
Lupo — Malware IOC Extractor

Debugging module for Malware Analysis Automation

UPDATE: As requested by some readers, I have added a video walk-through at the end of this post, after the conclusion.

Note: I was supposed to be teaching a class at Paranoia 2020 in Norway this year but the conference couldn’t go ahead due to COVID-19. As part of the class I was planning to release the beta version of this tool I wrote — Lupo. Since I couldn’t teach at Paranoia 2020, I decided to go ahead and release the tool anyway. The show must go on…

Introduction

When working on security incidents that involve malware, we regularly run into cases where parts of the analysis have to be automated: a complete manual analysis of every sample is, more often than not, simply not possible, for reasons of time, skills and scale.

I wrote Lupo mainly to automate and accelerate as much of that process as possible. Lupo is a dynamic analysis tool that runs as an extension inside a debugger. The first version works with the popular Windows debugger, WinDbg; I'll release versions for other debuggers in the future.

The way the tool works is straightforward. You load Lupo into the debugger and execute it. It runs the malware under the debugger, collects a predefined set of IOCs and writes them to a text file on disk. You can then use that information to contain and neutralise the campaign, or simply to respond to the security incident you are working on.

Lupo — the tool

I'll give some more detail on the tool itself, but not too much about its inner workings, at least not here. We need to keep in mind that malware authors are quick to tweak their code once they know what an analysis tool looks for.

The tool is written in C++ and uses the Windows Debugging framework to execute the code. It can be used with WinDbg as a ‘plugin’ in order to help automate the analysis process.

If you want to know more about the tool, feel free to contact me or comment below.

Download 
You can get Lupo from my Github Repo here.

Usage

Using the tool is very easy. It works in this way:

  1. Save the Lupo extension DLL in your debugger's extension directory (the winext subdirectory of the Debugging Tools installation; see the path under Setup below). You can also add a directory of your own to the extension search path with the command ‘.extpath[+] [Directory[;…]]’ (the ‘+’ form appends to the existing path).
  2. Start the debugger.
  3. Attach the debugger to the process to be debugged (the malware, in this case).
  4. Load Lupo using the ‘.load’ command.
  5. Execute Lupo with the command ‘!lupo.go’ (extension commands are invoked with a leading ‘!’).
  6. All results are displayed in the console and also written to a new text file on disk. The path and name of that file are displayed in the console as well. All done!
  7. Optionally, feed the results from Lupo into another tool I wrote, Ragno, to advance your research and response by aggregating OSINT on the wider footprint of the campaign you may be dealing with. You can read about Ragno in another post here.

Step by Step Demo

Get the tool

You can download the files at GitHub: https://github.com/vithakur/lupo

Setup your debugging environment

You’ll need the WinDbg debugger installed and working before you can use Lupo for automating your C2i extraction.

Get WinDbg here: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

Once WinDbg is good to go, copy the Lupo files into the extension directory. For the 32-bit debugger the default is:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext

Use the debugger build that matches the bitness of the extension DLL (and of the malware you are debugging): a 32-bit extension DLL will not load into the 64-bit debugger.

Start the debugging session

To start analysing malware, first of all make sure your analysis VM is off the network (preferably on a host-only configuration) and that you have a clean snapshot to revert to: Lupo does not emulate the sample, it runs it under the debugger.

Execute the malware and, once the process is active, attach the debugger to it. On attach the debugger breaks in immediately, so the process is paused at that initial breakpoint.

Load Lupo

Once the debugger is attached and that first break-in has been reached, we can load Lupo. To load the plugin, use this command in the debugger:

.load lupo
Load the Lupo Plugin into your debugging session

After loading Lupo, you can check that it has been loaded successfully by running the chain command:

.chain

The output shows whether the plugin is loaded and ready for use. You can also click on the plugin name to list the commands the plugin exports (based on plugin modules).

Check if the plugin has loaded successfully

As you can see in the image below, currently you have one command available, that executes the plugin:

Available Lupo Modules

Run Lupo

At this point, we are ready to execute Lupo by running the following command:

!lupo.go
Lupo Execution

The first set of results that Lupo returns is a list of all loaded modules:

List of loaded modules

Lupo will write the output to a text file on disk and will print the file name before it starts so that you can have a look after the analysis is complete:

Results

The last thing Lupo prints to the console is the list of C2 IPs/URLs it has extracted from the malware. The same list is also available in the output file saved locally.

C2 IP address printed to console
Results written to a file on disk
Results file

And that’s it! You can use this extracted information to respond to malware incidents or for your threat intelligence purposes.
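Both the Usage section (steps 6 and 7) and the Results step above end at the same point: a text file of IOCs that you now have to turn into something actionable, whether a block list, input for Ragno, or a ticket. The script below is an added example, not Lupo's own code or part of its repository. This page does not document the exact layout of the results file, so the sample input is constructed to match what the walk-through describes (a module list followed by the extracted C2 entries); the file name and layout it assumes are hypothetical. It deduplicates the entries, discards anything that cannot be a real C2 (malformed addresses, loopback, RFC 1918 and other non-routable ranges, which in practice are lab noise or decoy values), and defangs the survivors for reporting.

```python
"""Turn a Lupo results file into deduplicated, validated, defanged IOCs.

Added example, not Lupo's own code. The sample input below is constructed
(this page does not document Lupo's exact output layout); the reject list and
the defanging style are choices made for this example, not Lupo's.
"""
import ipaddress
import re
import sys
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of a results file: loaded modules, then extracted C2 entries.
SAMPLE_RESULTS = """\
Loaded modules:
  00400000 sample.exe
  77400000 ntdll.dll
  76a00000 kernel32.dll
Extracted C2:
  http://203.0.113.10:8082/gate.php
  https://c2.example.net/panel/login
  198.51.100.77:443
  127.0.0.1:80
  192.168.1.5:8080
  999.1.1.1:80
  http://203.0.113.10:8082/gate.php
"""

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)
IPV4_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
IP_PORT_RE = re.compile(rf"\b({IPV4_RE})(?::(\d{{1,5}}))?\b")
DEFAULT_PORTS = {"http": 80, "https": 443}

# Ranges that cannot be an internet-facing C2: "this" network, RFC 1918, loopback,
# link-local, multicast, reserved. Hits here are normally lab noise or decoy values.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def routable_ipv4(text: str) -> bool:
    """True for a syntactically valid IPv4 address that is outside NON_ROUTABLE."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:   # e.g. 999.1.1.1 matches the regex but is not an IP
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Collect URLs, ip:port pairs and domains from Lupo-style output, deduplicated."""
    urls, ips, domains = set(), set(), set()
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if re.fullmatch(IPV4_RE, host):
                if not routable_ipv4(host):
                    continue              # URL pointing at loopback/private host: drop it
                ips.add(f"{host}:{parts.port or DEFAULT_PORTS[parts.scheme.lower()]}")
            elif host:
                domains.add(host)
            else:
                continue
            urls.add(url)
        # Bare ip[:port] entries, scanned after blanking out any URLs handled above.
        for ip, port in IP_PORT_RE.findall(URL_RE.sub(" ", line)):
            if routable_ipv4(ip):
                ips.add(f"{ip}:{port}" if port else ip)
    return {"urls": sorted(urls), "ips": sorted(ips), "domains": sorted(domains)}


def defang(ioc: str) -> str:
    """Defang for reports: hxxp(s) scheme and [.] in the host; path and query untouched."""
    if URL_RE.fullmatch(ioc):
        parts = urlsplit(ioc)
        scheme = parts.scheme.lower().replace("http", "hxxp")
        tail = parts.path + (f"?{parts.query}" if parts.query else "")
        return f"{scheme}://{parts.netloc.replace('.', '[.]')}{tail}"
    return ioc.replace(".", "[.]")


def report(text: str) -> List[str]:
    """One defanged line per IOC, grouped by type, ready to paste into a ticket."""
    iocs = extract_iocs(text)
    return [f"{kind}\t{defang(v)}" for kind in ("ips", "domains", "urls") for v in iocs[kind]]


if __name__ == "__main__":
    # Usage: python lupo_iocs.py <lupo results file>; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_RESULTS
    print("\n".join(report(data)))
```

The non-routable filter is deliberately a fixed list rather than Python's `is_global`, because that property also rejects the documentation ranges (203.0.113.0/24 and friends) used in sanitised samples; trim or extend the list to match your own lab addressing before trusting the output.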

ToDo

These are the few things that need to be done in the near future:

  1. Introduce termination functionality: as soon as all the information needed has been harvested, execution should stop. At the moment, if the malware doesn't terminate on its own, Lupo keeps going until you break in manually (Debug → Break).
  2. Standalone engine: this would let Lupo function as an independent tool, not relying on a debugger.
  3. Other debuggers: the plan is to integrate Lupo into other popular debuggers such as OllyDbg, Immunity Debugger and x64dbg/x32dbg.
  4. Feature requests will also be taken on the project at GitHub.

Conclusion

Lupo was written entirely around needs that came out of real-world incident response work. To respond to security incidents at scale, automation is required. Lupo aims to automate as much of the process as possible without losing sight of the importance of human skill in directing the analysis. In its current form, Lupo considerably speeds up the extraction of usable IOCs from malicious binaries and lets new analysts be highly productive when a quick response is needed. For everything else, there's always your friendly(!) neighbourhood reverse engineer :)

Video Walk-through

Part 1: Copy the DLLs into the debugger extension dir

Part 2: Load the main DLL into the debugger

Part 3: Run Lupo, sit back and relax ;)


