Exercise 1.7: Experimenting with Brbbot's C2 Functionality

Objectives

- Learn how to examine C2 capabilities of malware through behavioral experiments.

Preparation

1. Keep the REMnux and Windows REM Workstation virtual machines running after you've completed the previous exercises. No need to revert their state.
2. Confirm that the brbbot.exe process is not running on Windows REM Workstation. If it is, terminate it using Process Hacker.
3. On Windows REM Workstation, exit the tools you were using for examining Brbbot. Keep fakedns and the web server running on REMnux. Wireshark can remain open as well, but it should not be capturing network traffic.

Exercise Steps

1. Create the ads.php file on REMnux to issue the cexe C2 command to Brbbot.
2. Reinfect the system and examine the effect of the web server's C2 command on Brbbot.
3. Modify the ads.php file on REMnux to issue the tixe C2 command to Brbbot.

Detailed Instructions

Step 1: Create the ads.php file on REMnux to issue the cexe C2 command to Brbbot.

On REMnux, change into the /var/www directory. Then create the ads.php file by typing the following command:

    echo "cexe c:\windows\notepad.exe" > ads.php

Go to your Windows REM Workstation, open Internet Explorer and manually visit http://brb.3dtuts.by to confirm the VM can access the file you've just created. You should see ads.php in the browser's listing of files. If you get an error, confirm that both tools are running and, if necessary, validate your lab's network configuration to match the directions in Exercise 1.2. If the browser connects successfully but you don't see ads.php, confirm that you've placed the file on REMnux in the /var/www directory.

FOR610 Reverse-Engineering Malware: Lab Workbook: Section 1 © 2015 Lenny Zeltser Page 38

Step 2: Reinfect the system and examine the effect of the web server's C2 command on Brbbot.

Activate capture in Wireshark on REMnux (Ctrl+E). Then reinfect the Windows REM Workstation virtual machine with brbbot.exe.

Wireshark should show the specimen connecting to the REMnux web server. Spot the HTTP request initiated by the specimen, right-click on one of its packets and select Follow TCP Stream to examine the session's payload. You should see the web server responding to the GET request by serving the ads.php file. Allow brbbot.exe to run for a couple of minutes on Windows REM Workstation as you observe the process using Process Hacker. You should see brbbot.exe spawning notepad.exe child processes every 30 seconds.

Step 3: Modify the ads.php file on REMnux to issue the tixe C2 command to Brbbot.

While brbbot.exe continues to run on the Windows REM Workstation virtual machine, modify the ads.php file on REMnux to direct the specimen to exit. To do this, type the following command on REMnux from within the /var/www directory:

    echo tixe > ads.php

Go to the Windows REM Workstation virtual machine and observe the brbbot.exe process using Process Hacker. Within 30 seconds the brbbot.exe process should terminate.

To complete this exercise, shut down the web server on REMnux by typing the following command:

    httpd stop

Exercise 1.8: Decrypt the Alternative brbconfig.tmp File

Objectives

- Reinforce the methodology employed earlier in the course to decode protected contents with the help of a debugger.

Preparation

1. Keep the REMnux and Windows REM Workstation virtual machines running after you've completed the previous exercises. No need to revert their state.
2. Confirm that the brbbot.exe process is not running on Windows REM Workstation. If it is, terminate it using Process Hacker.
3. On Windows REM Workstation, replace the C:\Windows\system32\brbconfig.tmp file generated in earlier exercises with the file from the Malware\Day1\brbconfig.zip archive (see Book 1, page 182).

Exercise Steps

1. Load brbbot.exe into OllyDbg, remove earlier breakpoints and set a new breakpoint after the call to CryptDecrypt.
2. Run brbbot.exe within OllyDbg to trigger the breakpoint and observe the decrypted file contents.

Detailed Instructions

Step 1: Load brbbot.exe into OllyDbg, remove earlier breakpoints and set a new breakpoint after the call to CryptDecrypt.

Load brbbot.exe into OllyDbg. To start this analysis with a clean slate, remove any previously-set breakpoints by bringing up the Breakpoints window (Alt+B), then right-clicking on every breakpoint listed (if any) and selecting Delete. Close the Breakpoints window and open the Names window (Ctrl+N). Scroll down to locate ADVAPI32.CryptDecrypt. Select, then right-click on the CryptDecrypt line and select Find references.

Right-click on CryptDecrypt in the References window and select Follow in Disassembler. In the Disassembler, set a breakpoint on the instruction after that call (TEST EAX, EAX) by pressing F2 or selecting Breakpoint > Toggle.

Step 2: Run brbbot.exe within OllyDbg to trigger the breakpoint and observe the decrypted file contents.

Run brbbot.exe within OllyDbg by pressing F9 or selecting Debug > Run. The specimen will pause shortly at the breakpoint you've just defined. Once paused, glance at the Stack region in the bottom right corner of OllyDbg's CPU window and make a note of the long ASCII string stored on the stack. Its contents will start with "uri=ads.php". These appear to be the decrypted contents of the brbconfig.tmp file. The file's contents will include the new deobfuscation key 2c, which is what we pursued as the objective of this exercise.
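The two behaviours observed in Exercise 1.7, the specimen fetching ads.php from the REMnux web server roughly every 30 seconds and, once it receives "cexe", spawning notepad.exe at that same cadence, are exactly the kind of regularity a detection engineer looks for. The script below is an added example and is not part of the workbook or of Brbbot itself: it classifies a served command body as cexe/tixe, then flags periodic series in two constructed event lists modelled on what Wireshark and Process Hacker showed in the exercise. The client address 10.0.0.5, the host example.test, the timestamps and the jitter threshold are all assumptions made for the example; brb.3dtuts.by and the command names come from the exercise.

```python
# Added example (not from the FOR610 workbook): detection logic built from the
# polling and process-spawning behaviour observed in Exercise 1.7.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

BASE = datetime(2015, 1, 1, 12, 0, 0)  # arbitrary constructed start time

# (timestamp, client IP, Host header, request line) - constructed sample.
# The ads.php requests arrive every ~30 s with a little jitter; the
# example.test requests stand in for unrelated one-off browsing.
HTTP_REQUESTS = [
    (BASE + timedelta(seconds=30 * i + j), "10.0.0.5", "brb.3dtuts.by", "GET /ads.php HTTP/1.1")
    for i, j in enumerate([0, 1, 0, 2, 1, 0])
] + [
    (BASE + timedelta(seconds=17), "10.0.0.5", "example.test", "GET /index.html HTTP/1.1"),
    (BASE + timedelta(seconds=95), "10.0.0.5", "example.test", "GET /news HTTP/1.1"),
    (BASE + timedelta(seconds=240), "10.0.0.5", "example.test", "GET /about HTTP/1.1"),
]

# (timestamp, parent image, child image) - constructed process-creation events,
# mimicking brbbot.exe starting notepad.exe every 30 s as seen in Process Hacker.
PROC_EVENTS = [
    (BASE + timedelta(seconds=30 * i + 2), "brbbot.exe", "notepad.exe") for i in range(5)
] + [
    (BASE + timedelta(seconds=5), "explorer.exe", "iexplore.exe"),
    (BASE + timedelta(seconds=50), "explorer.exe", "ProcessHacker.exe"),
]

# The two commands the exercise uses: "cexe <path>" runs a program, "tixe" exits.
C2_COMMAND = re.compile(r"^(?P<verb>cexe|tixe)(?:\s+(?P<arg>.+))?$", re.IGNORECASE)
C2_ACTIONS = {"cexe": "execute process", "tixe": "terminate"}


def parse_c2_command(body: str) -> dict:
    """Classify the body served by ads.php as one of the known C2 commands."""
    m = C2_COMMAND.match(body.strip())
    if not m:
        return {"verb": None, "arg": None, "action": "unknown"}
    verb = m.group("verb").lower()
    return {"verb": verb, "arg": m.group("arg"), "action": C2_ACTIONS[verb]}


def periodic_interval(times, min_events=4, max_jitter=0.15) -> Optional[float]:
    """Mean gap in seconds if the timestamps are evenly spaced, else None.

    Jitter is the population standard deviation of the gaps divided by the
    mean gap; a sleep()-driven poll loop keeps it small. The 0.15 cut-off is
    an assumed tuning value, not one taken from the exercise.
    """
    if len(times) < min_events:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_jitter:
        return None
    return avg


def detect_http_beacons(requests, **kw):
    """Group requests by (client, host, path) and report the periodic series."""
    series = defaultdict(list)
    for ts, client, host, request_line in requests:
        path = request_line.split()[1]
        series[(client, host, path)].append(ts)
    hits = []
    for key, times in series.items():
        interval = periodic_interval(times, **kw)
        if interval is not None:
            hits.append((*key, interval))
    return hits


def detect_spawn_loops(events, **kw):
    """Report parent/child pairs where the child is spawned on a fixed cadence."""
    series = defaultdict(list)
    for ts, parent, child in events:
        series[(parent, child)].append(ts)
    hits = []
    for key, times in series.items():
        interval = periodic_interval(times, **kw)
        if interval is not None:
            hits.append((*key, interval))
    return hits


if __name__ == "__main__":
    for body in ("cexe c:\\windows\\notepad.exe", "tixe"):
        print(body, "->", parse_c2_command(body))
    print("HTTP beacons:", detect_http_beacons(HTTP_REQUESTS))
    print("Spawn loops:", detect_spawn_loops(PROC_EVENTS))
```

Run against the constructed data, the script reports one HTTP beacon (10.0.0.5 to brb.3dtuts.by for /ads.php at 30 s) and one spawn loop (brbbot.exe starting notepad.exe at 30 s), while the one-off browsing and the explorer.exe children are ignored because they never form a series. In a real lab the request tuples would come from Wireshark's conversation or HTTP export and the process tuples from Sysmon or Process Hacker, but the grouping-then-periodicity logic is the same.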
