5. Basic Dynamic Analysis 5.基本动态分析

Task 1. Basic Static Analysis任务1.基本静态分析

Using PEview使用PEview

Open Lab03-01.exe in PEview.在PEview中打开Lab03-01.exe。 As shown below, the only DLL imported is kernel32.dll, and the only function imported is ExitProcess.如下所示，导入的唯一DLL是kernel32.dll，导入的唯一函数是ExitProcess。 That doesn't tell us much--perhaps this malware is packed and the real imports will come at runtime.这并没有告诉我们很多 - 也许这种恶意软件是封装的，真正的进口产品将在运行时发布。

Using Strings使用字符串

Examine the strings in Lab03-01.exe and find these items, as shown below.检查Lab03-01.exe中的字符串并找到这些项目，如下所示。

SOFTWARE\Classes\http\shell\open\commandV -- A registry location SOFTWARE \ Classes \ http \ shell \ open \ commandV - 注册表位置
www.practicalmalwareanalysis.com -- a URL www.practicalmalwareanalysis.com - 一个URL
VideoDriver VideoDriver

These readable strings are surprising--if the malware were packed, the strings would not be readable.这些可读的字符串是令人惊讶的 - 如果恶意软件被打包，字符串将不可读。 Something strange is going on, and the easiest way to learn more is dynamic analysis.奇怪的事情正在发生，学习更多的最简单的方法是动态分析。

Task 2. Preparing for Dynamic Analysis任务2.准备动态分析

Dynamic analysis is simple: run monitoring tools, then run the malware, and let it have its way with our virtual machine.动态分析很简单：运行监控工具，然后运行恶意软件，并让它在我们的虚拟机中有效。 This is a sloppy technique, trusting a system that is being infected, but it usually works.这是一种马虎的技术，相信一个正在被感染的系统，但它通常起作用。

We will use these three programs to see what the malware does:我们将使用这三个程序来查看恶意软件的功能：

Process Explorer Process Explorer
Wireshark Wireshark的
Process Monitor进程监视器

Run Process Explorer运行Process Explorer

Process Explorer shows currently running processes, with far more detail than Task Manager. Process Explorer显示当前正在运行的进程，比任务管理器详细得多。 It doesn't keep a log of them, so it's harmless to leave running.它没有记录它们，所以离开运行是无害的。

Run Wireshark运行Wireshark

Start Wireshark and begin capturing packets from the interface that goes to the Internet, which is normally "Local Area Connection".启动Wireshark并开始从通往Internet的接口捕获数据包，这通常是“本地连接”。

If your virtual machine is in "NAT" networking mode, there shouldn't be a lot of traffic.如果您的虚拟机处于“NAT”联网模式，则应该不会有很多流量。

Start Process Monitor启动进程监视器

Process Monitor logs all the events in Windows Event Viewer, which will typically be hundreds of thousands of events.进程监视器记录Windows事件查看器中的所有事件，通常会有数十万事件。 Don't leave it running for too long or it will use up all the RAM and crash.不要让它跑太长时间，否则会耗尽所有内存和崩溃。

It's best to start Process Monitor last, so you can exclude all the harmless processes the other tools are using.最好先启动进程监视器，以便排除其他工具正在使用的所有无害进程。

Launch Process Monitor.启动进程监视器。 If a Security Warning box pops up, allow the software to run.如果弹出安全警告框，请运行软件。

Agree to the license.同意许可证。

You should see Process Monitor, with a lot of processes visible, as shown below:您应该看到Process Monitor，其中有很多进程可见，如下所示：

Excluding Harmless Processes排除无害过程

To make the analysis easier, we will ignore all the processes that are already running before the malware starts.为了简化分析，我们将忽略恶意软件启动之前已经运行的所有进程。

In Process Monitor, right-click the name of one of the visible processes, such as explorer.exe , and click " exclude 'lsass.exe' ", as shown below:在Process Monitor中，右键单击其中一个可见进程的名称，例如explorer.exe ，然后单击“ exclude'lsass.exe' ”，如下所示：

Right-click a remaining process, such as "lsass" and exclude it too.右键单击剩余的进程，例如“lsass”并将其排除。

