tasty malware analysis with t a c o
play

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into - PowerPoint PPT Presentation

Jan 12, 2023 •206 likes •648 views

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones Who Am I? Sr. Security Research Analyst for Arbor Networks ASERT Attend AHA! in Austin semi-frequently Welcome to the

  1. Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones

  2. Who Am I? • Sr. Security Research Analyst for Arbor Networks’ ASERT • Attend AHA! in Austin semi-frequently • Welcome to the track! • Speaker at – BlackHatUSA / Botconf / AusCERT / REcon • Research interests – RE automation – Malware clustering – Graph database applications to Reverse Engineering / Threat Intel 2

  3. Agenda • Similar Work • Malware Behaviors • Cuckoo Sandbox • TACO – Features – UI – Demo – Future Work 3

  4. Similar Work

  5. Similar Work • Nothing (that I know of) uses Cuckoo as it's mechanism for propagating data into an IDB • Inspired by similar work from many authors • UI takes inspiration from IDAScope by Daniel Plohmann (@push_pnx) • Excellent plugin, in my toolbox 5

  6. funcap • https://github.com/deresz/funcap • IDA Pro script to add some useful runtime info to static analysis. 6

  7. IDA Pro pintracer • Maintained by Hex-Rays • Highlights executed instructions • Can also track registers 7

  8. Joe Sandbox • Commercial product from Joe Security • Can produce execution graphs • Claims to have similar plugin • Never used personally • Seeing that they were using API traces gave inspiration to look into doing similar with Cuckoo • Opted to not attempt to find code so my plugin would be "clean" 8

  9. Malware Analysis Challenges 9

  10. Packers / Crypters • Compress or encrypt code, designed to make malware less detectable • UPX most popular packer (also watch out for things that look like, but are not UPX) • Lots of packers with various trial licenses • TitaniumCore by ReversingLabs can help automate • No known (to me) auto un-crypters • PIN, Dynamo Rio have tools to facilitate • IDA Pro as a "universal unpacker" that has been useful at times 10

  11. Self Modifying Code • Exhibited by numerous malware families • Shylock • Andromeda / Gamarue • Modify code that already exists instead of allocating new memory to unpack • Usually will be stomped during execution • More problematic to do automated dumps 11

  12. Process / DLL Injection • Can be done via • CreateRemoteThread (Suspended) • QueueUserAPC • Process Hollowing • Cuckoo uses injection to get monitor DLL into malicious processes 12

  13. DLL Side Loading • Popular technique with targeted malware • PlugX • HTTP Browser RAT • Load malicious DLL into legit (signed) executable • Bypass (some) AV • Bypass requirements of running code in signed exe 13

  14. Cuckoo Sandbox 14

  15. Cuckoo Sandbox • Likely most popular open-source / free sandbox available • 2.0 Supports Android (via emulator), Linux, and x64 analysis • Switch to new monitor code • Third-party kernel introspection support - "zer0m0n" • Popular fork "cuckoo-modified" by @spender of Optiv, Inc. (Accuvant) • https://github.com/brad-accuvant/cuckoo-modified • Contains bugfixes + additions to old cuckoomon not available in - trunk • Cuckoo 2.0 solves many of the issues we relied on -modified fork for and adds new things 15

  16. Cuckoo Sandbox • Multiple analysis methods • Cuckoo Monitor DLL injected into spawned process • Injects into any other spawned / injected processes • Hooks many common API calls • Nothing is immune to un-hooking, including Monitor • Logs • Win32 API calls • Registry • Created / Modified Files • Postprocessing Signatures 16

  17. Cuckoo Behavior Report 17

  18. Cuckoo Behavior - Calls Caller / Parent Caller Addresses 18

  19. Cuckoo Behavior JSON -Modified 19

  20. Cuckoo Behavior JSON -2.0 20

  21. ASERT's Sandbox Usage • Treat Cuckoo (and other sandboxes) as a black-box • Malware in, report / memory dumps / files out • Tasks deleted upon completion • Centralized malware processing system • Normalize + insert results • Post-processing of memory, network traffic, behavior • Custom post-processing of specific families to extract various sample properties 21

  22. Cuckoo API Additions needed • Cuckoo can produce a process dump • This is not loadable by IDA Pro (AFAIK) • Can be extremely large, especially in case of {explorer,svchost,iexplore,etc.}.exe • Can also produce full RAM dump • Volatility has plugins to dump processes, DLLs, VADs • Dumping process as a PE not supported natively by Cuckoo • Due to time needed to use volatility, decided that was not the right place • Don't always want dumps, sometimes we need to do "extra" • Added new API call to allow for arbitrary volatility plugins to run "on-demand" 22

