Published on

Virtual Machine Malware / Malicious Analysis

Authors
  • avatar
    Name
    Predrag TASEVSKI
    Twitter

INTRODUCTION

The main goal of laboratory report is to identify possible infection of two Windows 7 virtual machine. Virtual machines presented by the lecture:

  • Win 1
  • Win 2

The assignment is following:

  • Find out what is infecting the machine win1
  • Understand which way is the current malware dangerous to “your organisation”
  • If possible, do clean win1
  • Is win2 clean or it has problems, too?
  • If needed, do clean win2

Additionally, deliverable questions should be visible:

  • Summary – Your thoughts about the exercise. Please provide a short
  • Malware that infects machines
  • Md5 hash – if it possible and if not, please explain, why.
  • Sha256 has -if it possible and if not, then please explain, why.
  • A description – in which way that malware is a threat to “You organization”
  • Tools You used to find the infection(s)
  • Tools You used to clean machine(s)
  • Where You found hints and how exactly You did it (you need to show Your thought and communication process – please write a summary of it.)
  • How would you evaluate your partner.

Moreover, we have to consider the malware analysis report reminders, please refer to [1] or [2].

Furthermore, each virtual machine will be analysed with different tools, in case to gather more information and solution for disinfecting process. Structure of the laboratory report is first to present each virtual machine with details information in section Virtual Machine’s, Each visualization is examined. Malware and disinfection process are described. Meanwhile in appendices, we explain what virtual environment and tools we have used for this written report.

Finally the conclusion made of all analysis will be concise in summary section.

VIRTUAL MACHINE’s

In this section each virtual machines are going to be examine in sub-sections, analysis and additionally the disinfection solutions, etc. will be presented. The tools that are used for conducting the analysis are presented in the Tools section.

Win1

Intense detail information are highlighted bellow and MD5 sum for Win1 virtual box machine:

    OS: Ms Windows 7 ProfessionalVersion: 6.1.7601 Service Pack 1 Build 7601System type: 32 bitComputer name: DoeMUsers Names:- Jane Doe- Jhon DoeMD5 Sum: 6313cf7303de37ba62aadf5208b6ea78

Analysis

The analysis starts firstly from the observations, then with an supporting figures, sample of identification, are there any dependencies and in closer with summary of the analysis. From analysis with a different tools we came to conclusion that the above virtual image it is infected with some malicious code. Were certain tools have provides as an information that there is background accessing to network. However, this analysis it is not enough so therefore we will do more inside investigation to come-out with the hosts or network that the malicious code is trying to access, or an information that is shared.

To be able to identify the behaviour of a network we have used the Wireshark tool. Bellow are highlighted the steps: Network adapter type: NAT, logged in as: John Doe, additionally Wireshark run as Administrator. Upon the testing, the only user application open on WIN1 is Notepad. No additional network activities from log-in user, also no network activities from user on Host System. Wireshark, it detected suspicious traffic:

  1. Classification: BAD TCP (according to Wireshark coloring rules), Destination: 192.168.0.254 / 8.8.4.4 (Googne Public DNS) with Protocol: DNS; Info: Standard query A mamtumbochka766.ru / Standard query A followmego12.ru / Standart query A losokorot7621.ru / standard query A hidemyfass87111.ru /; Reason for classification as BAD TCP: Header checksum incorrect, maybe caused by “IP checksum offload”, Message: Bad Cheksum, Severity level: Error
  2. As a response, WIN1 machine got UDP packet (according to Wireshark coloring rules); Protocol: DNS; Info: Standard query response, Sever failure.
  3. Additionally, Wireshark detected another round of BAD TCP packets; Classification: BAD TCP; Destination: 195.226.218.135; Protocol: TCP; Port: 50530; Info: HTTP ACK (before that, WIN1 sent ACK message, got SYN ACK and this packet was an ACK). Where during HTTP session, WIN1 machine received the following linebased text data: i5eOnJKV57mp5biuqK+0tri0tbW+uK+0qeDr57mp5b29uL6pr7ypurm5vqng6+e5qeU=; Then WIN1 received FIN ACK message from server and send ACK and FIN ACK. Session was finished.

The session was repeated once in 3 minutes and received line-based text data, for all sessions was the same. For illustration please refer to the following link for more details of pcap life of wireshark: (https://bit.ly/mDdqAQ).

