Robusta Technology and Training Computer Hacking Forensic Investigator fam 31249 Malware Forensics LO#06: Analyze Malware Behavior on System Properties in Real-time Monitoring Reps Artacts Monitoring Processes Monitoring Windows Serces Monitoring Start Programs Mentoring Windo ys set Logs Monitoring ans Menta Diets aceite tiates ny dec ney Checkers: FastSum and LO#06: Analyze Malware Behavigfon System Properties in Real- time During runtime, a malware might inter with various system components, such as registry, file and folders, windows processes and Zervices, and device drivers. It might update/delete registry keys or create malicious Windayestrvices/processes to accomplish what itis designed to do. After running the malwareginvestigators can analyze the changes in registry, processes, or services by comparing the result with the baseline image and by using various forensic tools. They can also examine the API calls made by the malware and monitor event logs to see the changes on the system properties performed by the malware. This section describes how to analyze various system components and track malicious changes during dynamic malware analysis. ‘Computer Hacking Forensic Investigator Copyright © by Ke-Pounelt ‘AllRights Reserved. Reproduction s Stel Prohibited.Robusta Technology and Training Computer Hacking Forensic Investigator am 31249 Malware Forensics System Behavior Analysis: Monitoring C Registry Artifacts (© Mawar manipulates the rgty tcoe attri suey =. ‘henner th cemuter Dots ort ‘ner on {© By running the malware on a forensic ‘workstation, ou can observe is activity onthe registry and look for specific keys ‘or values that are read, created, ‘modified, or deleted by it (© Look or Windows AutoStart registry locations that ace commonly targeted by ‘malware to persist on the system System Behavior Analysis: Moni try Brtifacts Windows registry stores OS and erogram shea details, such as settings and options. If the malware is a program, the regist 3 its Functionality. Malware manipulates the registry to.ensure that it runs automatically, ybenever a computer oF device boots ora user logs in. Forensic investigators can executésthe malware on a Windows forensic workstation and observe how it interacts with the systept registry files, particularly the registry keys and values that are created, modified, or deleted by it. Investigators can look into specific registry locations while performing a rut is of the malware to learn more about its functionality. Monitoring AutoStart registry keys can be quite Useful as those are the most common locations targeted by malware. Module 14 Page 1355 ‘Computer Hacking Forensic Investigator Copyright © by Ke-Pounelt ‘AllRights Reserved. Reproduction s Stel Prohibited.Robusta Technology and Training Computer Hacking Forensic Investigator am 31249 Malware Forensics below: Windows AutoStart Registry Keys sera o3THARE \tleronoft\Mindows\CornentVecsice\Rin ‘mrco\sornense Werovott \indowe\CorrentVereioe\Ron smu soronare eieronote Mindows\CorrentVereioe\Foliciae\Eeplore vn sera sormense ierouote \Rindows \Correntversin\Raronse Te ere aren ini roel gloee NE ere vt seta near nt eter Yaccnmicaeayng ana yaar seco\nornmar nicrocore winder Sn Sostaretontepras ee << Windows AutoStart Registry Keys oS The Autostart keys within the Wind istry, which allow programs to be executed automatically upon system reboot or 4G login, are the most common locations targeted by malware to achieve persistence on apy Compromised machine. Some of the Windows eee gistry keys targeted by malicious programs are discussed Run/RunOnce Keys Malware often modifies the below-mentioned registry keys to continue running on the system whenever the user logs in: © HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run © HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ‘A malicious program can also modify the following system-related keys: © HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run © HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce © HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Exp! orer\Run Startup Keys Malware authors also try to place their malicious executable file within the startup directory of the compromised system and create a shortcut entry on the location pointed by the Startup subkey which is set to execute the service automatically on each logon/reboot. Module 14 Page 1355 ‘Computer Hacking Forensic Investigator Copyright © by EE-Coumelt ‘Al Rights Reserved. Reproduction is Stl ProhibitedRobusta Technology and Training Malware Forensics Module 14 Page 1357 Computer Hacking Forensic Investigator fam 31249 These startup locations are found both at the user level and system level: © HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\S hell Folders, Common Startup © HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\, User Shell Folders, Common Startup © _HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sh ell Folders, Startup © HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Us er Shell Folders, Startup ‘Computer Hacking Forensic Investigator Copyright © by Ke-Pounelt ‘AllRights Reserved. Reproduction s Stel Prohibited.Computer Hacking Forensic Investigto am 31249 Analyzing Windows AutoStart Registry Keys Use tools ke Regripper that comes with stonstay ane a8 both GUI and command ine tools that can © Paylte New sre ue ted aera hey patee kay vals, and dat from registry © Cosheopat Mann VO ait fic aed to chew pert Analyzing Registry Artifacts: Windows WutoStart Registry Keys After the malware is executed on a WinduWs forensic workstation, investigators can examine AutoStart registry locations via tools like RPRripper to see if it follows any persistence mechanism The screenshot below shows the gdfimand used to parse the AutoStart registry key contents from the NTUSER.dat file of gpécific user (in this scenario, Robert) to a text file named Output.txt via Regripper after he malware has been executed. The NTUSER.dat is a registry log file that stores settings and preferences specific to any user account. BEE CAWINDOWS\system32\cmdeve 1 used to parse the NTUSER dat fle ofa specific user using Regripper Module 14 Page 1358 Computer Hacking Forensic investigator Copyright © by Counc Tl ight Reserve. Reproduction Stty Prone.Robusta Technology and Training Computer Hacking Forensic Investigator fam 31249 ‘Mabware Forensics The analysis of the AutoStart registry key values shows an entry added to the Run key in the HKEY_CURRENT_USER hive by the malware at runtime. The malware has appended a persistent VB script file under the Run key to run automatically on user login: = PiQyyECwr: New name value created under Run key = CaoCtboog.vbs: Malicious VB script file installed to achieve persistence = Script file path: C:\Users\Robert\AppData\Local\Temp\CaoCiboog vbs ae tat sh ven enoang Uagge Seng ok thu in pee nse 7 2H0sG8/4eB aclau e209). 