Revert VM Snapshot

Initial Detonation
How does the malware operate when executed without any network connectivity in your sandbox?

Second Detonation (INetSim-enabled execution, hosts file modified, etc.)
How does it behave after service imitation is enabled (e.g. Internet, network, AD)? Or once anti-sandbox / anti-reversing checks have been manually bypassed?
Noriben
Noriben is a Python wrapper around ProcMon that is used as an analysis tool specifically for malware behavioural analysis.
When you run noriben.py, it automatically attempts to open Procmon with a predefined config. The config specifies the filters for capturing system operations.
This tool has YARA integration as well: use the --yara option to specify a folder containing YARA rules.
python3 noriben.py
Press Ctrl+C to stop logging once execution is complete.
Note: due to limitations, Noriben may omit some information, such as VM and sandbox checks that a sample performs. It is always worth doing manual checks in conjunction.
Additional tools: https://kahusecurity.com/tools.html (7z archive password: kahusecurity)
It may be worth running Wireshark in the background.
Wireshark - filter for HTTP / DNS:
dns → show only DNS queries/responses
tcp.port==80 or tcp.port==443 → show HTTP/HTTPS
http.request.full_uri contains <string> → show HTTP requests whose full URI contains the string
Suricata is an IDS tool. It takes PCAP files as input, analyses them, then dumps network-based indicators according to the rule-set supplied:
sudo suricata -r sample.pcap -S custom.rules -k none
Debugger string search: run to user code > references for current module > string search.

API Monitor
This tool allows you to trace and monitor API function calls. You can use it to set breakpoints on specific Win API functions.
Workflow: select your process and let it execute. If the program calls an API module that you have set breakpoints on, API Monitor shows the call, as well as the arguments passed to it.
Run this command as admin in the background to log the system's 'live' connections:
netstat -b -n -o 5
-b  display the executable from which the connection was made
-n  display addresses and ports in numerical form (optional)
-o  display the owning process ID
5   interval in seconds (refresh time) - increase / decrease as you wish
Open Process Hacker > select the process > Properties > Memory > Strings, to check the strings present in the process's memory.
TCPView (Sysinternals): sort by Remote Port, and run whois on the destination IP from the GUI.
Run procmon and set the filter:
Process Name contains <proc name>
Operation contains TCP
This is useful to determine network IoCs: it shows the inbound/outbound TCP operations performed by your sample.
Fiddler web proxy to review outbound traffic.
NOTE: Bind connectivity
If you notice that your sample has started a LISTENER on a given port, you can use netcat or similar to establish a connection to it and inspect what happens.
Reverse connectivity
Conversely, if the sample is connecting out to a target address on a given port, you can imitate the target (set the hosts file if necessary, and start a listener on the specified port) to see what happens when the sample connects to it.
The "ncat" version of netcat has an SSL option that can be used if required:
ncat -lvnp <port> --ssl
ncat.exe works on Windows, and on Linux ncat can in many instances be installed with:
apt install ncat
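The netstat output described above is tedious to read by eye across many refreshes. The following is an added Python example (not part of the original notes) that parses the `netstat -b -n -o` format, where the owning executable appears in brackets on the line after each connection and the PID is the last column, and separates the sample's sockets into bind indicators (LISTENING sockets) and reverse indicators (outbound connections), then prints the follow-up the bind/reverse notes suggest. The netstat capture embedded in it is constructed; process names, addresses and ports are placeholders.

```python
import re

# Constructed sample of `netstat -b -n -o` output (not a real capture).
# With -b the owning executable is printed in brackets on the line after
# each connection; with -o the PID is the last column; -n keeps addresses numeric.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.101:49712   203.0.113.5:443        ESTABLISHED     4120
 [sample.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4120
 [sample.exe]
  TCP    192.168.56.101:49800   198.51.100.7:8080      SYN_SENT        4120
 [sample.exe]
  TCP    192.168.56.101:49650   203.0.113.9:443        ESTABLISHED     1532
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*                                    1532
 [chrome.exe]
"""

# UDP rows have no State column, so the state group is optional.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Parse `netstat -b -n -o` output into a list of connection dicts.

    Lines that match neither pattern (headers, 'Can not obtain ownership
    information', service-name lines) are ignored."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "foreign": foreign,
                          "state": state or "", "pid": int(pid), "owner": None})
            continue
        m = OWNER_RE.match(line)
        if m and conns and conns[-1]["owner"] is None:
            conns[-1]["owner"] = m.group(1)  # bracket line belongs to the previous row
    return conns


def triage(conns, process_name):
    """Split one process's sockets into bind (listener) and reverse (outbound) indicators."""
    findings = {"bind": [], "reverse": []}
    for c in conns:
        if c["owner"] is None or c["owner"].lower() != process_name.lower():
            continue
        if c["state"] == "LISTENING":
            findings["bind"].append(c["local"])
        elif c["proto"] == "TCP" and c["foreign"] not in ("0.0.0.0:0", "*:*"):
            findings["reverse"].append((c["foreign"], c["state"]))
    return findings


def follow_up(findings):
    """Suggested next checks, mirroring the bind / reverse connectivity notes."""
    notes = []
    for local in findings["bind"]:
        port = local.rsplit(":", 1)[1]
        notes.append(f"listener on {local}: connect to port {port} with ncat and inspect what it sends")
    for foreign, state in findings["reverse"]:
        host, port = foreign.rsplit(":", 1)
        notes.append(f"outbound to {host}:{port} ({state}): redirect {host} to the analysis box "
                     f"(hosts file or INetSim) and listen with ncat -lvnp {port}")
    return notes


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT), "sample.exe")
    for note in follow_up(found):
        print(note)
```

In practice, redirect `netstat -b -n -o 5` to a file during the detonation and feed that file to `parse_netstat`; the sample's own name is the only value you need to supply.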
Operation monitoring - useful procmon filters:
Process Name is sample.exe   ; focus on one binary and its children
Process Name is not explorer.exe, Process Name is not chrome.exe, etc.   ; exclude noisy processes
Path contains <string>
Parent PID (ppid) is <parent proc ID>
Operation is Process Create
Operation is Process Exit
Operation is Thread Create
Operation is Thread Exit
Operation begins with Reg   ; catches all registry actions
Operation is RegQueryValue
Operation is RegCreateKey
Operation is RegSetValue
Operation is RegDeleteKey
Operation is RegDeleteValue
Operation is CreateFile
Operation is WriteFile
Operation is ReadFile
Operation is SetDispositionInformationFile   ; rename/delete
Operation is CloseFile
Operation is Load Image   ; DLL loads
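The filter list above is what you apply inside the Procmon GUI; the same triage can be scripted over a saved trace. The following is an added Python example (not part of the original notes or of Procmon) that reads a Procmon CSV export, follows the sample's process tree through the Parent PID column, drops the noisy processes named in the filter list, and buckets the remaining events into process creation, image loads, file writes and registry writes, flagging registry writes under the Run/RunOnce autostart keys as persistence candidates. It assumes the optional Parent PID column was enabled before exporting; the CSV rows embedded in it are constructed and every path, PID and value is a placeholder.

```python
import csv
import io

# Constructed Procmon CSV export (File > Save > CSV) - not a real capture.
# Assumes the optional "Parent PID" column was enabled before exporting.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1200","800","Process Create","C:\Users\analyst\Desktop\sample.exe","SUCCESS","PID: 4120"
"10:01:02.2","sample.exe","4120","1200","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS",""
"10:01:02.3","sample.exe","4120","1200","CreateFile","C:\Users\analyst\AppData\Roaming\svc_update.exe","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"10:01:02.4","sample.exe","4120","1200","WriteFile","C:\Users\analyst\AppData\Roaming\svc_update.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.5","sample.exe","4120","1200","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_update","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Roaming\svc_update.exe"
"10:01:02.6","sample.exe","4120","1200","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188"
"10:01:02.7","cmd.exe","4188","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.8","cmd.exe","4188","4120","SetDispositionInformationFile","C:\Users\analyst\Desktop\sample.exe","SUCCESS","Delete: True"
"10:01:03.0","chrome.exe","1532","1200","RegSetValue","HKCU\Software\Example\Browser\Session","SUCCESS","Type: REG_DWORD"
'''

NOISE_PROCESSES = {"explorer.exe", "chrome.exe"}   # the "Process Name is not ..." exclusions
REGISTRY_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue"}
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile"}   # writes, renames, deletes
AUTOSTART_MARKER = r"\currentversion\run"   # matches Run and RunOnce, common persistence keys


def load_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def sample_process_tree(rows, sample_name):
    """PIDs of the sample plus every descendant, followed through the Parent PID column."""
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == sample_name.lower()}
    grew = True
    while grew:   # iterate to a fixed point so grandchildren are picked up too
        grew = False
        for r in rows:
            if r["Parent PID"] in pids and r["PID"] not in pids:
                pids.add(r["PID"])
                grew = True
    return pids


def triage(rows, sample_name="sample.exe"):
    """Bucket the sample tree's events into the host IoC categories the filter list targets."""
    tree = sample_process_tree(rows, sample_name)
    iocs = {"process_create": [], "image_loads": [], "file_writes": [],
            "registry_writes": [], "persistence": []}
    for r in rows:
        if r["Process Name"].lower() in NOISE_PROCESSES or r["PID"] not in tree:
            continue
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "Process Create":
            iocs["process_create"].append(path)
        elif op == "Load Image":
            iocs["image_loads"].append(path)
        elif op in FILE_WRITE_OPS or (op == "CreateFile" and "OpenResult: Created" in detail):
            iocs["file_writes"].append(path)
        elif op in REGISTRY_WRITE_OPS:
            iocs["registry_writes"].append(path)
            if AUTOSTART_MARKER in path.lower():
                iocs["persistence"].append((path, detail))
    # de-duplicate the path lists while keeping first-seen order
    for k in ("process_create", "image_loads", "file_writes", "registry_writes"):
        iocs[k] = list(dict.fromkeys(iocs[k]))
    return iocs


if __name__ == "__main__":
    for category, items in triage(load_procmon_csv(SAMPLE_PROCMON_CSV)).items():
        print(category)
        for item in items:
            print("   ", item)
```

Read-only noise (RegQueryValue, ReadFile, CloseFile) is deliberately left out of the buckets, which is the same trade-off the GUI filter list makes: it is still in the trace if you need it, but the summary shows only what the sample changed on the host.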
Behavioural Analysis (Stage 2)
Behavioural analysis is an imperative step that helps us understand what the program actually does and how it behaves. In this stage you should try to identify any indicators of compromise (IoCs), both system-based and network/Internet-based.
You may need to configure your environment so that it facilitates the full execution of the target program; you are the master of your own environment. You may also need to "patch" the program in order to have it execute in full, so you may have to jump to stage 3 or 4 to apply patches and then return to stage 2 to continue.
Some questions that ought to be asked at this point:
| Questions to ask |
|---|
| How does the sample behave when executed in isolation, without any network connectivity? |
| Is there a network-activity kill-switch? |
| Is there an anti-sandbox kill-switch? |
| What conditions need to be met for the program to execute in full? |
| What are the host indicators (system operations)? Process/thread spawn, file writes/deletion, registry activity, etc. |
| Is there any persistence? |
| What are the network indicators (network & Internet operations)? HTTP, bind connections, remote connections, AD, SMB, etc. |
| Based on the information collected, can the program be classified as malware? Is there enough evidence to determine this? |
Tracing registry modification: Regshot
https://sourceforge.net/projects/regshot/ (or trusted mirrors)
Note: Regshot may take a while to complete the registry snapshot.
1st shot → Shot (or Shot + Save if you want to keep the file). 2nd shot → Shot (or Shot + Save if you want to keep the file). Then Compare; the comparison reports:
- Added keys/values
- Deleted keys/values
- Modified keys/values
- Changed files (if directories were scanned)
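To make the Compare output above concrete, here is an added Python example (not Regshot's code) that performs the same two-level diff over two snapshots represented as key path → {value name: data} mappings, reporting added/deleted keys and added/deleted/modified values, and then picks out the added or modified values under the autostart keys as persistence candidates. The before/after snapshots embedded in it are constructed; the key names and paths are placeholders.

```python
# Constructed before/after registry snapshots (not real Regshot output):
# key path -> {value name: data}. An empty dict is a key that holds no values.
SNAPSHOT_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "VendorApp": r"C:\Program Files\Vendor\app.exe",
    },
    r"HKCU\Software\Example\Settings": {"Theme": "dark", "Version": "1.0"},
    r"HKCU\Software\Example\Temp": {},
}
SNAPSHOT_AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "VendorApp": r"C:\Program Files\Vendor\app.exe",
        "svc_update": r"C:\Users\analyst\AppData\Roaming\svc_update.exe",   # new autostart entry
    },
    r"HKCU\Software\Example\Settings": {"Theme": "light"},   # Version deleted, Theme modified
    r"HKCU\Software\Example\Marker": {"Installed": "1"},     # new key carrying one value
}

AUTOSTART_MARKER = r"\currentversion\run"   # Run / RunOnce keys, a common persistence location


def compare_snapshots(before, after):
    """Regshot-style diff: keys and values added, deleted or modified between two shots."""
    diff = {"keys_added": [], "keys_deleted": [], "values_added": [],
            "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            diff["keys_added"].append(key)
            diff["values_added"] += [f"{key}\\{name}" for name in sorted(after[key])]
            continue
        if key not in after:
            diff["keys_deleted"].append(key)
            diff["values_deleted"] += [f"{key}\\{name}" for name in sorted(before[key])]
            continue
        old, new = before[key], after[key]
        for name in sorted(set(old) | set(new)):
            full = f"{key}\\{name}"
            if name not in old:
                diff["values_added"].append(full)
            elif name not in new:
                diff["values_deleted"].append(full)
            elif old[name] != new[name]:
                diff["values_modified"].append((full, old[name], new[name]))
    return diff


def persistence_candidates(diff):
    """Added or modified values under the autostart keys: the first place to look for persistence."""
    hits = [v for v in diff["values_added"] if AUTOSTART_MARKER in v.lower()]
    hits += [v for v, _, _ in diff["values_modified"] if AUTOSTART_MARKER in v.lower()]
    return hits


if __name__ == "__main__":
    result = compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for section, entries in result.items():
        print(section, entries)
    print("persistence candidates:", persistence_candidates(result))
```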
HTTP server
In some instances you may need to serve an HTTP server for a specific domain. You can modify the hosts file and run the following:
python -m http.server <port>
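`http.server` only serves files; when imitating a target it is usually more useful to record exactly what the sample sends. The following is an added Python example (not part of the original notes) of a catch-all responder built on the standard library: it accepts any path and method, logs the method, URI, headers and body of each request, and answers 200 with a fixed body so the sample sees a "live" host. The response body and the loopback test client that stands in for the sample are constructed for illustration.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

RECORDED = []                 # one dict per request the imitated host received
RESPONSE_BODY = b"OK\n"       # constructed placeholder reply; adjust to what the sample expects


class ImitationHandler(BaseHTTPRequestHandler):
    """Accept any method and path, record what the client sent, and reply with a fixed body."""

    def _record(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        RECORDED.append({
            "method": self.command,
            "path": self.path,
            # header names are normalised to lower case so lookups do not depend on client casing
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body.decode("utf-8", "replace"),
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(RESPONSE_BODY)))
        self.end_headers()
        self.wfile.write(RESPONSE_BODY)

    do_GET = do_POST = do_PUT = _record

    def log_message(self, fmt, *args):
        pass   # RECORDED is the log; keep the console quiet


def start_server(host="127.0.0.1", port=0):
    """Start the responder in a background thread; port 0 picks a free port."""
    srv = ThreadingHTTPServer((host, port), ImitationHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv   # srv.server_address[1] is the bound port


def send_test_request(url, data=None, headers=None):
    """Stand-in for the sample: issue one request and return the HTTP status code."""
    req = Request(url, data=data, headers=headers or {}, method="POST" if data else "GET")
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    server = start_server(port=8080)
    print("imitation host listening on", server.server_address)
    try:
        threading.Event().wait()   # serve until interrupted
    except KeyboardInterrupt:
        server.shutdown()
```

Point the sample at the analysis box via the hosts file (as the note above describes), run this with the port the sample uses, and `RECORDED` holds every beacon in the order it arrived; the URI, headers and body are the network IoCs to note.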
Nth Detonation
What operations does it perform after a "successful" execution?
What are the Host IoCs?
What are the Network IoCs?
Revert VM Snapshot