Lab – Malware Analysis

See here for instructions on setting up virtualbox for this class.

Heads up! Be sure that you have created the infosec-net virtualbox network, as specified at the top of the above link, before importing the vm! It's not the end of the world if you don't, but it does require some extra work.

This lab uses the following vms:

Overview

In this lab, you will prod at and run live malware called WannaCry. You will be fine as long as you follow instructions. Please talk to me if you are scared.

Rhetorical question. Have you backed up your data lately?

Take a gander at the reading assigned for the malware topic, listed on canvas. It is library access to the first introductory chapter of “Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig. The book is accessible for beginners such as yourself, and is also a handy reference for more advanced analysts.

Analyze the Malware

In this lab, you’ll WannaCry. This program made international headlines last summer when it wreaked havoc across the world before being disabled by malware analyst Marcus Hutchins.

WannaCry is ransomware that encrypts the victim’s files and demands ransom in order to decrypt. But due to a programming error, WannaCry does not decrypt victim’s files even after the ransom is paid.

Confirm VM settings for great safety and much assurance

It is possible for WannaCry to “escape” the VM and spread to a wider network if two conditions are met:

  1. The virtual machine has a network adapter that gives it access to other machines on a network, and
  2. The other machines on that network are not patched against WannaCry’s spreading mechanism.

For #2 – This version of WannaCry uses the EternalBlue exploit to spread. Eternal Blue was developed by the NSA, and stolen and leaked by Shadow Brokers, and subsequently picked up by North Korean agents and used in WannaCry. Microsoft issued a patch for EternalBlue in March 2017. If you are running Windows and have installed updates since then, you’ll be fine.

For #1 – WannaCry will not spread to your host unless you changed the defaults on the Windows VM I distributed and set up a host-only network adapter. If you did, you should panic, and undo that. In theory, I think that WannaCry could reach out over the NAT adapter and attempt to exploit servers on the public internet – but mercy on any public server that is still vulnerable to WannaCry. They would have been infected many times over by now.

Heads up! Make sure that you have taken a snapshot of your Windows VM before proceeding. Having one will let you undo the messed-up state after you run the malware.

Preliminary Analysis

The WannaCry executable is zipped up in an encrypted folder on your desktop called “LIVE MALWARE WannaCry.exe”. However, ignore this folder, this zip contains only the “loader” or “encrypter” component. The “worm” component – the part that spreads wannacry around to other hosts – is a separate executable that I forgot to include on the VM. So, let’s grab it.

  1. Make sure that Windows Defender is disabled.

  2. Download the worm + loader executable from here (look for the 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip link).

  3. Extract the malware by right-clicking the folder, choosing Extract all..., and entering the password infected. This will create a new folder called “24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip”, inside of which is a 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe file. Do not run this file yet!

    This is the dropper and spreader only. Technically, it performs no encryption. It has stashed inside of it the wannacry encryptor. Its job is to drop the encryptor on a host, run it, and then scan the network and infect as many other machines as it can.

  4. Open a cmd terminal via the Windows searchbar. Therein, do the following:
    • Use cd to navigate into the extracted folder containing 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe
    • Hash the exe using the md5deep and sha256deep utilities.
  5. Google the hashes to see what comes up.
  6. Go to VirusTotal.com and either search for the hash, or upload the .exe file. If you do the latter, click the “View last analysis” button. Both approaches should return the same results.

    VirusTotal.com can run files and URLs through a barrage of antivirus programs to detect malicious files. This can be much more effective than checking a file against only one or two detection programs. However, people who create viruses also use this site to see whether their malicious code flags, and tweak the code until it comes up clean. It is not uncommon for a piece of malware to only turn up a few hits in VirusTotal.

    Question: What does Ad-Aware report this hash to be?
  7. Browse to the website Reverse.it (now owned by hybrid-analysis), and click on “Select file,” and upload the WannaCry worm file (the .exe) or search for its hash. Reverse.it will check the hash of the file against previously analyzed files. Select any of the Note the wide range of information that this site provides about the executable. Examine the IP address that this malware attempt to access – see the “Network Analysis” section (accessible via the menu on the right-hand side), and then the “Contacted Hosts” section. Keep this IP address in the back of your mind somewhere.

    Question: What IP address does the spreader attempt to access?

Now we will manually perform some of the analyses that reverse.it performs, in order to get a hands-on feel for the work involved.

You may ask, "Why are you asking us to do this? Are we not weakling business school students?" In fact, yes, you are weakling business school students.

As we have discussed in class a few times now, I do not expect you to become experts in any of the domains the labs have you explore. One of the learning objectives of this class is to help you appreciate the broad set of skills required for information security analysis, and in turn, information security management. Despite how it may appear to you, we are not going very deep into any of the lab topic areas. We are only scratching the surface(s). But if you can understand these basics, you will be better able to represent, advocate for, and manage the information security function in your organizations.

