Static Malware Analysis SOP
This document is targeted at Tier I and Tier II malware analysis. It will not cover dynamic malware analysis, which requires a live system that is deliberately compromised for the analysis.
This document will cover how to analyze the following: suspected malicious PDF files, suspected malicious Office documents, and suspicious executables.
The tools required are:
olevba.py – for Office document analysis
pyew.py – for PDF, Office document, and malicious executable analysis
UPX – for unpacking executables
xorBruteForcer.py – for further deobfuscation of malicious executables and their payloads
ghex – for looking at a raw binary
strings – for pulling text out of a file
NOTE: We have also been given access to the Norse Odin and Norse DarkVision accounts, which will help us analyze URLs and malware in the future.
Part I: Malicious PDF Analysis
Our first stop is usually VirusTotal, to see whether anyone else has seen the file before. In this case infected.pdf is flagged as a "heap spray" attack.
Figure 1 - VirusTotal positive hits for infected.pdf
We try opening infected.pdf with pyew, and we can already see that there is some JavaScript in there.
USAGE: pyew.py infected.pdf
Figure 2 - pyew.py shows some JavaScript inside the PDF
Running the command "pdfview" from inside pyew lets us actually read the JavaScript. In this case it is suspicious and appears to be hiding some sort of shellcode. Since VirusTotal has a hit on the file and there is JavaScript embedded in the PDF, we can declare it malware. Tier III personnel have the tools and expertise to de-obfuscate the JavaScript and figure out what it is doing.
Figure 3 - pdfview shows us the JavaScript embedded inside.
Here we see some obfuscated JavaScript, which is difficult to decode unless you are very familiar with JavaScript; note the strangely named function and a variable named "large_hahacode".
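As an added example (not part of the original SOP and not pyew's own code), the kind of triage that pdfview performs can be approximated in a few lines of Python: count the JavaScript-related names on the raw file, then count again after resolving #xx name escapes and inflating FlateDecode streams, so that a /JS key written as /J#53, or a script body sitting inside a compressed stream, still shows up. The sample PDF, its harmless script and all function names below are constructed for this example.

```python
import re
import zlib

SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def build_sample_pdf() -> bytes:
    """Constructed sample (not a real malicious PDF): the catalog's /OpenAction
    points at a JavaScript action whose harmless script sits in a FlateDecode
    stream, and the /JS key is written as /J#53 (hex-escaped name)."""
    script = b"var large_hahacode = 'constructed sample'; app.alert(large_hahacode);"
    body = zlib.compress(script)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /JavaScript /J#53 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

def unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#53 reads as /JS. Applied file-wide, which is
    good enough for triage because only name counts are taken afterwards."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> list:
    """Decompressed bodies of every stream that inflates as zlib/FlateDecode."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the EOL bytes that sit before "endstream"
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or encrypted/odd: leave it for Tier III
    return out

def count_names(data: bytes) -> dict:
    """Count each suspicious name as a whole name (so /JS does not match /JSx)."""
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![0-9A-Za-z])", data))
            for n in SUSPICIOUS_NAMES}

def triage_pdf(data: bytes) -> dict:
    """Name counts on the raw bytes versus after unescaping names and inflating streams."""
    streams = inflate_streams(data)
    decoded_view = unescape_names(data) + b"\n" + b"\n".join(streams)
    return {"raw": count_names(data), "decoded": count_names(decoded_view),
            "inflated_streams": streams}

if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    print("raw     :", report["raw"])
    print("decoded :", report["decoded"])
    for body in report["inflated_streams"]:
        print("script  :", body.decode("latin-1"))
```

A difference between the raw and decoded counts is itself a signal: a file that only reveals /JS after unescaping or inflating is hiding it from plain string matching.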
Part II: Malicious Office Documents
Analysis of these is fairly simple, but what is visible in a regular .xls document is not visible in the newer .xlsm format for Office, which is XML-based.
We will look at two Excel sheets with the same basic exploit inside, but one is an .xls document and the other is an .xlsm document. The basic exploit here is a VBScript macro that opens notepad.exe and pings 127.0.0.1.
Running "strings" against the malware.xls file gives us pretty obvious results, as we clearly see the references to notepad.exe and 127.0.0.1.
Figure 4 - strings against a .xls file
But running strings against the malware.xlsm file does not.
Figure 5 - strings against the new Office XML-based format
A more reliable tool is olevba.py. It is very easy to use and quickly extracts VBA macros. As you can see below, it indicates what the macro is, and even gives you a list of IOCs you can use to detect how widespread this is on your network.
Figure 6 - olevba output against a .xls Office document
Here we can see the same items that "strings" found for us in the original .xls.
Figure 7 - olevba.py against an .xlsm document
Here we can see the references to vbaProject.bin, which appears to be what hides the pertinent information from "strings" in .xlsm documents.
From the olevba.py report, we can determine that there are malicious VBA macros in these documents and can pass them along, with our findings, for Tier III malware analysis.
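Why strings misses the .xlsm markers while still showing the name vbaProject.bin, as an added example that is not from the original SOP or from olevba: an .xlsm is a ZIP container, the part names sit uncompressed in the ZIP headers, but the macro part itself is deflate-compressed, so its plaintext never appears in the container bytes. The container, the vbaProject.bin stand-in and the function names below are constructed for this example (a real vbaProject.bin is an OLE compound file whose VBA source is MS-OVBA-compressed, which olevba decompresses).

```python
import io
import re
import zipfile

# Constructed stand-in for xl/vbaProject.bin (not a real macro part). Plain
# text carrying the same markers is enough to show the container effect.
FAKE_VBA_PROJECT = b"\r\n".join([
    b'Attribute VB_Name = "ThisWorkbook"',
    b"Private Sub Workbook_Open()",
    b'    Shell "notepad.exe", vbNormalFocus',
    b'    Shell "cmd.exe /c ping 127.0.0.1", vbHide',
    b"End Sub",
    b"Sub Auto_Open()",
    b"    Call Workbook_Open",
    b"End Sub",
    b"",
])

def build_xlsm_like(compress: bool = True) -> bytes:
    """Minimal OOXML-style container: a ZIP with the macro part inside.

    Office normally deflates its parts; compress=False exists only to show that
    the compression, not the ZIP framing, is what hides the text from strings.
    """
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method, compresslevel=9) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", FAKE_VBA_PROJECT)
    return buf.getvalue()

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Roughly what `strings` prints: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def strings_on_container(xlsm: bytes) -> list:
    """`strings malware.xlsm`: sees ZIP headers and part names, not compressed payloads."""
    return ascii_strings(xlsm)

def strings_on_vba_part(xlsm: bytes) -> list:
    """Unzip the macro part first, then run the same scan over it."""
    with zipfile.ZipFile(io.BytesIO(xlsm)) as zf:
        return ascii_strings(zf.read("xl/vbaProject.bin"))

def found(strs: list, marker: str) -> bool:
    """True if any extracted string contains the marker."""
    return any(marker in s for s in strs)

if __name__ == "__main__":
    sample = build_xlsm_like()
    for marker in ("vbaProject.bin", "notepad.exe", "127.0.0.1"):
        print(f"{marker:15} container={found(strings_on_container(sample), marker)}"
              f" vba_part={found(strings_on_vba_part(sample), marker)}")
```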
Part III: Malicious Executable Analysis
This is by far the most difficult and time-consuming. Obfuscation and evasion techniques such as packing and XOR'ing of contents make it difficult to find out what is going on or to generate a list of IOCs (Indicators of Compromise).
We will be using a piece of malware known as "Frethog", a keylogger and password-stealing program.
When we open it with "pyew.py", we don't see much, and when we run the pyew command "packer", we can see why: it is packed using the UPX algorithm in an attempt to evade analysis.
Figure 8 - pyew "packer" analysis of an .exe file
Running "strings" against a packed file gives us very little, so we have to unpack the file.
Figure 9 - strings run against a UPX-packed file
To "unpack" the file we use the UPX program.
USAGE: upx -d -k fethog.000 (-d = decompress, -k = keep a backup copy). This gives us an unpacked file named "fethog.000" to analyze, and the original is renamed fethog.00~.
Figure 10 - using UPX to unpack a malicious executable
Now we can look at it with pyew again and check the packing; this time pyew identifies it as a Visual Basic file.
Figure 11 - pyew analysis of the unpacked malware
And we can see that "strings" gives us better results now.
Figure 12 - strings analysis against the unpacked file
BONUS ROUND
However, this file is also using XOR to hide its payload, so we are going to use xorBruteForcer.py to try every possible key against its contents to see if anything works. Once you see some entries with cleartext, you know you have found the right key; in this case, the key was 0x20. So we run xorBruteForcer.py again with the key specified, and we get some more valuable information.
USAGE: xorBruteForcer.py fethog.000 - this will try all key combinations; we look at the output to determine what the key was by looking for cleartext.
USAGE: xorBruteForcer.py -k 20 fethog.000 - the -k option indicates the key we want to use
Figure 13 - output of xorBruteForcer against the unpacked malware
Now we see references to www.yswm.net, www.ahwm.net, and a couple of other URLs, which gives us some additional IOCs (Indicators of Compromise) that we can check to see whether any other computers on our network have been trying to reach these sites. They are reaching out trying to pull down file.txt.
Further analysis of this de-XOR'd file will yield even more IOCs that we can provide to SOC analysts to investigate.
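What the brute-force pass and the -k step of xorBruteForcer.py amount to, as an added example written for this SOP rather than the tool's own code: try all 256 single-byte keys, rank each candidate by how much cleartext it exposes, and pull URL-shaped IOCs out of the winner. The encoded blob is constructed here from the two domains recovered above and the key 0x20; the function names and the "configuration" text are assumptions made for the example, not data from the Frethog binary.

```python
import re
import string

# Constructed sample (not taken from the Frethog binary): a small blob naming
# the two domains recovered in the analysis, XOR'd with the single-byte key 0x20.
PLAINTEXT = (
    b"http://www.yswm.net/file.txt\x00"
    b"http://www.ahwm.net/file.txt\x00"
    b"GET /file.txt HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)
KEY = 0x20

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)

ENCODED_SAMPLE = xor_bytes(PLAINTEXT, KEY)

# Cleartext markers an analyst recognises when scrolling through brute-force
# output. Matched case-sensitively and with their punctuation on purpose: a key
# of 0x20 only toggles the case of letters, so letters alone cannot tell the
# right key from the untouched bytes (key 0x00); the dots, slashes and digits can.
MARKERS = (b"http", b"www.", b".net", b".com", b".txt", b".exe", b".dll",
           b"GET ", b"User-Agent")
PRINTABLE = set(string.printable.encode())

def cleartext_score(candidate: bytes) -> float:
    """Printable-byte ratio plus a bonus for every marker hit; higher is better."""
    ratio = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    hits = sum(candidate.count(m) for m in MARKERS)
    return ratio + 2.0 * hits

def brute_force_single_byte(data: bytes, top: int = 5) -> list:
    """Try all 256 keys (the `xorBruteForcer.py file` run) and rank them."""
    ranked = sorted(((cleartext_score(xor_bytes(data, k)), k) for k in range(256)),
                    reverse=True)
    return [(k, round(s, 3)) for s, k in ranked[:top]]

def best_key(data: bytes) -> int:
    """Key whose decoding exposes the most cleartext."""
    return brute_force_single_byte(data, top=1)[0][0]

def recover_iocs(data: bytes, key: int) -> list:
    """Decode with the chosen key (the `-k` step) and pull out URL-shaped IOCs."""
    decoded = xor_bytes(data, key)
    urls = re.findall(rb"https?://[\w.\-]+/[\w.\-]*", decoded)
    return sorted({u.decode("ascii") for u in urls})

if __name__ == "__main__":
    print("top keys:", brute_force_single_byte(ENCODED_SAMPLE))
    print("IOCs    :", recover_iocs(ENCODED_SAMPLE, best_key(ENCODED_SAMPLE)))
```

Only single-byte keys are covered, which matches the run described above; a multi-byte or rolling key needs a per-position variant of the same scoring.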