Repeat the process until all current processes are hidden, as shown below.重复该过程，直到隐藏所有当前进程，如下所示。 There are a lot of processes to ignore, perhaps 20 or 30.有许多过程可以忽略，大概20或30。

Run the Lab03-01.exe File运行Lab03-01.exe文件

On your desktop, open the " Practical Malware Analysys Labs " folder.在桌面上，打开“ 实用恶意软件易观实验室 ”文件夹。 Open the " Binary Collection " and Chapter_3L folders.打开“ Binary Collection ”和Chapter_3L文件夹。 Now double-click the Lab03-01.exe File.现在双击Lab03-01.exe文件。

Viewing the Running Malware in Process Explorer在Process Explorer中查看正在运行的恶意软件

In Process Explorer, in the top pane, find Lab03-01.exe and click it.在Process Explorer中的顶部窗格中，找到Lab03-01.exe并单击它。

Troubleshooting故障排除
If the Lab03-01.exe process does not appear in Process Explorer, that probably means that the malware has already been run on this VM.如果Lab03-01.exe进程没有出现在Process Explorer中，那可能意味着恶意软件已经在该VM上运行。
To make the malware run properly again, open Process Explorer and kill the vmx32to64.exe process.要使恶意软件再次正常运行，请打开Process Explorer并终止vmx32to64.exe进程。 Then delete this file:然后删除这个文件：
C:\Windows\System32\vmx32to64.exe C：\ WINDOWS \ SYSTEM32 \ vmx32to64.exe

In Process Explorer, click View , " Lower Pane View ", Handles .在Process Explorer中，单击查看，“ 下窗格视图 ”，句柄。

You see the WinVMX32 mutant, as highlighted below.您将看到WinVMX32突变体，如下所示。 A mutant, also called a mutex, is used for interprocess connunication.一个突变体，也称为互斥体，用于进程间通信。 A wonderful explantion of mutexes in terms of rubber chickens is here .关于橡胶鸡的互斥体的精彩解说在这里。

In Process Explorer, click View , " Lower Pane View ", DLLs .在Process Explorer中，单击查看，“ 下窗格视图 ”， DLL 。

Scroll to the bottom to find ws2_32.dll and WSHTCPIP.DLL , as shown below.滚动到底部以查找ws2_32.dll和WSHTCPIP.DLL ，如下所示。 This shows that the malware has networking functionality.这表明该恶意软件具有网络功能。

Viewing the Malicious Process's Events in Process Monitor在进程监视器中查看恶意进程的事件

In Process Monitor, click the magnifying glass icon on the toolbar to stop capturing events.在进程监视器中，单击工具栏上的放大镜图标以停止捕获事件。

In Process Monitor, click Filter , Filter .在进程监视器中，单击筛选器 ， 筛选器 。 Enter a Filter for " Process Name " is Lab03-01.exe , Include , as shown below.为“ 进程名称 ”输入过滤器Lab03-01.exe ，包括，如下所示。

Click Add to add the filter.点击添加以添加过滤器。

Add two more filters:再添加两个过滤器：

Operation of RegSetValue RegSetValue的 操作
Operation of WriteFile WriteFile的 操作

In the "Process Monitor Filter" box, click OK .在“进程监视器筛选器”框中，单击确定。

You end up with the two events shown below.您最终会看到下面显示的两个事件。

Double-click the event with a Path ending in vmx32to64.exe .双击带有以vmx32to64.exe结尾的路径的事件。 The Properties sheet shows that this event creates a file named vmx32to64.exe, as shown below.属性表显示此事件会创建一个名为vmx32to64.exe的文件，如下所示。

The malware wrote 7,168 bytes--the same size as Lab03-01.exe itself.该恶意软件写入7,168字节 - 与Lab03-01.exe本身大小相同。 The malware copied itself to a file named vmx32to64.exe, so that filename is a useful Indicator of Compromise.恶意软件将其自身复制到一个名为vmx32to64.exe的文件中，以便文件名是一个有用的妥协指标。

