Malware Analysis

The Senator Patrick Leahy Center for Digital Investigation (LCDI), Champlain College
175 Lakeside Ave, Room 300A
Phone: (802) 865-5744
Fax: (802) 865-6446
http://lcdiblog.champlain.edu
04/21/2017

Disclaimer:

This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, neither LCDI nor any of its employees makes any representation, warranty or guarantee in connection with this report, and LCDI hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated.

Contents

Introduction
Background
Purpose and Scope
Terminology
Methodology and Methods
Equipment Used
Results
  1.1 Fake Flash
  1.2 DarkComet NJRAT
  1.3 Hicurdismos ScareWare
Conclusion
Future Work
References


Introduction

Malware has been plaguing the world for years. Cyber criminals can use it to infect a system without the user knowing. There are many different types of malware, from ones that log keystrokes to ones that remotely gain access to an entire system. It is important to understand how to analyze different types of malware because doing so can help detect and prevent future cyber-attacks. Malware, as its name suggests, is malicious and needs to be analyzed in a secure environment. In order to keep it from infecting the LCDI network, our team is using Amazon Elastic Compute Cloud (Amazon EC2) in the Amazon Web Services (AWS) cloud. Amazon EC2 allows us to launch a virtual server that we can use to create an isolated computing environment in which to monitor malware. Within AWS we used a program called ThreatAnalyzer, a dynamic malware analysis sandbox that can analyze malware and create a report within minutes. Employing these services allows our team to safely research what different malware does to a system and share our results with the community.

Background

This project is being done to give the community an understanding of how malware works, and is a continuation of a project previously done at the LCDI. We are using that team's research to move forward with the project. Last semester Cuckoo Sandbox, an open-source analysis environment, was used to analyze malware. Unfortunately, a sample of malware managed to escape that sandbox and out onto the LCDI network. For this reason, we are using the AWS environment this semester.

Purpose and Scope

The scope of this project is to statically and dynamically analyze malware. When analyzing malware, it is essential to gain an understanding of what the code is designed to do and what type of information it could obtain from the given system.

Research Questions

1. Given a piece of malware, what type of information can be discovered using different forms of malware analysis?
2. Is Amazon EC2 able to supply a safe environment in which to analyze malware?
3. Is ThreatAnalyzer able to successfully analyze all samples of malware?
4. Is the information gathered from ThreatAnalyzer relevant in understanding malware?

Terminology

Amazon WorkSpaces - Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the Amazon Web Services (AWS) cloud. It allows you to easily provision cloud-based virtual desktops and provide your users access to the documents, applications, and resources they need from any supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, Android tablets, and Chrome and Firefox web browsers. (Amazon)

Static Analysis - Static analysis refers to examining computer code without executing the program, in order to gain an understanding of the content and capability of the code. When static analysis is done by an automated tool, the code is parsed and identifiable content is reported in a human readable format. (Rouse)

Dynamic Analysis - Dynamic analysis is testing and evaluating a computer program by executing it in real time in a controlled test environment. Executing the code allows the analyst to examine any visible and ephemeral effects the code has on the test environment. (Rouse)

ThreatAnalyzer - ThreatAnalyzer is a dynamic malware analysis sandbox used to reveal the impact malware can have on an organization so they can respond quickly. (ThreatAnalyzer)

Malware - Malware is any software that is intended to damage or disable a computer or computer system. (Christensson)

Methodology and Methods

All analysis of malware samples took place on a Windows XP virtual machine running in Amazon WorkSpaces. This is because running malware is much too dangerous for both our facility's computers and its network. Conducting the analysis in a remote virtual environment gives the full connectivity of a normal PC with lessened risk to the local network, as the infected machine can be sanitized quickly and easily. This was combined with web-based services, VirusTotal for multi-engine scanning of the samples and ThreatAnalyzer for sandboxed dynamic analysis, and with tools run on the instance itself: Process Monitor, which shows every process a given application spawns in the background as well as the foreground, and the rest of the Sysinternals Suite for dynamic analysis of the malware while it runs.
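The environment described above relies on network separation to keep samples away from the LCDI network, and the results below note that the sample in section 1.1 could not send data out because of the constraints of the AWS environment. As an added example (not part of the original report), the following Python script audits an EC2 security group, in the JSON shape returned by `aws ec2 describe-security-groups`, for two things a detonation instance should never have: unrestricted outbound access, and a remote-desktop port open to the whole internet. The two security groups embedded in it are constructed, and the idea of an egress allow-list (for example, a sandbox reporting endpoint) is an assumption, not something the report describes.

```python
"""Audit an EC2 security group for a malware-detonation instance.

Added example; not code from the LCDI report. Works on the JSON shape
returned by `aws ec2 describe-security-groups` (the groups below are
constructed, not from a real account).
"""
import ipaddress

ANY_PROTOCOL = "-1"  # AWS marker for "all protocols, all ports"


def _port_span(rule):
    """Port range a rule covers; protocol -1 covers everything."""
    if rule.get("IpProtocol") == ANY_PROTOCOL:
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _cidrs(rule):
    """All IPv4 and IPv6 ranges named by a rule, as ip_network objects."""
    nets = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    nets += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c) for c in nets]


def _in_allowlist(net, allowed):
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_egress(group, allowed_cidrs=()):
    """Flag outbound rules that would let a detonated sample reach the outside.

    allowed_cidrs (assumed): destinations the instance legitimately needs,
    e.g. a sandbox reporting endpoint. Empty means nothing outbound is expected.
    A rule to 0.0.0.0/0 or ::/0 is critical; anything else off-list is a warning.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    problems = []
    for rule in group.get("IpPermissionsEgress", []):
        lo, hi = _port_span(rule)
        proto = rule.get("IpProtocol")
        for net in _cidrs(rule):
            if net.prefixlen == 0:
                problems.append(f"CRITICAL: egress to {net} proto={proto} ports={lo}-{hi}")
            elif not _in_allowlist(net, allowed):
                problems.append(f"WARN: egress to {net} proto={proto} ports={lo}-{hi} not in allow-list")
        for pair in rule.get("UserIdGroupPairs", []):
            problems.append(f"WARN: egress to security group {pair.get('GroupId')} proto={proto} ports={lo}-{hi}")
    return problems


def audit_ingress(group, admin_ports=(3389, 22)):
    """Flag remote-admin ports (RDP, SSH) reachable from the whole internet."""
    problems = []
    for rule in group.get("IpPermissions", []):
        lo, hi = _port_span(rule)
        exposed = [p for p in admin_ports if lo <= p <= hi]
        if exposed and any(net.prefixlen == 0 for net in _cidrs(rule)):
            problems.append(f"CRITICAL: ports {exposed} reachable from the whole internet")
    return problems


# Constructed groups. DEFAULT_GROUP mirrors what a newly created security
# group ships with (all outbound allowed) plus RDP opened to everyone.
DEFAULT_GROUP = {
    "GroupId": "sg-0exampledefault",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# A locked-down lab group: RDP only from one analyst address (assumed), and
# outbound only to an assumed sandbox reporting endpoint on TCP 443.
LAB_GROUP = {
    "GroupId": "sg-0examplelab",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.0.2.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for g in (DEFAULT_GROUP, LAB_GROUP):
        print(g["GroupId"])
        for p in audit_ingress(g) + audit_egress(g, allowed_cidrs=["198.51.100.0/24"]):
            print("  " + p)
```

Run against a real account by feeding `audit_egress` each entry of the `SecurityGroups` array the CLI returns. A group with no egress rules at all produces no findings, which is the correct result for a detonation box that is only ever reached over RDP and is rebuilt after each sample.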

Equipment Used

Hardware:

Device | OS Version | Comments
LCDI Workstation | Windows 10 | Used to host software that was used for malware analysis
Cisco VoIP Phone | N/A | Used to aid in data generation for one piece of malware (the support call in section 1.3)

Software:

Software Name | Version | Comments
Amazon AWS | Current | Used as the remote platform for malware analysis
Process Monitor | 3.32 | Part of the Sysinternals Suite; used for dynamic analysis of malware within our remote (RDP) analysis client
DiE (Detect it Easy) | 1.01 | File type and packer identification, used for static analysis
Threat Analyzer | 6.1.0.552 | Sandbox used to analyze malware dynamically
VirusTotal | N/A | Repository from which we gathered known malware samples for analysis
CFF Explorer | 8.0.0.0 | Suite of tools that includes the PE Editor and a process viewer, used in static analysis

Results

Several pieces and types of malware were recorded, as well as some common scams that are often known to install malware onto a system. The data from these samples included VirusTotal and ThreatAnalyzer analysis, as well as running them directly on the Amazon WorkSpaces instance. Below are some examples of the findings that we came across.

1.1 Fake Flash

This type of malware preys on users running an outdated Flash Player. Because Flash Player has been rife with vulnerabilities, many Flash Player installation files are targets for this type of malware insertion. Below, in Figures 1 and 2, is one example of such malware.

Figure 1: Flash Player Download Info Screen

This particular piece of malware was disguised as a Flash updater, but immediate red flags arose when we saw the name of the file, which, as seen in Figure 1, was a long string of numbers and letters. Also, the claimed publisher was not the well-known and trusted Adobe, but rather a company called Emurasoft, Inc.

Figure 2: Additional Information on Downloaded Sample

This is where the process became interesting. A file that had recently been named stub.exe had changed its name to Trojan.exe, ironically enough. Highlighted in Figure 3 is its process and the attempt to connect back out to an external address, which was likely meant to serve the next component of the malware, the keylogger it dropped.

We concluded that the whole purpose of this malware was to send data out of our system and back to the attacker. Due to the constraints of our AWS environment, the malware was thankfully unable to actually send data out. We decided to follow the path indicated in the command it ran to open the netshell. Within this directory, we found a text file that had been logging all our activity since we installed this "Flash Player update". It recorded us opening applications, all keystrokes, and even what some of the applications we had opened were doing on our system. In order to test these actions live, we opened Notepad and typed something in. Sure enough, the malware was logging everything and attempting to send it to the remote system identified earlier.

Figure 3: Process Monitor showing spawned remote shell
Figures 4 & 5: Keylogger data on application use
Figures 6 & 7: Keylogger data from logged keystrokes

1.2 DarkComet NJRAT

This type of program is a piece of software used by what are commonly known as "script kiddies". The term is applied to users who have no idea how the code works, but it works nonetheless. This tool is designed to gain remote administrative access to a system.

Figure 8: DarkComet Software setup

Once installed, the software executes several command prompts and begins its work. Thanks to prior static analysis (Figures 9 and 10), we were able to predict the targets on the system, such as the firewall and the administrator account. This allows the user on the other end to execute any commands they want, including network commands, as the Windows Firewall on the host is now disabled and cannot be reactivated.

Figures 9 & 10: CFF Explorer enumeration of malicious imports
Figure 11: ProcMon showing maliciously spawned remote shell
Figure 12: Windows Firewall has been turned off by malware


Shown in Figure 13 is the static analysis report for the actual piece of malware. This sample had also targeted Task Manager, so we attempted to load it and found that the malware had indeed disabled our ability to access Task Manager (Figure 14).
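The Process Monitor observations in sections 1.1 and 1.2 (a dropper spawning a shell, an outbound connection attempt, a text file steadily growing with keystrokes, and Windows Firewall and Task Manager being switched off) are the kind of behaviour an analyst otherwise hunts for by hand in a capture. As an added example, not from the original report, the following Python script triages a Process Monitor CSV export (File > Save, CSV format, default columns) for exactly those behaviours. The log lines embedded in it are constructed, not captured from the samples above. The registry values it checks (DisableTaskMgr under Policies\System, and EnableFirewall under the SharedAccess FirewallPolicy key) and the netsh command lines are well-known mechanisms for these changes, but the report does not state how its samples did it, so treating them as what happened here is an assumption.

```python
"""Triage a Process Monitor CSV export for dropper/keylogger/RAT behaviour.

Added example; not code from the LCDI report. Expects Procmon's default
CSV export columns. SAMPLE_CSV is constructed, not a real capture.
"""
import csv
import io
import re
from collections import defaultdict

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0","stub.exe","1500","Process Create","C:\Documents and Settings\analyst\Local Settings\Temp\Trojan.exe","SUCCESS","PID: 1600, Command line: Trojan.exe"
"10:01:02.1","Trojan.exe","1600","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1612, Command line: cmd.exe /c netsh firewall set opmode disable"
"10:01:02.3","Trojan.exe","1600","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.5","Trojan.exe","1600","TCP Connect","lab-xp:1045 -> 203.0.113.7:1604","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.0","Trojan.exe","1600","WriteFile","C:\Documents and Settings\analyst\Application Data\logs.txt","SUCCESS","Offset: 0, Length: 43"
"10:01:05.0","Trojan.exe","1600","WriteFile","C:\Documents and Settings\analyst\Application Data\logs.txt","SUCCESS","Offset: 43, Length: 19"
"10:01:06.0","notepad.exe","2200","WriteFile","C:\Documents and Settings\analyst\Desktop\notes.txt","SUCCESS","Offset: 0, Length: 12"
"10:01:07.0","svchost.exe","880","TCP Connect","lab-xp:1046 -> 198.51.100.2:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
'''

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "netsh.exe"}
# Registry values whose change switches off a defence (assumed mechanisms,
# matched on the tail of the key path so HKCU/HKLM and policy variants both hit).
TAMPER_VALUES = {
    r"policies\system\disabletaskmgr": ("1", "Task Manager disabled"),
    r"firewallpolicy\standardprofile\enablefirewall": ("0", "Windows Firewall disabled"),
}
# netsh syntax for both XP-era ("firewall ... disable") and newer ("advfirewall ... off").
NETSH_FIREWALL_OFF = re.compile(r"netsh\s+(advfirewall|firewall)\b.*\b(off|disable)\b", re.I)
ENDPOINTS = re.compile(r"^(?P<src>\S+)\s*->\s*(?P<dst>\S+)$")
LOG_EXTENSIONS = (".txt", ".log", ".dat")


def parse_procmon_csv(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def triage(text):
    """Return {finding_category: [description, ...]} for a Procmon CSV export."""
    findings = defaultdict(list)
    writes = defaultdict(lambda: defaultdict(int))  # process -> path -> write count
    remotes = defaultdict(set)                      # process -> remote endpoints

    for ev in parse_procmon_csv(text):
        who = f'{ev["Process Name"]}({ev["PID"]})'
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "Process Create":
            child = path.rsplit("\\", 1)[-1].lower()
            m = re.search(r"Command line:\s*(.*)$", detail)
            cmdline = m.group(1) if m else ""
            if child in SHELLS:
                findings["spawned_shell"].append(f"{who} -> {child}: {cmdline}")
            if NETSH_FIREWALL_OFF.search(cmdline):
                findings["firewall_tamper"].append(f"{who} ran: {cmdline}")
        elif op == "RegSetValue":
            m = re.search(r"Data:\s*(\S+)", detail)
            for suffix, (bad_data, what) in TAMPER_VALUES.items():
                if path.lower().endswith(suffix) and m and m.group(1) == bad_data:
                    findings["registry_tamper"].append(f"{who} {what}: {path}")
        elif op in ("TCP Connect", "UDP Send"):
            m = ENDPOINTS.match(path)
            if m:
                remotes[who].add(m.group("dst"))
        elif op == "WriteFile" and path.lower().endswith(LOG_EXTENSIONS):
            writes[who][path] += 1

    # Report every process that talked out, and single out the ones that were
    # also appending to a log-like file: the keylogger-plus-exfiltration pattern.
    for who in sorted(remotes):
        for dst in sorted(remotes[who]):
            findings["outbound_connection"].append(f"{who} -> {dst}")
        for path, n in sorted(writes.get(who, {}).items()):
            if n >= 2:
                findings["logfile_plus_exfil"].append(f"{who} wrote {path} {n}x and connected out")
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_CSV).items():
        print(category)
        for item in items:
            print("  " + item)
```

Every outbound connection is reported, not only the suspicious ones, because in a detonation box the analyst wants to see all of them and decide; the svchost.exe line in the sample is there to show a benign-looking hit that still surfaces. Notepad writing its own document is deliberately not flagged: only a process that both appends to a log-like file and talks to a remote host is called out as the keylogger pattern.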

Figure 13: Static analysis report of DarkComet malware sample
Figure 14: Task Manager disabled by DarkComet

1.3 Hicurdismos ScareWare

The main idea behind this type of malware is similar to the idea behind ransomware, the main difference being that ransomware holds the entire system for ransom while scareware simply alerts the user to a problem that doesn't exist. This sample was something of a hybrid of the two: we received a lockout message stating that there were problems with our computer which we knew did not exist, and the prompt at the bottom said to call a number for support. Naturally, that's what we did. We configured our physical and system environment to better suit the needs of our investigation, which would require us to speak to a "Microsoft Tech Support Representative" to solve our issue. Being in a lab environment, we needed a way of conducting this analysis with limited distractions while also making sure our cover was secure, so we used a separate office phone and made sure students were quiet during our conversation. Since our AWS system that was "hacked" was very clearly a lab machine, we also had to manipulate file names and change the desktop background to better represent a normal desktop environment. The main method of attack was through an application available at fastsupport.com called GoToAssist, a legitimate remote-support tool that has been known to be used by attackers as an easy way into a system.

Once our support session had been established, our "representative" showed us how much of a stranglehold these viruses supposedly had on our system. Anyone even slightly versed in the syntax of the Windows Command Prompt would see the glaring issue in their plan to fool us: the commands they entered literally said "virus found <name of virus>", with the resulting error message displayed right below, since Command Prompt does not recognize any such command. Our investigator on the phone asked the representative about the error message. The tech support representative said that it was yet another indication of the presence of this malware and quickly changed the subject.

In order to better explain the severity of our issue, the "representative" proceeded to go over, in excruciating detail, exactly what these viruses were by surfing to their Wikipedia pages. We are still unsure why they spent nearly an hour reading the Wikipedia articles on these viruses verbatim; perhaps it was meant to fatigue us into letting them have full control, or maybe it was purely for our own education. Finally, we came to the part of the script where he had to ask us for money. He opened a new Notepad window and wrote up fields for us to fill in our credit card information, as well as outlining payment plans and options. A previous malware analysis team had already created an alias to use for this purpose, so we used that for this information. Once we had filled that in, the "representative" proceeded to set a boot password that was not disclosed to us. This would normally lock us out of our system the next time we booted it; thankfully we could just blow away the instance and rebuild it after our phone call.

In order to act as though they were performing a real service for us, the "representative" installed several free applications that would supposedly strengthen our security, including CCleaner, Malwarebytes, and Adblock Plus. At the end of our work shift, we quickly ended our phone call but did not disconnect our support session, in order to see if they would drop any additional malware onto our system before leaving. Instead, they simply typed in a new Notepad window asking us to call them back.

Conclusion

Having completed our research, we are now able to answer our research questions, restated below:

1. Given a piece of malware, what type of information can be discovered using different forms of malware analysis?
2. Is Amazon EC2 able to supply a safe environment in which to analyze malware?
3. Is ThreatAnalyzer able to successfully analyze all samples of malware?
4. Is the information gathered from ThreatAnalyzer relevant in understanding malware?

A widely varying amount of information can be obtained from malware samples. Naturally, the type of information changes based on the nature of the malware in question. Generally, we were able to find maliciously spawned processes and trace the malware back to where it had embedded itself in the file system. We were also able to find network traffic related to some malware samples, as well as actively monitor the changes they made while they executed.

Our team agrees that Amazon's EC2 performed well beyond expectations. Setting aside the occasional outage on Amazon's side, the system was completely separated from our normal lab environment, making it a very safe platform within which to detonate and analyze malware. On top of that, the instance was easy to use and even easier to reset back to working order, allowing us to quickly and efficiently analyze malware and proceed to the next sample.

We agree that ThreatAnalyzer is not quite capable of analyzing all forms of malware. There are certain types of malware about which the ThreatAnalyzer client cannot return much information, or what it returned was not very useful. Its integration with VirusTotal made it easy to submit the malware, but not all samples were complete enough for ThreatAnalyzer to provide any sort of meaningful analysis. Other samples needed certain conditions in order to run, which prevented them from running in such a sandbox.

After ThreatAnalyzer had analyzed a sample of malware, it provided a rather intricate report detailing everything it found during its scan. Generally, these reports were helpful to us as a first point of reference from which to continue our analysis. Sometimes, however, nothing would be found, or the information provided would be completely unusable. The information was hardly detailed enough to base all of our findings on, but it was definitely useful as a preliminary tool to assess the severity of the malware and decide whether we should continue investigating it.

Future Work

Using the AWS platform for this type of forensic analysis worked much better than expected. We believe it is a good tool for protecting the lab's internal network while providing the functionality of a normal computer system into which to introduce malware samples, and we would like to see this platform used for this purpose in the future. One additional task would be to configure it to allow multiple people to interact with it at one time. Having just one user account limited our ability to analyze more than one sample at a time, and we would have liked to analyze more samples than we had the opportunity to.


References

1. Amazon Elastic Compute Cloud. (2017). Retrieved from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
2. Distler, D. (2007, December 14). Malware Analysis: An Introduction. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/malicious/malware-analysis-introduction-2103
3. I. (2017). Remote Access Trojan. Retrieved from http://www.trusteer.com/en/glossary/remote-access-trojan-rat
4. K. (2017). What is a Keylogger? Retrieved from https://usa.kaspersky.com/internet-security-center/definitions/keylogger#.WMClElXyuUk
5. ThreatAnalyzer. (2016). Retrieved from https://www.threattrack.com/malware-analysis.aspx
6. Rouse, M. (2006, November). What is static analysis (static code analysis)? Retrieved from http://searchwindevelopment.techtarget.com/definition/static-analysis
7. Rouse, M. (2006, May). What is dynamic analysis? Retrieved from http://searchsoftwarequality.techtarget.com/definition/dynamic-analysis
8. Christensson, P. (2006). Malware Definition. Retrieved May 1, 2017, from https://techterms.com