Kelvin James: Extracting Information from Common Malware

BSides Boise, 22:50, published 2020-02

Transcript [en]

Sweet. All right, ladies and gentlemen, we're going to be looking at fantastic malware. Actually, the official title of this, and I really struggled with the title, believe it or not, was "Extracting Information from Common Malware," and what that really means is that we're going to take a look at the normal malware that you folks see every day. I don't know about you guys, but I see three or four malware email campaigns throughout my week. We are not doing any reverse engineering, we are not doing debugging, we're not doing anything else besides taking malware, running it, and checking it out. Most of the malware samples we're going to look at today you can literally do in two segregated VMs: you've got your VirtualBox, you've got your Windows, and you've got a Linux box which is going to lie to the malware. The only exception is Zeus Panda Banker, which does require internet, as I have found, but I included it because it's a pain in my butt and I hate it. We will also look at TrickBot, which is extra icky.

Before we go any further I'm going to ask you guys to ask me a question, which is: why are we doing this? That's a fantastic question, I'm glad you asked that. We are doing this because even though we have our Mimecast, we've got our Proofpoint, we've got our AppRiver, we've got all these email sanitization technologies, they're not always a hundred percent. This was just September. If you notice here, this was an open directory, and I have 100.exe, 103.exe, 106.exe, and, standing here, NetWire, Remcos, fantastic. Now I know what my indicators are gonna be. However, this is what I got. Anybody notice any discrepancies? [unclear] 102, por favor. I had no 102.exe on this list, and believe it or not, 102.exe was actually LokiBot. So if I knew that was LokiBot, then I see, okay, great, so now I know that I've got my fre.php, which I'm gonna see on my network.

The real reason we take a look at these is so we know what's attacking us. We have lots of campaigns that come through. I can tell you straight away the one that always drops Panda Banker is Hancitor; it downloads Pony, until the end of September, and you could set your watch by it: Monday through Thursday, between 8 o'clock and 10 o'clock, and bam, it's coming in, with [unclear] and all these other subjects. Those large campaigns that you'll see coming in throughout your day, those will generally be well analyzed. You're gonna have a Proofpoint on them, you're gonna have Palo Alto on them most of the time. Those are the ones that are going to come in, and you're pretty safe with saying, okay, yeah, we have thousands of emails that just came in. Even if they're undelivered, if you're looking at something like Proofpoint, you can still say, holy crud, I've got a boatload of these coming in, somebody's analyzed them, and it's good to go. It's these onesie-twosies, it's these right here that you have to be careful with. TrickBot will normally come in, sometimes, on a very large-scale campaign, but other times, as I've experienced, they come in onesies, twosies, threes and fours, just enough under the radar. So if you don't know what you're looking for, you're not going to know what to look for on your network. Any questions so far? I was told by my family to go slow, unlike my standard speed of gerbil on crack. Sooo, questions? Anything? All right.

So the tools we're gonna use, all of them: I'm a real big open source guy. The more open source the better, only because it makes it easier to use from my perspective. I use a lot of Linux. In fact, as we look at this, one of the crucial things, techhelplist.com on Twitter really spoke this well: he said you handle your Linux malware on Windows and you handle your Windows malware on Linux. We're gonna be using VirtualBox with a Linux VM. I would highly recommend [unclear] from Endgame Security; I believe she has a post, and I'll post all these on my Pastebin after this talk. She has a premade, set-up, ready-to-go VM with INetSim, really hot stuff, makes it super easy to lie to the malware, which we like to do. And a Windows 7 VM. We'll be using INetSim; there's also a great one called FakeNet. These are what we're going to use to basically lie to the malware. Most of these, all of these except for Panda Banker, will request some sort of "what's my external IP address": ipchicken, ipinfo, I think there's a canhazip, whatismyipaddress. All these ones are just so we can find out what's my external IP address. We'll use INetSim and the Linux VM to lie to it. If you want to get a little more esoteric, which I have done, I'll run my own Apache server on that VM, and I will actually go down the responses from ipchicken or from ipinfo, and I will copy the responses verbatim, how they look, and I will create different websites within an Apache instance that will mimic the exact responses. But INetSim does just a great job as well.

So I will reiterate that when you are using this type of technique, using VirtualBox, I would strongly recommend you actually handle it on a Linux machine. If not, if you are willing to take the risk, I would strongly recommend, wherever your source is, you use something like 7-Zip to encrypt it, zip it with a password. This way you're going to prevent yourself from accidentally clicking on it and having a horrible rest of your day.

So the first thing we're going to do: you can choose whatever internal network you like. 172.16.0.1 and 0.2 is what I've chosen; all your 192.168 blocks, those are fine as well. You'll be wanting to set these up as an internal-only network on VirtualBox. You can see here I've got this set: the router, the default gateway and the preferred DNS are the Linux box, which we just set up. Really easy. Make sure to do a ping test, make sure they can talk to each other. So what I've done here is, I actually run VirtualBox on Linux as well, so I have a VM shared directory. The VM shared directory is what I share on the Linux machine itself, and that allows me to share from the guest to the host. That one I have read and writable; there's nothing in there, it's only if I want to copy something from the guest to the host. Now "SF case", this is actually where I have the malware, so that's sitting on my host machine. So when I want to make a copy, when I want to get this malware from my Linux box VM onto my Windows machine, the first step is I use my Linux VM to copy from my host to my Linux VM, and this is why [unclear]; I have no idea why they call it that, but that's what they called it. From there we will SFTP that file across from our Linux VM to our Windows VM. So our process is: our host machine, preferentially Linux, which is holding the malware; we copy it from that machine onto the Linux VM itself, and then we SFTP it across to the Windows machine.

After we've got that set, we're gonna set up our INetSim, really quick, really easy. You can actually just do a search and replace; I think they're all set to 10.10.10.1. Anyway, we tell it, hey, we're gonna bind to our internal address, same thing with our DNS. The default response is "INetSim HTTP server", a bit of a giveaway, so we want to change that into something that's not blatantly saying, hey, I'm INetSim. Malware absolutely does look for that.

The first thing we look at is Agent Tesla. Agent Tesla is a keylogger. It is one of many that I see constantly; there's the HawkEye keylogger as well. They're very prevalent. They can be anywhere from embedded within documents to downloaded. I've seen a lot of recent ones where they'll actually go out to a bit.ly link; the bit.ly link will go to [unclear], or there's one other, I think it's [unclear]. They'll actually download either a JPEG file which is literally an executable, or they will tag the embedded executable onto the JPEG file; it's trivial to extract it out. We run this, and a good thing that I do is I keep an eye on this bad boy right here. So when I have five megs of memory used, I don't think much is going on, but I will tell you that as soon as I run it, I will keep an eye. I normally have both of these running; I have a nice wide-screen monitor, I have my Linux VM on one side, my Windows VM on the other, and I run a packet capture so I can listen to the traffic. As soon as you see the magic of checkip in DNS there, you know that it's loaded into memory. At this point in time I suspend the process and I create a dump file. I may not have all the information there yet, but I will. Actually, especially for Agent Tesla, I make about three or four process dumps. I let it sit, I will resume the process, and then I'll do a search, search strings; sometimes I have to refresh it. As soon as you start seeing this gobbledy-[ __ ], you're in like Flynn. You know you've got these; these are base64-encoded and encrypted entries, and that is the key, which is a static key that [unclear]. I don't know why they haven't changed it, why they haven't changed it altogether. I will, one more time, make a dump file. From there I'm going to use [unclear] on Twitter, a very sharp researcher; I believe he works for Palo Alto. He created this; all I did was add one more entry, which is "import base64", and basically weaponize this. I'll also have this up on Facebook. We copy all these back over, three dump files over, and from here we strings these out; we do -el for wide, extract the base64, and we run that script, which is here. That's literally all this is, I kid you not: copy, paste, add the "import base64" under there. That's seriously it, and we will have this amount of excitement. It does look a little nasty at first; you can clean it up with grep and sed. At the end of the day this is what you'll get, and you will see that this one actually has ftp.[unclear].com, jungle@[unclear].com. People who say, gee, that looks like a password, are probably right; that's probably a password.

Agent Tesla comes in three tasty variants. Usually we see the SMTP version, which may use TLS, in which case you will not be able to get the threat actor, in this case [unclear].com. Sometimes they do a phenomenal fail where they actually have their email go out in clear text and they do an authentication that's base64, so you get the credentials that way. In this particular case, though, it was the FTP variant. So if we saw a DNS request for [unclear].com, we would know that somebody has opened something bad and their day has just gone pear-shaped.

Our next little one that we're going to look at is Panda Banker. We will start with that same process: we're going to copy it over from our host operating system onto our Linux VM, we will then SFTP it across from our Linux VM to our Windows 7 box. We will run this, and after what will seem like a very long time, you will actually see two svchost processes spawn. At this point in time I actually will do dumps as well, but I will also begin to look for strings within this, and the phrase that pays, ladies and gentlemen, I usually just check for "_config". As soon as you've got an "_config", you're golden. Why? Because now you know your botnet ID is 2610 and you have all the configuration information needed. Dump it, list it out, bam, there you go, there's their entire config, up to and including the base64-encoded process name, which is usually putty.exe. Botnet ID is up there, your webinjects, your VNC modules, your grabber, your SOCKS, your keylogger, all that garbage is right there for you. So again, if you suddenly see this on your network, someone has just opened something that is very naughty and you're going to get [unclear]. Questions? Anything? All right.

The last one, my particular favorite, and I really mean it, is TrickBot. Same process: we copy it over from the host to the Linux VM, from the Linux VM to the Windows 7 VM. The process now is so fast that if you have Process Hacker running, which is tasty, you will see a service has been deleted. Anyone want to guess what that service is? God bless you: Windows Defender. It's kind of rude. You can also check, and this one will absolutely take an eternity; it tells you nothing. You're going to wonder if anything actually happened after you click the executable: oh my gosh, what happened? You can check, because TrickBot will actually create a scheduled task. As you can tell, it says it's every 10 minutes. If you catch it wrong, you will actually have to wait 10 minutes, which is really lame. This is what it has started; this is the actual start. I name my boxes randomly to make them look good, as much as I can. In what will seem like an eternity, svchost will finally show up. You will also see network activity, the same as with Agent Tesla: you'll see your checkip, you'll see your canhazip, all these other ones. [unclear]. Another one that TrickBot will continually try is "what's my external IP". This is why it's really good to have these running side by side. You can use tshark, you can use tcpdump, whatever you want to use, in order to see the traffic. If you're just doing it on a host machine as well, if you're running Wireshark, you can listen in on that vboxnet, that VirtualBox Ethernet interface, and listen to that as well. From here the phrase that pays is "mcconf": Mike Charlie Charlie Oscar November Foxtrot. As soon as you see this, and you may have to do several refreshes, you're golden. We don't even have to do any dumps for this one; all we have to do is save it right down here. You can save the strings; that will actually save the entire search. This is our version, there's our gtag, there's our command and control servers, which are going to download a boatload of nasty modules, up to and including the latest one, which is [unclear] grabber. [unclear] copied over; in fact, on my Linux VM I have the bidirectional clipboard working, rock and roll, and I just copied straight over, copied this into Visual Studio Code, XML format, posted it on Twitter like a boss. If you happen to see port 449, you're going to have a bad day for the rest of your day.

This is why we take a look at these things. These small ones: "Okay, it was a malicious attachment." "Great, wasn't it blocked?" I get that a lot. "Well, was it blocked?" "Yes, it was." "Oh, fantastic." It wasn't fantastic, but [unclear]. We want to know what's attacking us so we know what indicators to look for. These are all the goodies that we used. I strongly recommend Visual Studio Code; it is cross-platform, and as I've used it more and more, it's been a really good replacement for Notepad++. Again, I will post these up shortly. Any questions, please?

I use Windows 7 because Windows 10 is also a pain in my butt, trying to get it to stop running antivirus. Windows 10 is fantastic for the common person. If I would have my malware in Windows 10 as an analyst, oh my gosh, stop, I have to make special things, special scripts, just to kill the thing. I actually use Windows 10 for static analysis, which is fine and dandy, but seriously, I had to make sure to disable all the antivirus, check Windows Defender; it is amazing. That's currently why. I've also found there are certain types of malware that will... I ran into one just the other day; the .NET would only run in Windows XP, so I have, I have no idea why, so I have a Windows XP VM, I have a Windows 7 VM which is 32-bit only, I also have one which is 64-bit only. I have all three of them, and I have seriously used all three of them to analyze certain malware that just won't play any other way. Other questions? Don't think they're inane questions, because they're not. Anything else?

That's a great question. I recently kind of sort of switched over to making snapshots, but for some reason I found for a long time that making snapshots was having to remember to go back and restore the snapshot later. It's terrible: okay, I better do this great analysis, you start it up, I had fired it off, oh crud, I forgot to restore the snapshot. I just cut it out, stop it, restore the snapshot. I've actually gone in and set the drive, once I get everything all set up, I've got all the tools that I need, [unclear], whatever, Process Hacker, I will actually go in and set that drive to immutable, and so all I need to do is, as soon as I shut it down, it automatically reverts; nothing was ever stored onto the disk. When you're using it with snapshots, then it stores onto the disk. There's a caveat with that, however. The bonus point, if you're using snapshots, is if you say, oh gee, I needed a file off that image, I can actually just start up my VirtualBox again and boom, everything's fine and dandy, I didn't restore the snapshot yet, so I can still grab the file or the artifact that was dropped. But that's a really good question. So far immutable seems to be the best method for me, but I have switched over a couple of them to the snapshot method just because a lot of these tools get updated really frequently; x64dbg gets updated almost monthly, and I'd like to keep those tools current, so that's why I've kind of switched over there to the snapshot method. Anything else?

Okay, the last bit before I go. As you go out and as you look at this malicious code, as you defend your companies, defend families, one thing to keep in mind is that everything we do, every service, every product, it is all about people. So as you approach your day, and it's two o'clock in the morning, you're on call and you're looking at an IDS alert, keep it in the back of your mind: really, at the end of the day, it's all about people. All right, thank you very much, appreciate it. [Applause]
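The speaker's workflow for Agent Tesla and Panda Banker is: take a process dump, pull ASCII and wide (UTF-16LE, `strings -el`) strings out of it, pick out the base64-looking ones, decode them, and clean up the noise with grep and sed. The script below is an added example written for this transcript; it is not the speaker's script and not the Palo Alto researcher's script he mentions. It implements the `strings` step itself (ASCII and UTF-16LE runs) so that it runs anywhere without the binary, then filters base64 candidates the way a grep/sed pass would. The "dump" is a constructed byte string, and every decoded value (`ftp.example.invalid`, `user@example.invalid`, `Passw0rd-placeholder`) is a placeholder, not an indicator from any real sample. It does not attempt the extra encryption layer the speaker mentions for Agent Tesla, because the key is not part of the talk.

```python
import base64
import binascii
import re
from typing import Iterable, List, Tuple

# Base64 alphabet run of at least 16 characters with optional '=' padding.
# Short runs are skipped because ordinary words would produce false hits.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Emulate `strings -a` (ASCII) and `strings -a -el` (UTF-16LE) on a dump."""
    found: List[str] = []
    # Printable ASCII runs of at least min_len bytes.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(m.group().decode("ascii"))
    # Wide strings: printable ASCII byte followed by a NUL, repeated.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(m.group().decode("utf-16-le"))
    return found


def _looks_printable(raw: bytes) -> bool:
    """Keep only decodes that are printable text; random bytes are noise."""
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def decode_base64_candidates(strings: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) for every base64 token that decodes cleanly."""
    results: List[Tuple[str, str]] = []
    for s in strings:
        for m in B64_RE.finditer(s):
            token = m.group()
            if len(token) % 4:          # valid base64 is always a multiple of 4
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except binascii.Error:
                continue
            if _looks_printable(raw):
                results.append((token, raw.decode("ascii")))
    return results


def analyze_dump(data: bytes, min_len: int = 4) -> List[Tuple[str, str]]:
    """Strings -> base64 filter -> decode, the pipeline described in the talk."""
    return decode_base64_candidates(extract_strings(data, min_len))


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample "process dump" (not from a real sample): filler bytes,
# one wide string, base64 blobs in both ASCII and wide form, and a decoy run
# of 'A's that is valid base64 but decodes to NULs and must be filtered out.
DUMP = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",                       # header-like filler
    _wide("svchost.exe"), b"\x00\x00",                   # wide string
    b"\x7f\x01", _b64("ftp.example.invalid").encode(), b"\x00\x00",
    _wide(_b64("user@example.invalid")), b"\x00\x00",    # wide base64 blob
    b"\x02", _b64("Passw0rd-placeholder").encode(), b"\x00\x00",
    b"AAAAAAAAAAAAAAAA\x00\x00",                         # decoy, decodes to NULs
    b"\xff\xfe" * 5,
])


if __name__ == "__main__":
    # Usage on a real dump: analyze_dump(open("proc.dmp", "rb").read())
    for token, plain in analyze_dump(DUMP):
        print(f"{token}  ->  {plain}")
```

The printable-text filter is the equivalent of the speaker's grep/sed clean-up: without it, every 16-character run of letters in the dump would be "decoded" into binary junk. On a real dump you would feed the output to your own indicator list (host names, mail addresses, FTP servers) rather than reading it by eye.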