Transcript
Page 1: Open Source Malware Lab - SecTor 2018 Open... · Open Source Malware Lab ... • Moloch • SSL decryption ... • Live Packet Capture • Recorded Packet Capture (PCAP) • Series

1@ThreatConnect

October 19, 2016

Open Source Malware Lab

© 2016 ThreatConnect, Inc. All Rights Reserved


Director of Research Innovation, Research Team

ThreatConnect, Inc.



Why Do I Need A Malware Analysis Lab?

• Malware Research
  • First two of four major stages (https://zeltser.com/mastering-4-stages-of-malware-analysis/)
• Automated Malware Analysis (AMA)
  • AMA can include second stage
• Enhanced Threat Intelligence
  • Analysis of malware in your enterprise
  • Stage of malware hunting process
• Network Defense
  • Network Traffic
  • Inbound Email
  • Host Intrusion Detection System
• Fun!!!



Malware Analysis Process Entry Points

• File
• URL
• PCAP
• Memory Image



Open Source Malware Analysis Tools

• Cuckoo Sandbox
• Thug
• Bro
• Volatility



Cuckoo Sandbox: Static and Dynamic File Analysis



Sandbox

• A controlled, safe environment
• Leverages
  • Virtual machines
  • Bare metal computers
• Running malware
• Observing its behavior
• Dynamic malware analysis
• May also perform static malware analysis



More Than Just Dynamic Analysis

AV Detections
• TrendMicro: OSX_KeRanger.A
• ESET-NOD32: OSX/Filecoder.KeRanger.A
• Kaspersky: UDS:DangerousObject.Multi.Generic

Strings
• $Info: This file is packed with the UPX executable packer http://upx.sf.net $
• $Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $


More Than Just Dynamic Analysis

File Metadata
• Timestamp: 2016-03-07 09:41:34
• First Seen: 2016-03-07 09:42:47 (95c231bb, web, RU)

Sections (Name / Addr / Ent / MD5)
• .rsrc / 532480 / 3.59 / 7ce8cbef10f26dfee328a35f2c724cd5 (52 files found)

Resources
• data / RT_VERSION / 3519388073965d5b6bae77135c36786f6f8e6882099a88504fbad3ed9b9c9687 (99 files found)


Cuckoo Sandbox Flavors


• Plain Vanilla: Version 1.2 (Stable)
• Cuckoo Modified (brad-accuvant / spender-sandbox)
• Next Generation: Version 2.0 RC1


Cuckoo Modified

• Normalization of file and registry paths

• 64bit analysis

• Service monitoring

• Extended API

• Tor for outbound network connections

• Malheur integration



Normalization - Why this is Great!

• Not normalized
  • C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg
  • C:\Users\Dumdum\AppData\Roaming\bonzo\AIDVFP.jpg
• Normalized
  • %APPDATA%\bonzo\AIDVFP.jpg
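The same normalization as a small standalone Python function, added here as an example and not cuckoo-modified's own code: it maps both the XP-era profile layout ("Documents and Settings", "Local Settings") and the Vista-and-later layout ("Users", "AppData") onto the environment-variable form, so the same dropped file observed on two guest images yields one indicator. The rule table, the handling of the NT `\??\` prefix that kernel-level monitors report, and the sample paths are assumptions of this example.

```python
import re

# Ordered (regex on the lower-cased path, replacement token) rules; the first match wins, so
# the specific profile sub-folders come before the generic %USERPROFILE% rules. The XP-era and
# the Vista+ layouts collapse to the same token, which is the whole point of normalizing.
_RULES = [
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp\\", "%TEMP%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\application data\\", "%LOCALAPPDATA%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\", "%APPDATA%\\"),
    (r"^[a-z]:\\documents and settings\\[^\\]+\\", "%USERPROFILE%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", "%TEMP%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", "%LOCALAPPDATA%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", "%APPDATA%\\"),
    (r"^[a-z]:\\users\\[^\\]+\\", "%USERPROFILE%\\"),
    (r"^[a-z]:\\program files \(x86\)\\", "%PROGRAMFILES(X86)%\\"),
    (r"^[a-z]:\\program files\\", "%PROGRAMFILES%\\"),
    (r"^[a-z]:\\windows\\", "%WINDIR%\\"),
]


def normalize_path(path: str) -> str:
    """Rewrite a Windows path reported by an API monitor into environment-variable form.

    Drive letter, user name and OS-version-specific profile layout are dropped; the case of
    the remainder is preserved. Paths that match no rule come back unchanged apart from the
    NT object-manager prefix.
    """
    p = path.replace("/", "\\")
    if p.startswith("\\??\\"):  # "\??\C:\..." is how kernel-level monitors often report paths
        p = p[4:]
    low = p.lower()
    for pattern, token in _RULES:
        m = re.match(pattern, low)
        if m:
            return token + p[m.end():]
    return p


def normalize_all(paths):
    """Normalize a list of observed paths and de-duplicate them: the two raw paths on the
    slide become a single %APPDATA% indicator."""
    return sorted({normalize_path(p) for p in paths})


if __name__ == "__main__":
    observed = [  # constructed examples in the spirit of the slide
        r"C:\Documents and Settings\Dumdum\Application Data\bonzo\AIDVFP.jpg",
        r"C:\Users\Dumdum\AppData\Roaming\bonzo\AIDVFP.jpg",
        r"\??\C:\Users\Dumdum\AppData\Local\Temp\cuddlesome.exe",
    ]
    for p in normalize_all(observed):
        print(p)
```

One caveat when using this on real reports: normalize before hashing or deduplicating indicators, never after, and keep the raw path alongside the normalized one, since a malware family that hard-codes an XP-only location is itself a detail worth recording.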



Cuckoo Next Generation

• Support for:
  • MacOS X
  • Linux
  • Android
• Integrations
  • Suricata
  • Snort
  • Moloch
  • SSL decryption
  • VPN support
  • 64-bit analysis
  • Fun, fun, fun


What if the Malware is VM or Sandbox Aware?

• Pafish (Paranoid Fish)
  • Uses malware's anti-analysis techniques
  • Shows successful and unsuccessful techniques
  • Pinpoint ways to improve sandbox
• VMCloak
  • Automated generation of Windows VM images
  • Ready for use in Cuckoo
  • Obfuscates VM to prevent anti-analysis



Cuckoo Output

• HTML Report

• JSON Report

• MongoDB Output

• Dropped Files

• PCAP

• Memory Image

• Visited URLs
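An added example, not Cuckoo's own code, of turning the JSON report into indicators a threat-intelligence platform can take: it reads a constructed `report.json`-shaped document and pulls out the contacted hosts, the resolved domains, the URLs, the dropped-file hashes and the triggered signatures, and strips the analysis network's own resultserver address so that lab infrastructure never ends up in a feed. The key layout (`target.file`, `network.hosts`, `network.domains`, `network.http`, `dropped`, `signatures`) follows Cuckoo's report; every value in the sample, the `LAB_NOISE` set and the `extract_iocs` function are assumptions of this example.

```python
import json

# Constructed stand-in for a Cuckoo report.json; keys follow Cuckoo's report layout, every
# value is made up for this example (documentation addresses, an .invalid domain, fake hashes).
SAMPLE_REPORT = json.dumps({
    "target": {"category": "file",
               "file": {"name": "invoice.exe", "sha256": "b" * 64}},
    "network": {
        # Cuckoo 1.2 lists hosts as plain strings, 2.0 as dicts; the extractor accepts both.
        "hosts": ["198.51.100.7", {"ip": "192.0.2.10", "country_name": "unknown"},
                  "192.168.56.1"],
        "domains": [{"domain": "c2.example.invalid", "ip": "198.51.100.7"}],
        "http": [{"method": "POST", "host": "c2.example.invalid", "path": "/zapoy/gate.php"},
                 {"method": "GET", "host": "192.0.2.10", "path": "/xdaovcny/index.php"}],
    },
    "dropped": [{"name": "cuddlesome.exe", "sha256": "c" * 64, "md5": "d" * 32, "size": 204800}],
    "signatures": [{"name": "injection_runpe", "severity": 3,
                    "description": "Executed a process and injected code into it"},
                   {"name": "antivm_generic_disk", "severity": 1,
                    "description": "Checks the disk size"}],
})

# Assumed lab layout: Cuckoo's default VirtualBox host-only address, where the resultserver
# listens. Every guest talks to it, so it must never be reported as a contacted host.
LAB_NOISE = {"192.168.56.1"}


def extract_iocs(report_json, noise=LAB_NOISE, min_severity=2):
    """Return the sample hash, contacted IPs (lab noise removed), resolved domains, URLs,
    dropped-file hashes and the signatures at or above min_severity from a Cuckoo JSON report."""
    r = json.loads(report_json)
    net = r.get("network", {})
    hosts = set()
    for h in net.get("hosts", []):
        ip = h["ip"] if isinstance(h, dict) else h
        if ip not in noise:
            hosts.add(ip)
    domains = {d["domain"]: d.get("ip") for d in net.get("domains", [])}
    urls = {"http://%s%s" % (e["host"], e["path"]) for e in net.get("http", [])}
    dropped = [(d["name"], d["sha256"]) for d in r.get("dropped", [])]
    sigs = [(s["name"], s["severity"]) for s in r.get("signatures", [])
            if s.get("severity", 0) >= min_severity]
    return {
        "sample_sha256": r.get("target", {}).get("file", {}).get("sha256"),
        "hosts": sorted(hosts),
        "domains": domains,
        "urls": sorted(urls),
        "dropped": dropped,
        "signatures": sigs,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

Keep the noise list honest: anything the guest contacts because of the lab (resultserver, an internal DNS forwarder, a Tor or VPN egress gateway from the cuckoo-modified setup) belongs in it, otherwise the first report you push to a TI platform will make your own sandbox look like C2.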



Thug: Low-Interaction Honeyclient



What is a Low-Interaction Honeyclient?

• Pretends to be a browser

• Trigger a drive-by download

• Capture its payload



Wolf in Sheep’s Clothing

• User agent can change
  • Windows, Mac, Linux, Android, iOS
  • Limitless possibilities
  • http://www.useragentstring.com/pages/useragentstring.php
  • http://www.browser-info.net/useragents
• Simulates vulnerable plugins with configurable versions
  • Flash
  • Java
  • Acrobat Reader (PDF)



Available User Agents



Thug Output

• Payload Files
• Other Content Files
• Visited URLs
• MongoDB Output
• Elasticsearch Output
• HPFeeds
• MAEC
• Native Report Format



Bro: Network Analysis Framework



What is Bro?

• Network Security Monitoring (NSM) Framework

• Processes
  • Live Packet Capture
  • Recorded Packet Capture (PCAP)

• Series of scripts

• Output Bro logs

• Packaged with a large group of scripts

• Rich community of open source scripts

• Write your own Bro script for specific needs



Bro in Action


• Analysis Target: tue_schedule.doc_7387.doc

• PCAP Source: https://www.hybrid-analysis.com/

• SHA1: bb45bca4ccc0dd6a0b3a2c6001165f72fbd2cb6e

• What can we learn from PCAP only?


conn.log

$ cat conn.log | bro-cut -c uid id.resp_h id.resp_p proto service | sed -e 's/#fields//g' | grep -v '#' | column -t




dns.log

$ cat dns.log | bro-cut -c query qtype_name answers rcode_name | grep 'NOERROR\|fields' | sed -e 's/#fields//g' | column -t



Poor Man’s pDNS



Whois Data



Site Content



Poor Man’s Reverse Whois



pDNS



http.log

$ cat http.log | bro-cut -u -C id.resp_h method host uri status_code resp_fuids resp_mime_types | grep '#fields\|200' | sed -e 's/#fields//g' | column -t



Zapoi (Russian: запой)

A term used in Russia and other post-Soviet states to describe alcohol abuse behavior resulting in two or more days of continuous drunkenness.

https://en.wikipedia.org/wiki/Zapoy


/zapoy/gate.php = Pony



/xdaovcny/index.php = Nymaim



pe.log

$ cat pe.log | bro-cut -c id machine compile_ts subsystem is_exe section_names | sed -e 's/#fields//g' | grep -v '#' | column -t



files.log

$ cat files.log | bro-cut -c fuid filename total_bytes md5 sha1 sha256 | grep 'F8Ksgsir0wLKqA4e9\|F0XaRJ2XvH5Epscnqj\|#fields' | sed -e 's/#fields//g' | column -t | cut -d " " -f 2- | column -t

(The doubled `\|\|` in the original grep pattern created an empty alternative that matches every line, so the fuid filter did nothing; a single `\|` between the two fuids restores it.)
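The bro-cut pipelines above, dns.log for the "poor man's pDNS" and http.log joined to files.log on the fuid, as one added Python example that is not part of the talk or of the Bro project: a parser for Bro's TSV log header format, a pDNS table built from answered queries only, and the pivot from a 200 response to the hashes of the file Bro carved out of it. The sample logs are constructed (documentation addresses, `.invalid` names, a made-up fuid and the hashes of the empty string as placeholders); only the two URI paths come from the slides, and `parse_bro_log`, `passive_dns` and `downloaded_files` are names chosen for this example.

```python
import io

def parse_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the #fields names.
    Honours #separator/#set_separator/#unset_field/#empty_field; vector and set
    columns (per #types) become lists and unset ('-') values become None."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, rows = [], [], []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator"):  # "#separator \x09": a space, then the escaped separator
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator": set_sep = value
            elif key == "unset_field": unset = value
            elif key == "empty_field": empty = value
            elif key == "fields": fields = value.split(sep)
            elif key == "types": types = value.split(sep)
            continue
        row = {}
        for name, typ, value in zip(fields, types, line.split(sep)):
            if value == unset:
                row[name] = None
            elif typ.startswith(("vector", "set")):
                row[name] = [] if value == empty else value.split(set_sep)
            else:
                row[name] = value
        rows.append(row)
    return rows

def passive_dns(dns_rows):
    """Poor man's pDNS: (query, answer) -> (first_seen, last_seen), answered queries only."""
    table = {}
    for r in dns_rows:
        if r.get("rcode_name") != "NOERROR" or not r.get("answers"):
            continue
        ts = float(r["ts"])
        for answer in r["answers"]:
            first, last = table.get((r["query"], answer), (ts, ts))
            table[(r["query"], answer)] = (min(first, ts), max(last, ts))
    return table

def downloaded_files(http_rows, files_rows):
    """Pivot from 200 responses to files.log on the fuid (what the bro-cut pipelines do by
    hand) and return host, URI, MIME type and hashes for every file Bro carved."""
    by_fuid = {f["fuid"]: f for f in files_rows}
    hits = []
    for h in http_rows:
        if h.get("status_code") != "200":
            continue
        for fuid in h.get("resp_fuids") or []:  # None when the response carried no file
            f = by_fuid.get(fuid)
            if f is not None:
                hits.append({"host": h["host"], "uri": h["uri"], "fuid": fuid,
                             "mime": f.get("mime_type"), "sha1": f.get("sha1"),
                             "sha256": f.get("sha256")})
    return hits

def _log(path, fields, types, *records):
    """Build a constructed Bro log with the real header layout for the samples below."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
            "#path\t" + path, "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(head + ["\t".join(r) for r in records]) + "\n"

# Constructed sample logs: documentation addresses, .invalid names, placeholder hashes (those
# of the empty string) and a made-up fuid; only the two URI paths come from the slides.
SAMPLE_DNS = _log("dns",
    ["ts", "uid", "id.resp_h", "query", "qtype_name", "answers", "rcode_name"],
    ["time", "string", "addr", "string", "string", "vector[string]", "string"],
    ["1457340000.100000", "CgPj1a", "192.0.2.53", "c2.example.invalid", "A", "198.51.100.7", "NOERROR"],
    ["1457343600.200000", "CgPj1b", "192.0.2.53", "c2.example.invalid", "A", "198.51.100.7", "NOERROR"],
    ["1457343601.000000", "CgPj1c", "192.0.2.53", "gone.example.invalid", "A", "-", "NXDOMAIN"])
SAMPLE_HTTP = _log("http",
    ["ts", "uid", "id.resp_h", "method", "host", "uri", "status_code", "resp_fuids", "resp_mime_types"],
    ["time", "string", "addr", "string", "string", "string", "count", "vector[string]", "vector[string]"],
    ["1457343602.000000", "CgPj1d", "198.51.100.7", "POST", "c2.example.invalid", "/zapoy/gate.php", "200", "-", "-"],
    ["1457343603.000000", "CgPj1e", "198.51.100.9", "GET", "198.51.100.9", "/xdaovcny/index.php", "200",
     "FA1b2c3d4e5f6g7h8i", "application/x-dosexec"],
    ["1457343604.000000", "CgPj1f", "198.51.100.9", "GET", "198.51.100.9", "/missing", "404", "-", "-"])
SAMPLE_FILES = _log("files",
    ["ts", "fuid", "mime_type", "total_bytes", "md5", "sha1", "sha256"],
    ["time", "string", "string", "count", "string", "string", "string"],
    ["1457343603.000000", "FA1b2c3d4e5f6g7h8i", "application/x-dosexec", "204800",
     "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"])

if __name__ == "__main__":
    for (query, answer), (first, last) in sorted(passive_dns(parse_bro_log(SAMPLE_DNS)).items()):
        print("pDNS  %-22s %-14s first=%.0f last=%.0f" % (query, answer, first, last))
    for hit in downloaded_files(parse_bro_log(SAMPLE_HTTP), parse_bro_log(SAMPLE_FILES)):
        print("FILE  http://%(host)s%(uri)s %(mime)s sha256=%(sha256)s" % hit)
```

Parsing the header instead of hard-coding column positions is what makes this survive a local.bro change that adds or reorders fields, which is exactly what happens once you start extending the logs; grepping for `200` as in the one-liner also matches any other column containing that substring, and the typed `status_code` comparison avoids that.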



MAN1 Adversary Group

http://www.threatgeek.com/2016/07/tracking-man1-crypter-actor.html


What Can We Learn From PCAP Only?

• Adversary Likely Russophone

• Office Document generating network traffic

• Multi-stage malware

• One payload is Pony

• One payload is Nymaim

• Nymaim has
  • Dedicated infrastructure
  • Rogue DNS

• Dropper uses compromised Drupal websites

• Adversary is MAN1



Collected Lots of Indicators



My local.bro



cuddlesome.exe = Ruckguv



Bro Output

• Important Logs
  • conn.log
  • dns.log
  • http.log
  • pe.log
  • files.log

• Extracted Files

• Alternative JSON Output for Elasticsearch



Volatility: Memory Analysis Framework



What is the Volatility Framework?

• Extracts artifacts from samples of volatile memory
• An amazing view into what is happening in memory while a malware sample is running



Operating System Support



Volatility in Action

• Analysis Target: b.exe

• Sample Source: https://www.hybrid-analysis.com/

• SHA1: 5149b40858c575238f1cbfcd32dd78a30bc87742

• What can we learn from memory analysis?



Preparing Your Memory Image: Convert ELF64 image into raw dd-style memory dump

• Dump a memory image from running VirtualBox VM
  • VBoxManage debugvm "Win7x64" dumpvmcore --filename=vbox.img
  • vol.py -f vbox.img --profile=Win7SP1x64 imagecopy -O copy.raw



pslist & psscan


• psscan shows hidden and terminated processes

• pslist shows running processes

• pslist before and after running malware sample
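The before/after comparison and the pslist-versus-psscan check as an added Python example, not Volatility's own code: it parses the text output of both plugins, reports the PIDs that appeared after detonation, and splits what psscan found but pslist could not reach into terminated processes (expected, and the reason psscan is noisy) and live ones (unlinked from the process list, the interesting set). The plugin output below is constructed, with made-up offsets and times; `triage` and the other function names belong to this example.

```python
import re

# One regex covers the leading columns of both pslist and psscan output in Volatility 2.x:
# offset, name, PID, PPID. The columns after that differ between the plugins and are ignored,
# except that a second timestamp on the line (the Exit / Time exited column) marks an exit.
_PROC_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_process_table(text):
    """Parse pslist/psscan text output into {pid: {name, ppid, offset, exited}}."""
    procs = {}
    for line in text.splitlines():
        m = _PROC_RE.match(line.strip())
        if not m:
            continue  # header, ruler and blank lines
        offset, name, pid, ppid = m.groups()
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "offset": offset,
                           "exited": line.count("UTC") >= 2}
    return procs


def diff_process_lists(before, after):
    """Compare pslist before and after detonation: PIDs that appeared and PIDs that vanished."""
    new = {pid: after[pid] for pid in after.keys() - before.keys()}
    gone = {pid: before[pid] for pid in before.keys() - after.keys()}
    return {"new": new, "gone": gone}


def hidden_processes(pslist, psscan):
    """Processes psscan carved from pool memory that pslist did not reach by walking the
    ActiveProcessLinks list. Terminated ones are expected; live ones are the suspicious set."""
    hidden, terminated = {}, {}
    for pid, proc in psscan.items():
        if pid in pslist:
            continue
        (terminated if proc["exited"] else hidden)[pid] = proc
    return {"hidden": hidden, "terminated": terminated}


# Constructed plugin output in the Volatility 2.x column layout; offsets and times are made up.
PSLIST_BEFORE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c5e040 System                    4      0     86      551 ------      0 2016-10-19 14:00:01 UTC+0000
0xfffffa8001a3f060 explorer.exe           1234   1200     30      900      1      0 2016-10-19 14:00:40 UTC+0000
"""
PSLIST_AFTER = PSLIST_BEFORE + """\
0xfffffa8001c11b30 b.exe                  2000   1234      2       60      1      1 2016-10-19 14:05:10 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e2c1040 System                4      0 0x0000000000187000 2016-10-19 14:00:01 UTC+0000
0x000000003f01a060 explorer.exe       1234   1200 0x000000001f4c8000 2016-10-19 14:00:40 UTC+0000
0x000000003f2c0b30 b.exe              2000   1234 0x000000002a0b1000 2016-10-19 14:05:10 UTC+0000
0x000000003f3d1a20 cmd.exe            2050   2000 0x000000002b1c2000 2016-10-19 14:05:11 UTC+0000   2016-10-19 14:05:12 UTC+0000
0x000000003f4e2c10 rundll32.exe       2100   2000 0x000000002c2d3000 2016-10-19 14:05:13 UTC+0000
"""


def triage(before_text, after_text, psscan_text):
    """Run both comparisons on the raw plugin output and return the PIDs worth a closer look."""
    before, after = parse_process_table(before_text), parse_process_table(after_text)
    delta = diff_process_lists(before, after)
    scan = hidden_processes(after, parse_process_table(psscan_text))
    return {"new": sorted(delta["new"]), "gone": sorted(delta["gone"]),
            "hidden": sorted(scan["hidden"]), "terminated": sorted(scan["terminated"])}


if __name__ == "__main__":
    print(triage(PSLIST_BEFORE, PSLIST_AFTER, PSSCAN))
```

A live PID in the hidden set does not by itself prove unlinking: a process created in the short window between the two acquisitions shows up the same way, so take both images from the same dump (pslist and psscan over one `copy.raw`) before treating it as a rootkit indicator.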


malfind

$ vol.py -f copy.raw --profile=Win7SP1x64 malfind -D .



Malware Found?

AV detections for the dumped region
• Avira: TR/Patched.Ren.Gen7
• Qihoo-360: HEUR/QVM40.1.Malware.Gen

Values shown in the malfind output: 0x80000, 0xa000



netscan

$ vol.py -f copy.raw --profile=Win7SP1x64 netscan | grep explorer



What Can We Learn From Memory Analysis?

• Sample uses process injection

• Injects explorer.exe

• Command and Control IP Address: 216.170.126.105



Volatility Output

• Files extracted from services

• Files extracted from injection

• DLLs extracted

• IP addresses extracted from network connections

• URLs extracted from IE history

• URLs extracted from malware configuration

• Suspicious mutexes



Tying It All Together: Conclusion



Cuckoo, Thug, Bro Process



Volatility, Thug, Cuckoo Process



Orchestration and Automation

• Use a message queue
  • Redis
  • RabbitMQ
  • ZeroMQ <- Preferred
• Use NGINX for file transfer under message queue
• Keep all output in Elasticsearch
  • Cuckoo needs to be cuckoo-modified or write your own report plugin
  • Thug uses ES natively
  • Bro can export logs in JSON format
  • Volatility can export logs in JSON format
• Glue everything together with Python3



Questions?


www.ThreatConnect.com/blog

@MalwareUtkonos @ThreatConnect