PMA 221: Basic Dynamic Analysis (30 pts + 30 extra)

What you need:

Task 1. Basic Static Analysis

Downloading and Extracting the Sample

Using Firefox, download this file:

key.7z

You need 7-zip to extract the file. If you don't have it installed, download and install the 64-bit version from:

https://www.7-zip.org/

Right-click the key.7z file and click 7-Zip, "Extract Here". Enter a password of malware

The sample appears, named key.exe.

Using PEview

Open key.exe in PEview.

As shown below, if you expand "SECTION .rdata" and click "IMPORT Address Table", one of the three DLL's imported is advapi32.dll.

As you scroll you will see functions such as WriteConsoleW, GetConsoleWindow, WideCharToMultiByte, and GetStringType which assist us in identifying what the exe is doing.

The other two DLLs are kernel32.dll, and user32.dll.

Using BinText

Examine the strings in key.exe and find these items, as shown below.

Scroll up and find the key definitions, including #SHIFT# and #CAPS_LOCK#, as shown below. These look like strings used by a keylogger.

Task 2. Preparing for Dynamic Analysis

Dynamic analysis is simple: run monitoring tools, then run the malware, and let it have its way with our virtual machine. This is a sloppy technique, trusting a system that is being infected, but it usually works.

We will use these three programs to see what the malware does:

  1. Process Explorer
  2. Wireshark
  3. Process Monitor

Install and Run Process Explorer

Download Process Explorer from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Extract the zip file and open procexp64

Process Explorer shows currently running processes, with far more detail than Task Manager. It doesn't keep a log of them, so it's harmless to leave running.

Install and Run Wireshark

Go to https://www.wireshark.org/index.html#download and save/run the Windows Installer (64-bit) file.

Install Wireshark with the default options

Start Wireshark and begin capturing packets from the interface that goes to the Internet, it should be "Ethernet".

There will be a lot of traffic at the start because you are running RDP from your host machine to the Windows cloud machine.

To filter out the RDP traffic, enter this into the Wireshark command line, replacing 192.168.10.10 with your host machine IP address:

!(ip.addr == 192.168.10.10)

Note: To get the ip of your host machine, Google search "What's My IP?

Once that command is entered, you can stop and start the capture again by clicking the red box and the blue fin above the command line. Close any open web browsers to limit the traffic.

Note: For this project, no web requests will be made by the malware, but it's a good idea to monitor network traffic when running malware.

Install and Start Process Monitor

Process Monitor logs all the events in Windows Event Viewer, which will typically be hundreds of thousands of events. Don't leave it running for too long or it will use up all the RAM and crash.

It's best to start Process Monitor last, so you can exclude all the harmless processes the other tools are using.

Go to https://docs.microsoft.com/en-us/sysinternals/downloads/procmon and download / extract Process Monitor.

Note: if you are running Windows on ARM, download the zip file at the link above, unip it, and launch procmon64a.exe

Launch Process Monitor. If a Security Warning box pops up, allow the software to run.

Agree to the license.

You see Process Monitor, with a lot of visible events, as shown below.

Excluding Harmless Processes

In Process Monitor, right-click the name of one of the visible processes, such as explorer.exe, and click "exclude 'lsass.exe'", as shown below:

Repeat the process until all current processes are hidden, as shown below. There were a lot of processes to ignore, around 15 to 20.

Running the Malware

In File Explorer, right-click key.exe and choose Run as Administrator.

RUN THE MALWARE AS ADMINISTRATOR!

If you run it without Administrator privileges, the persistence mechanism will fail and you won't be able to find flag 221.3 below.

Wireshark

No unusual traffic appears in Wireshark, because this sample doesn't use the Internet. Close Wireshark.

Flag 221.1: Viewing the Running Malware in Process Explorer (10 pts)

In Process Explorer, in the top pane, find key.exe and click it.

Find the name of the exe covered in green in the image below. That is the flag.

Flag 221.2: Viewing the Running Malware in Process Monitor (5 pts)

Go to ProcMon and scroll until you get to key.exe. You can view the steps the malware is taking.

This malware creates an executable file in the Windows directory.

The malware also creates persistence by modifying the run registry key for the current user (HKCU = HKEY_CURRENT_USER). The programs referenced in this key will be executed when the user logs in.

Find the path of that key and take note of it.

The flag is the text covered in green.

Test out the keylogger

Open notepad and type some text.

In File Explorer, go to the folder where key.exe is, find log.txt and open it. You see the captured keystrokes, as shown below.

Persistence Mechanism

In Process Explorer, right click key.exe and choose Kill Process.

This stops the keylogger for the current sesssion. However, the malware has written itself into the registry, so it will start back up at the next reboot.

Restart the machine and reconnect through RDP.

Flag 221.3: Persistence (10 pts)

Open Process Explorer, find and click the new keylogger file, vmx32to64.exe.

From the Process Explorer menu bar, click View, "Show Lower Pane" View, "Lower Pane View", Handles.

The flag is covered by a green rectangle in the image below.

Flag 221.4: Removing persistence (5 pts)

Open command prompt and type in regedit

Navigate to the path we saw in 2.2: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The flag is the text covered in green.

Right click vmx32to64 and delete the registry key.

Flag 221.5: Run Key (10 pts extra)

Download this sample and unzip it with the password malware

key12.7z

Use the same dynamic anaysis tools to monitor the behavior of this sample. Find the Registry action shown below. The flag is covered by a green rectangle.

Flag 221.6: DNS Traffic (10 pts extra)

Examine the network traffic generated by the key12.exe sample.

Find the key in the DNS traffic, as shown below.

Flag 221.7: HTTP Traffic (10 pts extra)

Download this sample and unzip it with the password malware

key13.7z

Examine the network traffic generated by the key13.exe sample.

Find the key in the HTTP traffic, as shown below.


Ported to the cloud and updated 9-10-19
Posted 8-28-18
Wireshark "Clear" button added 9-11-18
More explanation added to last form 11-13-18
Renumbered and converted to flag-only format 8-16-19
Ported to Google Cloud 9-17-19
Extra credit samples added 9-18-19
key12.7z file uploaded and "malware" spelled correctly 9-25-19
More instructions added to flag 221.3 and CSS added 9-8-2020
Run as Administrator emphasized 9-1-2021
Background color changed 2-13-24
ARM note about procmon64a added 2-16-24