Travis Altman

Malware analysis tool, Capture-Bat

The main purpose of this write up is to create a tutorial for running, installing, and analyzing results of Capture-Bat. I didn’t really want to name this article “Capture-Bat tutorial” because not everyone is familiar with the tool and what its used for. When it comes to analyzing malware there are a handful of tools that every analyst should have, Capture-Bat is one of those tools.

Capture-Bat will monitor changes malware makes to your system so that you can effectively determine what the malware is attempting to do. Capture-Bat does a great job of eliminating noise and ignoring “regular” windows events. It is a behavioral analysis tool which means that it does not analyze the malware itself, it only monitors changes the malware makes to the windows system. In this article I hope to highlight the best way to use the tool and what options I always use when running the tool. Capture-Bat is a free tool which can be grabbed here. I’ll get into all the details later but whenever I run this tool I execute the following command right before I execute the malware.

C:\\Program Files\\Capture\\CaptureBAT.exe -c -n -l c:\\temp\\output.txt\

Below are what the options mean.

\-c   capture any deleted or modified files

\-n   capture network activity

\-l   save output to a specified location (lowercase L)

Let’s walk through an example using the zipped up malware located here (password is “malware”). For the inexperienced keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware open up two command prompts in windows (Start > Programs > Accessories > Command prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

C:\Program Files\Capture>CaptureBAT.exe -c -n -l c:\temp\output.txt
Option: Collecting modified files
Option: Capturing network packets
Option: Logging system events to c:\temp\output.txt
Loaded kernel driver: CaptureProcessMonitor
Loaded kernel driver: CaptureRegistryMonitor
Loaded filter driver: CaptureFileMonitor
Creating network dumper
Loading network packet dumper
network adapter found: 192.168.94.130
---------------------------------------------------------

My output is going to c:\temp, you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system, if you launch another application it will muddy your output and you may not be able to tell it’s the malware making changes to your system or a benign application. Now that Capture-Bat is monitoring let’s go ahead run our malware. I’m a fan of running exe’s from the command line because you may get a more verbose output, so execute the command below to launch the malware.

C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe\

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute, after that time period simply go into the command prompt running Capture-Bat and type “control + c” to kill the Capture-Bat process. Next step is to open up our output.txt to see what the malware has done to the system, my output is below.

"12/4/2010 11:30:36.81","process","created","C:\\WINDOWS\\system32\\cmd.exe","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:37.222","file","Write","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.222","file","Write","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.222","file","Write","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.222","file","Write","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\temp\\zcbgjy.bat" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache" "12/4/2010 11:30:37.300","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cookies" "12/4/2010 11:30:37.347","process","created","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\cmd.exe" "12/4/2010 11:30:37.378","process","created","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.331","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f04edc3-85c6-11de-af20-806d6172696f}\\BaseClass" "12/4/2010 11:30:37.347","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{cb7e6034-4640-11df-b8d9-806d6172696f}\\BaseClass" "12/4/2010 11:30:37.347","registry","SetValueKey","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{3f04edc0-85c6-11de-af20-806d6172696f}\\BaseClass" "12/4/2010 11:30:37.347","file","Write","System","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.362","file","Write","System","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.362","file","Write","System","C:\\WINDOWS\\system32\\spoolsvc.exe" "12/4/2010 11:30:37.597","process","terminated","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe","C:\\WINDOWS\\system32\\cmd.exe" "12/4/2010 11:30:37.581","file","Write","C:\\WINDOWS\\system32\\cmd.exe","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:37.581","file","Write","C:\\WINDOWS\\system32\\cmd.exe","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:37.581","file","Write","C:\\WINDOWS\\system32\\cmd.exe","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:37.581","file","Delete","C:\\WINDOWS\\system32\\cmd.exe","C:\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:37.581","file","Write","C:\\WINDOWS\\system32\\cmd.exe","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\zcbgjy.bat" "12/4/2010 11:30:37.597","file","Delete","C:\\WINDOWS\\system32\\cmd.exe","C:\\temp\\zcbgjy.bat" "12/4/2010 11:30:38.362","file","Write","System","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:38.472","file","Write","System","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:38.487","registry","SetValueKey","C:\\WINDOWS\\system32\\spoolsvc.exe","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spooler SubSystem App" "12/4/2010 11:30:39.472","file","Write","System","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\40033d8063564d1b3e4b41f1d5c9a31f.exe" "12/4/2010 11:30:39.472","file","Write","System","C:\\Program Files\\Capture\\logs\\deleted\_files\\C\\temp\\zcbgjy.bat"

The first line is simply us executing the malware. Lines 2 - 4 is where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on windows systems but spoolsv.exe does so the malware author is trying to be tricky in creating an exe that is very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created, had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created, for those that don’t know “.bat” files are windows batch scripts which contain a series of commands to be executed. Capture-Bat ends of saving this batch script which we will take a look at later. Lines 6 - 13 is where the malware is setting registry values. It appears that lines 6 - 11 are ensuring the “Local Intranet” has certain settings (see IE setting screen shot below) in internet explorer, this will allow internal connections to have a lower security setting than external connections.

My virtual machine is setup in a default and vulnerable setup, my registry values for lines 6 - 11 didn’t change after the malware was executed. Also I intentionally changed these settings before the malware executed but the malware failed to modify the registry so go figure. McAfee states that these settings are used to bypass firewalls? More information about internet explorer security settings and registry values can be found here. Also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored, in my case I didn’t notice a difference between before and after. Also I modified the default location where temporary internet files are located, the malware failed to change this location after execution so go figure once again. I haven’t contacted the developers of Capture-Bat but “SetValueKey” could also be used to query the registry? Either way the values stayed the same for me, it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14 - 15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16 - 18 are setting a value in the registry. Once again these values did not change for me after the malware was executed and it appears that the value for BaseClass the value of “Driver” is default? I haven’t yet figured out why this piece of malware sets the value of BaseClass to driver but I have seen other malware perform these same actions. In lines 19 - 30 the malware and Capture-Bat delete and create certain files and processes so hopefully that output is clear to you. It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds so it may actually perform more actions than my output.

You may be wondering why the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as a MD5 hash, MD5 hashing is commonly used to uniquely identify malware or any exe for that matter. I will also google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at virus total, looks like other anti-virus vendors have signatures for this malware. For the uninformed virus total will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and Virus Total but nothing beats performing analysis on a local system. For example we were able to capture the deleted batch script that the malware executed, below is the output of that batch script.

@echo off
:deleteagain
del /A:H /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
del /F 40033d8063564d1b3e4b41f1d5c9a31f.exe
if exist 40033d8063564d1b3e4b41f1d5c9a31f.exe goto deleteagain
del zcbgjy.bat

Granted the batch script is lame, it’s a very basic script that deletes the malware and deletes itself but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

C:\\Program Files\\Capture\\logs

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick google search it doesn’t look like that memehehz.info has a great reputation. It could be that memehehz.info is a malware site or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware I simply wanted to walk you through an example and how Capture-Bat can help you in the analysis of what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks.