Chapter 11: Challenge Solutions
Chapter 2 – Static Analysis – Techniques and Tooling
The challenges in Chapter 2 cover the basic static analysis of binaries. The answers are as follows:
- The SHA256 sum of the sample is B6D7E579A24EFC09C2DBA13CA90622790866E017A3311C1809C5041E91B7A930.
- The ssdeep of the sample is 3072:C5OLkQW8JS0k0wcBalDIs3hlAp5+hQQE89X3Qo+PgaE3:CsWnGYlAp5+hR9sYaE.
- Utilizing what we've learned from static cryptographic hashes, we can utilize OSINT sources such as VirusTotal to learn that this sample corresponds with the SolarMarker family of malware.
For this challenge, you could locate the kill-switch domain for WannaCry just by utilizing the strings utility! The domain you should have uncovered was as follows:
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
Chapter 3 – Dynamic Analysis – Techniques and Tooling
The challenges in Chapter 3 focus on automation and dynamic analysis of samples. The answers are as follows:
- This malware sample does not appear to create a persistence mechanism immediately following execution.
- The file will write one decoded payload to C:\Users\Public\*.GOF with the SHA256 of 47b1f63e7db1c24ad6f692cf1eb0e92dd6de27a16051f390f5b441afc5049fea.
- Checking for alternate data streams via PowerShell reveals no hidden data within our payload.
- If there were persistence mechanisms or files uncovered by our script(s), we could easily add a pipeline element to Remove-Item or similar in order to automate the removal of files and registry keys. The same could be used with scheduled tasks via Unregister-ScheduledTask.
Chapter 4 – A Word on Automated Sandboxing
In Chapter 4, we discussed automated sandboxing. You were tasked with utilizing Cuckoo and a sample of the Locky ransomware to answer several questions about the characteristics of the binary. The answers are as follows:
- The sample appears to contact random domain names. This could be an attempt to ascertain via DNS whether or not a network is being emulated by a malware analyst as opposed to a live connection.
- The sample is packed. The leading indicator of a packed sample in this instance is the relatively high entropy of the PE sections shown in Cuckoo.
- The SHA256 of the unpacked binary in memory should be e1e9a4cc4dcbeb8d07bb1209f071acc88584e6b405b887a20b00dd7fa7561ce7, which should be revealed in the Dropped Buffers section of Cuckoo.
- There are several indicators within the binary, but one in particular stands out in the Strings section of Cuckoo – a seemingly randomly generated PDB file string: Z:\as28cxkoaoazoozykzl0tjxw9y4cnijyc6mq3mvnt.pdb. Might this be a good IOC or indicator of the custom packer that was utilized?
Chapter 5 – Advanced Static Analysis – Out of the White Noise
In Chapter 5, we discussed the more advanced points of static analysis utilizing the NSA's Ghidra and other tools to ascertain information about an executable without running it. The answers to the questions posed are as follows:
- The sample is packed with the UPX packer.
- The PE is a Windows .exe file.
- The raw size of the text section is 00010000.
- There are several modules and functions imported that you could have chosen – however, one may have caught your eye as it did mine: SetWindowsHookExA.
- The arguments passed are as follows:
  – EDI (0) for dwThreadId
  – The current handle for the binary
  – 0xd, which corresponds to WH_KEYBOARD_LL, for the idHook argument
- You'd be more hard-pressed to find out what this executable can't do. However, based solely on static analysis, we can assume that it can read and write registry keys; read, write, and delete files; download files; contact a C2; execute arbitrary commands – and based on the previous function's arguments, even log our keystrokes! Reading the symbol references in Ghidra will reveal all of this information.
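The Chapter 4 answer leans on section entropy as the leading packing indicator, and the Chapter 5 answers on the packer name and the raw size of a section. Both come from the PE section table, so here is one added Python example serving both chapters (it is not code from the book, Cuckoo or Ghidra): it walks the DOS header, PE signature and COFF header to the section table, reports each section's raw and virtual size, computes Shannon entropy per section, and flags well-known packer section names. The entropy threshold of 7.0 and the packer name list are heuristics I chose, and the sample PE is a constructed, non-runnable byte string built only to exercise the parser.

```python
import math
import random
import struct
from collections import Counter

# Section names commonly left behind by packers (heuristic, not proof of packing).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Follow e_lfanew to the PE signature, skip the COFF and optional headers, read the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({
            "name": name, "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_pointer": raw_ptr,
            "data": pe[raw_ptr:raw_ptr + raw_size] if raw_size else b"",
        })
    return sections


def assess_packing(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Collect the two hints the chapters rely on: packer section names and high-entropy sections."""
    report = {"sections": [], "packer_names": [], "high_entropy": []}
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        report["sections"].append({"name": s["name"], "raw_size": s["raw_size"],
                                   "virtual_size": s["virtual_size"], "entropy": round(ent, 2)})
        if s["name"] in PACKER_SECTION_NAMES:
            report["packer_names"].append(s["name"])
        if s["raw_size"] and ent >= entropy_threshold:
            report["high_entropy"].append(s["name"])
    report["likely_packed"] = bool(report["packer_names"] or report["high_entropy"])
    return report


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE-shaped byte string (headers + section table + raw data) for the demo.

    It is not a runnable program; it only carries the fields parse_sections reads.
    """
    size_of_optional = 0xE0  # size of a PE32 optional header
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        raw_ptr = first_raw + len(body) if data else 0
        table += name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", max(len(data), 0x1000), vaddr, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += 0x10000
    return (dos + b"PE\0\0" + coff + optional + table).ljust(first_raw, b"\0") + body


# Constructed sample: UPX-style layout with an empty UPX0 (filled at runtime), a high-entropy
# UPX1 standing in for compressed code, and a low-entropy, repetitive .rsrc section.
_rng = random.Random(2024)
SAMPLE_PE = build_sample_pe([
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (".rsrc", b"VERSIONINFO\0" * 128),
])

if __name__ == "__main__":
    result = assess_packing(SAMPLE_PE)
    for row in result["sections"]:
        print(row)
    print("packer names:", result["packer_names"], "high entropy:", result["high_entropy"])
```

The empty UPX0 section with a large virtual size next to a dense UPX1 is the shape you see in PE-bear or Ghidra for a UPX-packed file; the same entropy check also fires on MPRESS output even when the section names have been renamed, which is why the two hints are kept separate in the report.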
Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions
In this chapter, we took a deep dive into the nitty-gritty of dynamic analysis and what we can really learn about malware and its behavior by simply giving it an environment to destroy. You were tasked with answering several questions about the NetWalker ransomware threat – the answers are as follows:
- PowerShell spawns CSC.exe processes. Some research about these processes should tell you they're used for compiling executables from source code.
- No – it doesn't attempt to download any secondary stages. The script contains everything it needs to compile its payload DLL at runtime!
- Yes, it does – PowerShell utilizes its malicious DLL to inject code into the already running Explorer.exe process and encrypt the files.
- The DLL is loaded by reflective loading. This can be inferred by the fact that it's spawned within an existing process and by looking at the source that is compiled by csc.exe.
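The Chapter 6 answers describe a lineage that a defender can detect without reversing anything: a PowerShell process spawning csc.exe to compile its payload at runtime (what ATT&CK calls Compile After Delivery, T1027.004). The following is an added Python example, not code from the book or from Sysmon, that runs that detection over constructed process-creation events. It walks the full parent chain rather than just the direct parent, so the cvtres.exe grandchild that csc.exe itself spawns is attributed to the same script host, while a csc.exe launched by a build tool is left alone. All PIDs, paths and command lines are invented for the demo.

```python
# Constructed process-creation events in the style of Sysmon Event ID 1 (simplified field names).
# These are not real telemetry; every PID, path and command line here is invented.
EVENTS = [
    {"pid": 4412, "ppid": 1208, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\stage.ps1"},
    {"pid": 5388, "ppid": 5120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\Public\tmp1.cmdline"},
    {"pid": 5400, "ppid": 5388, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 7100, "ppid": 4412, "image": r"C:\Program Files\dotnet\MSBuild\MSBuild.exe",
     "cmdline": "MSBuild.exe build.proj"},
    {"pid": 7120, "ppid": 7100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig @obj\\Debug\\app.rsp"},
]

# Compiler images worth watching, and the script hosts whose children should not be compiling.
COMPILER_IMAGES = {"csc.exe", "vbc.exe", "cvtres.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_index(events: list) -> dict:
    return {e["pid"]: e for e in events}


def ancestors(event: dict, index: dict) -> list:
    """Image names of the parent, grandparent, ... until the chain leaves the event set."""
    chain, seen = [], set()
    current = index.get(event["ppid"])
    while current is not None and current["pid"] not in seen:  # guard against PID reuse loops
        seen.add(current["pid"])
        chain.append(basename(current["image"]))
        current = index.get(current["ppid"])
    return chain


def detect_script_host_compiles(events: list) -> list:
    """Flag compiler processes that have a script host anywhere in their ancestry."""
    index = build_index(events)
    hits = []
    for event in events:
        image = basename(event["image"])
        if image not in COMPILER_IMAGES:
            continue
        lineage = ancestors(event, index)
        hosts = [a for a in lineage if a in SCRIPT_HOSTS]
        if hosts:
            hits.append({"pid": event["pid"], "image": image, "script_host": hosts[0],
                         "chain": [image] + lineage, "cmdline": event["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in detect_script_host_compiles(EVENTS):
        print(hit["pid"], " <- ".join(hit["chain"]), "|", hit["cmdline"])
```

In a real pipeline the same function runs over Sysmon or EDR process events keyed by process GUID rather than PID; PID alone is reused and is the reason for the loop guard in `ancestors`.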
Chapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
Here, we discussed some more advanced topics revolving around Windows API functionality and manually unpacking malware. In the challenges in this section, you were tasked with answering a series of questions about a likely packed executable:
- Yes – the sample is packed. Based on your research, you should find that it is packed with a packer called MPress.
- The SHA256 of the unpacked sample is a23ef053cccf6a35fda9adc5f1702ba99a7be695107d3ba5d1ea8c9c258299e4.
- The only imported functions in the packed sample are as follows:
Comparing this list to the list of imports once the sample is unpacked shows quite a difference!
- The sample has several functions that could ostensibly be used for analysis avoidance, but the easiest to spot is Sleep()! This could be utilized to evade automated analysis by sleeping for a period of time much longer than a sandbox would usually wait for a detonation.
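The Chapter 5 and Chapter 7 answers both reason from the import table: a packed sample shows only the handful of loader functions the unpacking stub needs, and the unpacked import list is what reveals registry, file, network, hooking and timing capabilities. The following added Python example (not code from the book or from Ghidra) diffs a packed and an unpacked import list and groups the newly visible imports by capability; the capability table is my own short heuristic list, and both import lists are constructed for the demo rather than taken from the chapter's sample.

```python
# Imports that are typical of a packer's loader stub: enough to map memory and resolve APIs.
PACKER_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                       "VirtualProtect", "VirtualFree", "ExitProcess"}

# Heuristic mapping from well-known Win32 imports to the capability they suggest.
CAPABILITY_HINTS = {
    "registry": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA", "RegDeleteValueA"},
    "file": {"CreateFileA", "WriteFile", "ReadFile", "DeleteFileA", "CopyFileA"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA", "WSAStartup", "connect", "send"},
    "execution": {"CreateProcessA", "WinExec", "ShellExecuteA"},
    "hooking": {"SetWindowsHookExA", "SetWindowsHookExW"},
    "timing/evasion": {"Sleep", "IsDebuggerPresent", "GetTickCount", "QueryPerformanceCounter"},
}

# Constructed import lists: a stub-only packed view and the fuller view after unpacking.
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "VirtualFree", "ExitProcess"]
UNPACKED_IMPORTS = PACKED_IMPORTS + [
    "CreateFileA", "WriteFile", "DeleteFileA", "RegOpenKeyExA", "RegSetValueExA",
    "InternetOpenA", "URLDownloadToFileA", "CreateProcessA", "SetWindowsHookExA",
    "Sleep", "IsDebuggerPresent", "GetTickCount",
]


def diff_imports(packed: list, unpacked: list) -> dict:
    """Set difference of the two import tables, sorted for stable reporting."""
    p, u = set(packed), set(unpacked)
    return {"only_packed": sorted(p - u), "only_unpacked": sorted(u - p), "common": sorted(p & u)}


def categorize(imports: list) -> dict:
    """Group imports by the capability they hint at; categories with no hits are omitted."""
    grouped = {}
    for capability, names in CAPABILITY_HINTS.items():
        hit = sorted(set(imports) & names)
        if hit:
            grouped[capability] = hit
    return grouped


def assess_imports(packed: list, unpacked: list) -> dict:
    """Summarise what unpacking revealed: is the packed table a bare stub, and what got added."""
    delta = diff_imports(packed, unpacked)
    return {
        "packed_looks_like_stub": set(packed) <= PACKER_STUB_IMPORTS,
        "import_delta": len(delta["only_unpacked"]),
        "new_capabilities": categorize(delta["only_unpacked"]),
        "uncategorized": sorted(n for n in delta["only_unpacked"]
                                if not any(n in s for s in CAPABILITY_HINTS.values())),
    }


if __name__ == "__main__":
    summary = assess_imports(PACKED_IMPORTS, UNPACKED_IMPORTS)
    print("stub-only packed table:", summary["packed_looks_like_stub"])
    for capability, names in summary["new_capabilities"].items():
        print(f"{capability:15} {', '.join(names)}")
```

Feeding it the two import lists exported from Ghidra (or from a tool such as pestudio) gives the "quite a difference" comparison from the answer above in one glance, with Sleep and the hook installer surfaced under their own headings rather than buried in a flat list.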
Chapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the Tube
- While the information necessary could easily have been gleaned by behavioral analysis, you could have gained an understanding of the script by de-obfuscating the code through VBSEdit. Once done, it should become clear the site in question is domenuscdm[.]com.
- Utilizing the same methodology, you should have been able to find the malware utilizing MsXmlHttp to download the secondary stages and make HTTP requests to the site.
- This one is a bit trickier. However, with the right recipe, you will get a good start. The correct recipe is as follows:
  – From Base64
  – Remove Null Bytes
However, as you've noticed, the strings still appear out of order and "splatted" using the curly-brace index numbers discussed in the chapter. Once the fragments are put into the order those numbers specify, the following domains become clear:
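The recipe above has a manual third step: reordering the fragments by the index numbers in curly braces. The following added Python example (not code from the book or from CyberChef) carries the whole recipe through on a constructed script: it decodes the Base64, removes the null bytes left by UTF-16LE, then resolves the splatted format-string expressions innermost-first until none remain, and finally extracts and defangs the domains. The obfuscated script, the base64 blob and every domain in it are constructed placeholders on the reserved .test TLD; the regular expression only handles the simple form shown (single-quoted literal arguments), which is an assumption noted in the code.

```python
import base64
import re

# A format-operator expression whose template is only {n} slots and whose arguments are
# single-quoted literals, e.g. ('{1}{0}' -f 'bar', 'foo'). Assumption: no escaped quotes
# or variables among the arguments; those forms are left untouched.
FORMAT_RE = re.compile(r"""\(\s*(["'])((?:\{\d+\})+)\1\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)""")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def from_base64_remove_nulls(blob: str) -> str:
    """Recipe steps 1 and 2: From Base64, then Remove Null Bytes (UTF-16LE text becomes ASCII)."""
    return base64.b64decode(blob).replace(b"\x00", b"").decode("latin-1")


def reorder_format_strings(script: str) -> str:
    """Recipe step 3: rebuild each splatted string in the order the {n} indices specify.

    Nested expressions are resolved from the inside out by re-running until nothing changes.
    """
    def resolve(match):
        order = [int(i) for i in re.findall(r"\{(\d+)\}", match.group(2))]
        args = re.findall(r"'([^']*)'", match.group(3))
        if any(i >= len(args) for i in order):
            return match.group(0)  # malformed splat: leave it for the analyst
        return "'" + "".join(args[i] for i in order) + "'"

    previous = None
    while previous != script:
        previous, script = script, FORMAT_RE.sub(resolve, script)
    return script


def deobfuscate(blob: str) -> str:
    return reorder_format_strings(from_base64_remove_nulls(blob))


def extract_domains(text: str) -> list:
    """Domain-looking tokens in first-seen order, de-duplicated case-insensitively."""
    seen = []
    for d in DOMAIN_RE.findall(text):
        if d.lower() not in seen:
            seen.append(d.lower())
    return seen


def defang(domain: str) -> str:
    """Report-safe form, e.g. example.test -> example[.]test."""
    return domain.replace(".", "[.]")


# Constructed obfuscated script (placeholder domains on the reserved .test TLD), encoded the way
# PowerShell's -EncodedCommand expects: UTF-16LE, then Base64.
_SCRIPT = (
    "$u = ('{2}{0}{1}' -f 'ample', '.test', 'c2-ex')\n"
    "$v = ('{1}{0}' -f 'r.test', 'stage-two-serve')\n"
    "$w = ('{0}{1}' -f 'http://', ('{1}{0}' -f 'load.test', 'down'))\n"
)
SAMPLE_B64 = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    clear = deobfuscate(SAMPLE_B64)
    print(clear)
    print([defang(d) for d in extract_domains(clear)])
```

The loop in `reorder_format_strings` matters for the nested case in `$w`: the outer expression only becomes matchable once the inner one has been collapsed to a literal, which is exactly the "out of order" effect the recipe alone cannot undo.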
Chapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for Defense
In this chapter, we talked about weaponizing IOCs and turning the tables on attackers by preventing their malware from executing at all – or limiting its ability to communicate with those that control it. You were tasked with collecting IOCs via OSINT about a Monero coin-mining campaign and implementing strategies to mitigate it within your environment:
- The file hashes you should have been able to gain are 240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3 and 8ecffbd4a0c3709cc98b036a895289f33b7a8650d7b000107bafd5bd0cb04db3.
a. The best mitigations for Windows servers would be to block the initial PowerShell command utilized to download and execute the installer for the XMRig binary – some research on the internet should have led you to the command being utilized. For further reading on the threat and the solutions you should have come to, please see the following URL from F5 Networks: https://www.f5.com/labs/articles/threat-intelligence/xmrig-miner-now-targeting-oracle-weblogic-and-jenkins-servers-to-mine-monero
b. The best mitigations for Linux would be to block the SHA256 and filenames associated with the binaries – or better yet, utilize a restricted shell for the user associated with Oracle Weblogic.
- The network-based IOCs are multiple – however, the IP 222.184.79[.]11 was found to be associated with this campaign.
a. Both will be about equal in terms of efficacy, although FQDNs are slightly less effective, as they are a bit easier to change than IPs. Both are rather malleable IOCs, however.
b. On Linux, iptables would be an effective way to block this. On Windows, Windows Firewall via GPO would suffice.
Chapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CK
In this chapter, we learned about the MITRE ATT&CK framework – how it can inform us and let us speak intelligently and consistently about our malicious samples. We also learned how we may leverage this consistency and in-depth information to write concise reports for multiple audiences. The challenge in this chapter asked you to review an article about Dridex and present the techniques that it utilized. The answers are as follows:
- MITRE actually has a matrix for well-known malicious software! The one for Dridex can be found here: https://attack.mitre.org/software/S0384/.
- Further research would lead you to the fact that the groups behind Dridex – TA505 or INDRIK SPIDER – tend to use phishing as an initial access method, corresponding to T1566.
- Continuing to research the threat actor, you would find that while they have often stolen data via man-in-the-browser attacks, they have more recently been known to cause impact by encrypting data, opting for their own in-house ransomware. This corresponds to T1486 (Data Encrypted for Impact).
In this final section, we've worked through the solutions and the challenges presented to you in each chapter. They should have been fairly easy to follow at this point given the knowledge you've gained by working through these chapters.
If they were not – that is also okay! Malware analysis is a deep subject, and we have barely scratched the surface. It is a long journey – and one where we never stop learning. I sincerely hope you've enjoyed reading this book and walking through the challenges as much as I enjoyed putting them together, and do hope that you have gained some knowledge here, and that you'll continue on this journey as a malware analyst, taking the fight to the adversaries and making their lives a bit more difficult.