From the RegShot project page,
Regshot is an open-source(GPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one – done after doing system changes or installing a new software product.
This is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter.
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
the options below) and are followed by an unprintable character. By default, it only prints the strings from the initialized and loaded sections of object files; for other types of files, it prints the strings from the whole file.
strings is mainly useful for determining the contents of non-text files.
For each file given, GNU strings prints the printable character sequences that are at least 4 characters long (or the number given with
On Windows based systems, we can also use ‘Bintext‘ [ http://www.mcafee.com/us/downloads/free-tools/bintext.aspx ]
A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional “advanced” view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.
UPX achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression. UPX strengths in a nutshell:excellent compression ratio: typically compresses better than WinZip/zip/gzip, use UPX to decrease the size of your distribution!
You can read more about UPX on wikipedia: http://en.wikipedia.org/wiki/UPX
Wireshark is the go-to tool for network traffic monitoring. Let’s fire up wireshark and run the executable again.
Here you see that the malware is trying to resolve the following three domains:
2. malware.lab.server [ this is the custom domain I configured into the malware specimen ]
In order to gain insight into what and why of these network access attempts by the malware, we will give it what it wants. It is sending out name resolution requests to get the IP address of the domains, so we will give it the IP address. The catch is, we will tell the malware that the domain(s) it wants to reach, refer to us, i.e. 220.127.116.11.
One way we can do this, is by modifying the ‘hosts’ file and adding the IP-hostname mapping in it.
We will start with sb.webhop.org. We will add a IP-hostname entry in the C:WINDOWSsystem32driversetchosts file for sb.webhop.org.
Save the hosts file and ping the domain address. You should receive a ping response from 18.104.22.168.
Once malware is able to resolve sb.webhop.org, we kill the malware process, restart traffic capture in wireshark and run the specimen again. You will see that it is trying to establish a HTTP connection.
Kill the nwhyy.exe through Process Explorer.
We will now set up a netcat listener on port 80 and execute the specimen. This simple set up with help us gather connection request header info immediately.
Netcat listener is set up using the following command:
nc -lv 80
-l -> listening mode
-v -> verbose
80 -> port to listen on
In the connection request captured, we see that the malware is using a custom Referer and User-Agent. Second, the User-Agent is of Windows 98, which is certainly incorrect as the traffic had originated from Windows XP Sp2.
So overall, this is making the requests seem to come from ‘hxxp://psychward.slak.org’. Ads and affiliates, more traffic that comes from affiliate, more commission that goes to affiliate, you see the point.?!
Kill the process nwhyy.exe now.
Let’s move on to malware.lab.server. This is a custom irc server I added to the bot specimen. Botherders can add multiple irc/http servers to act as command-and-control. The bot will then contact these command & control servers in case other servers are unavailable / unreachable.
As earlier, we will add a new hosts file entry to make the domain resolve to us, 22.214.171.124.
You can confirm the reachability by pinging the domain name. It should resolve correctly and ping responses are received.
If you start sniffing via wireshark again and run the malware exe, you will see IRC connection attempts to 126.96.36.199. Since there is no irc server running on our box, the connections are RST back.
Doing a ‘Follow TCP Stream’ on the connection originating from 188.8.131.52 – the infected box – we see that this is an IRC request, and the channel is #jigyaasa.
Kill the malware process and now let’s start an IRC server [ iirc-hybrid ] on our box.
After starting the IRC server, we join in to the channel #jigyaasa. Joining the channel first, ensures that we have the OP privileges. This privilege is like an admin privilege to be able to control the channel and its users.
Run the malware exe, & you will find a new client is connected to our IRC server, the client originates from 184.108.40.206. Based on the command strings that we found inside the unpacked exe earlier, go ahead & enter some commands in the IRC channel.
You’ll notice that the commands !@id and !@sysinfo run fine and give the output out. But commands like !@login and !@run do not show any message, no output or any sign of execution. If you try to talk to the bot with a random text, there is no response. Looking at this behavior, it is certain that there is an authentication mechanism built into the bot. Only once the analyst / bot herder authenticates, can (s)he can run privileged actions like remote execution.
To conclude, we have derived the following info from network traffic analysis:
1. Bot sends HTTP connection requests with modified headers to sb.webhop.org – objective is to increase traffic stats coming from the host [ hxxp://psychward.slak.org ]
2. Bot attempts to connect to a potential command n control server – malware.lab.server, in our scenario – channel #jigyaasa, with a random NICK, and has both unprivileged & privileged commands
Now at this stage, we have studied potential ways in which this bot interacts and have collected sufficient information about it. The behavioral analysis phase can be paused for now and we can proceed to the Code analysis phase.
I highly recommend you start referring and going deep dive with these books to follow on and enhance learning pace.
After listening to all of readers’ positive feedbacks and requests, I have now collated this entire 5-part Malware Analysis series into a short, easy to read book. If you have found this series useful, and would like to show some love, you can purchase it from here:
This series will still be available for free here on the blog.!