Sandbox vs manual analysis v2.1
Uploaded by michael-gough (Category: Technology)
Transcript of Sandbox vs manual analysis v2.1
![Page 1: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/1.jpg)
Are malware sandboxes as good as manual analysis?
Michael Gough – Founder, MalwareArchaeology.com
Co-creator of Log-MD
MalwareArchaeology.com
![Page 2: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/2.jpg)
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
• Malware Management Framework
• Several Windows Logging Cheat Sheets
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
  – With @Boettcherpwned – Brakeing Down Security PodCast
• @BrakeSec
• @HackerHurricane and also my Blog
![Page 3: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/3.jpg)
Malware evolves
• So must we
• Darwin says so
• Evolve or die
• Well… Evolve or get breached anyways
• Getting breached means an RGE!!! – Resume Generating Event
![Page 4: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/4.jpg)
Define Sandbox
• A VM you build to evaluate malware
• An on-premise virtual malware analysis system like Cuckoo Sandbox
• A specific malware analysis eco-system like REMnux
• A cloud-based malware analysis service like Payload Security / Reverse.IT, Lastline, Malwr.com, etc.
• Email Gateways like FireEye, Cisco AMP, etc.
• Web Proxies like FireEye, Lastline, etc.
• Advanced features in Firewalls like Palo Alto WildFire
• And of course anything you specifically build
![Page 5: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/5.jpg)
Ways to bypass Automated Sandbox Analysis
![Page 6: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/6.jpg)
How do the malwarians evade sandbox analysis?
Look for indicators of a VM
• VM Tools
• Registry keys
• Hardware (is virtual, not real)
Look for ‘Recent Files’
• Has the user opened several misc. documents?
Processor related indicators
• Some API calls take MUCH longer on a VM
![Page 7: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/7.jpg)
How do the malwarians evade sandbox analysis?
Password-protected files
• Can’t scan what you can’t access
![Page 8: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/8.jpg)
How do the malwarians evade sandbox analysis?
OLE
• Embed OLE objects and the sandbox may not know where to click to execute the payload
![Page 9: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/9.jpg)
How do the malwarians evade sandbox analysis?
URLs in the document
• Can be anywhere in the document
![Page 10: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/10.jpg)
How do the malwarians evade sandbox analysis?
Time
• They wait you out
• Your automated queue will just back up
• How long can you wait? Or how long will the automated sandbox wait?
![Page 11: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/11.jpg)
![Page 12: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/12.jpg)
How do the malwarians evade sandbox analysis?
Time
• The automated sandbox gave up
• So did our email “Advanced Malware Protection”
• But WE did not
• LOG-MD caught it all
![Page 13: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/13.jpg)
Manual Analysis rules
• We detonate everything in a lab that fits a pattern like ‘has a password’, and anything that comes back ‘unknown’ or looks incomplete
![Page 14: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/14.jpg)
Manual Analysis rules
![Page 15: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/15.jpg)
Manual Analysis rules
• We even found persistence
![Page 16: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/16.jpg)
Time to disclose a Cloud provider that has had a serious flaw ;-)
![Page 17: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/17.jpg)
Hey, I got a FAX!!!
• Typical Phish
• A FAX.. SERIOUSLY?
• So 90’s…
• Word Doc attached
• Date: 08/30/16
• Time: 11:15am
![Page 18: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/18.jpg)
Simple Manual Analysis
• 7-Zip
• Contains Macros
![Page 19: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/19.jpg)
Simple Manual Analysis
• Strings or Type
• Shows a Macro
• “Document_Open” shows autorun when the document is opened
![Page 20: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/20.jpg)
Simple Manual Analysis
• OfficeMalScanner – Seems malicious
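The three triage steps above (7-Zip to unpack the document, strings to spot the Document_Open auto-run, then a scanner verdict) as an added Python example; it is not code from the deck or from LOG-MD. It builds a constructed macro-bearing document in memory and assumes only the standard library.

```python
import io
import re
import zipfile

# Constructed stand-in for a .docm: a ZIP with a word/vbaProject.bin part whose
# bytes carry an auto-run procedure name, as a real one often shows under `strings`.
def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16
                   + b"Attribute VB_Name = \"ThisDocument\"\x00Sub Document_Open()\x00")
    return buf.getvalue()

# Procedure names Office runs automatically when a document/workbook opens
AUTORUN_NAMES = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open")

def strings(data: bytes, min_len: int = 4):
    # Equivalent of the `strings` step: runs of printable ASCII at least min_len long
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage_office_doc(data: bytes) -> dict:
    result = {"is_zip": False, "macro_parts": [], "autorun_hits": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE2 .doc needs a different parser (e.g. olevba)
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # The 7-Zip step: a vbaProject.bin part means the file contains macros
            if name.lower().endswith("vbaproject.bin"):
                result["macro_parts"].append(name)
                for s in strings(z.read(name)):
                    for auto in AUTORUN_NAMES:
                        if auto in s and auto not in result["autorun_hits"]:
                            result["autorun_hits"].append(auto)
    return result

if __name__ == "__main__":
    print(triage_office_doc(build_sample_docm()))
```

VBA source inside vbaProject.bin is stored compressed, so a string scan that finds nothing is not conclusive; a scanner that decompresses the streams (the OfficeMalScanner step) gives the verdict.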
![Page 21: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/21.jpg)
Email Gateway
• Date: 08/30/16
• Time: 12:02pm
• 47 Mins later, another copy
CLEAN???
![Page 22: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/22.jpg)
And a couple more…
• Clean???
VawTrak
![Page 23: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/23.jpg)
Even AV actually caught it
• Same Day !
• McAfee knew
VawTrak
![Page 24: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/24.jpg)
Simple Manual Analysis
• In 1 minute or less I was able to tell this Word DOC is malicious with very basic analysis
  – 7-Zip, Strings & OfficeMalScanner
• To be certain the file is bad, we could detonate it in a lab or an online solution
• Let’s see what the fancy pants Cloud and Sandbox solutions say about it
• By the way, documents you auto-process to the cloud may contain PII ;-(
![Page 25: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/25.jpg)
VirusTotal
• VT Score 28/53
• Date: 9/8/16
• 8 Days later
• AV has a Sig
• Clearly BAD
![Page 26: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/26.jpg)
Unknown???
• This is an obviously bad Word Doc, same as the others
• This one had the added benefit of an embedded OLE object
• Still easily bad
• This one was KOVTER
![Page 27: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/27.jpg)
Let’s see what a Cloud analysis shows
![Page 28: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/28.jpg)
Reverse.IT
![Page 29: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/29.jpg)
Reverse.IT
![Page 30: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/30.jpg)
Reverse.IT
![Page 31: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/31.jpg)
Artifacts / Indicators
• What do we want to get out of any analysis?
  – URLs – What websites were visited
  – IPs – Communications
  – Filenames – What files were added
  – Directories used – Where does it live
  – Autoruns used – How does it launch
  – Config changes – What changed
  – Metadata – Details
  – Signed – Digital Signatures
  – Behavior – What actually happened
  – Network info – Traffic behavior / Net Flow
![Page 32: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/32.jpg)
Artifacts / Indicators
• Why do we want this data?
• We need to know who else got infected
– The IP’s and URL’s
• What was added
• What was changed
• So we know whether to
– Re-image
– IF we can clean it up
![Page 33: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/33.jpg)
Let’s look at another Manual analysis
![Page 34: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/34.jpg)
Artifacts – URLs
• A little script I run during analysis
• And…
![Page 35: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/35.jpg)
Process Artifacts
• What launched
• Linked processes – Bad EXE calls WinHost32.exe
(Screenshot columns: CreatorID, ProcessID, Process Name, Sandbox Found)
![Page 36: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/36.jpg)
Artifacts IP’s
• What talked to Whom
• Wait… WinHost32 did not show up in the Cloud Analysis
![Page 37: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/37.jpg)
File & Dir Artifacts
• Files involved
• Directories involved
![Page 38: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/38.jpg)
Persistence
• Run Key created
![Page 39: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/39.jpg)
Artifacts - Sysmon
• What loaded the image
• Signed or not
• Hashes
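The artifact list from the “Artifacts / Indicators” slide, pulled out of Sysmon-style events the way the process, IP, file/directory, persistence and Sysmon slides above do, as an added Python example; it is not the author’s script or LOG-MD code. The log lines are constructed (placeholder paths, a TEST-NET IP, the WinHost32.exe name from the slides) and the key=value line format is an assumption, not real Sysmon output.

```python
import re

# Constructed Sysmon-style records, one event per line (not real logs).
# Sysmon event IDs: 1 process create, 3 network connect, 7 image load,
# 11 file create, 13 registry value set.
SAMPLE_LOG = r"""
EventID=1 ProcessId=4012 ParentProcessId=3300 Image=C:\Users\bob\AppData\Local\Temp\bad.exe
EventID=11 ProcessId=4012 TargetFilename=C:\Users\bob\AppData\Roaming\WinHost32.exe
EventID=1 ProcessId=4100 ParentProcessId=4012 Image=C:\Users\bob\AppData\Roaming\WinHost32.exe
EventID=13 ProcessId=4100 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinHost
EventID=7 ProcessId=4100 ImageLoaded=C:\Users\bob\AppData\Roaming\helper.dll Signed=false
EventID=7 ProcessId=4100 ImageLoaded=C:\Windows\System32\ws2_32.dll Signed=true
EventID=3 ProcessId=4100 DestinationIp=203.0.113.10 DestinationPort=443
"""

def parse(log: str):
    # Each line becomes a dict of its key=value fields (values contain no spaces here)
    return [dict(re.findall(r"(\w+)=(\S+)", ln)) for ln in log.strip().splitlines()]

def extract_artifacts(events):
    procs, parent = {}, {}  # pid -> image, pid -> parent pid
    art = {"process_chain": [], "files_added": [], "directories": set(),
           "autoruns": [], "unsigned_images": [], "ips": []}
    for e in events:
        eid = e.get("EventID")
        if eid == "1":
            procs[e["ProcessId"]] = e["Image"]
            parent[e["ProcessId"]] = e["ParentProcessId"]
            art["directories"].add(e["Image"].rsplit("\\", 1)[0])  # where it lives
        elif eid == "11":
            art["files_added"].append(e["TargetFilename"])         # what was added
        elif eid == "13" and "\\CurrentVersion\\Run" in e["TargetObject"]:
            art["autoruns"].append(e["TargetObject"])              # Run/RunOnce key = persistence
        elif eid == "7" and e.get("Signed") == "false":
            art["unsigned_images"].append(e["ImageLoaded"])        # unsigned image loads
        elif eid == "3":
            art["ips"].append(e["DestinationIp"] + ":" + e["DestinationPort"])  # who it talked to
    # Linked processes: (parent image, child image), e.g. bad.exe launching WinHost32.exe
    for pid, img in procs.items():
        ppid = parent[pid]
        art["process_chain"].append((procs.get(ppid, f"pid {ppid}"), img))
    art["directories"] = sorted(art["directories"])
    return art

if __name__ == "__main__":
    for key, value in extract_artifacts(parse(SAMPLE_LOG)).items():
        print(key, value)
```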
![Page 40: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/40.jpg)
• Another little script I run
![Page 41: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/41.jpg)
Let’s compare Manual to Cloud
![Page 42: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/42.jpg)
Artifacts / Indicators

| Artifact | Cloud | Manual |
|---|---|---|
| URLs | No/Yes | Yes |
| IPs | No | Yes |
| All Filenames | Some | Yes |
| All Directories used | Some | Yes |
| Autoruns used | No | Yes |
| Config changes | No | Yes |
| Metadata | Yes | Yes |
| Signed | Yes | Yes |
| Behavior | No | Yes |
![Page 43: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/43.jpg)
Sandbox or Manual?
• Paid solutions work better than Free ones
• Many samples failed to execute because they were VM-aware
• Not as much detail as you can get yourself (IMHO)
• You CAN do as good a job as, or better than, sandbox solutions
• Sandbox solutions are good for multiple samples after you have evaluated one using manual analysis, so you can compare results
• You may, or will, have to super-harden VM sandboxes to make them look and act like a normal system
![Page 44: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/44.jpg)
So what do we use for manual analysis?
![Page 45: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/45.jpg)
LOG-MD Free Edition
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads
![Page 46: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/46.jpg)
LOG-MD Professional
• Everything the Free Edition does and…
• More reports, breakdown of things to look for
• Specify the Output directory
• Harvest Sysmon logs
• Whitelist Hash compare results
• Whitelist Registry compare results
• Create a Master-Digest to exclude unique files
• WhoIs lookups of IP Addresses called
• SRUM netflow data (Win 8.1 & 10 64bit)
• Free updates for 1 year, expect a new release every quarter
• Manual – How to use LOG-MD Professional
![Page 47: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/47.jpg)
Future Versions – In the works!
• PowerShell details
• AutoRuns report
• VirusTotal lookups of discovered files
• Find parent-less processes
• Assess all processes and create a Whitelist
• Assess all services and create a Whitelist
• VirusTotal lookups of unknown or new processes and services
• Other API calls to security vendors
![Page 48: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/48.jpg)
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IP’s to enter into Log Management to see WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in… 15 Minutes!
![Page 49: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/49.jpg)
Resources
• Websites
  – Log-MD.com – The tool
• The “Windows Logging Cheat Sheet”
  – MalwareArchaeology.com
• Malware Analysis Report links too
  – To start your Malware Management program
• This presentation is on SlideShare and website
  – Search for MalwareArchaeology or LOG-MD
![Page 50: Sandbox vs manual analysis v2.1](https://reader034.fdocuments.net/reader034/viewer/2022042619/58eff9401a28ab34168b45cd/html5/thumbnails/50.jpg)
Questions?
You can find us at:
• Log-MD.com
• @HackerHurricane
• @Boettcherpwned
• MalwareArchaeology.com
• HackerHurricane.com (blog)
• MalwareManagementFramework.Org
• http://www.slideshare.net – LinkedIn now