Specifically for this lab, if an organization gets hit by malware, upper management all the way to the top will want to know exactly what happened. Basic malware analysis can provide answers for upper management. If you are in a management position, you may want to know answers to questions that approaches in this lab can help answer.

Static Analysis

Static Analysis is usually the first step in malware analysis. It involves gathering as much information as possible from a potential malware file and determining its functionality, purpose, and identifying traits to the greatest degree possible. Static analysis does not involve running the malware file, and thus is less risky than dynamic analysis. However, caution must be used here (and in all stages of analysis), as certain analysis tools may execute the malware without warning.

Using the Strings Program

As its name implies, strings is a command-line tool that will parse through a file and pull out any character strings in either ASCII or Unicode. The result of running this tool can tell you many things about potential malware:

In this lab, we will use several tools from a set of tools developed in 1996 which still rocks called sysinternals.

Resource Hacker

Resource Hacker is another useful tool that can often pull information from a malware sample without executing the malware. Windows application development tools will set values in this section, but developers can override and set whatever information they want, if they so desire. Regardless, examining the values can sometimes give hints about and insight into the malware.

  1. Download “Resource Hacker” from here, and install it. Open “Resource Hacker” by searching for it from the windows search bar.
  2. Load the wannacry worm into resource hacker.
  3. Navigate through the folder tree structure to see information about the malware.

    1. Examine the “Version Info” node, and look at the “FileVersion”. This can be helpful to track to note versions of malware that may be floating around.

      Question: What FileVersion does this malware claim to be?

      lol and look at the CompanyName, FileDescription, and LegalCopyright. Cheeky North Koreans.

      Question: What is the name of the company that this malware claims is its author?
    2. Applications can embed applications within their resource section, which is accessible via the navbar on the left under the R tree. The loader stores the wannacry encryptor here. When the loader runs, if the killswitch is not triggered, it will extract the embedded resource payload, install it, and run it. Let’s extract it manually and play with it, eh?

      1. Expand the “R” node and right-click the star range. Choose Save Resources to a BIN file (a BIN file is another name for a .exe in windows). Save it where you like. This is the wannacry encryptor. If you run this, say goodbye to your vm files. Rename it to be wannacry.exe for your convenience, if you feel like it.

Strings again, this time on the wannacry encryptor

  1. From a cmd prompt in the directory where your newly extracted wannacry.exe is located, run the following:

    strings -n 12 wannacry.exe > output.txt
    notepad output.txt
    

    Read through the output.txt file and look for sensical strings. Some malware can use “packing” tricks to make it harder for malware analysts to perform static analysis (read more about it here). “Packing” is a form of compressing that is sometimes also combined with encryption. If this malware were “packed”, strings would find no sensical text inside. If it is not packed, you will see English words which are names of windows functions or custom that the malware may call internally.

    Question: Is this malware likely "packed", or is it "unpacked"?
    Consider. If you did not know what this malware did, what would seeing calls in the strings output to windows functions such as "CryptDecrypt", "CryptEncrypt", "CryptDestroyKey", and "CryptImportKey" tell you? Dadgum right, got ransomware on our dadgum hands.

Analyzing DLLs with Dependency Walker

A few Dynamic Linked Library (dll – the windows function library calls) appeared when we ran the Strings program above. We can use another program, Dependency Walker, to obtain more information about those dlls and their use by the malware. Dynamic linking is an area that gives a great deal of insight into how a program functions, and it is of particular importance to malware analysis.

  1. Download Dependency Walker from http://www.dependencywalker.com/. Extract the zip file contents, and run depends.exe. When the program loads, use the “open” button on the top-left and load wanncry.exe.

  2. There’s a lot of information here, so let’s step through it.

    • The top-left pane shows all of the DLL files that are called by the WannaCry program.
    • The top-right pane shows the functions that are called by the selected DLL.
    • The right-middle pane shows all possible functions that could be called by the selected DLL, along with their ordinal values; a function can either be called by its name or by the ordinal value, so if you see an ordinal value called you can use this list to check its functionality. Calling functions by ordinal allows a program to call the function without ever using its name in the code. It can be a useful obfuscation technique.
    • The bottom two panes show additional information.

    Spend some time looking through the different DLLs.

    Question: Under ADVAPI32.DLL, find BCRYPT.DLL. What is function for ordinal value 37, i.e., the 37th function from the top?
    Bcrypt.dll is a family of functions, documented and listed [here](https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/). Bcrypt.dll is not the same as the blowcrypt family of algorithms that we studied earlier in the semester. bcrypt.dll lamely refers to "bestcrypt", a.k.a "Cryptography: Next Generation (cng)" (see [here](https://stackoverflow.com/questions/9711568/does-winapis-bcrypt-h-actually-support-bcrypt-hashing)). It is the built-in Windows way to perform encryption. And yes, that means that Wannacry is lamely using Windows functions, instead of making their own functions, to encrypt all the things. Lazy son of a guns.

