dynmx (spoken dynamics) is a signature-based detection approach for behavioural malware features based on Windows API call sequences. In a simplified way, you can think of dynmx as a sort of YARA for API call traces (so-called function logs) originating from malware sandboxes. Hence, the data basis for the detection approach is not the malware samples themselves, which are analyzed statically, but the data that is generated during a dynamic analysis of the malware sample in a malware sandbox. Currently, dynmx supports function logs of the following malware sandboxes:
- VMRay (function log, text-based and XML format)
- CAPEv2 (report.json file)
- Cuckoo (report.json file)
The detection approach is described in detail in the master's thesis Signature-Based Detection of Behavioural Malware Features with Windows API Calls. This project is the prototype implementation of this approach and was developed in the course of the master's thesis. The signatures are manually defined by malware analysts in the dynmx signature DSL and can be detected in function logs with the help of this tool. Features and syntax of the dynmx signature DSL can also be found in the master's thesis. Furthermore, you can find sample dynmx signatures in the repository dynmx-signatures. In addition to detecting malware features based on API calls, dynmx can extract the OS resources that are used by the malware (a so-called Access Activity Model). These resources are extracted by analyzing the API calls and reconstructing the operations performed on OS resources. Currently, OS resources of the categories filesystem, registry and network are considered in the model.
Example
In the following section, examples are shown for the detection of malware features and for the extraction of resources.
Detection
For this example, we choose the malware sample with the SHA-256 hash sum c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3. According to MalwareBazaar, the sample belongs to the malware family Amadey. There is a public VMRay analysis report of this sample available which also provides the function log traced by VMRay. This function log will be the data basis we use for the detection.
If we want to know whether the malware sample uses the injection technique called Process Hollowing, we can try to detect the following dynmx signature in the function log.
```yaml
dynmx_signature:
  meta:
    name: process_hollow
    title: Process Hollowing
    description: Detection of Process hollowing malware feature
  detection:
    proc_hollow:
      # Create legit process in suspended mode
      - api_call: ["CreateProcess[AW]", "CreateProcessInternal[AW]"]
        with:
          - argument: "dwCreationFlags"
            operation: "flag is set"
            value: 0x4
          - return_value: "return"
            operation: "is not"
            value: 0
        store:
          - name: "hProcess"
            as: "proc_handle"
          - name: "hThread"
            as: "thread_handle"
      # Injection of malicious code into memory of previously created process
      - variant:
        - path:
          # Allocate memory with read, write, execute permission
          - api_call: ["VirtualAllocEx", "VirtualAlloc", "(Nt|Zw)AllocateVirtualMemory"]
            with:
              - argument: ["hProcess", "ProcessHandle"]
                operation: "is"
                value: "$(proc_handle)"
              - argument: ["flProtect", "Protect"]
                operation: "is"
                value: 0x40
          - api_call: ["WriteProcessMemory"]
            with:
              - argument: "hProcess"
                operation: "is"
                value: "$(proc_handle)"
          - api_call: ["SetThreadContext", "(Nt|Zw)SetContextThread"]
            with:
              - argument: "hThread"
                operation: "is"
                value: "$(thread_handle)"
        - path:
          # Map memory section with read, write, execute permission
          - api_call: "(Nt|Zw)MapViewOfSection"
            with:
              - argument: "ProcessHandle"
                operation: "is"
                value: "$(proc_handle)"
              - argument: "AccessProtection"
                operation: "is"
                value: 0x40
      # Resume thread to run injected malicious code
      - api_call: ["ResumeThread", "(Nt|Zw)ResumeThread"]
        with:
          - argument: ["hThread", "ThreadHandle"]
            operation: "is"
            value: "$(thread_handle)"
  condition: proc_hollow as sequence
```
Based on the signature, we can identify some DSL features that make dynmx powerful:
- Definition of API call sequences with alternative paths
- Matching of API call function names with regular expressions
- Matching of argument and return values with several operators
- Storage of variables, e.g. in order to track handles across the API call sequence
- Definition of a detection condition with boolean operators (AND, OR, NOT)
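To make the matching semantics concrete, here is a small Python re-implementation of the subset of the DSL the signature above uses: API-name regular expressions, the operators `is`, `is not` and `flag is set`, `store` with `$(var)` handle tracking, `variant`/`path` alternatives and a `... as sequence` condition. It is example code added for this page, not dynmx's own matcher; it runs over constructed function-log records rather than a sandbox log, and the record layout plus the assumption that unrelated calls may occur between the steps of a sequence are mine.

```python
import re

# Constructed function-log excerpts (not real sandbox output). Each record holds the traced
# API name, its arguments, the return value and the out-parameters it produced.
def _call(api, args, ret, out=None):
    return {"api": api, "args": args, "ret": ret, "out": out or {}}

FLOG_VALLOC = [  # classic VirtualAllocEx / WriteProcessMemory / SetThreadContext path
    _call("CreateProcessA", {"lpApplicationName": "svchost.exe", "dwCreationFlags": 0x4}, 1,
          {"hProcess": 0x1a4, "hThread": 0x1a8}),
    _call("GetThreadContext", {"hThread": 0x1a8}, 1),  # unrelated call between the steps
    _call("VirtualAllocEx", {"hProcess": 0x1a4, "flProtect": 0x40}, 0x400000),
    _call("WriteProcessMemory", {"hProcess": 0x1a4}, 1),
    _call("SetThreadContext", {"hThread": 0x1a8}, 1),
    _call("ResumeThread", {"hThread": 0x1a8}, 0),
]
FLOG_MAPVIEW = [  # section-mapping path through the native API
    _call("CreateProcessW", {"lpApplicationName": "svchost.exe", "dwCreationFlags": 0x4}, 1,
          {"hProcess": 0x1a4, "hThread": 0x1a8}),
    _call("NtMapViewOfSection", {"ProcessHandle": 0x1a4, "AccessProtection": 0x40}, 0),
    _call("NtResumeThread", {"ThreadHandle": 0x1a8}, 0),
]
# As FLOG_VALLOC, but the memory write targets a handle other than the suspended process
FLOG_OTHER_HANDLE = [dict(c, args=dict(c["args"], hProcess=0x2b0)) if c["api"] == "WriteProcessMemory"
                     else c for c in FLOG_VALLOC]

# The process_hollow signature from the README, as the structure PyYAML would load it into
SIG = {"detection": {"proc_hollow": [
    {"api_call": ["CreateProcess[AW]", "CreateProcessInternal[AW]"],
     "with": [{"argument": "dwCreationFlags", "operation": "flag is set", "value": 0x4},
              {"return_value": "return", "operation": "is not", "value": 0}],
     "store": [{"name": "hProcess", "as": "proc_handle"}, {"name": "hThread", "as": "thread_handle"}]},
    {"variant": [
        {"path": [
            {"api_call": ["VirtualAllocEx", "VirtualAlloc", "(Nt|Zw)AllocateVirtualMemory"],
             "with": [{"argument": ["hProcess", "ProcessHandle"], "operation": "is", "value": "$(proc_handle)"},
                      {"argument": ["flProtect", "Protect"], "operation": "is", "value": 0x40}]},
            {"api_call": ["WriteProcessMemory"],
             "with": [{"argument": "hProcess", "operation": "is", "value": "$(proc_handle)"}]},
            {"api_call": ["SetThreadContext", "(Nt|Zw)SetContextThread"],
             "with": [{"argument": "hThread", "operation": "is", "value": "$(thread_handle)"}]}]},
        {"path": [
            {"api_call": "(Nt|Zw)MapViewOfSection",
             "with": [{"argument": "ProcessHandle", "operation": "is", "value": "$(proc_handle)"},
                      {"argument": "AccessProtection", "operation": "is", "value": 0x40}]}]}]},
    {"api_call": ["ResumeThread", "(Nt|Zw)ResumeThread"],
     "with": [{"argument": ["hThread", "ThreadHandle"], "operation": "is", "value": "$(thread_handle)"}]},
]}, "condition": "proc_hollow as sequence"}


def cond_holds(call, cond, env):
    """Evaluate one `with` entry (is / is not / flag is set) on an argument or the return value."""
    want = cond["value"]
    if isinstance(want, str) and want.startswith("$(") and want.endswith(")"):
        want = env.get(want[2:-1])  # "$(name)" refers to a stored variable
    if "return_value" in cond:
        have = call["ret"]
    else:  # the argument may be one name or a list of alternative names (API variants)
        names = [cond["argument"]] if isinstance(cond["argument"], str) else cond["argument"]
        present = [n for n in names if n in call["args"]]
        if not present:
            return False
        have = call["args"][present[0]]
    op = cond["operation"]
    if op == "is":
        return have == want
    if op == "is not":
        return have != want
    if op == "flag is set":
        return isinstance(have, int) and (have & want) == want
    raise ValueError(f"unsupported operation {op!r}")


def call_matches(call, step, env):
    """True if the API name matches one of the step's regexes and every `with` condition holds."""
    pats = [step["api_call"]] if isinstance(step["api_call"], str) else step["api_call"]
    return any(re.fullmatch(p, call["api"]) for p in pats) and all(
        cond_holds(call, c, env) for c in step.get("with", []))


def match_sequence(steps, flog, start, env):
    """Find `steps` in order from index `start` (gaps allowed, my assumption); returns
    (matched indices, variables) or None. A `variant` succeeds if any `path` plus the rest matches."""
    if not steps:
        return [], env
    head, rest = steps[0], steps[1:]
    if "variant" in head:
        for alt in head["variant"]:
            found = match_sequence(alt["path"] + rest, flog, start, env)
            if found:
                return found
        return None
    for i in range(start, len(flog)):
        if not call_matches(flog[i], head, env):
            continue
        new_env = dict(env)  # `store` binds out-parameters (or arguments) to variables
        for s in head.get("store", []):
            new_env[s["as"]] = flog[i]["out"].get(s["name"], flog[i]["args"].get(s["name"]))
        found = match_sequence(rest, flog, i + 1, new_env)
        if found:
            return [i] + found[0], found[1]
    return None


def detect(signature, flog):
    """Evaluate a condition of the form '<block> as sequence'; return the matched API names."""
    block = signature["condition"].split(" as sequence")[0].strip()
    found = match_sequence(signature["detection"][block], flog, 0, {})
    return [flog[i]["api"] for i in found[0]] if found else []


if __name__ == "__main__":
    for name, flog in [("VALLOC", FLOG_VALLOC), ("MAPVIEW", FLOG_MAPVIEW), ("OTHER", FLOG_OTHER_HANDLE)]:
        print(name, "->", detect(SIG, flog) or "no match")
```

The third log shows why the stored handle matters: the same five API names appear, but because `WriteProcessMemory` targets a handle other than the one stored from `CreateProcessA`, the sequence does not match, which keeps a signature like this from firing on unrelated allocation and write activity.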
If we run dynmx with the signature shown above against the function log of the sample c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3, we get the following output indicating that the signature was detected.
```
$ python3 dynmx.py detect -i 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json -s process_hollow.yml
[dynmx ASCII-art banner]
Ver. 0.5 (PoC), by 0x534a

[+] Parsing 1 function log(s)
[+] Loaded 1 dynmx signature(s)
[+] Starting detection process with 1 worker(s). This probably takes some time...
[+] Result
process_hollow    c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3.txt
```
We can get more detail by setting the output format to detail. Now we can see the exact API call sequence that was detected in the function log. Furthermore, we can see that the signature was detected in the process 51f0.exe.
```
$ python3 dynmx.py -f detail detect -i 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json -s process_hollow.yml
[dynmx ASCII-art banner]
Ver. 0.5 (PoC), by 0x534a

[+] Parsing 1 function log(s)
[+] Loaded 1 dynmx signature(s)
[+] Starting detection process with 1 worker(s). This probably takes some time...
[+] Result
Function log: c0832b1008aa0fc828654f9762e37bda019080cbdd92bd2453a05cfb3b79abb3.txt
    Signature: process_hollow
        Process: 51f0.exe (PID: 3768)
            Number of Findings: 1
                Finding 0
                    proc_hollow : API Call CreateProcessA (Function log line 20560, index 938)
                    proc_hollow : API Call VirtualAllocEx (Function log line 20566, index 944)
                    proc_hollow : API Call WriteProcessMemory (Function log line 20573, index 951)
                    proc_hollow : API Call SetThreadContext (Function log line 20574, index 952)
                    proc_hollow : API Call ResumeThread (Function log line 20575, index 953)
```
Resources
In order to extract the accessed OS resources from a function log, we can simply run the dynmx command resources against the function log. An example of the detailed output is shown below for the sample with the SHA-256 hash sum 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9. This is a CAPE sandbox report which is part of the Avast-CTU Public CAPEv2 Dataset.
```
$ python3 dynmx.py -f detail resources --input 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json
[dynmx ASCII-art banner]
Ver. 0.5 (PoC), by 0x534a

[+] Parsing 1 function log(s)
[+] Processing function log(s) with the command 'resources'...
[+] Result
Function log: 601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json (/Users/sijansen/Documents/dev/dynmx_flogs/cape/Public_Avast_CTU_CAPEv2_Dataset_Full/extracted/601941f00b194587c9e57c5fabaf1ef11596179bea007df9bdcdaa10f162cac9.json)
    Process: 601941F00B194587C9E5.exe (PID: 2008)
        Filesystem:
            C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)
            API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)
            C:\Windows\SysWOW64\ntdll.dll (READ)
            USER32.dll (EXECUTE)
            KERNEL32.dll (EXECUTE)
            C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)
        Registry:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck (READ)
            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (READ)
            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only (READ)
    Process: 601941F00B194587C9E5.exe (PID: 1800)
        Filesystem:
            C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)
            API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)
            C:\Windows\SysWOW64\ntdll.dll (READ)
            USER32.dll (EXECUTE)
            KERNEL32.dll (EXECUTE)
            [...]
            C:\Users\comp\AppData\Local\vscmouse (READ)
            C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe:Zone.Identifier (DELETE)
        Registry:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)
            [...]
    Process: vscmouse.exe (PID: 900)
        Filesystem:
            C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)
            API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)
            C:\Windows\SysWOW64\ntdll.dll (READ)
            USER32.dll (EXECUTE)
            KERNEL32.dll (EXECUTE)
            C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)
        Registry:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DevicePath (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck (READ)
            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (READ)
            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only (READ)
    Process: vscmouse.exe (PID: 3036)
        Filesystem:
            C:\Windows\SysWOW64\en-US\SETUPAPI.dll.mui (CREATE)
            API-MS-Win-Core-LocalRegistry-L1-1-0.dll (EXECUTE)
            C:\Windows\SysWOW64\ntdll.dll (READ)
            USER32.dll (EXECUTE)
            KERNEL32.dll (EXECUTE)
            C:\Windows\Globalization\Sorting\sortdefault.nls (CREATE)
            C:\ (READ)
            C:\Windows\System32\uxtheme.dll (EXECUTE)
            dwmapi.dll (EXECUTE)
            advapi32.dll (EXECUTE)
            shell32.dll (EXECUTE)
            C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe (CREATE,READ)
            C:\Users\comp\AppData\Local\iproppass\iproppass.exe (DELETE)
            crypt32.dll (EXECUTE)
            urlmon.dll (EXECUTE)
            userenv.dll (EXECUTE)
            wininet.dll (EXECUTE)
            wtsapi32.dll (EXECUTE)
            CRYPTSP.dll (EXECUTE)
            CRYPTBASE.dll (EXECUTE)
            ole32.dll (EXECUTE)
            OLEAUT32.dll (EXECUTE)
            C:\Windows\SysWOW64\oleaut32.dll (EXECUTE)
            IPHLPAPI.DLL (EXECUTE)
            DHCPCSVC.DLL (EXECUTE)
            C:\Users\comp\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk (CREATE)
            C:\Users\comp\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk (CREATE,READ)
        Registry:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT (READ)
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup (READ)
            [...]
        Network:
            24.151.31.150:465 (READ)
            http://24.151.31.150:465 (READ,WRITE)
            107.10.49.252:80 (READ)
            http://107.10.49.252:80 (READ,WRITE)
```
Based on the shown output and the accessed resources, we can deduce some malware features:
- During the process 601941F00B194587C9E5.exe (PID 1800), the Zone Identifier of the file C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe is deleted
- Some DLLs are loaded dynamically
- The process vscmouse.exe (PID: 3036) connects to the network endpoints http://24.151.31.150:465 and http://107.10.49.252:80
The accessed resources are useful for deriving host- and network-based detection indicators. In addition, resources can be used in dynmx signatures. A popular example is the detection of persistence mechanisms in the Registry.
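As an added illustration of how an access activity model is reconstructed from API calls, the following Python (written for this page, not dynmx's own implementation) replays a constructed call list, remembers the key handles returned by RegOpenKeyEx so that later RegSetValueEx and RegQueryValueEx calls resolve to a full key path, tracks sockets from connect to send/recv the same way, and ends with the persistence check the paragraph mentions: registry values written under a Run or RunOnce key. The API-to-operation mapping and the handle constants are my simplifications; the 203.0.113.10 endpoint is a documentation address chosen for the example.

```python
import re
from collections import defaultdict

# Handle constants and flags used by the simplified API-to-operation mapping below
ROOT_KEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
CREATE_NEW, CREATE_ALWAYS, OPEN_EXISTING = 1, 2, 3
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed function-log excerpt (not sandbox output): API name, arguments, out-parameters.
CALLS = [
    {"api": "LoadLibraryW", "args": {"lpLibFileName": "wininet.dll"}},
    {"api": "CreateFileW", "args": {"lpFileName": r"C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe",
                                    "dwDesiredAccess": GENERIC_READ | GENERIC_WRITE,
                                    "dwCreationDisposition": CREATE_ALWAYS}},
    {"api": "CreateFileW", "args": {"lpFileName": r"C:\Windows\SysWOW64\ntdll.dll",
                                    "dwDesiredAccess": GENERIC_READ, "dwCreationDisposition": OPEN_EXISTING}},
    {"api": "DeleteFileW", "args": {"lpFileName": r"C:\Users\comp\AppData\Local\vscmouse\vscmouse.exe:Zone.Identifier"}},
    {"api": "RegOpenKeyExW", "args": {"hKey": 0x80000001, "lpSubKey": r"Software\Microsoft\Windows\CurrentVersion\Run"},
     "out": {"phkResult": 0x2f0}},
    {"api": "RegSetValueExW", "args": {"hKey": 0x2f0, "lpValueName": "vscmouse"}},
    {"api": "RegOpenKeyExW", "args": {"hKey": 0x80000002, "lpSubKey": r"Software\Microsoft\Windows\CurrentVersion"},
     "out": {"phkResult": 0x2f4}},
    {"api": "RegQueryValueExW", "args": {"hKey": 0x2f4, "lpValueName": "DevicePath"}},
    {"api": "connect", "args": {"s": 0x134, "name": "203.0.113.10:80"}},
    {"api": "send", "args": {"s": 0x134}},
    {"api": "recv", "args": {"s": 0x134}},
]


def build_model(calls):
    """Replay the calls and return {category: {resource: sorted list of operations}}.

    Key handles returned by RegOpenKeyEx/RegCreateKeyEx are remembered so that later value
    operations resolve to a full key path; sockets are resolved from connect to send/recv."""
    model = {"filesystem": defaultdict(set), "registry": defaultdict(set), "network": defaultdict(set)}
    key_paths = dict(ROOT_KEYS)  # key handle -> full key path (pre-seeded with the root keys)
    sockets = {}                 # socket handle -> "ip:port"
    for call in calls:
        api, a, out = call["api"], call["args"], call.get("out", {})
        if api in ("LoadLibraryA", "LoadLibraryW"):
            model["filesystem"][a["lpLibFileName"]].add("EXECUTE")
        elif api in ("CreateFileA", "CreateFileW"):
            ops = model["filesystem"][a["lpFileName"]]
            if a["dwCreationDisposition"] in (CREATE_NEW, CREATE_ALWAYS):
                ops.add("CREATE")
            if a["dwDesiredAccess"] & GENERIC_READ:
                ops.add("READ")
            if a["dwDesiredAccess"] & GENERIC_WRITE:
                ops.add("WRITE")
        elif api in ("DeleteFileA", "DeleteFileW"):
            model["filesystem"][a["lpFileName"]].add("DELETE")
        elif api in ("RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW"):
            path = key_paths[a["hKey"]] + "\\" + a["lpSubKey"]
            model["registry"][path].add("CREATE" if api.startswith("RegCreate") else "READ")
            key_paths[out["phkResult"]] = path  # later calls refer to this key only by handle
        elif api in ("RegSetValueExA", "RegSetValueExW"):
            model["registry"][key_paths[a["hKey"]] + "\\" + a["lpValueName"]].add("WRITE")
        elif api in ("RegQueryValueExA", "RegQueryValueExW"):
            model["registry"][key_paths[a["hKey"]] + "\\" + a["lpValueName"]].add("READ")
        elif api == "connect":
            sockets[a["s"]] = a["name"]
        elif api in ("send", "recv"):
            model["network"][sockets[a["s"]]].add("WRITE" if api == "send" else "READ")
    return {cat: {res: sorted(ops) for res, ops in sorted(entries.items())}
            for cat, entries in model.items()}


def find_registry_persistence(model):
    """Registry values written below a Run/RunOnce key: a simple persistence indicator."""
    return [res for res, ops in model["registry"].items()
            if "WRITE" in ops and RUN_KEY_RE.search(res)]


if __name__ == "__main__":
    m = build_model(CALLS)
    for cat, entries in m.items():
        print(cat + ":")
        for res, ops in entries.items():
            print(f"    {res} ({','.join(ops)})")
    print("persistence:", find_registry_persistence(m))
```

The handle bookkeeping is what makes the registry output readable: without it, `RegSetValueExW` only shows an opaque handle value, and the Run-key write could not be attributed to a key path. A fuller model would also have to forget a handle once `CloseHandle`/`RegCloseKey` releases it, since Windows reuses handle values.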
In order to use the software, Python 3.9 must be available on the target system. In addition, the following Python packages must be installed: anytree, lxml, pyparsing, PyYAML, six and stringcase.
To install the packages, run the pip3 command shown below. It is recommended to use a Python virtual environment instead of installing the packages system-wide.
```
pip3 install -r requirements.txt
```
Usage
To use the prototype, simply run the main entry point dynmx.py. The usage information can be viewed with the -h command line parameter as shown below.
```
$ python3 dynmx.py -h
usage: dynmx.py [-h] [--format {overview,detail}] [--show-log] [--log LOG] [--log-level {debug,info,error}] [--worker N] {detect,check,convert,stats,resources} ...

Detect dynmx signatures in dynamic program execution information (function logs)

optional arguments:
  -h, --help            show this help message and exit
  --format {overview,detail}, -f {overview,detail}
                        Output format
  --show-log            Show all log output on stdout
  --log LOG, -l LOG     log file
  --log-level {debug,info,error}
                        Log level (default: info)
  --worker N, -w N      Number of workers to spawn (default: number of processors - 2)

sub-commands:
  task to perform

  {detect,check,convert,stats,resources}
    detect              Detects a dynmx signature
    check               Checks the syntax of dynmx signature(s)
    convert             Converts function logs to the dynmx generic function log format
    stats               Statistics of function logs
    resources           Resource activity derived from function log
```
In general, as shown in the output, several command line parameters regarding log handling, the output format for results and multiprocessing can be defined. Furthermore, a command needs to be chosen to run a specific task. Please note that the number of workers only has an effect on commands that make use of multiprocessing. Currently, these are the commands detect and convert.
The commands have specific command line parameters that can be explored by passing the parameter -h to the command, e.g. for the detect command as shown below.
```
$ python3 dynmx.py detect -h
usage: dynmx.py detect [-h] --sig SIG [SIG ...] --input INPUT [INPUT ...] [--recursive] [--json-result JSON_RESULT] [--runtime-result RUNTIME_RESULT] [--detect-all]

optional arguments:
  -h, --help            show this help message and exit
  --recursive, -r       Search for input files recursively
  --json-result JSON_RESULT
                        JSON formatted result file
  --runtime-result RUNTIME_RESULT
                        Runtime statistics file formatted in CSV
  --detect-all          Detect signature in all processes and do not stop after the first detection

required arguments:
  --sig SIG [SIG ...], -s SIG [SIG ...]
                        dynmx signature(s) to detect
  --input INPUT [INPUT ...], -i INPUT [INPUT ...]
                        Input files
```
As a user of dynmx, you can decide how the output is structured. If you choose to show the log on the console by passing the parameter --show-log, the output consists of two sections (see the listing below). The log is shown first, followed by the results of the chosen command. By default, the log is neither shown on the console nor written to a log file (which can be defined using the --log parameter). Due to multiprocessing, the entries in the log file are not necessarily in chronological order.
```
[dynmx ASCII-art banner]
Ver. 0.5 (PoC), by 0x534a

[+] Log output
2023-06-27 19:07:38,068+0000 [INFO] (__main__) [PID: 13315] []: Start of dynmx run
[...]
[+] End of log output

[+] Result
[...]
```
The level of detail of the result output can be defined using the command line parameter --output-format (listed as --format / -f in the help output above), which can be set to overview for a high-level result or to detail for a detailed result. For instance, if you set the output format to detail, detection results shown on the console will contain the exact API calls and resources that triggered the detection. The overview output format will only indicate which signature was detected in which function log.
Example Command Lines
Detection of a dynmx signature in a function log with one worker process
```
python3 dynmx.py -w 1 detect -i "flog.txt" -s dynmx_signature.yml
```
Conversion of a function log to the dynmx generic function log format
```
python3 dynmx.py convert -i "flog.txt" -o /tmp/
```
Check a signature (only basic sanity checks)
```
python3 dynmx.py check -s dynmx_signature.yml
```
Get a detailed list of the resources used by a malware sample based on its function log (access activity model)
```
python3 dynmx.py -f detail resources -i "flog.txt"
```
Troubleshooting
Please consider that this tool is a proof-of-concept which was developed alongside the master's thesis. Hence, the code quality is not always the best and there may be bugs and errors. I tried to make the tool as robust as possible in the given timeframe.
The best way to troubleshoot errors is to enable logging (on the console and/or to a log file) and set the log level to debug. Exception handlers should write detailed errors to the log, which can help with troubleshooting.