Lab 3 - Analysis Lab: Behavioral Analysis Tools

In this lab, you will use behavioral analysis tools in your Windows virtual machine to monitor the execution of a real piece of malware.

Deliverables

Create a PDF document that provides the requested information below. Upload to the Lab 3 Assignment on Canvas when finished.

Malware Sample

Go to the course Canvas site and download the malware sample from the Lab 3 Assignment into your Windows virtual machine. Unzip the file with password 'malware'.

Tools

For this lab, you should use the following behavioral analysis tools as needed:

  • Process Hacker
  • Process Monitor, either in isolation or in combination with ProcDOT
    • Tip: First-run instructions for ProcDOT, and how to configure Process Monitor, are in this tutorial
    • Tip: Process Monitor will go (extra) crazy if you have many monitoring tools running along with the malware, since it will pick up their activity as well. Either run this tool in isolation, or plan to apply some very specific filters to isolate just the system calls you are potentially interested in.
  • RegShot
    • Tip: Make sure to enable the scan files feature for the C:\ path. Otherwise, only the registry is scanned by default.
  • Wireshark
  • TCPLogView
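The Process Monitor tip above boils down to filtering: keep one process and only the operations that answer the registry, file and network questions. The following is an added example (not part of the lab or of Process Monitor) that applies that filter to a CSV export; the CSV rows, the process name sample.exe and the paths in them are constructed, not taken from the lab's sample.

```python
import csv
import io

# Constructed Process Monitor CSV export (File > Save, CSV). The rows are
# made up for illustration and are not from the lab's malware sample.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:03.2","sample.exe","4100","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\log.txt","SUCCESS","Desired Access: Generic Write"
"10:01:03.3","sample.exe","4100","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\log.txt","SUCCESS","Offset: 0, Length: 64"
"10:01:04.0","sample.exe","4100","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\updater.exe"
"10:01:05.5","sample.exe","4100","TCP Connect","WIN-LAB:49152 -> 203.0.113.7:8080","SUCCESS","Length: 0"
"10:01:06.0","explorer.exe","1200","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0"
"""

# Registry paths whose values are launched at logon (the lab's autorun question).
AUTORUN_KEYS = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)

def is_autorun_path(path):
    """True when a registry path sits under a Run/RunOnce key."""
    return any(k in path.lower() for k in AUTORUN_KEYS)

def dest_endpoint(path):
    """Split Procmon's 'src:port -> dst:port' Path into (dst_host, dst_port)."""
    dst = path.split("->")[-1].strip()
    host, port = dst.rsplit(":", 1)
    return host, int(port)

def triage(csv_text, process_name):
    """Keep only the events that answer the lab questions for one process:
    autorun registry writes, files written, and outbound connections."""
    findings = {"autorun": [], "files": [], "network": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # drop the noise from every other process
        op, path = row["Operation"], row["Path"]
        if op == "RegSetValue" and is_autorun_path(path):
            findings["autorun"].append((path, row["Detail"]))
        elif op == "WriteFile" and path not in findings["files"]:
            findings["files"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            findings["network"].append((op.split()[0],) + dest_endpoint(path))
    return findings

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_CSV, "sample.exe").items():
        print(kind, items)
```

Export the real capture from Process Monitor with File > Save in CSV format and pass its contents to triage() with the process name you identified in the first question.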

Pre-Lab

IMPORTANT! Configure your network as follows, so that Windows intentionally forwards its network traffic to Linux. (We specifically want Windows to be able to reach its default gateway, but that gateway should not forward traffic further. This will allow us to capture some preliminary network artifacts, like TCP SYN packets, instead of just seeing ARP requests.)
(1) Launch the REMnux virtual machine. REMnux will not forward IP traffic by default, so it is already configured correctly. Find the IP address of its eth0 interface via the ifconfig eth0 command, and leave it running.
(2) Launch the Windows virtual machine. Manually set its IP address in the same range as the REMnux virtual machine, but not exactly the same address. Manually set its default gateway as the IP of the REMnux machine. Manually set its DNS server as the IP of the REMnux machine. Thus, both Windows and REMnux will be on the same subnet, Windows will be forwarding its network traffic to REMnux, and REMnux will drop/ignore/subvert that traffic as desired.

Questions

Question Answer
What is the full path and filename of the process that begins running soon after you start the malware?
What mutex names exist in this process?
What IP address exists in this process? Provide the memory address where this string starts.
What domain name exists in this process? Provide the memory address where this string starts.
What URL fragment exists in this process? Provide the memory address where this string starts.
What is the name of the registry key(s) that allows a process to be automatically executed when the system starts?
What value does the malware set these registry key(s) to?
What new files are created by the malware? (Provide a full path, not just the file names)
What is the purpose of the log.txt file created by the malware? How did you know?
What network communication does the malware attempt? In your answer, include all available details, such as protocol (TCP, UDP?), IP address of destination, and port number of destination.
What is the popular name (not filename) and purpose of this particular piece of malware? Google using some of your potential IOCs found above.
What are 4 specific technical questions that you have about the operation of the malware that are inspired by but not answered by the above analysis?
Q1:
Q2:
Q3:
Q4:

Behavioral Analysis and Networking

These additional questions require the use of several networking tools in REMnux: fakedns, accept-all-ips, Wireshark, and a specific network service that you will (easily) identify.

Run Wireshark in the background in REMnux and keep it running, although you may want to clear the display and start fresh from time to time. Ensure that your Windows box is set to use the REMnux IP as both its default gateway and DNS server.

You should have seen an attempted communication with a suspicious IP address earlier in the lab. If you run accept-all-ips start in REMnux, it will accept data sent to any destination IP address, not just its own. Do that, and run the malware again.

Question Answer
What happens if you attempt to ping google.com from the Windows command line?
What was the suspicious IP from earlier in the lab, again?
What was the destination port number and protocol being attempted in communication with this suspicious IP, again?
What application service would you need to start, in order that the malware has something to talk with at that suspicious IP?
What is the command to start this application service?

Start that service now. Reset Wireshark. Kill the malware, and launch it again. (For this malware, you don't need to restore Windows from a snapshot to see network communication, but you may with other malware).

Question Answer
What is the specific message sent by the malware to the suspicious IP? In Wireshark, right-clicking on the first TCP packet and using the Follow->TCP Stream feature will be much easier than stepping through each packet of the conversation.
In the message above, what pieces of data being exfiltrated can you observe by inspection? (Hint: At least 2 should be obvious)
In the message above, what pieces of data being exfiltrated would require additional investigation to determine their meaning?

You should have seen an attempted DNS query for a suspicious hostname earlier in the lab. If you run the fakedns program in REMnux, it will respond with its own IP address to any DNS query it sees. Run that utility now, then kill the malware and run it again.
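What fakedns does on the wire, as an added example that is not the fakedns tool's own code nor part of the lab: every A query gets a response carrying the lab's sinkhole address, and the queried hostname is logged so it can be matched against what Wireshark shows. The SINKHOLE_IP value and the hostname in the test are assumptions; in the lab the real value is the REMnux eth0 address.

```python
import socket
import struct

# Assumed sinkhole address; in the lab this is the REMnux eth0 IP.
SINKHOLE_IP = "192.168.56.10"

def parse_question(packet):
    """Return (txid, qname, qtype, end_offset) from a raw DNS message."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12  # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4

def build_reply(packet, answer_ip=SINKHOLE_IP, ttl=60):
    """Answer any A query with answer_ip, echoing the question like fakedns."""
    txid, qname, qtype, qend = parse_question(packet)
    question = packet[12:qend]
    # flags 0x8180: response, recursion desired + available, no error
    if qtype != 1:  # not an A query: reply with an empty answer section
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question, qname
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer, qname

def build_query(hostname, txid=0x1234):
    """Constructed helper: encode an A query the way a stub resolver would."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def serve(bind_ip="0.0.0.0", port=53):
    """Run a fakedns-style responder (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply, qname = build_reply(data)
        print(f"{peer[0]} asked for {qname} -> answered {SINKHOLE_IP}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```

In Wireshark the response shows the same transaction ID as the query and a single A record whose address is the sinkhole, which is what the "confirm this via Wireshark" question asks you to observe.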

Question Answer
What happens if you attempt to ping google.com from the Windows command line now?
What is the suspicious hostname from earlier in the lab, again?
What IP address does this hostname get resolved to? (Confirm this via Wireshark - don't just write it down from your knowledge of the fakedns program)
Using Wireshark, what happens next, after the malware learns the IP for this hostname?