Additional log files and screen shots are presented bellow during the analysis with other tools that are listed in the sections of tools.

Illustration 1: TCPView tool, YGLA.ru access to domain

Furthermore, log illustration of hijackThis tool:

    Logfile of Trend Micro HijackThis v2.0.4Scan saved at 20:35:44, on 27.11.2011Platform: Windows 7 SP1 (WinNT 6.00.3505)MSIE: Internet Explorer v8.00 (8.00.7601.17514)Boot mode: NormalRunning processes:C:\Windows\system32\taskhost.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\System32\VBoxTray.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\taskmgr.exeC:\Users\Jhon Doe\Desktop\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =F3 - REG:win.ini: load=C:\Users\JHONDO~1\LOCALS~1\Temp\5b17fff70008a4e8.exeO4 - HKLM\..\Run: [VBoxTray] C:\Windows\system32\VBoxTray.exeO23 - Service: FJOSKX - Sysinternals - www.sysinternals.com -C:\Users\JHONDO~1\AppData\Local\Temp\FJOSKX.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACETechnologies, Inc. - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SUUKATRPY - Sysinternals - www.sysinternals.com -C:\Users\JHONDO~1\AppData\Local\Temp\SUUKATRPY.exeO23 - Service: VirtualBox Guest Additions Service (VBoxService) - Oracle Corporation -C:\Windows\system32\VBoxService.exe

Alternatively, we turn to Process Explorer and Process Monitor from Sysinternals. In spite of comprehensive information and some suspicious activities, these tools were unable to show direct link to malware. We analyzed some suspicious DLLs and .exe files, but all of them appeared to be legitimate Windows files. Also ee turned to Security Task Manager by Neuber Software where it discovered file 061afffa0005f9e5.exe in C:\Users\JHONDO~1\LOCALS~1\Temp folder. Usually malware runs itself or is hidden in Temp folder. So weird name and location give us enough reason to think it’s malware. Additional information provided by Security Task Manager: Company: Not provided; Type: Program. Hidden; Starts: when Windows starts and Registry: win.ini.

Meanwhile, for advance analysis we have conduct with clean boot which is explained into the KB article in the following link.

Now we run the wireshark analysis network tool, where no more suspicious network traffic is identified. This means that the malicious code is running from 3rd party applications and not from Microsoft services or process.

Likelihood, to be able to identify the malicious code, threads in virtual machine, we recommend to run an online free virus scanning. Thus process is done by ESET free online tool scanning, refer to the following [link](https://www.eset.com/us/online-scanner/](/https://www.eset.com/us/online-scanner/).

The aim of this step is to help to identify if the threads have been registered in to the virus signature database. If so, this will be a useful information and will assist to continue with analysis.

    Eset Online scanner, found 20 threads:C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.2.60\c39bb188f2ac6534e75c6d961b9a78a2 Win32/Spy.SpyEye.BY trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.2.99\92bf8b3eb04be42f6aba05d6b97e8f25 Win32/Spy.SpyEye.BY trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.3.10\21da6142e3cd3979b7ef122ee638c78f a variant of Win32/Kryptik.MKM trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.3.25\7822bbf0c8ea3e9a75a19e954a39d6c9 Win32/Spy.SpyEye.CA trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.3.31\2bed4bbed303c91e2169b2f32db46acb.exe Win32/Spy.SpyEye.CA trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.3.32\1686b7e48871dd715336c732cfc32c1d Win32/Spy.SpyEye.CA trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIZWMML\spyeye-1.3.34\b2c3acf99f68c42626cf345b74095d51 a variant of Win32/Spy.SpyEye.CA trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R387J1S IRC/SdBot trojan cleaned by deleting - quarantined C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R6TYLIY a variant of Win32/Kryptik.KUQ trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$R8Y8LWG Win32/Pepex.E worm cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RD4Q6CZ Win32/AutoRun.IRCBot.FC worm cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RI87EEE Win32/AutoRun.KS worm cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RIJ4S9U a variant of Win32/Kryptik.KUQ trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$ROFILPO probably a variant of Win32/Autorun.MHBFUDT worm cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RQNEZXA Win32/Pepex.F worm cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RU9MNXT IRC/SdBot trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY4NX2I IRC/SdBot trojan cleaned by deleting - quarantinedC:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1000\$RY6CB6A Win32/AutoRun.KS worm cleaned by deleting - quarantinedC:\Bios.Bin\Bios.Bin.exe a variant of Win32/Injector.FPL trojan cleaned by deleting - quarantinedC:\Users\Public\Videos\Sample Videos\moos.exeIRC/SdBot trojan cleaned by deleting - quarantined

