Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manual analysis
Sandbox vs manual analysis v2.1
1. Are malware sandboxes as good as manual analysis?
Michael Gough – Founder
MalwareArchaeology.com
Co-creator of
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• @BrakeSec
• @HackerHurricane and also my Blog
3. Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE !!!
– Resume Generating Event
4. Define Sandbox
• A VM you build to evaluate malware
• An on-premise virtual malware analysis system like Cuckoo Sandbox
• A specific malware analysis eco-system like REMnux
• A cloud-based malware analysis service like Payload Security/Reverse.IT, Lastline, Malwr.com, etc.
• Email Gateways like FireEye, Cisco AMP, etc.
• Web Proxies like FireEye, Lastline, etc.
• Advanced features in Firewalls like Palo Alto WildFire
• And of course anything you specifically build
6. How do the malwarians evade sandbox analysis?
Look for indicators of a VM
• VM Tools
• Registry keys
• Hardware (is virtual not real)
Look for ‘Recent Files’
• Have you opened several misc. documents
Processor related indicators
• Some API calls take MUCH longer on a VM
7. How do the malwarians evade sandbox analysis?
Password protected files
• Can’t scan what you can’t access
8. How do the malwarians evade sandbox analysis?
OLE
• Embed OLE objects and the sandbox may not know where to click to execute the payload
9. How do the malwarians evade sandbox analysis?
URL’s in the document
• Can be anywhere in the document
10. How do the malwarians evade sandbox analysis?
Time
• They wait you out
• Your automated queue will just back up
• How long can you wait? Or the automated sandbox wait?
12. How do the malwarians evade sandbox analysis?
Time
• The automated sandbox gave up
• So did our email “Advanced Malware Protection”
But WE did not
• +LOG-MD caught it all
13. Manual Analysis rules
• We detonate everything in a lab that fits a pattern like ‘has a password’ and anything that comes back ‘unknown’ or ‘looks incomplete’
22. And a couple more…
• Clean???
VawTrak
23. Even AV actually caught it
• Same Day!
• McAfee knew
VawTrak
24. Simple Manual Analysis
• In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis
– 7Zip, Strings & OfficeMalScanner
• To be certain the file is bad, we could detonate it in a lab or an online solution
• Let’s see what the fancy pants Cloud and Sandbox solutions say about it
• By the way, documents you auto-process to the cloud may contain PII ;-(
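Slides 8, 9 and 24 together describe the quick manual look at an Office document: unpack it (7Zip), pull strings and URLs out of it, and check for macros and embedded OLE objects. The script below is an added example for this write-up; it is not OfficeMalScanner, LOG-MD or any code from the deck. It automates that first pass over an OOXML package held in memory, treats OLE2 containers (legacy .doc or password-protected files, the slide 7 case) as opaque and routes them to the lab for detonation, and runs against a constructed sample .docx. Every filename and URL in it is made up.

```python
import io
import re
import zipfile
from typing import Optional

# Compound-file header: legacy binary .doc/.xls or a password-protected OOXML file.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Anything that looks like an http(s) URL, searched in every member of the package.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def triage(data: bytes) -> dict:
    """Quick static look at an Office document: container type, macros, OLE objects, URLs."""
    report = {"container": None, "has_macros": False, "embedded_objects": [],
              "urls": [], "verdict": None}

    if data.startswith(OLE2_MAGIC):
        # Not a zip, so this pass cannot see the parts. Same rule as slide 13:
        # anything we cannot open (e.g. password protected) goes to the lab.
        report["container"] = "ole2"
        report["verdict"] = "opaque container: detonate in lab"
        return report

    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["container"] = "unknown"
        report["verdict"] = "not an Office package: inspect manually"
        return report

    report["container"] = "ooxml"
    urls = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/vbaProject.bin"):   # word/, xl/ and ppt/ all use this part name
                report["has_macros"] = True
            if "/embeddings/" in name:             # embedded OLE objects (slide 8)
                report["embedded_objects"].append(name)
            # URLs can sit anywhere in the package (slide 9): rels, body XML, OLE blobs.
            for match in URL_RE.findall(zf.read(name)):
                urls.add(match.decode("ascii", "replace"))
    report["urls"] = sorted(urls)

    if report["has_macros"] or report["embedded_objects"]:
        report["verdict"] = "suspicious: macros or embedded objects present"
    elif report["urls"]:
        report["verdict"] = "review URLs"
    else:
        report["verdict"] = "no indicators found"
    return report


def build_sample_docx(macro: bool, ole: bool, url: Optional[str]) -> bytes:
    """Construct a minimal fake .docx in memory so the example runs offline (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
        if url:
            zf.writestr("word/_rels/document.xml.rels",
                        f'<Relationship Target="{url}" TargetMode="External"/>')
        if macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
        if ole:
            zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("macro+ole+url", build_sample_docx(True, True, "http://example.invalid/stage2.php")),
        ("clean", build_sample_docx(False, False, None)),
        ("ole2 container", OLE2_MAGIC + b"\x00" * 512),
    ]
    for label, sample in samples:
        print(label, "->", triage(sample))
```

The verdict is deliberately coarse: the point of the one-minute pass is to decide whether a file needs the lab, not to classify the family, which is what the deck does next with VirusTotal and detonation.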
25. VirusTotal
• VT Score 28/53
• Date: 9/8/16
• 8 Days later
• AV has a Sig
• Clearly BAD
26. Unknown???
• This is an obviously bad Word Doc, same as the others
• This one had the added benefit of an embedded OLE object
• Still easily bad
• This one was KOVTER
27. Let’s see what a Cloud analysis shows
31. Artifacts / Indicators
• What do we want to get out of any analysis?
– URL’s: What websites were visited
– IP’s: Communications
– Filenames: What files were added
– Directories used: Where does it live
– Autoruns used: How does it launch
– Config changes: What changed
– Metadata: Details
– Signed: Digital Signatures
– Behavior: What actually happened
– Network info: Traffic behavior - Net Flow
32. Artifacts / Indicators
• Why do we want this data?
• We need to know who else got infected
– The IP’s and URL’s
• What was added
• What was changed
• So we know whether to
– Re-image
– IF we can clean it up
33. Let’s look at another Manual analysis
34. Artifacts URL’s
• A little script I run during analysis
• And…
• Google
35. Process Artifacts
• What launched
• Linked processes – Bad EXE calls WinHost32.exe
(Table columns: Creator ID | Process ID | Process Name | Sandbox Found)
36. Artifacts IP’s
• What talked to Whom
• Wait… WinHost32 did not show up in the Cloud Analysis
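The Creator ID / Process ID / Process Name columns on slide 35 are all that is needed to rebuild the chain that shows the bad EXE launching WinHost32.exe, which is exactly the link the cloud analysis missed. The code below is an added example, not LOG-MD or the author's own script. It reconstructs that tree from constructed records shaped like those columns (or like Windows Security event 4688), prints the lineage for any PID, and also flags parent-less processes, the check slide 47 lists as future work. The PIDs and paths are made up, and bad.exe stands in for the deck's unnamed bad EXE.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    creator_pid: int   # "Creator Process ID"
    pid: int           # "New Process ID"
    image: str         # "New Process Name"


# Constructed records for the example; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(616, 2420, r"C:\Windows\explorer.exe"),
    ProcEvent(2420, 3104, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(3104, 3388, r"C:\Users\analyst\AppData\Local\Temp\bad.exe"),
    ProcEvent(3388, 3516, r"C:\Users\analyst\AppData\Roaming\WinHost32.exe"),
    ProcEvent(2420, 3600, r"C:\Windows\System32\notepad.exe"),
]


def basename(image: str) -> str:
    """Windows path -> file name, regardless of the host OS running this script."""
    return ntpath.basename(image)


def children(events: List[ProcEvent]) -> Dict[int, List[ProcEvent]]:
    """Index events by creator PID so the tree can be walked downward."""
    tree: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        tree.setdefault(ev.creator_pid, []).append(ev)
    return tree


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk creator links upward; return the chain root..pid as image basenames."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].creator_pid
    return list(reversed(chain))


def descendants(events: List[ProcEvent], pid: int) -> List[str]:
    """Everything launched under pid, depth first, as image basenames."""
    tree = children(events)
    out: List[str] = []
    stack = list(reversed(tree.get(pid, [])))
    while stack:
        ev = stack.pop()
        out.append(basename(ev.image))
        stack.extend(reversed(tree.get(ev.pid, [])))
    return out


def parentless(events: List[ProcEvent]) -> List[str]:
    """Processes whose creator never appears as a created process in this window."""
    pids = {ev.pid for ev in events}
    return [basename(ev.image) for ev in events if ev.creator_pid not in pids]


def render(tree: Dict[int, List[ProcEvent]], pid: int, depth: int = 0) -> str:
    """Indented text tree of everything launched under pid."""
    lines = []
    for ev in tree.get(pid, []):
        lines.append("  " * depth + f"{ev.pid} {basename(ev.image)}")
        sub = render(tree, ev.pid, depth + 1)
        if sub:
            lines.append(sub)
    return "\n".join(lines)


if __name__ == "__main__":
    print("parent-less:", parentless(SAMPLE_EVENTS))
    print("lineage of 3516:", " -> ".join(lineage(SAMPLE_EVENTS, 3516)))
    print(render(children(SAMPLE_EVENTS), 616))
```

On a real system the parent-less list is noisy at the boundaries of the log window (anything started before collection began), so it is a review queue rather than an alert; the lineage view is what answers "what launched this?" for a specific suspicious process.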
42. Artifacts / Indicators
Indicator                Cloud    Manual
– URL’s                  No/Yes   Yes
– IP’s                   No       Yes
– All Filenames          Some     Yes
– All Directories used   Some     Yes
– Autoruns used          No       Yes
– Config changes         No       Yes
– Metadata               Yes      Yes
– Signed                 Yes      Yes
– Behavior               No       Yes
43. Sandbox or Manual?
• Paid solutions work better than Free ones
• Many samples failed to execute because they were VM aware
• Not as much detail as you can get yourself (IMHO)
• You CAN do as good a job as, or better than, sandbox solutions
• Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis, so you can compare results
• You may, or will, have to super harden VM sandboxes to make them look and act like a normal system
44. So what do we use for manual analysis?
45. Free Edition
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and
File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
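The file baseline and compare features listed above (snapshot a clean system, compare a suspect one to it, whitelist results by hash) are easy to demonstrate end to end. The script below is an added example and not LOG-MD's implementation: it hashes a directory tree, diffs two snapshots into added, removed and modified files, and drops files whose hash is on a known-good list, which is the whitelist / Master-Digest idea from the Professional feature list. The directory layout, file contents and names are constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map every file under root (as a POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(base: Dict[str, str], current: Dict[str, str],
            known_good: Set[str] = frozenset()) -> Dict[str, List[str]]:
    """Diff two baselines. Files whose current hash is in known_good (hashes already
    vetted on clean systems) are suppressed from 'added' and 'modified' to cut noise."""
    added = sorted(k for k in current.keys() - base.keys() if current[k] not in known_good)
    removed = sorted(base.keys() - current.keys())
    modified = sorted(k for k in base.keys() & current.keys()
                      if base[k] != current[k] and current[k] not in known_good)
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'clean' tree, snapshot it, change it the way an infection
    would (drop, modify, delete), and diff. All paths and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows/System32").mkdir(parents=True)
        (root / "Users/analyst/AppData/Roaming").mkdir(parents=True)
        (root / "Windows/System32/notepad.exe").write_bytes(b"constructed notepad bytes")
        (root / "Windows/System32/hosts.txt").write_bytes(b"127.0.0.1 localhost\n")
        (root / "Users/analyst/readme.txt").write_bytes(b"constructed user file")
        base = baseline(root)

        # Simulated post-infection state: a dropped payload, a changed file, a deleted file.
        (root / "Users/analyst/AppData/Roaming/WinHost32.exe").write_bytes(b"constructed payload bytes")
        (root / "Windows/System32/hosts.txt").write_bytes(b"127.0.0.1 localhost\n# constructed change\n")
        (root / "Users/analyst/readme.txt").unlink()
        # A vetted update: its hash is whitelisted, so it must not appear as 'added'.
        vetted = b"constructed vetted update"
        (root / "Windows/System32/update.dll").write_bytes(vetted)
        known_good = {hashlib.sha256(vetted).hexdigest()}

        return compare(base, baseline(root), known_good)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keying the whitelist on hashes rather than paths is what makes it reusable across machines: a payload dropped under a legitimate-looking name still shows up, while a known-good binary is quiet wherever it lands.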
46. MalwareArchaeology.com
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• WhoIs lookups of IP Addresses called
• SRUM netflow data (Win 8.1 & 10 64bit)
• Free updates for 1 year, expect a new release every quarter
• Manual – How to use LOG-MD Professional
47. MalwareArchaeology.com
Future Versions – In the works!
• PowerShell details
• AutoRuns report
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and services
• Other API calls to security vendors
48. So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
49. Resources
• Websites
– Log-MD.com: The tool
• The “Windows Logging Cheat Sheet”
– MalwareArchaeology.com
• Malware Analysis Report links too
– To start your Malware Management program
• This presentation is on SlideShare and website
– Search for MalwareArchaeology or LOG-MD
50. Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• MalwareManagementFramework.Org
• http://www.slideshare.net – LinkedIn now