  23. API Additions needed (cont) • Run volatility against ramdump to get process dumps for all PIDs known • Injection detected = run malfind and dump pages • Stitch dumped memory pages into process dumps for "complete" view • Supports family specific behavior • DLL dump • Specific process / memdumps 23

  24. Dumping Memory • That said... malfind doesn't always find everything • Will not dump DLL injected with CreateRemoteThread by design • Permissions stomp = undetected • Walk the Cuckoo API Calls per process • Get list of memory ranges that contain executed code • Run vadwalk for the PID • Parse the output and find all the required VAD's to cover what got executed • Request those VADs and then order with malfind VAD's and stitch an executable together • Using that dump, can now follow execution much better 24

  25. Creating the Memory Dump • Attempted to add as sections using http://git.n0p.cc/?p=SectionDoubleP.git • Works great for any case where section is above ImageBase • BUT many malwares like to inject below the ImageBase • Modify ImageBase • Modify each existing section's VirtualAddress • Modify AddressOfEntryPoint • Add Sections... • Fail. • Fallback to using IDA Pro segment create / put_many_bytes • Non-ideal, but IDA plugin requires IDA Pro... • Non-trivial method of creating dumps, but worth it 25

  26. Memory Dump Process Output python create_voldump.py --task 294832 --pid 3816 • • [+] Base memory range: 01000000 -> 01005600 • [+] Interesting page: 0x000C0000 • [+] Interesting page: 0x00B40000 • [+] Interesting page: 0x00B50000 [+] Interesting page: 0x00B60000 • • [+] Interesting page 0x000C0000 is in VAD 0x000C0000 - 0x000DCFFF • [+] Interesting page 0x00B40000 is in VAD 0x00B40000 - 0x00B70FFF • [+] Interesting page 0x00B50000 is in VAD 0x00B40000 - 0x00B70FFF • [+] Interesting page 0x00B60000 is in VAD 0x00B40000 - 0x00B70FFF [+] Retrieving VAD 0x000C0000 • • [+] Retrieving VAD 0x00B40000 • [+] Generating IDB with new memory regions • [+] IDB available at explorer.exe-3816.idb 26

  27. TACO 27

  28. Overview • Started out as dynamically generated Python scripts • Clunky, prevented from doing "cool" things • Dynamically generating "clean" IDAPython is hard • Some features incompatible with Cuckoo 1.2 due to lack of call metadata • Cuckoo-Modified and current Cuckoo 2.0-dev branch supported supported for markup • Cuckoo 2.0-dev is still a WIP as some oddities are encountered • Idea sprung out of Joe Security's posts about execution graphs and seeing they imported analysis info into IDA • Prior usage of tools like funcap and IDA's pintracer 28

  29. TACO Overview • What does TACO stand for? • It's fluid.. • Considered naming TACOZ - Tasty Analysis using Cuckoo Output and Zoidberg • Because why not Zoidberg? • Consists of Cuckoo-based tabs for showing: • Processes • API Calls • Signatures • Imports • Also includes other IDAPython scripts I have developed • Byte / Stack String viewer • "Interesting" XOR locator • Switch Jump / Case statement viewer 29

  30. Loader Tab • Main location to show a process tree and allow for specific processes to be inspected Injected, not created so does not appear in the tree under the main process 30

  31. API Call Tab • Reproduction of Cuckoo's Output • Filterable / Searchable / Clickable Filterable by Category Filterable by Call / Argument value Each row Color-coded and double-clickable 31

  32. API Call Tab (cont.) • Add / Remove Markup to IDB • All • Category • Context menu • Markup per Instruction • Copy value 32

  33. Imports Tab • Tries to detect dynamic imports via direct / indirect calls 33

  34. Cuckoo Signatures Tab • Simple Display of Cuckoo Triggered Signatures 34

  35. Switch Viewer • Switch jumps in malware can indicate config or cmd parsing 35

  36. Byte String / Stack String Finder 36

  37. XOR Locator 37

  38. DEMO • TACO Time! • Shifu (banker) • Andromeda (loader / stealer) • PlugX (targeted) • Etumbot (targeted) • Fobber (banker, Cuckoo 2.0-dev) • HttpBrowserRAT (targeted, Cuckoo 1.2) 38

  39. Wrap-Up 39

  40. Wrap-Up • Hopefully you agree that a TACO is both a tasty treat and is a useful tool to bring run-time info into IDA Pro • All code is / will be freely available on GitHub • https://github.com/arbor-jjones/idataco • https://github.com/arbor-jjones/malware/create_voldump.py • https://github.com/arbor-jjones/malware/ida_load_mem.py • https://gist.github.com/arbor-jjones/18dd572e6b3e391e8418 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes.

The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes.

