Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Shusei Tomonaga (JPCERT/CC) Tomoaki Tani (JPCERT/CC)
Copyright ©2018 JPCERT/CC All rights reserved. Motivation Sandbox Malware Analyst Perfect! That's not what I want… Huma n 1
Copyright ©2018 JPCERT/CC All rights reserved. Motivation Sandbox Malware Analyst I want configuration data! Huma n 2 Perf...
Copyright ©2018 JPCERT/CC All rights reserved. Why do we need malware configuration data? Many variants of malware code ar...
Copyright ©2018 JPCERT/CC All rights reserved.4 How to Extract Malware Configuration Data Manually It's very simple.
Copyright ©2018 JPCERT/CC All rights reserved. Malware Analysis • Understand encryption techniques • Understand configurat...
Copyright ©2018 JPCERT/CC All rights reserved. Create tool 6 How to Extract Malware Configuration Data Manually Step 2 Tha...
Copyright ©2018 JPCERT/CC All rights reserved. How to Extract PlugX Configuration In PlugX data, PlugX main module and con...
Copyright ©2018 JPCERT/CC All rights reserved. PlugX Encoding Method 8 PlugX uses a custom encoding method. Config size 0x...
Copyright ©2018 JPCERT/CC All rights reserved.9 PlugX Configuration Structure
Copyright ©2018 JPCERT/CC All rights reserved. How to Extract TSCookie Configuration TSCookie uses only RC4 for encryption...
Copyright ©2018 JPCERT/CC All rights reserved.11 TSCookie Configuration Structure
Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan is a Volatility plugin that extracts configuration data of know...
Copyright ©2018 JPCERT/CC All rights reserved. Example (RedLeaves configuration data) 13
Copyright ©2018 JPCERT/CC All rights reserved. Supported Malware Families Supported Malware Families Ursnif TSCookie AZORu...
Copyright ©2018 JPCERT/CC All rights reserved. Supported Malware Families Supported Malware Families Ursnif TSCookie AZORu...
Copyright ©2018 JPCERT/CC All rights reserved.16 Question Why use Volatility?
Copyright ©2018 JPCERT/CC All rights reserved. Advantages of Dumping Configuration Data from Memory • Unpacking malware is...
Copyright ©2018 JPCERT/CC All rights reserved. This tool also dumps more than configuration data if needed. In Addition Co...
Copyright ©2018 JPCERT/CC All rights reserved. Example (Bebloh configuration data and DGAs) 19
Copyright ©2018 JPCERT/CC All rights reserved. Example (FormBook decoded strings) 20
Copyright ©2018 JPCERT/CC All rights reserved. malstrscan function can list strings to which the hollowed process refers. ...
Copyright ©2018 JPCERT/CC All rights reserved. Example 22
Copyright ©2018 JPCERT/CC All rights reserved. D E M O N S T R A T I O N 23
Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan Wiki https://github.com/JPCERTCC/MalConfScan/wiki How to Use 24
Copyright ©2018 JPCERT/CC All rights reserved. Automation! Next Stage 25
Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan-with-Cuckoo is Cuckoo Sandbox plugin for MalConfScan. The plugi...
Copyright ©2018 JPCERT/CC All rights reserved. This tool uses Cuckoo's memory dump function to extract configuration data ...
Copyright ©2018 JPCERT/CC All rights reserved. Overview 28
Copyright ©2018 JPCERT/CC All rights reserved. GUI 29
Copyright ©2018 JPCERT/CC All rights reserved. Anti-analysis functions disturbs the analysis in sandbox Some of the malwar...
Copyright ©2018 JPCERT/CC All rights reserved. Generic — Language settings — Execution after reboot — Total physical memor...
Copyright ©2018 JPCERT/CC All rights reserved.32 How to bypass anti-analysis Configure your VM.
Copyright ©2018 JPCERT/CC All rights reserved. Malware Analysis • Understand anti-analysis techniques 33 How to bypass ant...
Copyright ©2018 JPCERT/CC All rights reserved. Configure VM settings 34 How to bypass anti-analysis Step 2 That's all.
Copyright ©2018 JPCERT/CC All rights reserved.35 How to configure you VM Ursnif have some anti-analysis functions. CPU Bra...
Copyright ©2018 JPCERT/CC All rights reserved.36 Anti-Analysis : CPU Brand Name Detection Call CPUID opcode to dump the CP...
Copyright ©2018 JPCERT/CC All rights reserved.37 Anti-Anti-Analysis: Fake the CPU Brand Name (VMware) Fake the return valu...
Copyright ©2018 JPCERT/CC All rights reserved.38 Before After
Copyright ©2018 JPCERT/CC All rights reserved.39 Anti-Analysis : Device Name Detection Call Win32API to get the device nam...
Copyright ©2018 JPCERT/CC All rights reserved.40 Anti-Anti-Analysis: Modify the Device Name (VMware) Modify the device nam...
Copyright ©2018 JPCERT/CC All rights reserved.41 Recommended setting for Anti-Anti-Analysis Do NOT use VMware tools or Vir...
Copyright ©2018 JPCERT/CC All rights reserved. D E M O N S T R A T I O N 42
Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan with Cuckoo wiki https://github.com/JPCERTCC/MalConfScan-with-C...
Copyright ©2018 JPCERT/CC All rights reserved.44 Feature works Volatility3 is out!
Copyright ©2018 JPCERT/CC All rights reserved. T h a n k y o u ! @jpcert_en ir-info@jpcert.or.jp PGP https://www.jpcert.or...
Upcoming SlideShare
Loading in …5
×

[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction System by Tomoaki Tani, Shusei Tomonaga

272 views

Published on

Overall, malware activity is increasing day by day; the automation of malware analysis using sandbox system has become widespread. Such automated analysis systems are created to clarify the behavior of programs on Windows, such as communication and file registry creation. However, malware analysts spend more time extracting the configuration data embedded in the malware than grasping such behavior of the malware.

There are two reasons. The first is that many malware variants only differ in their configuration data, and have the same code. It means that the analysis of malware is complete if only the malware type and setting configuration are known. The second reason is that malware configuration data often contains attacking campaign information and the encryption keys of malware communication. These pieces of data are essential clues in advancing incident response. However, such data is often encrypted and can not be easily extracted. It is necessary to clarify the details of each malware by static analysis to extract the configuration data.

To bridge the gap of the sandbox system and malware analysts, we developed a new tool. It supports the task of extracting malware configuration data for malware analysts and incident responders. With these tools, we could automatically extract the known malware's configuration data and reduce the time spent on malware analysis. Furthermore, these tools can also use for memory forensics. By using it in memory forensics, victims affected by a malware infection can quickly obtain the data necessary for investigating, such as the destination hosts associated with the malware and the communication encryption keys.

Published in: Presentations & Public Speaking
no profile picture user

  • Login to see the comments

  • Be the first to like this

[CB19] MalConfScan with Cuckoo: Automatic Malware Configuration Extraction System by Tomoaki Tani, Shusei Tomonaga