Each virus definition is presented bellow in the following table with the description [link]

Name of threadsDescription links
Win32/Spy.SpyEye.BY(https://www.eset.eu/encyclopaedia/win32-spy-spyeye-btrojan-pincav-shd-backdoor](https://www.eset.eu/encyclopaedia/win32-spy-spyeye-btrojan-%20pincav-shd-backdoor)
Win32/Kryptik.MKMN/A
Win32/Spy.SpyEye.CA(https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSpyeye](https://www.microsoft.com/security/portal/threat/Encyclopedia/%20Entry.aspx?Name=Trojan%3AWin32%2FSpyeye)
IRC/SdBot(https://www.symantec.com/security\_response/writeup.jsp?docid=2002-051312-3628-99](https://www.symantec.com/security_response/writeup.jsp?%20docid=2002-051312-3628-99)
Win32/Kryptik.KUQ(https://www.virustotal.com/file-scan/report.html?id=1025888a8be72a04cf0b576c65a9b2b13a7abaaa6b90124e2c14b095f98edef7-1310416729](/https://www.virustotal.com/file-scan/report.html?%20id=1025888a8be72a04cf0b576c65a9b2b13a7abaaa6b90124%20e2c14b095f98edef7-1310416729)
Win32/Pepex.E(https://www.virustotal.com/file-scan/report.html?id=169ff0849ce6e055584d24cabc18637db9ae127c166f430147c457a4f410d9d-1303250955](https://www.virustotal.com/file-scan/report.html?%20id=169ff0849ce6e055584d24cabc18637db9ae127c166f4309%20147c457a4f410d9d-1303250955)
Win32/AutoRun.IRCBot.FC(https://www.eset.eu/encyclopaedia/win32-autorun-ircbot-fcnet-worm-mytob-gvm-w32-gen-trojan-qhost-d?lng=en](https://www.eset.eu/encyclopaedia/win32-autorun-ircbot-fcnet-%20worm-mytob-gvm-w32-gen-trojan-qhost-d?lng=en)
Win32/AutoRun.KS(https://www.eset.eu/encyclopaedia/win32\_autorun\_ks\_sillyfdc](https://www.eset.eu/encyclopaedia/win32_autorun_ks_sillyfdc%20_worm_fgj_dnn)
_worm_fgj_dnn
Win32/Injector.FPL(https://www.virustotal.com/file-scan/report.html?id=51591a4e9aed52a04bbd33c45f7111ae8b3af1051bf39e207940243962e7f25-1303564836](https://www.virustotal.com/file-scan/report.html?%20id=51591a4e9aed52a04bbd33c45f7111ae8b3af1051bf39e25%2007940243962e7f25-1303564836)

From the above table we can come to the conclusive proof that total sum number of malicious code running in the virtual machine are 20, with an 9 different definitions of trojan, warms, etc. However, most of them were located in to the Recycle bin folder. Additionally to the analysing packets with Wireshark showed that Win1 has some malware, which sent and received some information over network without knowledge of the user. Destination IP addresses, names and port numbers were suspicious.

Disinfection

Indeed, this virtual machine it is infected. Therefore we have to perform an disinfection process. However, from the above table of the links it provides an solution and steps that should be followed for disinfection process. Either with an tool or steps for removing the malicious code. Also, we can remove the files with some additional tools that are available for free, for instance Eraser tool. Now that we know the exact location of each infected file it is much easier and simple to be able to delete, remove the files from our system. Although we could use the Eset scanner tool that we have performed previously. Nevertheless, to be sure and more save way is to do the removing process manually.

Therefore, recommendation for deleting the malicious code of all time from virtual machine is eraser tool. You need to configure task and which folders or files you specify to be removed. After the task was completed, restart the machine and now the system should be disinfected and additional we recommend to run the Eset online scanner free tool one more time, just in case in a meaner of your organization.

