In this article series, we will learn about malware behavioral and code analysis. For part 1, I will cover behavioral analysis of one of the specimens.
Behavioral analysis is analyzing malicious specimen behavior in an isolated fashion. It is a step by step approach where the analyst should run the specimen with normal and maximum privileges and notice any change.
Below tools will be used to observe malware behavior for this part:
- Process Hacker
- Process Monitor
Let’s start the analysis of a specimen named srvcp.exe (known malicious executable). Initially, we are running the program with normal privileges. Launch Process Hacker and then run the executable. We can see that srvcp.exe is a child process of explorer.exe which is normal since Explorer implements the GUI with which users interacts.
Side by Side, let’s open process monitor (A beast of a tool but sometimes it is difficult to find information but nevertheless Filters works). Let’s filter the output by filter: Process Name=srvcp.exe. We observe that the file is trying to read a file named gus.ini in System32. Straightaway we can conclude that this
Executable needs gus.ini for its operation. For now, we will continue to find all the information we can with normal privileges and without gus.ini.
Note: While performing code analysis, we will notice this decline with the result of CreateFile function output which is used for both creating and opening/reading a file. In this case, it is a read.
Now let’s check if this specimen is trying to achieve some persistence my modifying some of the known registry keys. Guess what, this specimen is trying to achieve persistence but got “Access Denied.” Reason: Running with normal privileges but at least we know what registry key it is modifying to achieve persistence.
Normally, specimen likes to create a channel back to its CnC server. Let’s see what this specimen is trying to do. Looking at the network connection status via Network tab of Process Hacker, we found out that this specimen has started listening but from what?
To answer that question, let’s use Wireshark to see the requests generated by the specimen. Below is the output.
OK, so looks like it is trying to find irc.mcs.net but since we are running in an isolated lab, this request is not fulfilled. Looking at the process monitor side looks like there are many threads created for srvcp.exe and it can be mapped to the requests being generated by them.
One of the important thing in the behavioral analysis is to feed the malware what it needs, step by step, to extract more information from malware. In this case, it needs to query a DNS, let’s provide it one. We will use FakeDNS which will act as a required server with the IP of the host it is installed on.
As we can see, it has fulfilled irc.mcs.net request. Let’s now see the packets in Wireshark. Below is the changed output.
As we can see the specimen got the response for the ‘A’ query. But wait, looks like it is trying to make a connection to 6667 and IRCs commonly use this port. Ok, again let’s give it what it needs. We can do this with Netcat and but we can also use IRC stub. We will use the latter in this case. After this need of the malware is also satisfied, it started communicating with the IRC by trying to join a channel.
After following TCP stream for the packets, we observe the above commands used by the specimen to join IRC channel. Some strings have been darkened since they were profane. So we observe all this behavioral analysis. However, remember this is all under normal privileges and without gus.ini. Let’s provide the system with both requirements and then observe the output.
Launch Process Hacker and Process Monitor and then run the specimen with admin rights and gus.ini in System32.
We observed that the CreateFile on gus.ini is now successful and also attempted registry change to achieve persistence is also successful.
After observing the Wireshark, there are completely new DNS requests being launched by the specimen. We again use FakeDNS to provide assistance to malware.
As you can notice, these are completely new IRC channel. Following TCP stream on these, we could see completely new commands to interact with IRC channel. These have some more commands which we will look while analyzing at code level because currently they are encrypted.
We can also see from Process Hacker’s Network tab that the connection of this specimen is Established and that too on 6666.
So these are all very basic steps to perform behavioral analysis of a specimen. In Part Two of this article, we will take a look at another specimen and some more behavioral analysis techniques plus the major section on code analysis.