Dynamic Analysis of WannaCry

Now we come to the fun part. Dynamic Analysis is used to gather information about a file that could not be gathered during static analysis. Dynamic Analysis is inherently riskier than static analysis, as it involves investigating malware as it runs, or the state of the host machine after the malware has executed. The drawbacks of dynamic analysis are that (1) malware may behave differently in a VM environment if the malware detects that it is in such a setting; (2) malware may behave differently depending on available network and Internet connections, and (3) running malware may potentially expose the host or other hosts on a network to risk, as mentioned previously. But don’t worry about #3, you’ll probably be fine!

Grab some more sysinternals tools:

Process Monitor

You can get basic information from Task Manager in Windows, but Process Monitor allows you to track every action of a given process. Be warned that Process Manager generates a lot of data, all of which it stores in RAM. So, it may quickly fill up the memory of a VM and crash it if left to run for a long time.

No one in their right mind uses Process Monitor without applying some filters. We will apply filters soon to the gigantic pile of data pouring in.

Final reminder! Make sure that you have a snapshot of your nice and un-ransomware'd vm before proceeding!
  1. Launch Process Monitor. From within Process Monitor, launch the Process Tree (Tools > Process Tree).
  2. With Process Monitor running, run the 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. OH NO YOU ARE UNDER ATTACK. Or are you?
  3. Stop Process Monitor from collecting (File > Capture Events to toggle). Examine the Process Tree. Note the entry for 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. Right-click it and Add Process to Include Filter. Back in the main process monitor view, we are now looking at only events associated with our malware worm.
  4. In the icon menu on the top of Process Monitor, deselect all icons in the far-right section except for the third from the right – the one with two computers and who-knows-what-shape on top of them. This will filter to show only network calls. This should at least one TCP Reconnect operation. This is the loader calling out to the killswitch domain. If the call resolves successfuls, then the malware immediately exits without doing anything else (eyeroll @ DPRK).

    Question: What was the value of the "Result" field for the calls to 104.17.41.137?

Disable Network Adapter and run dropper again

The worm won’t killswitch if we don’t have an internet connection! Before we proceed, disable the VM’s network adapters. To do this, from the VM’s top-bar menu, select “Devices” > “Network” > click “Connect Network Adapter” to disconnect it. Verify that you do not have internet access from within the VM before proceeding.

Open Process Monitor again. Do the following from the menu options:

  1. With Process Monitor running, right-click 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe and choose “Run as Administrator.” OH NO YOU ARE UNDER ATTACK. YES THIS TIME YOU REALLY ARE. TIME TO CRY.

  2. The dropper installed the file stored in its R resource section into the C:\Windows\ directory, naming it tasksche.exe, and then ran it. This is the wannacry encryptor.

    Question: What is the sha256 hash of C:\Windows\tasksche.exe?
  3. Well, what does this encryptor do? It scans through the entire drive for files with interesting file extensions, and it encrypts them, storing an encrypted version of the decryption key in header info in the file itself. The encrypted variants of all of your precious files have a .WNCRY extension.

    strings in tasksche.exe shows that it is looking for files with the following extensions:

    .der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd 
    .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf 
    .sln .suo .cs .cpp .pas .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 
    .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff 
    .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx 
    .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost 
    .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm 
    .dot .docm .docb .docx .doc
    

    It then pops up an annoying notification about your ransomed state which will continue to pop up every sixty seconds or so. Best way to deal with that popup is to not “X” it out, but rather, drag it to a corner of your screen, almost out of sight.

    Right-click one of the encrypted files on your desktop, and “Edit in Notepad++” to examine the contents. What used to be plaintext aint so plain anymore, ‘tis it? The first 8 bytes of any file encrypted by wannacry are always the same. This is wannacry’s “magic number” You can see it in notepad++ or in a hex examiner such as HxD (installed on the VM).

    Question: What is the magic number for a wannacry-encrypted file?

Decrypting the WannaCrypted files

Just kidding. You can’t.

Actually, you can with two long-shots.

  1. A decryption tool exists which can extract the prime numbers from memory which were used in the encryption. However, huge caveats: it relies on a Windows encryption implementation bug that only only works for Windows OS versions less than 10, (e.g., XP through 7), and “it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).”

  2. Also, there’s a chance that if you pay the ransom, you will get a response… but, “Those who do shouldn’t expect a quick response – or any response at all. Even after payment, the ransomware doesn’t automatically release your computer and decrypt your files, according to security researchers. Instead, victims have to wait and hope WannaCry’s developers will remotely free the hostage computer over the internet. It’s a process that’s entirely manual and contains a serious flaw: The hackers have no way to prove who paid off the ransom.” Sigh.

Best defense against ransomware? Backups! Do you have one?

Bonus Reading!

In September 2018, the US Justice Department indicted a North Korean agent who participated in the WannaCry and Sony hacks.

Question: What is the name of the indicted agent?

References