  1. 1. Shusei Tomonaga (JPCERT/CC) Tomoaki Tani (JPCERT/CC)
  2. 2. Copyright ©2018 JPCERT/CC All rights reserved. Motivation Sandbox Malware Analyst Perfect! That's not what I want… Huma n 1
  3. 3. Copyright ©2018 JPCERT/CC All rights reserved. Motivation Sandbox Malware Analyst I want configuration data! Huma n 2 Perfect!
  4. 4. Copyright ©2018 JPCERT/CC All rights reserved. Why do we need malware configuration data? Many variants of malware code are almost unchanged, and only configuration data is different. • If the configuration data is known, there is no need for static analysis. Configuration data contains important information that cannot be obtained by Sandbox analysis. • Including campaign id, encryption key etc. 3
  5. 5. Copyright ©2018 JPCERT/CC All rights reserved.4 How to Extract Malware Configuration Data Manually It's very simple.
  6. 6. Copyright ©2018 JPCERT/CC All rights reserved. Malware Analysis • Understand encryption techniques • Understand configuration structures 5 How to Extract Malware Configuration Data Manually Step 1
  7. 7. Copyright ©2018 JPCERT/CC All rights reserved. Create tool 6 How to Extract Malware Configuration Data Manually Step 2 That's all.
  8. 8. Copyright ©2018 JPCERT/CC All rights reserved. How to Extract PlugX Configuration In PlugX data, PlugX main module and configuration are encoded. Code Encoded Code & PlugX & Config Code LZNT1 Compress PlugX Encoded + LZNT1 Config Decmpress PlugX Config Decoded Code Injection Process
  9. 9. Copyright ©2018 JPCERT/CC All rights reserved. PlugX Encoding Method 8 PlugX uses a custom encoding method. Config size 0x2540 Config size 0x36A4
  10. 10. Copyright ©2018 JPCERT/CC All rights reserved.9 PlugX Configuration Structure
  11. 11. Copyright ©2018 JPCERT/CC All rights reserved. How to Extract TSCookie Configuration TSCookie uses only RC4 for encryption. Code Encrypted Resource Decoded Code TSCookie RC4 Config TSCookie Config
  12. 12. Copyright ©2018 JPCERT/CC All rights reserved.11 TSCookie Configuration Structure
  13. 13. Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan is a Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. MalConfScan searches for malware in memory images and dumps configuration data. What is MalConfScan? 12
  14. 14. Copyright ©2018 JPCERT/CC All rights reserved. Example (RedLeaves configuration data) 13
  15. 15. Copyright ©2018 JPCERT/CC All rights reserved. Supported Malware Families Supported Malware Families Ursnif TSCookie AZORult Emotet TSC_Loader NanoCore RAT Smoke Loader xxmm AgentTesla PoisonIvy Datper FormBook CobaltStrike Ramnit NodeRAT NetWire HawkEye njRAT PlugX Lokibot TrickBot RedLeaves Bebloh Remcos QuasarRAT 14
  16. 16. Copyright ©2018 JPCERT/CC All rights reserved. Supported Malware Families Supported Malware Families Ursnif TSCookie AZORult Emotet TSC_Loader NanoCore RAT Smoke Loader xxmm AgentTesla PoisonIvy Datper FormBook CobaltStrike Ramnit NodeRAT NetWire HawkEye njRAT PlugX Lokibot TrickBot RedLeaves Bebloh Remcos QuasarRAT 15
  17. 17. Copyright ©2018 JPCERT/CC All rights reserved.16 Question Why use Volatility?
  18. 18. Copyright ©2018 JPCERT/CC All rights reserved. Advantages of Dumping Configuration Data from Memory • Unpacking malware is not necessary when extracting configuration data. No Need to Unpack • Configuration data may be already decoded. • No need to know how to decrypt configuration data. No Need to Decode 17
  19. 19. Copyright ©2018 JPCERT/CC All rights reserved. This tool also dumps more than configuration data if needed. In Addition Configuration Data Decoded Strings DGA Domains 18
  20. 20. Copyright ©2018 JPCERT/CC All rights reserved. Example (Bebloh configuration data and DGAs) 19
  21. 21. Copyright ©2018 JPCERT/CC All rights reserved. Example (FormBook decoded strings) 20
  22. 22. Copyright ©2018 JPCERT/CC All rights reserved. malstrscan function can list strings to which the hollowed process refers. Additional Feature Configuration data is usually encoded by malware. Most of malwares writes decoded configuration data on memory. This feature list decoded configuration data when possible. 21
  23. 23. Copyright ©2018 JPCERT/CC All rights reserved. Example 22
  24. 24. Copyright ©2018 JPCERT/CC All rights reserved. D E M O N S T R A T I O N 23
  25. 25. Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan Wiki https://github.com/JPCERTCC/MalConfScan/wiki How to Use 24
  26. 26. Copyright ©2018 JPCERT/CC All rights reserved. Automation! Next Stage 25