The BBQ KING! Tasty Creations. I love to BBQ I enjoy sharing my tasty recipes. www.bbqsecrets.ca The best BBQ Recipes Online Tasty BBQ Ribs Tasty Steak Chewy Chicken Beef Ka Bobs Melt In Your Mouth Meatloaf More Great Recipes Fish Cakes

325 views • 30 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide Balzarotti ACSAC, Orlando, Florida, 3-7 December 2012 Malware Analysis Scenario Analysis based on Sandboxes (API Hooking, Emulation)

798 views • 23 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim Boojoong Kang Eul Gyu Im Presented by Ruikai Zheng CISC850 Cyber Analytics 1.Introduction Malware variants developed using automated tools

206 views • 20 slides
On the Stackelberg strategies in control theory Enrique FERNNDEZ-CARA Dpto. E.D.A.N. - Univ. of

On the Stackelberg strategies in control theory Enrique FERNNDEZ-CARA Dpto. E.D.A.N. - Univ. of

On the Stackelberg strategies in control theory Enrique FERNNDEZ-CARA Dpto. E.D.A.N. - Univ. of Sevilla several joint works with F.D. ARARUNA Dpto. Matemtica - UFPB - Brazil S. GUERRERO Lab. J.-L. Lions - UPMC - France M.C. SANTOS Dpto.

426 views • 26 slides
Composite Event Recognition for Maritime Monitoring Manolis Pitsikalis 1 , Alexander Artikis 2 , 1

Composite Event Recognition for Maritime Monitoring Manolis Pitsikalis 1 , Alexander Artikis 2 , 1

Composite Event Recognition for Maritime Monitoring Manolis Pitsikalis 1 , Alexander Artikis 2 , 1 , Richard Dreo 3 ,Cyril Ray 3 , 4 , Elena Camossi 5 and Anne-Laure Jousselme 5 1 Institute of Informatics & Telecommunications, NCSR Demokritos,

448 views • 24 slides
Mode Callbacks Tarjei Mandt Black Hat USA 2011 Who am I 11. august 2011 Security Researcher

Mode Callbacks Tarjei Mandt Black Hat USA 2011 Who am I 11. august 2011 Security Researcher

Kernel Attacks through User- Mode Callbacks Tarjei Mandt Black Hat USA 2011 Who am I 11. august 2011 Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating system internals

1.4k views • 108 slides
FRANKLYSPEAKING A SERIES OF COMMUNITY MEETINGS ABOUT FRANKLIN COUNTYS FUTURE COMMUNITY MEETING

FRANKLYSPEAKING A SERIES OF COMMUNITY MEETINGS ABOUT FRANKLIN COUNTYS FUTURE COMMUNITY MEETING

FRANKLYSPEAKING A SERIES OF COMMUNITY MEETINGS ABOUT FRANKLIN COUNTYS FUTURE COMMUNITY MEETING #1 MAY 28/29/30, 2019 MCGILL | NEALON PLANNING | CITY EXPLAINED what is this all about? What is a comprehensive plan? A visionary

620 views • 29 slides
Deep convolutional acoustic word embeddings using word-pair side information Herman Kamper 1 ,

Deep convolutional acoustic word embeddings using word-pair side information Herman Kamper 1 ,

Deep convolutional acoustic word embeddings using word-pair side information Herman Kamper 1 , Weiran Wang 2 , Karen Livescu 2 1 CSTR and ILCC, School of Informatics, University of Edinburgh, UK 2 Toyota Technological Institute at Chicago, USA

1.03k views • 76 slides
Efficient Voice Activity Detection via Binarized Neural Networks Jong Hwan Ko Josh Fromm

Efficient Voice Activity Detection via Binarized Neural Networks Jong Hwan Ko Josh Fromm

Efficient Voice Activity Detection via Binarized Neural Networks Jong Hwan Ko Josh Fromm Matthai Philipose Shuayb Zarar Ivan Tashev Microsoft Georgia Tech U of Washington Voice Activity Detection (VAD) Need to run

269 views • 6 slides
Lecture III: Majorana neutrinos Petr Vogel, Caltech NLDBD school, October 31, 2017 Whatever

Lecture III: Majorana neutrinos Petr Vogel, Caltech NLDBD school, October 31, 2017 Whatever

Lecture III: Majorana neutrinos Petr Vogel, Caltech NLDBD school, October 31, 2017 Whatever processes cause 0 , its observation would imply the existence of a Majorana mass term and thus would represent ``New Physics : Schechter and

554 views • 34 slides
Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030

Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030

Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030 Alexander E. MacDonald Christopher Clack* Anneliese Alexander* Adam Dunbar Yuanfu Xie James Wilczak NOAA Earth System Research Laboratory

517 views • 28 slides

More recommend