Analyse Malware & Ransomware with Cuckoo

Last week I started manually debugging a file which I received from Advissa Ludvinka, a non-existing person. Since the beginning of this year I have picked up my old passion for debugging malware and viruses, looking into buffer overflows, playing capture the flags online (root-me.org, ctf365), offline (application) penetration testing (offline: VulnHub, Mutillidae, OWASP Juice Shop, DVWA) and other general (information) security subjects. Some 20+ years ago I used to sit behind multiple screens for days in a row figuring out (reverse engineering) the way viruses (with their encryption and stealth abilities), games (to give me more “lives”), worms and other software worked. At that time it was very hard to learn this by yourself because the only sources of information were the bulletin board systems of that time. No YouTube, not that much documentation, no communities and no advanced/mature tools. I remember sitting there behind the screen for days in a row with a load of assembly language on the screen and a big boring book in my hands trying to figure out what all that asm was about. I’ll refrain from defining this as the good old days.

Nowadays there are a lot of online tutorials, online/offline and active communities, well-written books (and not only very hardcore technical books) and, last but not least, a lot of very active open-source communities building highly advanced and mature tools. The advanced tools are a double-edged sword in multiple ways. Having such advanced tools freely available (SQLMap, OWASP ZAP, OpenVAS/Nessus, Metasploit, SET; basically the whole Kali distro) lowers the level of knowledge needed to perform advanced “attacks”. This basically means everybody with some basic knowledge about computers and networks can use the tools and use them “effectively”. It doesn’t require deep SQL or application infrastructure knowledge to Google-dork a site, try the well-known ” ‘ “, capture a request with Burp, feed it to SQLMap and dump a database from a website vulnerable to SQL injection. On the other side, the same tools are enablers for more secure corporate environments. They are of tremendous help in the daily work of professional penetration testers, both for applications and infrastructure, security analysts and other people in infosec jobs. People in those jobs need to be constantly aware of the knowledge trap inherent in using these tools: the risk of becoming dependent on tools only instead of on acquired knowledge. Using tools only has the potential of ending up with a nice report without knowing, really knowing, what is in the report. Running an OpenVAS or Nessus scan and handing over a 100+ page report to your customer will not be of much value to that customer.

What is Cuckoo?

OK, that is a long enough disclaimer on using advanced tools made by the open-source infosec community. One such tool, or more precisely one such system, is Cuckoo.

What is it? In three words, Cuckoo Sandbox is a malware analysis system.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such a file did when executed inside an isolated environment.

Malware is the Swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it’s vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, for better protecting in the future.

Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.

Source: https://cuckoosandbox.org/

General Cuckoo Setup

I’m not going to give an extensive overview of how Cuckoo works. If you want a more detailed overview a good start would be the main Cuckoo page.

The basic setup I use consists of Ubuntu 16.0.4.1 LTS with all Cuckoo requirements installed, including MongoDB, Python 2.7 and VirtualBox. MongoDB is needed if you want to run the Django-based web interface, and VirtualBox is of course needed to have a virtual environment in which to run the sandboxed clients. A good start to get your setup going is the host requirements page: http://docs.cuckoosandbox.org/en/latest/installation/host/requirements/

I have a Windows 7 image (64-bit) running on VirtualBox, network in host-only mode, with Python 2.7 (completely) installed, the Cuckoo agent in the startup folder and the Python Imaging Library (1.1.7) for Windows installed. The latter is needed for the screenshots which are made during a malware run on the client. What I also installed (on the host) are Tesseract and Suricata. The first is for the screenshots (in combination with the Python Imaging Library on the client); the latter is a free and open source, mature, fast and robust network threat detection engine. Cuckoo sends the captured network traffic (pcap) to the Suricata engine for analysis against the available rules.

iptables is adjusted to route traffic from the host-only network to the internet and back. I do not use NAT or bridged mode.

So basically I’m running all components on one host. I did not dive into the scaling options but I’m sure you can split the components (reporting, core, db) the way you want depending on your needs. Also different kinds of virtualization software are supported.

The Nemucod sample

In figuring out the exact workings of the Nemucod sample in my spam, I struggled with the obfuscation used by the author to make the sample very difficult to read. Probably the more samples you see, the easier it gets to immediately see the structure and the methods used. There are no easy-to-read strings, so you cannot see which websites the sample contacts or what exactly is going on. The author of this sample calls it the Maze (Maze.shuffle). Some part of the sample is also base64 encoded.

I have mailed Kahu Security about the sample and probably he is going to have a more detailed blog post about the sample.

So aside from throwing the Nemucod sample into the Cuckoo black box, I also have a printed version to learn from. A good book making this task easier is “Practical Malware Analysis” by Michael Sikorski and Andrew Honig.

Some sample code:

var efioppocsonny5jjik = "QURPREIuU3RyZWFt".efioppocAIRJORDAN(); 
 
var efioppocsonny5VARDOCF ="JVRFTRUCHIDOVAlRUCHIDO".efioppocAIRJORDAN(); 
String.prototype.efioppocsonny5center2 = function () { 
 var efioppoc44_H11_L22 = { 
 efioppocSUyaWON: this 
 }; 
 efioppoc44_H11_L22.efioppocsonny5VARDOCE = efioppoc44_H11_L22.efioppocSUyaWON["c3VRUCHIDOic3RyRUCHIDOaW5RUCHIDOn".efioppocAIRJORDAN()](efioppocsonny5DRUZA, efioppocsonny5chosen); 
 return efioppoc44_H11_L22.efioppocsonny5VARDOCE; 
}; 
var efioppocsonny5sirdallos ="RUCHIDORXhwYW5RUCHIDOkRW52aXRUCHIDOJvbm1lbnRTdHJRUCHIDOpbmdz".efioppocAIRJORDAN(); 
var efioppocsonny5Native = function(options){
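As an added illustration (not code from the original post or from the sample itself), here is a small decoder for the string obfuscation visible above. It assumes, from the quoted literals alone, that the sample's `efioppocAIRJORDAN` strips the filler token `RUCHIDO` and base64-decodes what remains; the function and constant names are mine, and the script body is never executed, only rewritten.

```javascript
// Added example (not from the original post or the Nemucod sample):
// a defender-side decoder for the string obfuscation quoted above.
// Assumption drawn only from the visible literals: the sample's
// String.prototype.efioppocAIRJORDAN strips the filler token "RUCHIDO"
// and base64-decodes what remains.
const JUNK_TOKEN = "RUCHIDO"; // inferred filler inserted into the base64 text

function decodeMazeString(encoded) {
  // Remove every occurrence of the filler, then check the remainder is
  // well-formed base64 before decoding (garbage in should fail loudly).
  const cleaned = encoded.split(JUNK_TOKEN).join("");
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(cleaned) || cleaned.length % 4 === 1) {
    throw new Error(`not base64 after stripping filler: ${encoded}`);
  }
  // latin1 keeps a 1:1 byte-to-char mapping, so non-ASCII payload bytes survive.
  return Buffer.from(cleaned, "base64").toString("latin1");
}

// The obfuscated literals quoted from the sample in the post above.
const SAMPLE_STRINGS = [
  "QURPREIuU3RyZWFt",
  "JVRFTRUCHIDOVAlRUCHIDO",
  "c3VRUCHIDOic3RyRUCHIDOaW5RUCHIDOn",
  "RUCHIDORXhwYW5RUCHIDOkRW52aXRUCHIDOJvbm1lbnRTdHJRUCHIDOpbmdz",
];

// Map each obfuscated literal to its readable form.
function decodeSampleStrings(strings = SAMPLE_STRINGS) {
  const out = {};
  for (const s of strings) out[s] = decodeMazeString(s);
  return out;
}

// Rewrite every "<literal>".efioppocAIRJORDAN() call in a script body to the
// decoded string literal, so the "Maze" can be read statically, never executed.
function deobfuscateScript(source) {
  return source.replace(
    /"([A-Za-z0-9+/=]+)"\.efioppocAIRJORDAN\(\)/g,
    (_, literal) => JSON.stringify(decodeMazeString(literal))
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeSampleStrings());
}
```

Run with Node; the four literals above decode to the script-host identifiers and environment variable the downloader relies on, which is the first thing to look for before the sample ever reaches the sandbox.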

I have submitted the sample using the submit option on the local website (which runs by default on http://127.0.0.1:8000/). Cuckoo automatically restores a predefined snapshot, starts the client (Windows 7 machine), uploads the sample to the local machine and subsequently runs it using the configured settings. Data from the analysis (screenshots, network captures and much more) is sent to the host and the client is shut down again. One important setting is whether to make use of the so-called “dirty line”. This is the internet connection. You can run a sample without it being able to reach the outside world. In my case I want to enable the sample to reach out to the internet because I want to know what kind of data is fetched and from which locations. Be careful with this; you don’t want to end up looking at a web page with a timer and instructions on how to pay in bitcoins to decrypt your files again.

Cuckoo output of Nemucod sample

In the screenshot below you see a part of the summary page which is generated by the reporting server. There is just too much information in there to cover everything in a short blog post. And I did not even enable all possible reports or auxiliary options.

Cuckoo Analysis

  1. Behavioural Analysis -> here you find, as the name says, a detailed analysis of the behavior of the sample when run on the client machine (in my case Windows 7 64-bit).
  2. Network Analysis -> here you find information about contacted hosts, DNS queries made, TCP packets sent, UDP packets sent, HTTP/HTTPS requests made, ICMP traffic, IRC traffic, Suricata analysis, and if you use Snort, some output from Snort.
  3. Dropped files -> this will show the files which were downloaded by the sample.
  4. Process memory -> you can disable this if you want. It will give a lot of information which is found in memory. The default list worries me a bit 🙂 Just take a look at it after submitting a benign file such as notepad.exe to Cuckoo.

About Nemucod

In the previous screenshot (5) you see the hashes calculated for this sample:

SHA256: 2d188dc6d2890ec1f33bb806382b377190a73492daea4ac1d643f949d878ad8c and others.

You can use the hash to see if this sample was already analyzed by somebody else and which anti-virus vendors recognize the sample. The best site to go to is VirusTotal.

This sample, with this specific hash, has a detection ratio of 24/54. From the results you can see that the sample is a branch of other malware. This specific sample has a jobid named “uDvjhoi”. Probably the jobid is linked to a specific payload with specific actions. So the sample acts as an agent, much like an SCCM agent, waiting for jobs to execute.

Cuckoo Websites

In the second part of the summary you can quickly see which websites are approached by the sample. You see 4 requests, of which only 1, drsearscoach.com, was successful. 3 of the sites have been notified and took countermeasures.

The keygame.com website gives the following error upon receiving the GET request:

buffer: <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don’t have permission to access /g7fb6v on this server.<br /> </p> <p>Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html>
request_handle: 0x0000000000cc0014

The naturesagro.com website gives the following error upon receiving the GET request:

<b>Important note for site admins: </b>If you are the administrator of this website note that your access has been limited because you broke one of the Wordfence firewall rules. The reason your access was limited is: <b>”Access from your area has been temporarily limited for security reasons”</b>. <br /><br /> If this is a false positive, meaning that your access to your own site has been limited incorrectly, then you will need to regain access to your site, go to the Wordfence “options” pa

The kv6j.net website gives the following error upon receiving the GET request:
00000000: 4854 5450 2f31 2e31 2034 3033 2046 6f72 HTTP/1.1.403.For
00000010: 6269 6464 656e 0d0a 4461 7465 3a20 5765 bidden..Date:.We
00000020: 642c 2031 3920 4f63 7420 3230 3136 2031 d,.19.Oct.2016.1
00000030: 383a 3330 3a35 3820 474d 540d 0a53 6572 8:30:58.GMT..Ser
00000040: 7665 723a 2041 7061 6368 650d 0a43 6f6e ver:.Apache..Con

In the screenshot below you see that more DNS queries have been made. veddanagor.net, stenokeud.org and oofyming.com have been taken offline, so no response was seen. msftncsi.com is used by Windows 7 to do some network checks.

Cuckoo DNS

Below you see some information about the two files downloaded by the sample. One thing I need to find out is if it’s possible with Cuckoo to also run these files, or to give the downloader the opportunity to process the downloaded files. Both files will be processed to become executable files. Malware tries to trick IDS/IPS systems by downloading normal-looking data instead of data which triggers those systems and blocks the download (such as .exe files). Once downloaded, the data is processed, resulting in a file that can be run in Windows (this sample).

Cuckoo Malware

The screenshots for this sample are not that interesting. They show just a boring Windows 7 desktop. No action going on.

There is really much, much more to say about Cuckoo and this sample. Cuckoo is a perfect framework or system that allows you to analyze malware. It’s a good first step to see what happened during a security incident. You take the sample, feed it to Cuckoo, and see what actions were performed by that specific sample. Did it spread to other servers? What was downloaded? Who is in control of the malware? Which actions were performed on the local server? It will give you a lot of information which you can use to adjust your security policy (on paper and in practice) and which you can use to respond to a security incident (block traffic/IPs/websites, blacklist certain files from running with policies, ...).

Needless to say, setting up a Cuckoo Sandbox in a corporate environment needs to be implemented very carefully and not on a Monday morning. One can always go to malwr.com and use the online version of Cuckoo. It has the disadvantage that it does not resemble the corporate setup, but of course the advantage of having 0 risk of infecting yourself. (The site seems to have had some difficulties in the last 24 hours.)

Please leave some comments if you have questions. The above was not meant to be a complete overview of Cuckoo nor an in depth, annotated analysis of Nemucod.
