Quick and dirty binary analysis using sandboxes
I won’t go over the usual lecture on patching, firewalling and Intrusion Detection here; we’ll skip straight to what happens if you think you might have an issue. Suffice to say that the first two will avoid some problems, and the last will help you work out what actually happened if you do.
This isn’t an article on malware reverse engineering – it’s an easy how-to, showing how you can use resources like malwr.com to analyse suspicious samples quickly and decide if they’re likely to be a real threat.
So, I can’t have been the only admin to have had a sheepish user approach and tell me they accidentally clicked on something that they possibly shouldn’t have. Alternatively, it may come to your attention when someone tries to put a file on a share which is AV-scanned, or you may encounter it when a desktop PC has slowed to an unreasonable extent and you’re asked to fix it. Hint: if you’re in Sec Ops, and you have a separate team for desktop support, you will learn a lot by talking to them.
This is a randomly chosen sample that hit one of my honeypots recently. You’ll notice that it was recognised by only a handful of AV companies at the time of analysis. However, it’s enough to make you worry about the binary. I’ve analysed it at https://malwr.com/ – one of the many awesome things that ShadowServer does.
(I don’t intend to have a go at AV vendors here – but it’s important to realise that you will occasionally have malware which your chosen vendor does not immediately detect.)
Signature matching is also handy on the summary page. We can already see this is bad news.
And further down in behavioural analysis, you can see what domains and hosts it tries to interact with. “videos.p0rn-lover.us” doesn’t sound like one of the websites we thought about when writing the Internet Access policy, does it?
If you’re still unsure, or you want to try and see what the actual damage has been, you can dig into the behavioural analysis to find out step by step actions. This is a short excerpt of some of the registry activity of the sample:
TIME | API | ARGUMENTS | STATUS | RETURN |
--- | --- | --- | --- | --- |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: FromCacheTimeout Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: SecureProtocols Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName:CertificateRevocation Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: DisableKeepAlive Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: DisablePassport Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: CacheMode Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x00000000 Registry: 0x80000002 SubKey:SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x00000000 Registry: 0x80000001 SubKey:SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x00000088 Registry: 0x80000002 SubKey:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x0000008c Registry: 0x80000001 SubKey:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000008c Data: 1 ValueName: EnableHttp1_1 | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegCloseKey | Handle: 0x00000000 | failed | 0x00000006 |
2014-05-11 19:07:04,625 | RegCloseKey | Handle: 0x00000088 | success | 0x00000000 |
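Reading a behavioural log like the one above by hand gets tedious quickly, because the interesting calls (RegQueryValueExA, RegCloseKey) only name a handle, and you have to scroll back to the RegOpenKeyExA that returned it to know which key was actually touched. The following is an added example, not code from this post or from malwr.com: a small Python replay of that handle bookkeeping over a few lines copied from the excerpt (rearranged and constructed as sample input). It assumes the `TIME | API | ARGUMENTS | STATUS | RETURN` layout shown above, that the `Handle:` argument on RegOpenKeyExA is the handle returned to the caller (as the excerpt shows), and it uses the standard hive constants (0x80000002 = HKEY_LOCAL_MACHINE, 0x80000001 = HKEY_CURRENT_USER) and the Win32 error codes 2 (ERROR_FILE_NOT_FOUND) and 6 (ERROR_INVALID_HANDLE). The handle 0x7c in the excerpt was opened before the excerpt starts, so the example reports it as unresolved instead of guessing.

```python
import re

# Constructed sample input in the layout of the malwr.com (Cuckoo) behavioural
# log excerpt: TIME | API | ARGUMENTS | STATUS | RETURN. Values are copied from
# the excerpt; the line order is rearranged so the example stays short.
SAMPLE_LOG = r"""
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000007c DataLength: 4 ValueName: SecureProtocols Type: 124 | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x00000000 Registry: 0x80000002 SubKey:SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings | failed | 0x00000002 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x00000088 Registry: 0x80000002 SubKey:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegOpenKeyExA | Handle: 0x0000008c Registry: 0x80000001 SubKey:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegQueryValueExA | Handle: 0x0000008c Data: 1 ValueName: EnableHttp1_1 | success | 0x00000000 |
2014-05-11 19:07:04,625 | RegCloseKey | Handle: 0x00000000 | failed | 0x00000006 |
2014-05-11 19:07:04,625 | RegCloseKey | Handle: 0x00000088 | success | 0x00000000 |
"""

# Predefined registry hive handles (documented Win32 constants).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
# The Win32 error codes that occur in the excerpt.
WIN32_ERRORS = {0x0: "ERROR_SUCCESS", 0x2: "ERROR_FILE_NOT_FOUND", 0x6: "ERROR_INVALID_HANDLE"}

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \| (?P<api>\w+) \| (?P<args>.*?) \| "
    r"(?P<status>success|failed) \| (?P<ret>0x[0-9a-fA-F]+) \|?\s*$"
)
# ARGUMENTS is a run of "Name: value" pairs; a value runs until the next "Name:"
# token, so a SubKey such as "...\Internet Settings" survives with its space.
ARG_RE = re.compile(r"(\w+):\s*(.*?)(?=\s+\w+:|$)")


def parse_line(line):
    """Split one log row into its columns; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": m.group("time"), "api": m.group("api"),
            "args": dict(ARG_RE.findall(m.group("args"))),
            "status": m.group("status"), "ret": int(m.group("ret"), 16)}


def replay_registry_calls(log_text):
    """Walk the log in order, remembering the handle each successful RegOpenKeyExA
    returned, so later RegQueryValueExA / RegCloseKey calls can be reported against
    a full key path instead of an opaque handle."""
    open_handles = {}
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        api, args = rec["api"], rec["args"]
        handle = args.get("Handle")
        unresolved = "<handle %s not opened in excerpt>" % handle
        if api == "RegOpenKeyExA":
            hive = HIVES.get(int(args["Registry"], 16), args["Registry"])
            key = hive + "\\" + args["SubKey"]
            if rec["status"] == "success":
                open_handles[handle] = key
        elif api == "RegQueryValueExA":
            # A handle never seen in an open call means the log is truncated.
            key = open_handles.get(handle, unresolved)
        elif api == "RegCloseKey":
            key = open_handles.pop(handle, unresolved)
        else:
            key = None
        events.append({"api": api, "key": key, "value": args.get("ValueName"),
                       "data": args.get("Data"), "status": rec["status"],
                       "error": WIN32_ERRORS.get(rec["ret"], hex(rec["ret"]))})
    return events


def summarise(events):
    """Group the replayed calls into what an analyst asks first: which keys were
    opened, which lookups hit keys that do not exist, what values were read."""
    opened = {e["key"] for e in events if e["api"] == "RegOpenKeyExA" and e["status"] == "success"}
    missing = {e["key"] for e in events if e["api"] == "RegOpenKeyExA" and e["status"] == "failed"}
    return {
        "opened": sorted(opened),
        "missing": sorted(missing),
        "values_read": [(e["key"], e["value"], e["data"]) for e in events
                        if e["api"] == "RegQueryValueExA" and e["status"] == "success"],
        "unresolved": sorted({e["key"] for e in events if e["key"] and e["key"].startswith("<handle")}),
    }


if __name__ == "__main__":
    for section, items in summarise(replay_registry_calls(SAMPLE_LOG)).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the full malwr.com log rather than this excerpt and the `unresolved` list shrinks to nothing, while `values_read` turns into a plain list of "key, value, data" triples you can compare against a clean baseline or hand to whoever rebuilds the machine.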
At this point, you should be in a position where you know if you need to:
- do nothing.
- wipe the machine involved and send a sample to your AV vendor for inclusion in their next update.
- call in some experts.
- start circulating your Curriculum Vitae.
You’re welcome to have a poke around this sample here – https://malwr.com/analysis/OTJmMWEyOWFlMWViNDJjMThlNGRiYjAxNWZkNzY5YTg/ – it should be public access. As with all these things, it’s better to have a quick play before you have an incident on your hands.
If you want to get even deeper into this, you can run a Dionaea honeypot on a public IP address and see what you get – though your user base may keep supplying you with sufficient fresh samples if you’re really lucky. Someone built an image if you haven’t got time to do your own – but I can’t vouch for it, not having given it a spin:
http://bruteforce.gr/honeydrive/