Win2

Intense detail information are highlighted bellow and MD5 sum for Win2 virtual box machine:

    OS: Ms Windows 7 ProfessionalVersion: 6.1.7601 Service Pack 1 Build 7601System type: 32 bitComputer name: DoeMUsers Names:- Jane Doe- Jhon DoeMD5 Sum: 155a5b9e8b842dff4aa5a7b4361113d3

Analysis

Despite the fact that Process Monitor, TCPView and other Sysinternals Suite analysis tools did not help us at all (also Wireshark did not detect any suspicious network activities), at this point, additionally registry changes were detected with CaptureBat tool, where the log file will be presented in figure 2. However by running the ESET online free scanner tool, it did detect in total three threads to our virtual machine, logs are presented bellow.

Eset Online Scanner, found 3 threads:

    C:\$Recycle.Bin\S-1-5-21-1301155936-2652204530-896827088-1001\$RKV8ZW1.exe Win32/Duqu.A trojanC:\Users\Jane\AppData\Local\Temp\0004fbd1.tmpa variant of Win32/Kryptik.VFI trojanC:\Users\Jane\AppData\Local\Temp\b01dffe3001c4fe2.exe Win32/TrojanDownloader.Agent.QXN trojan

Threads are located in to the system directory of Jane user name. Additionally, there is an other malicious code located into the Recycle bin as we were able to detect into the previous analysis for Win1 virtual machine. In spite of fact that in previously scenario we had only a threads located into Recycle Bin, at this virtual environment we have as an local files. Therefore to be able to identify the above file and there integrity we have to sum the MD5 and SHA256 algorithms. For this action we are using an online tool winMd5Sum.

File nameMD5SumSHA256
C:\Users\Jane\AppData\Local\Temp\0004fbd1.tmpaa17de9a17a58840b8f3b3bd5412daee6d242dbfec946dcacc90d624defb073cb7d7bcc531c06d566933610fef62f986
C:\Users\Jane\AppData\Local\Temp\b01dffe3001c4fe2.exedc88442c440a5fa5c5fa449a2d0ab1e5d9a874bf8d9f2f2ca803d38abd677ab51e77008b6cfbab37525dd28df71be107

For advance analysis, we will run the MD5Sum into the virustotal.com search to identify the threads. Indeed, all of the above have been reported previously as a malware. Meanwhile, to gather better description of the above malicious codes we will search the definitions in the Eset database and descriptions provided in the following table.

Thread nameDescription
Win32/Duqu.A(https://blog.eset.com/2011/10/28/win32duqu-analysisthe-rpc-edition](https://blog.eset.com/2011/10/28/win32duqu-analysisthe-%20rpc-edition)
Win32/Kryptik.VFIhttps://vil.nai.com/vil/content/v\_683077.htm
Win32/TrojanDownloader.Agent.QXN(https://www.pcsafedoctor.com/Trojan/remove-Win32.TrojanDownloader.Agent.QNX.html](https://www.pcsafedoctor.com/Trojan/remove-%20Win32.TrojanDownloader.Agent.QNX.html)

Figure 2 is just a part of the log files that were able to be capture of the CaptureBAT tool, as we can see form the above that many changes were effected over the registries. Therefore, we need to run either an registry system check or as we know the location of the malicious code, with OllyDbg we can run the files and inspect there behaviour and if they have any additionally affect over the memory dump, etc. presented in figure 3.

Illustration 3: OllyDbg analysis, memory dump, system dll access, etc.

Nevertheless, because now we have the locations and the threads description it is next step to disinfected the system, yet it is still a big thread for the organization, etc.

Disinfection

As on the previously scenario, we recommend either to use the Eset online free scanner or to use in more convinced way the Eraser tool, for removing the malicious code from the machine forever. Furthermore, to just make sure that the above malicious code is removed, disinfected from our system still recommendations is to run the Eset tool for a second time, for double check the system.

All the above files and threads could be a very harmful for the organization and for everyday production work. Therefore, advance analysis of the system it is always in hands to help us to protect our data, internet access, etc. of being leaked.

