Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro - PowerPoint PPT Presentation


  1. Tasty Malware Analysis with T.A.C.O.: Bringing Cuckoo Reports into IDA Pro
     Ruxcon 2015
     Jason Jones

  2. Who Am I?
     • Sr. Security Research Analyst for Arbor Networks’ ASERT
     • Attend AHA! in Austin semi-frequently
     • Welcome to the track!
     • Speaker at
       – BlackHat USA / Botconf / AusCERT / REcon
     • Research interests
       – RE automation
       – Malware clustering
       – Graph database applications to Reverse Engineering / Threat Intel

  3. Agenda
     • Similar Work
     • Malware Behaviors
     • Cuckoo Sandbox
     • TACO
       – Features
       – UI
       – Demo
       – Future Work

  4. Similar Work

  5. Similar Work
     • Nothing (that I know of) uses Cuckoo as its mechanism for propagating data into an IDB
     • Inspired by similar work from many authors
     • UI takes inspiration from IDAScope by Daniel Plohmann (@push_pnx)
       – Excellent plugin, in my toolbox

  6. funcap
     • https://github.com/deresz/funcap
     • IDA Pro script to add some useful runtime info to static analysis

  7. IDA Pro pintracer
     • Maintained by Hex-Rays
     • Highlights executed instructions
     • Can also track registers

  8. Joe Sandbox
     • Commercial product from Joe Security
     • Can produce execution graphs
     • Claims to have a similar plugin
       – Never used personally
     • Seeing that they were using API traces gave inspiration to look into doing similar with Cuckoo
     • Opted not to attempt to find the code so my plugin would be "clean"

  9. Malware Analysis Challenges

  10. Packers / Crypters
     • Compress or encrypt code, designed to make malware less detectable
     • UPX most popular packer (also watch out for things that look like, but are not, UPX)
     • Lots of packers with various trial licenses
     • TitaniumCore by ReversingLabs can help automate unpacking
     • No known (to me) automatic un-crypters
     • PIN and DynamoRIO have tools to facilitate unpacking
     • IDA Pro's "Universal Unpacker" plugin has been useful at times

  11. Self Modifying Code
     • Exhibited by numerous malware families
       – Shylock
       – Andromeda / Gamarue
     • Modify code that already exists instead of allocating new memory to unpack into
     • Original code is usually stomped during execution
     • More problematic for automated dumps

  12. Process / DLL Injection
     • Can be done via
       – CreateRemoteThread (Suspended)
       – QueueUserAPC
       – Process Hollowing
     • Cuckoo uses injection to get its monitor DLL into malicious processes

  13. DLL Side Loading
     • Popular technique with targeted malware
       – PlugX
       – HTTP Browser RAT
     • Load malicious DLL into a legit (signed) executable
     • Bypass (some) AV
     • Bypass controls that require code to run inside a signed exe

  14. Cuckoo Sandbox

  15. Cuckoo Sandbox
     • Likely the most popular open-source / free sandbox available
     • 2.0 supports Android (via emulator), Linux, and x64 analysis
     • Switch to new monitor code
     • Third-party kernel introspection support: "zer0m0n"
     • Popular fork "cuckoo-modified" by @spender of Optiv, Inc. (Accuvant)
       – https://github.com/brad-accuvant/cuckoo-modified
       – Contains bugfixes + additions to the old cuckoomon not available in trunk
     • Cuckoo 2.0 solves many of the issues we relied on the -modified fork for and adds new things

  16. Cuckoo Sandbox
     • Multiple analysis methods
     • Cuckoo Monitor DLL injected into spawned process
       – Injects into any other spawned / injected processes
       – Hooks many common API calls
       – Nothing is immune to un-hooking, including the Monitor
     • Logs
       – Win32 API calls
       – Registry
       – Created / Modified Files
     • Postprocessing Signatures

  17. Cuckoo Behavior Report

  18. Cuckoo Behavior - Calls: Caller / Parent Caller Addresses

  19. Cuckoo Behavior JSON - cuckoo-modified

  20. Cuckoo Behavior JSON - 2.0

  21. ASERT's Sandbox Usage
     • Treat Cuckoo (and other sandboxes) as a black box
       – Malware in, report / memory dumps / files out
       – Tasks deleted upon completion
     • Centralized malware processing system
       – Normalize + insert results
       – Post-processing of memory, network traffic, behavior
       – Custom post-processing of specific families to extract various sample properties

  22. Cuckoo API Additions Needed
     • Cuckoo can produce a process dump
       – This is not loadable by IDA Pro (AFAIK)
       – Can be extremely large, especially in the case of {explorer,svchost,iexplore,etc.}.exe
     • Can also produce a full RAM dump
       – Volatility has plugins to dump processes, DLLs, VADs
     • Dumping a process as a PE is not supported natively by Cuckoo
       – Because running Volatility takes time, decided Cuckoo's own processing was not the right place for it
     • Don't always want dumps, sometimes we need to do "extra"
     • Added a new API call to allow arbitrary Volatility plugins to run "on-demand"

  23. API Additions Needed (cont.)
     • Run Volatility against the RAM dump to get process dumps for all known PIDs
     • Injection detected = run malfind and dump pages
     • Stitch dumped memory pages into process dumps for a "complete" view
     • Supports family-specific behavior
       – DLL dump
       – Specific process / memdumps

  24. Dumping Memory
     • That said... malfind doesn't always find everything
       – Will not dump a DLL injected with CreateRemoteThread + LoadLibrary, by design (the mapping is file-backed, so it is not flagged)
       – Permissions stomp (page protections reset after the write) = undetected
     • Walk the Cuckoo API calls per process
       – Get the list of memory ranges that contain executed code
     • Run vadwalk for the PID
       – Parse the output and find all the VADs required to cover what got executed
     • Request those VADs, then order them together with the malfind VADs and stitch an executable together
     • Using that dump, can now follow execution much better

  25. Creating the Memory Dump
     • Attempted to add the regions as sections using http://git.n0p.cc/?p=SectionDoubleP.git
       – Works great for any case where the section is above ImageBase
       – BUT many malware families like to inject below the ImageBase
         • Modify ImageBase
         • Modify each existing section's VirtualAddress
         • Modify AddressOfEntryPoint
         • Add sections...
         • Fail.
     • Fallback to using IDA Pro segment create / put_many_bytes
       – Non-ideal, but the IDA plugin requires IDA Pro anyway...
     • Non-trivial method of creating dumps, but worth it

  26. Memory Dump Process Output
     python create_voldump.py --task 294832 --pid 3816
     [+] Base memory range: 01000000 -> 01005600
     [+] Interesting page: 0x000C0000
     [+] Interesting page: 0x00B40000
     [+] Interesting page: 0x00B50000
     [+] Interesting page: 0x00B60000
     [+] Interesting page 0x000C0000 is in VAD 0x000C0000 - 0x000DCFFF
     [+] Interesting page 0x00B40000 is in VAD 0x00B40000 - 0x00B70FFF
     [+] Interesting page 0x00B50000 is in VAD 0x00B40000 - 0x00B70FFF
     [+] Interesting page 0x00B60000 is in VAD 0x00B40000 - 0x00B70FFF
     [+] Retrieving VAD 0x000C0000
     [+] Retrieving VAD 0x00B40000
     [+] Generating IDB with new memory regions
     [+] IDB available at explorer.exe-3816.idb
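The VAD-selection procedure from the "Dumping Memory" and "Memory Dump Process Output" slides, as an added example. This is not create_voldump.py from the talk; it is a stand-alone Python sketch of the same selection logic written for this page. It takes a constructed cuckoo-modified style behavior fragment (the "caller" / "parentcaller" key names and hex-string format are assumptions), constructed text approximating Volatility 2 vadwalk output (the parser finds the Start/End columns by header name, so the exact column layout is not relied on), a constructed malfind result and a constructed list of file-backed system module ranges, and returns the interesting pages and the ordered VAD list that would then be retrieved and stitched together.

```python
"""Pick the VADs that must be pulled from a RAM dump to cover executed code.

Added example, not the create_voldump.py from the talk.  It mirrors the
"Dumping Memory" slide: walk the Cuckoo API calls for one PID, collect the
caller / parent-caller addresses, map each one that lies outside the main
image onto a VAD from `vadwalk`, then merge those VADs with the ones malfind
already flagged so they can be stitched into one dump.
"""
import json

# Constructed cuckoo-modified style behavior fragment.  The "caller" /
# "parentcaller" key names and hex-string format are assumptions.
SAMPLE_BEHAVIOR = json.dumps({
    "processes": [
        {"process_id": 3816, "process_name": "explorer.exe", "calls": [
            {"api": "NtAllocateVirtualMemory", "caller": "0x01001a20", "parentcaller": "0x01001000"},
            {"api": "CreateProcessInternalW",  "caller": "0x000c0a10", "parentcaller": "0x000c0000"},
            {"api": "NtWriteVirtualMemory",    "caller": "0x00b41230", "parentcaller": "0x00b5fff0"},
            {"api": "LdrGetProcedureAddress",  "caller": "0x00b60100", "parentcaller": "0x00b60080"},
            # return address inside ntdll: file-backed, must not be stitched in
            {"api": "NtClose",                 "caller": "0x7c80ae40", "parentcaller": "0x00b60120"},
        ]},
    ]
})

# Constructed text approximating Volatility 2 `vadwalk` output; the exact
# column layout is an assumption, so the parser locates Start/End by header name.
SAMPLE_VADWALK = """\
Pid:   3816
Address    Parent     Left       Right      Start      End        Tag
---------- ---------- ---------- ---------- ---------- ---------- ----
0x8a1b2c00 0x00000000 0x8a1b2d00 0x8a1b2e00 0x01000000 0x01005fff Vad
0x8a1b2d00 0x8a1b2c00 0x00000000 0x00000000 0x000c0000 0x000dcfff VadS
0x8a1b2e00 0x8a1b2c00 0x00000000 0x8a1b2f00 0x00b40000 0x00b70fff VadS
0x8a1b2f00 0x8a1b2e00 0x00000000 0x00000000 0x7c800000 0x7c8f5fff Vad
"""

BASE_RANGE = (0x01000000, 0x01005600)        # ImageBase .. ImageBase+SizeOfImage (constructed)
MALFIND_VADS = [(0x00B40000, 0x00B70FFF)]    # what malfind flagged for this PID (constructed)
SYSTEM_MODULES = [(0x7C800000, 0x7C8F5FFF)]  # file-backed DLLs to skip; constructed, would come from a module list
GRANULARITY = 0x10000                        # report pages at 64 KiB allocation granularity (assumption)


def parse_vadwalk(text):
    """Return sorted [(start, end)] for every VAD row in vadwalk text output."""
    vads, start_idx, end_idx = [], None, None
    for line in text.splitlines():
        cols = line.split()
        if "Start" in cols and "End" in cols:          # header row: learn column positions
            start_idx, end_idx = cols.index("Start"), cols.index("End")
            continue
        if start_idx is None or len(cols) <= end_idx or not cols[start_idx].startswith("0x"):
            continue                                   # banner, separator or short row
        vads.append((int(cols[start_idx], 16), int(cols[end_idx], 16)))
    return sorted(vads)


def executed_addresses(behavior_json, pid):
    """Every caller / parentcaller address Cuckoo logged for `pid`."""
    addrs = set()
    for proc in json.loads(behavior_json)["processes"]:
        if proc["process_id"] != pid:
            continue
        for call in proc["calls"]:
            for key in ("caller", "parentcaller"):
                if call.get(key):
                    addrs.add(int(call[key], 16))
    return addrs


def in_any(addr, ranges):
    return any(start <= addr <= end for start, end in ranges)


def find_vad(vads, addr):
    """The (start, end) VAD containing addr, or None if the region is gone."""
    for start, end in vads:
        if start <= addr <= end:
            return (start, end)
    return None


def interesting_pages(behavior_json, pid, base_range=BASE_RANGE, skip=SYSTEM_MODULES):
    """Executed code outside the main image and outside known system DLLs, per 64 KiB page."""
    pages = set()
    for addr in executed_addresses(behavior_json, pid):
        if in_any(addr, [base_range]) or in_any(addr, skip):
            continue
        pages.add(addr & ~(GRANULARITY - 1))
    return sorted(pages)


def plan_dump(behavior_json, vadwalk_text, pid, base_range=BASE_RANGE,
              malfind_vads=MALFIND_VADS, skip=SYSTEM_MODULES):
    """Sorted, de-duplicated VADs to retrieve: the image itself, every VAD that
    contains executed code outside it, and the malfind hits merged in."""
    vads = parse_vadwalk(vadwalk_text)
    wanted = {base_range}
    for addr in executed_addresses(behavior_json, pid):
        if in_any(addr, [base_range]) or in_any(addr, skip):
            continue
        vad = find_vad(vads, addr)
        if vad is not None:          # None: region already freed or stomped, nothing left to dump
            wanted.add(vad)
    wanted.update(malfind_vads)
    return sorted(wanted)


if __name__ == "__main__":
    print("[+] Base memory range: %08X -> %08X" % BASE_RANGE)
    for page in interesting_pages(SAMPLE_BEHAVIOR, 3816):
        print("[+] Interesting page: 0x%08X" % page)
    for start, end in plan_dump(SAMPLE_BEHAVIOR, SAMPLE_VADWALK, 3816):
        print("[+] Retrieving VAD 0x%08X - 0x%08X" % (start, end))
```

Three edge cases from the slides are handled explicitly: callers inside the main image are skipped because that range is dumped whole anyway; callers that land in a file-backed system DLL (ntdll in the constructed data) are skipped rather than stitched in, which is also why malfind on its own misses a DLL brought in by CreateRemoteThread + LoadLibrary; and a caller whose VAD no longer exists in the vadwalk output yields None, since a freed or stomped region cannot be recovered from the RAM dump. Merging the malfind VADs last keeps pages that were never the target of a logged call but were flagged as injected.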

  27. TACO

  28. Overview
     • Started out as dynamically generated Python scripts
       – Clunky, prevented doing "cool" things
       – Dynamically generating "clean" IDAPython is hard
     • Some features incompatible with Cuckoo 1.2 due to lack of call metadata
     • Cuckoo-Modified and the current Cuckoo 2.0-dev branch supported for markup
       – Cuckoo 2.0-dev is still a WIP as some oddities are encountered
     • Idea sprung out of Joe Security's posts about execution graphs and seeing they imported analysis info into IDA
     • Prior usage of tools like funcap and IDA's pintracer

  29. TACO Overview
     • What does TACO stand for?
       – It's fluid..
       – Considered naming it TACOZ - Tasty Analysis using Cuckoo Output and Zoidberg
       – Because why not Zoidberg?
     • Consists of Cuckoo-based tabs for showing:
       – Processes
       – API Calls
       – Signatures
       – Imports
     • Also includes other IDAPython scripts I have developed
       – Byte / Stack String viewer
       – "Interesting" XOR locator
       – Switch Jump / Case statement viewer

  30. Loader Tab
     • Main location to show a process tree and allow specific processes to be inspected
     • Screenshot callout: a process that was injected into (not created) does not appear in the tree under the main process

  31. API Call Tab
     • Reproduction of Cuckoo's output
     • Filterable / Searchable / Clickable
       – Filterable by Category
       – Filterable by Call / Argument value
       – Each row color-coded and double-clickable

  32. API Call Tab (cont.)
     • Add / Remove Markup to IDB
       – All
       – Category
     • Context menu
       – Markup per Instruction
       – Copy value

  33. Imports Tab
     • Tries to detect dynamic imports via direct / indirect calls

  34. Cuckoo Signatures Tab
     • Simple display of Cuckoo-triggered signatures

  35. Switch Viewer
     • Switch jumps in malware can indicate config or cmd parsing

  36. Byte String / Stack String Finder

  37. XOR Locator

  38. DEMO
     • TACO Time!
     • Shifu (banker)
     • Andromeda (loader / stealer)
     • PlugX (targeted)
     • Etumbot (targeted)
     • Fobber (banker, Cuckoo 2.0-dev)
     • HttpBrowserRAT (targeted, Cuckoo 1.2)

  39. Wrap-Up

  40. Wrap-Up
     • Hopefully you agree that a TACO is both a tasty treat and a useful tool to bring run-time info into IDA Pro
     • All code is / will be freely available on GitHub
       – https://github.com/arbor-jjones/idataco
       – https://github.com/arbor-jjones/malware/create_voldump.py
       – https://github.com/arbor-jjones/malware/ida_load_mem.py
       – https://gist.github.com/arbor-jjones/18dd572e6b3e391e8418
