One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 795252
Publication date 2018-09-06 13:00:00 (viewed: 2018-09-06 15:04:19)
Title Malware Analysis using Osquery Part 2
Text In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware's behavior. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In this post, we are going to look at another common technique that malware uses: persistence. To do so, we will continue using Osquery to explore the registry and startup_items tables.

Registry Persistence

In this case, we will analyze a piece of malware built using the .NET framework, in particular a sample of Shrug ransomware. This malware encrypts users' personal documents and demands an amount of Bitcoin to get all the files restored.

https://otx.alienvault.com/indicator/file/a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707

Opening the sample with a .NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the "CurrentVersion\Run" registry key of the user hive, pointing to that file. The malware will then be executed every time the user logs on. This is a common persistence mechanism that malware droppers use in order to stay on the system.

If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. For example, if you remember the query we used to log files written to disk in Part 1 of this blog series, we can also use it here to detect the file planted in the user temp directory. We are just searching for files written under the Users directories in the last 100 seconds. Additionally, we can search for the new entry created in the registry hive. For that, we can use the 'registry' Osquery table, which allows us to query all the registry entries on the system. We can also use the 'startup_items' table.

This second table contains a set of predefined paths that the system uses to run programs automatically at startup. Running the following query, we can see how the malware has written a new entry, pointing to the 'shrug.exe' file discovered with the first query. The file shrug.exe is also written in .NET, so we can open it again with the debugger and see some interesting parts. This file first checks whether the system is already infected. If not, it creates a new registry key with the same name to write the installation parameters.
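The three detection queries the excerpt describes (recently written files under user profiles, Run-key entries in the user hive, and startup items), written out as an added example in osquery's SQL dialect. These are not the queries from the AlienVault post; they are my own reconstruction using the osquery `file`, `registry` and `startup_items` tables, and the 100-second window, the `HKEY_USERS\...\CurrentVersion\Run` key path and the `Temp` path filter are assumptions taken from the text rather than the original query bodies.

```sql
-- 1. Files written under any user profile in the last 100 seconds.
--    The osquery file table needs a path constraint, so the profile
--    directory is pinned with LIKE; '%' is a single-level wildcard.
SELECT path,
       size,
       datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE 'C:\Users\%\AppData\Local\Temp\%'
  AND mtime > (strftime('%s', 'now') - 100);

-- 2. Per-user Run keys (assumed location of the persistence entry).
--    Any value whose data points into a Temp directory is suspicious:
--    legitimate autoruns rarely live there.
SELECT key,
       name,
       data,
       datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
  AND data LIKE '%\Temp\%';

-- 3. Startup items (osquery's curated set of autostart locations).
--    Same heuristic: flag entries whose target sits under a Temp path.
SELECT name,
       path,
       source,
       status,
       username
FROM startup_items
WHERE path LIKE '%\Temp\%';
```

Run each statement in `osqueryi` on the analysis VM before and after detonation and diff the results; the file that appears in query 1 should be the same path that shows up as `data` in query 2 and as `path` in query 3, which is the correlation the post draws between the dropped file and the persistence entry.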
Sent Yes
Digest $bitcoin $pdb* $pdb1 $pdb2 $s* $s1 $s2 $s3 $s4 rule '; select 'c: 'hkey 000webhostapp 0x5a4d 100 and 100; select 119 145 1hr1grgh9viegux73irrjlvkh3pfjutenx 4920 a554b92036fbbc1c5d1a7d8a4049b01c5b6b7b30f06843fcdccf1f2420dfd707 a6ab6b1f account action address admin alienvault analysis any appdata appendix are author b144 b14a57ad391d9ba5b2714dad4773118f118ed8d64b523466bb60f3b18336efc1 bb90ec6fc22e be42 catalogued com/endpoint com/marthas com/pulse/5b899bd8694f420825bbdfdd compromise condition: connections data debug display dotnet dropped enabled endpoint exe executable file filename files free: from get guids harmedfiles http://tempacc11vl https://otx hunter hunter/welcome import iocs items; select key labs like local malware meta: mtime name next number osquery otx part path pdb php registry run sample scheduled searches select services; shrug shrug'; select shrug2 shrugdecryptor shruginstaller shrugransomware shrugtwo size source start started startup strings: stuff/uploadhash tasks; select temp threat time type typelib uint16 upoldhash user users using where yara
Tags Malware Threat
Stories APT 34
Rating ★★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.