Tools

Tools that help for conducting the results are highlighted in this section. Those are just few of them that are available for this purpose. Nevertheless, we have use only the listed ones.

Tools and downloadable links:

However, there are many other tools that can be used. Recent papers, tutorials can help us for further action, please refer to [3] [4] [5] [6].

SUMMARY

Nowadays malicious codes, infection of the system is one of the highest vector of production work everyday of the organizations. Therefore, different approaches, advance analysis, troubleshooting, etc. has to be applicable and stated in every organization.

Leaking of data, information, access of network (internal and external) can be very harmful for organization and even the home usage of computers. Therefore, this laboratory report main aim is to provide the reader to be able to conduct advance analysis of system and their disinfection.

From the two scenarios, virtual machine environments we came to final consistent conclusion that both of them are infected. Yet different threads were able to be found in the systems. However analysis is done by the short time of period. In each scenario in report provides an solutions how and what kind of actions should be considered for future disinfection of the system. Moreover, in next lines we are stating the summary of each infected machine.

Firstly, Win1 was infected with identified 20 threads, with other words in total of 9 different definitions of trojan, malware, warms code. The definition of the threads were advance, where from the links provided in the table above, is stated that the few of them were playing very smart. By smart, we mean, that if they have noticed that wireshark, tcpviewer or other tools were running, the malicious code stops responding, so it was able to cover his identity, information leaks, etc. In addition, the malicious codes were located in to the Recycle bin folder, where we were not able to identify there MD5 sum or SHA256. If we want it to proceed in this step, we had to restore them from the bin folder and then identify them. Advance we identify the user that has spread the malicious code, user name: John Doe. Nevertheless, disinfecting process helped us to remove the code from the system and just in case we have run in second time the Eset online scanner tool.

Secondly, Win2 was indeed infected too. In spite of the scenario one, this was less infected. The total sum of the threads were 3. Each of them were supply by the administrator user account: Jane Doe. The location of the malicious code is located into the temp folders and one in a recycle bin directory. From the definitions links from the above table we can stated that they have try to attempt over the network to leak informations, registry changes and additional files are added to the system. However, all of them were harmful for our environment and therefore and disinfection steps were necessary. Additionally, the location of the files were accessible therefore we provide an addition MD5sum and SHA256 for each file, were it help us to identify them in virustotal.com.

Finally, the both virtual box were infected with different malicious code. Advance disinfection procedures were necessary to troubleshoot and find the solution to make the hence system for being able to use it in production. However, the threads were able to share, leak information and data, in advance were able to change the registry and even the system files. Therefore, we do recommend advance furthermore actions to be considered. Meanwhile, the list of the tools that is provided by this report will help the hence users and analysers to be able to identify the threads in a system and to perform an disinfection. Additional the tutorials, stepwise solutions were provided as a reference where can guide for more advance troubleshooting.

Closing, as there are many different ways, tools, process for analysing the malicious code behaviours in system this laboratory report is supplying the reader with advance and stepwise solution for identifying the infection of the system. The above procedure can be applied into real time, everyday working machine.

WORKLOAD

We analysed both Win1 and Win2 on our computers. Virtualization environment for both host systems were the same. Each of us analyzed Win1 and Win2. First we analyzed Win1 and then Win2. So the group analyzed each of Virtual Machines (Win1 and Win2) two times.

In such way we cross-referenced the analysis results and got more reliable information about the system and its infection.

APPENDIXES

Appendix 1 is configuration of the virtual environment.

APPENDIX 1

Virtual environment: Oracle VirtualBox Version 4.1.2 r73507. Downloadable from the following [link] (https://www.virtualbox.org/wiki/Downloads)

Bibliography

[1] Lenny Zeltser, Reverse-Engineering: Malware Analysis Tools and Techniques Training, 2011, Link.

[2] Lenny Zeltser, Malware analysis report reminders, 2011,Link.

[3] Lenny Zeltser, Introduction to malware Analysis, 2010, Link.

[4] Michael Kassner, 10 ways to detect computer malware, 2009, Link.

[5] Michael Kassner, 10 more ways to detect computer malware, 2009, link.

[6] Andrew Brandt, Security Tips: Identify Malware Hiding in Windows’ System Folders, 2005, link.

The above post is written by Predrag Tasevski and Mikheil Basilaia.