NTU Malware Reverse HW 2 write up

tags: NTU_MR Malware Reverse Engineering and Analysis NTU

Task 1

Run the Dharma ransomware together with Process Monitor, take a screenshot of Dharma's process tree, and analyze and explain the behavior of each process. Ans:

  • Conhost.exe: It is defined by Microsoft and is normally legitimate and safe; it runs on Win7, Win8, and Win10. The main function of this PE file is to let the Command Prompt and Windows File Explorer interact with each other. Another function is to let users drag a file or folder directly into the Command Prompt. Most of the time it is a safe file, even when it is running many times at once. However, in some cases a virus will masquerade as conhost.exe, consuming massive amounts of memory or sitting in the wrong folder.[1]

  • mode.com: MODE sets the mode of operation for devices or communications. It can be used to set the mode for printers, monitors, or the serial interface, to prepare and select code pages, and to redirect printer output to the serial interface.[2] In the command below you can see that the virus selects code page #1251.[3]

  • vssadmin.exe: Displays the current volume shadow copy[4] backups and all installed shadow copy writers and providers. It applies to Win10 and the server-type operating systems. According to [5], this program does not execute automatically at operating system startup; programs of this kind are usually malware such as viruses, trojan horses, and spyware.

  • mshta.exe: An executable file in Windows; it is the component that starts the Microsoft HTML Application host. It mainly executes .hta files and runs scripts in Windows.[6]

  • There is a growing trend for attackers to heavily utilize tools that already exist on a system rather than relying entirely on their custom malware. Using .hta files, or their partner in crime mshta.exe, is an alternative to macro-enabled documents for attacks and has been around for a long time. It is a tool so flexible that it even has its own cell in the MITRE ATT&CK matrix.[7]

  • rundll32.exe: It mainly loads and executes 32-bit .dll library files.[8]

  • The autorun technique is as follows. The ransomware sets a value in the autorun registry key, which is executed automatically when the computer starts up. It calls the RegSetValue function to register itself under the autorun key (snapshot below).

Task 2

Explain what the MITRE ATT&CK technique T1490: Inhibit System Recovery is, how to detect and defend against it, and find a screenshot of the attack command in the Dharma ransomware. Ans:

  • As you can see below, it executes a command line that deletes or removes built-in operating system data and turns off the services whose main purpose is recovering a corrupted system. This may deny access to available backups and recovery options. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[9] In other words, it increases the difficulty of recovering your files with data rescue software or services.

  • So, how to detect? There are four ways to detect this technique:
    • use process monitoring to watch process execution and command-line parameters,
    • use the Windows event logs,
    • monitor the status of services involved in system recovery, or
    • monitor the registry for changes associated with system recovery features.
    The mitigation is data backup, or considering technical controls that prevent the disabling of services or the deletion of files involved in system recovery.
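As an added example (not part of the original write-up), the following Python applies the first and last detection ideas to a Process Monitor CSV export: it flags the RegSetValue on the autorun Run key from Task 1 and the T1490 command lines, covering Dharma's vssadmin deletion as well as the bcdedit and encoded-PowerShell Win32_Shadowcopy deletion that this page attributes to Sodinokibi. The sample rows, process names and PIDs are constructed, not a real capture.

```python
import base64
import csv
import io
import re

# T1490 command-line patterns named on this page: Dharma's vssadmin call, Sodinokibi's bcdedit call, WMI Win32_ShadowCopy deletion.
T1490_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("bcdedit disable recovery", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no", re.I)),
    ("WMI shadow copy deletion", re.compile(r"win32_shadowcopy.*delete", re.I)),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)   # autorun key that Dharma writes with RegSetValue
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_powershell(cmdline):
    """Append the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE) so the patterns can match it."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline   # not valid base64/UTF-16: keep the raw line for the analyst

def scan_procmon_csv(text):
    """Return (finding, process name, evidence) for each suspicious row of a Procmon CSV export."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] == "Process Create":
            cmd = decode_powershell(row["Detail"].split("Command line: ", 1)[-1])
            for name, pattern in T1490_PATTERNS:
                if pattern.search(cmd):
                    hits.append(("T1490 " + name, row["Process Name"], cmd))
        elif row["Operation"] == "RegSetValue" and RUN_KEY.search(row["Path"]):
            hits.append(("autorun Run key write", row["Process Name"], row["Path"]))
    return hits

# Constructed Procmon-style export; the PowerShell row hides the Win32_Shadowcopy deletion in an encoded command.
ENCODED = base64.b64encode("Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}".encode("utf-16-le")).decode()
SAMPLE_PROCMON_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"10:01:02","cmd.exe","4120","Process Create","C:\Windows\System32\mode.com","SUCCESS","PID: 4124, Command line: mode con cp select=1251"',
    r'"10:01:03","cmd.exe","4120","Process Create","C:\Windows\System32\vssadmin.exe","SUCCESS","PID: 4130, Command line: vssadmin delete shadows /all /quiet"',
    r'"10:01:04","payload.exe","4000","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\payload","SUCCESS","Type: REG_SZ, Length: 48, Data: C:\Users\lab\payload.exe"',
    r'"10:01:05","cmd.exe","4120","Process Create","C:\Windows\System32\bcdedit.exe","SUCCESS","PID: 4140, Command line: bcdedit /set {default} recoveryenabled no"',
    '"10:01:06","powershell.exe","4150","Process Create","C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SUCCESS","PID: 4152, Command line: powershell -e ' + ENCODED + '"',
    r'"10:01:07","notepad.exe","4160","RegSetValue","HKCU\Software\Microsoft\Notepad\iWindowPosX","SUCCESS","Type: REG_DWORD, Length: 4, Data: 100"',
]) + "\n"
```

Running `scan_procmon_csv(SAMPLE_PROCMON_CSV)` yields four findings (vssadmin, Run key write, bcdedit, decoded WMI deletion) and ignores the benign mode.com and Notepad rows.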

Task 3

Run the Sodinokibi ransomware together with Process Monitor and find a screenshot of the command that proves the MITRE ATT&CK technique T1490: Inhibit System Recovery attack. Ans:

  • It retrieves the objects named Win32_shadowcopy and deletes the backup for each object, just like Dharma does. It simply encrypts the command so that it bypasses the malware defender.

Task 4

Run the Sodinokibi ransomware together with Process Monitor and list the MITRE ATT&CK techniques it uses in the table below (add more table rows if needed). Ans:

  • As [10, 11] mention, the techniques that Sodinokibi has used are listed below. But I could not actually find the events with Process Monitor because of my poor usage skill.

    Technique name                    | Technique description
    ----------------------------------|----------------------
    Command and Scripting Interpreter | The macro in the Word document downloads and runs the Sodinokibi executable. After execution, it runs the following command using cmd.exe. REvil has used PowerShell to delete volume shadow copies and download files.
    Inhibit System Recovery           | REvil can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features. First, this command runs vssadmin.exe to delete all volume shadow copies on the system to prevent recovery. Then it uses bcdedit.exe twice to disable the automatic Windows recovery features by modifying the boot configuration data.
    Data Encrypted for Impact         | REvil can encrypt files on victim systems and demands a ransom to decrypt the files. Like most ransomware, Sodinokibi encrypts files and appends a random extension, such as test.jpg.1cd8t9ahd5.

Reference

  1. Tim Fisher. What is Conhost.exe? Available from: https://zhtw.eyewated.com/%E4%BB%80%E9%BA%BC%E6%98%AFconhost-exe%EF%BC%9F/.
  2. mode.com in Microsoft. Available from: https://home.csulb.edu/~murdock/mode.html.
  3. MS-DOS and Windows command line mode command. Available from: https://www.computerhope.com/modehlp.htm.
  4. Volume Shadow Copy Service. Available from: https://zh.m.wikipedia.org/wiki/%E7%A3%81%E7%A2%9F%E5%8D%80%E9%99%B0%E5%BD%B1%E8%A4%87%E8%A3%BD%E6%9C%8D%E5%8B%99.
  5. vssadmin.exe in Microsoft. Available from: http://startup.filedict.com/vssadmin-vssadmin-exe-8854-8860/.
  6. mshta.exe Microsoft (R) HTML Application host. Available from: https://win10.support/zh_tw/mshta-exe-microsoft-r-html-%E4%B8%BB%E6%87%89%E7%94%A8%E7%A8%8B%E5%BC%8F/.
  7. What Is Mshta, How Can It Be Used and How to Protect Against It. Available from: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/.
  8. rundll32: What is Rundll32.exe? Available from: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjAps7IlYX7AhWqQfUHHbylBOAQFnoECBUQAQ&url=https%3A%2F%2Fwww.easyatm.com.tw%2Fwiki%2Frundll32&usg=AOvVaw2fLPE4XLV2J1RaPX3e0fo4.
  9. Inhibit System Recovery. Available from: https://attack.mitre.org/techniques/T1490/.
  10. A brief history and further technical analysis of Sodinokibi Ransomware. 2020; Available from: https://www.picussecurity.com/resource/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware.
  11. REvil. 2020; Available from: https://attack.mitre.org/software/S0496/.