Double-click the event with a Path ending in VideoDriver .双击VideoDriver中以Path结尾的事件。

This event creates a new a Run key in the registry named "VideoDriver" with a value of "C:\WINDOWS\system32\vmx32to64.exe" -- this is a persistence mechanism, to re-launch the malware when the machine restarts.此事件在名为“VideoDriver”的注册表中创建一个新的Run key，值为“C：\ WINDOWS \ system32 \ vmx32to64.exe” - 这是一种持久性机制，可在计算机重新启动时重新启动恶意软件。

Viewing Beacons in Wireshark在Wireshark中查看信标

In the Windows machine, in Wireshark, click Capture , Stop .在Windows机器的Wireshark中，单击捕获，停止。

At the top left of the Wireshark window, in the Filter bar, type a filter of在Wireshark窗口的左上角，在过滤器栏中，输入过滤器

frame contains malware

Press Enter to see the filtered packets, as shown below.按Enter查看过滤的数据包，如下所示。

Every 30 seconds, the malware performs a DNS lookup for the domain "www.practicalmalwaresnalysis.com".每隔30秒，恶意软件会为域名“www.practicalmalwaresnalysis.com”执行DNS查找。

Click the line showing the first DNS request for www.practicalmalwareanalysis.com -- in the example above, it is packet 174.点击显示www.practicalmalwareanalysis.com的第一个DNS请求的行 - 在上面的例子中，它是包174。

In the top right of Wireshark, in the green filter bar, click the X button to clear the filter.在Wireshark的右上角，在绿色的过滤器栏中，单击X按钮清除过滤器。

The packets following the DNS request appear, as shown below.出现DNS请求后的数据包，如下所示。 Notice these items:注意这些项目：

ARP request and reply to find the MAC address of the DNS resolver (colored pale yellow) ARP请求并回复查找DNS解析器的MAC地址（浅黄色）
DNS request and reply (colored pale blue) DNS请求和回复（浅蓝色）
TCP handshake (SYN, SYN/ACK, ACK) to open port 444 (colored gray and pale pink) TCP握手（SYN，SYN / ACK，ACK）打开端口444（灰色和淡粉色）
A packet labeled "SSL Continuation Data"标有“SSL延续数据”的数据包

This is intended to fool a firewall into thinking it's HTTPS traffic, but there is no actual encryption or key exchange.这是为了让防火墙认为它是HTTPS流量，但没有真正的加密或密钥交换。 A real HTTPS connection contains many more packets, such as "Client Hello", "Server Hello", and "Change Cipher Spec".一个真正的HTTPS连接包含更多的数据包，例如“Client Hello”，“Server Hello”和“Change Cipher Spec”。

Find the SYN packet sent to the https port, which may be marked "443".查找发送到https端口的SYN数据包，该数据包可能标记为“443”。 In the example above, it is packet 176. Right-click it and click " Follow TCP Stream ".在上面的示例中，它是数据包176.右键单击它并单击“ Follow TCP Stream ”。

You see 256 bytes of random data, as shown below.您会看到256个字节的随机数据，如下所示。 These are beacons and are used by malware to notify the Command and Control server that the machine is infected and ready to use.这些是信标，被恶意软件用来通知命令和控制服务器该机器已被感染并准备使用。

Examining Saved PCAP File检查保存的PCAP文件

Download this PCAP file and open it in Wireshark:下载这个PCAP文件并在Wireshark中打开它：

pDC5.pcap pDC5.pcap

The file contains two malware beacons, as shown below.该文件包含两个恶意软件信标，如下所示。

Follow the TCP stream in the second beacon.跟随第二个信标中的TCP流。 You should see random bytes, as shown below.你应该看到随机字节，如下所示。

The last line of the beacon contains six readable characters, which are redacted in the image above.信标的最后一行包含六个可读的字符，它们在上面的图像中被编辑。

Use the form below to put your name on the WINNERS PAGE .使用下面的表格将您的姓名放在赢家页面上 。

Last Bytes (10 pts)最后字节（10分）
Your Name: 你的名字：
Last Bytes: 最后字节：

Last modified 4-19-18最后修改4-19-18