machine during infection.
Go to the Regshot window where you took the initial snapshot, click the 2nd shot button, and select Shot.
This will take the second snapshot of the state of the file system and the registry.
When Regshot finishes scanning the infected system, click the Compare button. The program will launch
Notepad, showing you results of the comparison.
Spend some time reviewing the Regshot report to spot interesting entries. Keep in mind that it's normal
for Windows to change some aspects of its state when it runs. Therefore, the report will show many
changes (especially registry ones) that are not directly associated with the behavior of brbbot.exe. As you
become more familiar with looking at the state of your Windows REM Workstation, it will be easier for
you to mentally filter out those normal activities and spot those that might be relevant to your
investigation.


With Some Work, You Can Also Restore A Physical System To The Desired State

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

With Some Work, You Can Also Restore A Physical System To The Desired State

Uploaded by

Copyright:

Available Formats

© SANS Institute 2018

• You can clone a clean partition using tools such as Clonezilla,

FOR610 | REVERSE-ENGINEERING MALWARE 29

Disk cloning software, such as Clonezilla (http://clonezilla.org), FOG (https://www.fogproject.org) and

© 2018 Lenny Zeltser 29

FOR610 | REVERSE-ENGINEERING MALWARE 30

30 © 2018 Lenny Zeltser

• Static properties analysis: PeStudio, strings, CFF Explorer,

FOR610 | REVERSE-ENGINEERING MALWARE 31

© 2018 Lenny Zeltser 31

• Make sure you've completed Exercises 0.1 and 0.2 in the

The lab should be isolated, controlled, and preconfigured to

FOR610 | REVERSE-ENGINEERING MALWARE 32

32 © 2018 Lenny Zeltser

• FOR610.1: Malware Analysis 1. Introduction to Malware Analysis

FOR610 | REVERSE-ENGINEERING MALWARE 33

© 2018 Lenny Zeltser 33

FOR610 | REVERSE-ENGINEERING MALWARE 34

34 © 2018 Lenny Zeltser

• A system is misbehaving: Sudden

How would you proceed with the analysis?

FOR610 | REVERSE-ENGINEERING MALWARE 35

© 2018 Lenny Zeltser 35

• Start your Windows and Linux VMs. EXERCISE 1.1

• Extract the brbbot.exe specimen from brbbot.zip:

FOR610 | REVERSE-ENGINEERING MALWARE 36

36 © 2018 Lenny Zeltser

• Right-click the shortcut.

This will allow the specimen to achieve its

FOR610 | REVERSE-ENGINEERING MALWARE 37

© 2018 Lenny Zeltser 37

• The Workbook provides step-by-step

FOR610 | REVERSE-ENGINEERING MALWARE 38

38 © 2018 Lenny Zeltser

• File and section hashes

FOR610 | REVERSE-ENGINEERING MALWARE 39

© 2018 Lenny Zeltser 39

Alternatively, you could've run the strings -a

FOR610 | REVERSE-ENGINEERING MALWARE 40

The pestr utility is a part of the Pev toolkit, which includes

40 © 2018 Lenny Zeltser

For a Windows command-

FOR610 | REVERSE-ENGINEERING MALWARE 41

© 2018 Lenny Zeltser 41

• IOCs for detection:

FOR610 | REVERSE-ENGINEERING MALWARE 42

42 © 2018 Lenny Zeltser

FOR610 | REVERSE-ENGINEERING MALWARE 43

© 2018 Lenny Zeltser 43

FOR610 | REVERSE-ENGINEERING MALWARE 44

44 © 2018 Lenny Zeltser

Also try pescanner.py.

FOR610 | REVERSE-ENGINEERING MALWARE 45

© 2018 Lenny Zeltser 45

FOR610 | REVERSE-ENGINEERING MALWARE 46

46 © 2018 Lenny Zeltser

• signsrch: Locates code used for crypto, compression, and more.

FOR610 | REVERSE-ENGINEERING MALWARE 47

© 2018 Lenny Zeltser 47

• We discovered potential IOCs for brbbot.exe.

FOR610 | REVERSE-ENGINEERING MALWARE 48

48 © 2018 Lenny Zeltser

• FOR610.1: Malware Analysis 1. Introduction to Malware Analysis