  27. 27. Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan-with-Cuckoo is Cuckoo Sandbox plugin for MalConfScan. The plugin adds the function to extract known malware's configuration data from memory dump and add the MalConfScan report to Cuckoo Sandbox. What is MalConfScan-with-Cuckoo? 26
  28. 28. Copyright ©2018 JPCERT/CC All rights reserved. This tool uses Cuckoo's memory dump function to extract configuration data of executed malware from memory dumps. How it Works 27
  29. 29. Copyright ©2018 JPCERT/CC All rights reserved. Overview 28
  30. 30. Copyright ©2018 JPCERT/CC All rights reserved. GUI 29
  31. 31. Copyright ©2018 JPCERT/CC All rights reserved. Anti-analysis functions disturbs the analysis in sandbox Some of the malware have these functions — Ursnif variants (targeting Japan) etc. 30 Anti-analysis
  32. 32. Copyright ©2018 JPCERT/CC All rights reserved. Generic — Language settings — Execution after reboot — Total physical memory — Count of processors etc. Virtualization — CPUID (CPU brand, virtualization setting, etc.) — Device info (Device name, MAC address, etc.) — Registry keys etc. Processes — Process name (wireshark, OllyDbg, Process Monitor, etc.) 31 Anti-analysis techniques
  33. 33. Copyright ©2018 JPCERT/CC All rights reserved.32 How to bypass anti-analysis Configure your VM.
  34. 34. Copyright ©2018 JPCERT/CC All rights reserved. Malware Analysis • Understand anti-analysis techniques 33 How to bypass anti-analysis Step 1
  35. 35. Copyright ©2018 JPCERT/CC All rights reserved. Configure VM settings 34 How to bypass anti-analysis Step 2 That's all.
  36. 36. Copyright ©2018 JPCERT/CC All rights reserved.35 How to configure you VM Ursnif have some anti-analysis functions. CPU Brand Detection Device Name Detection Debugger Detection Boot-time Detection
  37. 37. Copyright ©2018 JPCERT/CC All rights reserved.36 Anti-Analysis : CPU Brand Name Detection Call CPUID opcode to dump the CPU brand name. Check the CPU brand name if it includes “XEON”. mov eax, 8000000[2-4]h __cpuid
  38. 38. Copyright ©2018 JPCERT/CC All rights reserved.37 Anti-Anti-Analysis: Fake the CPU Brand Name (VMware) Fake the return value of CPUID with VM configuration cpuid.80000002.0.eax = "0110:0101:0111:0100:0110:1110:0100:1001" cpuid.80000002.0.ebx = "0010:1001:0101:0010:0010:1000:0110:1100" cpuid.80000002.0.ecx = "0111:0010:0110:1111:0100:0011:0010:0000" cpuid.80000002.0.edx = "0100:1101:0101:0100:0010:1000:0110:0101" cpuid.80000003.0.eax = "0011:0101:0110:1001:0010:0000:0010:1001" cpuid.80000003.0.ebx = "0011:0101:0101:1001:0011:0111:0010:1101" cpuid.80000003.0.ecx = "0101:0000:0100:0011:0010:0000:0011:0100" cpuid.80000003.0.edx = "0010:0000:0100:0000:0010:0000:0101:0101" cpuid.80000004.0.eax = "0011:0000:0011:0010:0010:1110:0011:0001" cpuid.80000004.0.ebx = "0000:0000:0111:1010:0100:1000:0100:0111" cpuid.80000004.0.ecx = "0000:0000:0000:0000:0000:0000:0000:0000" cpuid.80000004.0.edx = "0000:0000:0000:0000:0000:0000:0000:0000" Insert following settings to your .vmx file
  39. 39. Copyright ©2018 JPCERT/CC All rights reserved.38 Before After
  40. 40. Copyright ©2018 JPCERT/CC All rights reserved.39 Anti-Analysis : Device Name Detection Call Win32API to get the device name Check the device name includes specific strings
  41. 41. Copyright ©2018 JPCERT/CC All rights reserved.40 Anti-Anti-Analysis: Modify the Device Name (VMware) Modify the device name. scsi0:0.productID = "Toshiba SSD" scsi0:0.vendorID = "Toshiba" scsi1:0.productID = "Toshiba SSD" scsi1:0.vendorID = "Toshiba" Insert following settings to your .vmx file
  42. 42. Copyright ©2018 JPCERT/CC All rights reserved.41 Recommended setting for Anti-Anti-Analysis Do NOT use VMware tools or VirtualBox guest additions. Use local language OS for VM Modify the CPUID response Modify the Device name Modify the NIC (MAC address)
  43. 43. Copyright ©2018 JPCERT/CC All rights reserved. D E M O N S T R A T I O N 42
  44. 44. Copyright ©2018 JPCERT/CC All rights reserved. MalConfScan with Cuckoo wiki https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki How to Use 43
  45. 45. Copyright ©2018 JPCERT/CC All rights reserved.44 Feature works Volatility3 is out!
  46. 46. Copyright ©2018 JPCERT/CC All rights reserved. T h a n k y o u ! @jpcert_en ir-info@jpcert.or.jp PGP https://www.jpcert.or.jp/english/pgp/ Contact https://github.com/JPCERTCC/MalConfScan https://github.com/JPCERTCC/MalConfScan-with-Cuckoo 45

×