152Biee|e=0R ool e s Figure 1a 2@Analyis ofthe output.txt fle RegRipper xO we Source: https://glthub.com 3 RegRipper is an open-souite tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. RegRipper consists of two basic tools, both of which provide similar capability. The RegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. It also includes a command line (CL) tool called rip. Rip can be pointed against to a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. This tool run via plugins that are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Module 14 Page 1359, ‘Computer Hacking Forensic Investigator Copyright © by Ke-Pounelt ‘AllRights Reserved. Reproduction s Stel Prohibited.Robusta Technology and Training Computer Hacking Forensic Investigator am 31249 Malware Forensics System Behavior Analysis: Monitoring Processes Process Montor shows real-time le system, Process monitor | eg, od procetend vty {© Some matare aso use PEs [Portable recta) to nec theses ito various processes (suchas explorer or web browsers) frocess monitoring after the execution ofthe maware on the forense ‘rotation Reps menting the Processes the mabareintiates oF se process monitoring to the Process Monitor sean fo SuBICous processes crested bythe saare System Behavior Analysis: Monit cesses Investigators should perform process morporing as it will help them understand the processes initiated and taken over by a malwe fer execution. They should also observe the child processes, associated handles, loaded libraries, and functions to define the nature of a file or program, gather information abag# processes running before execution of the malware, and compare them to the processe{Minning after execution. This method will reduce the time taken to analyze the processes anéthelp in easy identification of all processes started by the malware. Process Monitor Source: https://docs.micrasoft.com Process Monitor is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It combines the features of two Sysinternals utilities, Filemon and Regmon, and adds enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. Process Monitor includes monitoring and filtering capabilities, which includes the following: = More data captured for operation input and output parameters = Non-destructive filters allow you to set filters without losing data * Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation Module 14 Page 1360 ‘Computer Hacking Forensic Investigator Copyright © by EE-Coumelt ‘AlRights Reserved. Reproduction is Strict ProhibitedRobusta Technology and Training Computer Hacking Forensic Investigator Malware Forensics session IDs of log data = Cancellable search = Boot time logging of all operations Module 14 Page 1361 am 31249 = Reliable capture of process details, including image path, command line, and user and = Configurable and moveable columns for any event property = Filters can be set for any data field, including fields not configured as columns = Advanced logging architecture scales to tens of millions of captured events and gigabytes = Process tree tool shows the relationship between all processes referenced in a trace ‘= Native log format preserves all data for loading in a different Process Monitor instance "Process tooltip for easy viewing of process image information ‘Computer Hacking Forensic Investigator Copyright © by Ke-Pounelt ‘AllRights Reserved. Reproduction s Stel Prohibited.Robusta Technology and Training Computer Hacking Forensic Investigator am 31249 Malware Forensics System Behavior Analysis: Monitoring Windows Services HF ‘Thistool an hep trace matlous sertces Indy the maar can create sereces (© Malware spawn Windows services tat ‘ow atackers to remotely contol he ‘tim machine ard pass malious ‘atware may ao employ eat tectnique 0 manipula REY LOCAL_MACHINE\System\Current onrotet\ Services repity kes to ide examining Windows services upon ‘malware ection helps in enttyng ‘any suspicious series created by the ‘malware that mightrun aaematcaly OF ‘equee manual tarvention get stared System Behavior Analysis: Monit lows Services ‘Attackers design malware and other maticigils code in such a way that they install and run on a computer device in the form of a servic@@K malware might spawn Windows services that allow attackers remote control to the victip Machine and pass malicious instructions or apply rootkit techniques to manipulate registry Kes and avoid detection. ‘As many Windows services ruin the background to support processes and applications, the malicious services are invisifle even when performing harmful activities on the system and can function even without any intervention or input. ‘These malicious services run as a SYSTEM account or other privileged accounts, which provides more access than the user accounts. This makes them more dangerous than a common malware and executable code. Attackers also try to trick users and investigators alike by naming the malicious services with names similar to that of genuine Windows services to avoid detection. Investigators need to trace the malicious services initiated by a malware during runtime analysis Using tools that can detect changes in services. Investigators can use tools like Windows Service Manager for this purpose. Windows Service Manager (SrvMan) Source: http://tools.sysprogs.org ‘Windows Service Manager is a small tool that simplifies all common tasks related to Windows services. It can create services (both Win32 and Legacy Driver) without restarting Windows, delete existing services, and change service configuration. {thas both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window is closed automatically). Module 14 Page 1362 ‘Computer Hacking Forensic Investigator Copyright © by EE-Coumelt ‘Al Rights Reserved. Reproduction is Stl ProhibitedRobusta Technology and Training Computer Hacking Forensic Investigator fam 31249 Malware Forensics You can use SrvMan's command line interface to perform the following tasks: Creating services Use the following command line to create services using SrvMan (parameters in brackets are optional): srvman.exe add ] [/start:] [/interactive:no] [/overwrite:yes] s> [service name] [display name] Deleting services Use the following command to delete services using SrvMan: fereman/ene dalate 1] (/delay:] © srvman.exe stop ] © srvman.exe restart [/delay:] Testing legacy driver Ke Test the legacy drivers by ushig the following command with SrvMan: srvman.exe run [ [/stopafter :