OST: "Malware Reverse Engineering" Tools: SysInternals: PsExplorer, ProcMon, RegShot, Autoruns, Wireshark I. Dynamic Analysis Generally used as a first pass attempt to understand a piece of software, Dynamic Analysis uses an Execute and Monitor approach to understand observable behavior, and in the case of malware, the Initial Indicators of Compromise. Limitations: Dynamic Analysis is a task that is repeatable and is often automated to perform unattended analysis when the analysis resources are limited and volume of malware to analyze is high. In such cases, outcomes can be limited because the software being analyzed :
II. Dynamic Analysis of APT1 WEBC2_CSON This Downloader malware tries to "phone home" to IP 65.114.1995:80 by sending SYN packets (Exhibit A: Process Explorer Profess TPC/IP). Moreover, APT1 WEBC2_CSON attempts to re-connect to the CNC every 5 seconds as it is evident in Exhibit B: ProcMon Filter on APT1 WEBC2_CSON's Process Identifier. Final Verdict
I. WebServer logs can show how APT1 WEBC2_CSON sends (1) GET /Default.aspx?INDEX=[random characters] HTTP1./1 User-Agent-Mozilla/4.0 (compatible; MSIE 8.0; Win32) and (2) POST /Default.aspx?ID=[random characters] HTTP1./1 User-Agent-Mozilla/4.0 (compatible; MSIE 8.0; Win32). II. Additionally, this malware uniformly negotiates Window Size of 8192 with its SYN packets. APT1 WEBC2_CSON is a Downloader malware that communicates with a hard-coded C2 server 65.114.195.226, receiving commands via GET and POST web requests.
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |