Hello all. Welcome back to the Autist’s Guide to Malware Analysis. This week’s topic is Indicators of Compromise, also known as IOCs.
What
IOCs are identifiable pieces of information that are captured, used, or interacted with by malware. Separate from working out what the malware does and how it works, collecting IOCs is extremely important because without them you won’t understand the scale of the damage the malware has wrought.
Let’s look at it this way:
“Hey boss, I’ve reversed the sample we got from Freaky Foresters Inc. Looks like it’s a VMProtected ransomware”
“Well, what does it encrypt, and how?”
“Uhhhh”
You don’t want to be caught pretending. IOCs are an important part of your report writing process. Usually, clients will try their best to explain what happened and how it happened, but are you really gonna trust the IT knowledge of Sally from HR? Malware doesn’t lie, but people do.
IOCs include IP addresses, file hashes, imports, domain names, registry keys, file names, signatures, and more. It’s up to you to extract them.
How
Some IOCs are a given: file hashes and file names. Any PE exploring program can give you those. Strings are another, but it’s a bit harder to find the useful ones without some finesse.
If you’ve read the majority of the previous RTMA posts, you might be familiar with the analysis techniques that involve finding “clues”. These “clues” are IOCs. You should write these down as you make your report. Odds are, you won’t be able to remember all of them, so write them down! IDA even includes a built-in notes tab you can use.
Some IOCs can be acquired statically (like strings and imports), but others can only really be retrieved through dynamic analysis.
Why
IOCs are important for two main reasons:
Your Report
This one is pretty obvious. You should figure out what the heck is going on and tell the people who need to be told. If this malware sample deploys persistence techniques that weren’t mentioned in your briefing, you need to tell someone.
Prevention
Some IOCs, such as function signatures, file hashes, and strings, can be used in IDS/IPS rules to prevent future infection.
Another important reason is that you may be able to identify the creators of the malware specimen. Domain names and IP addresses/subnets shared across samples can point to the same authors and even indicate functionality.
How
Extracting IOCs is a straightforward process. If you’ve followed along in the previous RTMA posts, you’ve already been doing it. Now, you just need to separate and list them for your report.
One more thing to note: be aware of misdirection techniques. A self-defending malware specimen may feign functionality to muddy the waters of your IOC collection.
Let’s roll through some examples.
I wrote a basic HTTP program, and I need to extract the IP address(es) it uses. The thing about WinHTTP is that it requires Unicode for the majority of its functions. Fortunately, Sysinternals’ strings.exe can extract both ASCII and Unicode strings. Next, we need to figure out which strings are IP addresses, and for this we get to use regex. Regex is about as fun as surgery. PowerShell helps us out here by combining strings.exe and regex into a neat one-liner.
PS C:\dev\ioc> strings ioc.exe | select-string -pattern "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
127.0.0.1
Sometimes a PE explorer program can extract IP addresses for you, but if you have a chunk of data that gets manually mapped into a process, you won’t have a PE header to explore.
You can do the same thing with domain names (.com, .ru, .me, etc.). Once again, you get to use regex here.
strings ioc.exe | select-string -pattern "\b([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+com\b"
Sysinternals - www.sysinternals.com google.com
(Ignore the Sysinternals message)
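As an added example (not code from this post), here is the same job done in Python so it runs without strings.exe or PowerShell: a strings.exe-style extractor that pulls both ASCII and UTF-16LE runs, followed by the IP and domain regexes. The byte blob is constructed inline to stand in for ioc.exe and is not a real sample, and the TLD list in the domain pattern is an assumed widening of the .com-only pattern above. It goes one step past the one-liner: a bare `[0-9]{1,3}` pattern happily accepts 999.123.4.5, so the octets are range-checked before anything is reported as an IP.

```python
import re

# Constructed stand-in for ioc.exe: ASCII and UTF-16LE strings between junk bytes.
# Made up for this example; not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://127.0.0.1/gate.php\x00"                               # ASCII string
    + b"\x12\x34"
    + "evil-updates.example.com".encode("utf-16-le") + b"\x00\x00"   # Unicode, WinHTTP-style
    + b"\xff\xfe\x01"
    + b"999.123.4.5\x00"                                              # matches a naive IP regex, not a valid IP
    + b"\x00\x00"
    + "203.0.113.7".encode("utf-16-le") + b"\x00\x00"                 # Unicode IP
)

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic strings.exe: runs of printable ASCII, plus runs of printable UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text: each printable ASCII byte is followed by a 0x00 byte
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found

# Same shape as the post's dotted-quad pattern, anchored on word boundaries
IP_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
# The post's label pattern, with the TLD alternation widened past .com (assumed list)
DOMAIN_RE = re.compile(
    r"\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+(?:com|ru|me|net|org)\b"
)

def is_valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255; the regex alone accepts 999.x.x.x."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))

def extract_iocs(data: bytes) -> dict[str, list[str]]:
    """Run the string extractor and sort what it finds into IPs and domains."""
    ips, domains = set(), set()
    for s in extract_strings(data):
        ips.update(m for m in IP_RE.findall(s) if is_valid_ipv4(m))
        domains.update(DOMAIN_RE.findall(s))
    return {"ips": sorted(ips), "domains": sorted(domains)}

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```

On the constructed blob this reports 127.0.0.1 and 203.0.113.7 as IPs (the second only because the UTF-16 pass exists) and evil-updates.example.com as a domain, while 999.123.4.5 is dropped by the octet check. Loopback and documentation-range addresses like these are exactly the kind of thing you still want on the report, with a note about what they are.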
One last thing I’d like to touch on is signatures. Signatures in malware analysis are unique sequences of bytes that external programs use to scan data. Let’s say, for example, you create a signature from a malware’s main() function. This extended sequence of bytes can be used in IDS and IPS defense mechanisms to prevent similarly made malware specimens from reinfecting the network. This is called signature scanning.
Wildcarding in signature creation is the act of ignoring bytes in a signature that could be changed or altered. For example, let’s say your signature is:
55 8B EC 83 EC 44 A1 00 60 41 00 33 C5 89 45 FC 56 57
And the 4 bytes between A1 and 33 are an offset that can change depending on the build or version.
To ignore them, you create a mask over the signature:
xxxxxxx????xxxxxxx
As you scan a binary, you ignore the bytes marked with question marks. This lets one signature keep matching across builds where only the masked bytes differ.
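As an added example (not the post’s own code), here is a small Python scanner that turns the signature and mask above into a byte pattern and runs it over two constructed buffers: one carrying the original offset bytes and one where those 4 bytes have moved, as they would in another build. The buffers are made up for the demonstration and are not real samples; the `??`-per-byte rendering is the notation tools such as YARA use for masked bytes.

```python
import re

# Signature and mask as given in the post: 18 bytes, 4 masked offset bytes after A1
SIGNATURE = "55 8B EC 83 EC 44 A1 00 60 41 00 33 C5 89 45 FC 56 57"
MASK = "xxxxxxx????xxxxxxx"

def compile_masked_signature(sig_hex: str, mask: str) -> re.Pattern:
    """Build a bytes regex: 'x' positions must match exactly, '?' positions match any byte."""
    sig = bytes.fromhex(sig_hex)
    if len(sig) != len(mask):
        raise ValueError("mask must have one character per signature byte")
    parts = []
    for byte, flag in zip(sig, mask):
        if flag == "x":
            parts.append(re.escape(bytes([byte])))
        elif flag == "?":
            parts.append(b".")
        else:
            raise ValueError(f"bad mask character {flag!r}")
    # DOTALL so '.' also matches 0x0A, which is an ordinary byte inside code
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, pattern: re.Pattern) -> list[int]:
    """Return every offset at which the masked signature matches."""
    return [m.start() for m in pattern.finditer(data)]

def to_wildcard_notation(sig_hex: str, mask: str) -> str:
    """Render the signature with '??' in masked positions (YARA-style hex string)."""
    return " ".join(h if flag == "x" else "??" for h, flag in zip(sig_hex.split(), mask))

# Constructed buffers standing in for two builds of the same binary (not real samples)
_sig = bytes.fromhex(SIGNATURE)
BUILD_A = b"MZ" + b"\x00" * 6 + _sig + b"\x90" * 4
# Same code, but the 4-byte offset after A1 has changed (00 60 41 00 -> 40 70 41 00)
BUILD_B = b"MZ" + b"\x00" * 6 + _sig[:7] + b"\x40\x70\x41\x00" + _sig[11:] + b"\x90" * 4

if __name__ == "__main__":
    pattern = compile_masked_signature(SIGNATURE, MASK)
    print(to_wildcard_notation(SIGNATURE, MASK))
    for name, buf in (("build A", BUILD_A), ("build B", BUILD_B)):
        print(name, "masked hits:", scan(buf, pattern), "exact hit at:", buf.find(_sig))
```

An exact byte search only finds the signature in build A, while the masked pattern finds it at offset 8 in both, which is the whole point of the mask. Keep the masked run short and specific: every `?` you add widens what the signature will match, so a mask that covers too much starts firing on unrelated code that happens to share the same prologue.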
That’s all for this post.
Have a great rest of your weekend.
Go!
-BowTiedCrawfish