
Hunting SharpHounds with Spectra Analyze

ReversingLabs’ Advanced Search is a powerful feature that can gather related samples for threat hunting in your environment. Here's how.

Ashlee Benge, Director of Threat Intelligence, ReversingLabs

Executive Summary

  • ReversingLabs’ Advanced Search is a powerful feature that can be used to gather related samples for threat hunting in your environment
  • When analyzing malware behavior, Spectra Core, RL’s proprietary advanced static analysis engine that powers Spectra Analyze, produces metadata like Assembly References which can be used to build your Advanced Search queries
  • Spectra Core’s in-depth static binary analysis breaks down malware behavior in a way that can be used for detection and hunting rule development

Spectra Analyze is a powerful tool for analyzing and triaging malware samples. A common use case for Spectra Analyze is to use one of RL’s many third-party integrations to automate the analysis of samples through the analysis pipeline. Samples can also be submitted to Spectra Analyze on an ad-hoc basis.

The Secrets Lurking In Unknown Files

To help illustrate Spectra Analyze’s capabilities, let’s look at how customers might use it to assess an unknown file sample that has suddenly appeared in their environment. 

How did the sample arrive? There are any number of possibilities. It may have been dropped by another executable; downloaded by a user from an external website; or perhaps it is part of an ongoing campaign targeting your organization. 

To understand whether the file is malicious or harmless, the affected organization can submit it to Spectra Analyze to learn what exactly the file is, and what it may have been designed to do. 

In submitting the sample to Spectra Analyze, organizations should have two goals in mind: 

  1. Gathering a pool of indicators of compromise (IOCs) related to the sample, enabling them to hunt for other instances within their environment. 
  2. Understanding the behavior of the file sample so that the organization understands its intent (malicious, legitimate) and takes appropriate action, as well as improves future detection outcomes.

Gathering Indicators for Internal Threat Hunting

Taking a look at the hypothetical sample, shown below in Figure 1, we can see that it is a .NET executable and has the filename "SharpHound v. 2.6.6.0." 

The first order of business is to drill into the details of this file so that we can gather a group of related samples for hunting purposes.


Figure 1: Sample as viewed in Spectra Analyze

The Spectra Advanced Search feature is a query language that can be used to search RL’s file corpus of 422 billion samples using dozens of search fields. Since our initial sample is .NET, we first look at .NET features that can be used in an Advanced Search query. Our goal in developing this query is to gather the hashes of related samples so we can search for any additional samples that are present in our environment. This will help our incident response or security operations team scope and remediate any potential intrusion. Related samples may be other malware that behaves similarly, utilizes the same command and control infrastructure, stems from the same threat actor/campaign, or has other similar characteristics.

A powerful feature of Spectra Analyze’s comprehensive static analysis is the Assembly References section. Assembly References are the dependencies and calls to other modules made by the sample in question. These may be to another executable, or to a DLL (Dynamic Link Library) containing commonly used functions. Analyzing the Assembly References of a sample can help us to understand the high level structure and behavior of a sample without having access to the source code.

When we check the Assembly References for our SharpHound sample, shown below in Figure 2, we notice that one of the listed references, “SharpHoundCommonLib,” does not have a public key token. A public key token is a short, unique identifier derived from the public key used to sign the assembly. Public key tokens usually indicate that the assembly reference in question is commonly used and probably available from a large and widely known developer (think Microsoft DLLs and the like). A reference without a public key token may be a custom component that other files in our environment related to SharpHound may share. That makes “SharpHoundCommonLib” a good term to include in our Advanced Search query.


Figure 2: Sample Assembly References in Spectra Analyze. Navigate to the tab under Application (PE) [1], Microsoft .NET [2], and Assembly References [3].

Because our starting sample is .NET, we want to use the search term that looks for assembly references within .NET samples: “dotnet-assembly.” We include wildcards by adding an asterisk before and after our search string, “SharpHound” to allow for some differences before and after our string. We have also changed the timeframe of the search to include samples that were first seen dating back to 2020.


Figure 3: Results of our Advanced Search query using the Assembly Reference, described in the above section

In this example, RL’s Advanced Search returns 10 samples locally and 351 samples within the RL global data corpus, as seen under the “Cloud” tab. Local samples are those that have been seen or submitted by your own Spectra Analyze instance. Cloud samples are those available in RL’s extensive body of malware samples. Some of these samples are private and cannot be downloaded (indicated by the grey cloud icon on the left). However, their hashes are still accessible and can be used when threat hunting in your own environment.

There are a number of different export formats that can be used to provide these hashes to the operations team to check around your environment, shown below (Figure 4).


Figure 4: Advanced Search cloud results, as seen with Export option selected. Samples with a grey cloud icon are private, while bold cloud icons are samples available publicly.
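Once the hashes are exported, the operations team needs something to check them against the environment. The script below is an added example (not ReversingLabs code) that combines the two pivots from this article: it loads an exported hash list and walks a directory tree looking for SHA-256 matches, and it also flags PE files that carry the “SharpHoundCommonLib” assembly-reference string. The byte search for the reference name is an assumption-level shortcut (AssemblyRef names are stored as NUL-terminated UTF-8 in the .NET #Strings heap), not a full metadata parser; all sample files are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

# .NET AssemblyRef names sit in the #Strings heap as NUL-terminated UTF-8, so a
# byte search is a cheap triage stand-in for full CLI metadata parsing (assumption).
PIVOT_REFERENCE = b"SharpHoundCommonLib\x00"

def load_hash_list(text: str) -> set:
    """Parse an exported hash list: one hash per line, or the first CSV column."""
    hashes = set()
    for line in text.splitlines():
        value = line.strip().split(",")[0].strip().lower()
        if value and not value.startswith("#"):
            hashes.add(value)
    return hashes

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hunt(root: Path, known_hashes: set) -> list:
    """Return (relative path, reason) for every file that matches a pivot."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if sha256_of(path) in known_hashes:
            findings.append((rel, "hash-match"))
            continue
        data = path.read_bytes()
        if data[:2] == b"MZ" and PIVOT_REFERENCE in data:
            findings.append((rel, "assembly-ref:SharpHoundCommonLib"))
    return findings

def demo() -> list:
    """Build a constructed directory with three files and hunt through it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known = root / "collector.exe"   # constructed: its hash is on the export list
        known.write_bytes(b"MZ" + b"\x90" * 64 + b"constructed sample A")
        pivot = root / "unknown.exe"     # constructed: carries the pivot reference string
        pivot.write_bytes(b"MZ" + b"\x00" * 32 + b"mscorlib\x00" + PIVOT_REFERENCE + b"\x00")
        (root / "notes.txt").write_text("SharpHoundCommonLib mentioned in prose only")
        export = "# sha256,first_seen\n" + sha256_of(known).upper() + ",2024-01-01\n"
        return hunt(root, load_hash_list(export))
```

The text file is deliberately not reported: the reference-string pivot only applies to PE files, which keeps documentation and notes from generating noise.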

Malware Behavioral Analysis 

After exporting the hashes returned by our first search, we return to our initial sample of interest and continue our analysis. Now, we are looking to determine specific sample behavior, which we can do in a few ways. Spectra Core, the engine that drives Spectra Analyze, detects a set of behavioral indicators based on static analysis. There are many, many static behavioral indicators, so filtering it by the category of behavior can be helpful. You can then read the descriptions of the behaviors that were detected in the sample.


Figure 5: Behavioral indicators as displayed by Spectra Analyze

Sometimes, version information can give us useful background information about a sample, like who has developed the sample or what product it might be associated with. The version information parsed by RL’s static analysis gives us a clue as to what this file is. We can see that the CompanyName field is "SpecterOps," and that the ProductName field is SharpHound.


Figure 6: Sample version info as displayed by Spectra Analyze

Knowing this, we can look for a developer or organization with that name. In this case, some quick searching online tells us that an organization calling themselves SpecterOps has written this code and that they produce many different red teaming tools available freely on GitHub. Malware source code can be hard to come by, but hacking and red teaming tools are commonly found in open source repositories. Looking through the code SpecterOps has available on GitHub, we are able to identify the sample we’ve been analyzing as a compiled version of SharpHound, with the source code shown below. Having access to the source code allows us to understand the exact capabilities of the tool much more easily.


Figure 7: Publicly available SharpHound source code, on GitHub

When dealing with actual malware, however, access to the raw malware source code is often not possible. For such files, RL Cloud Sandbox allows you to execute the code and identify behavioral signatures that may indicate the purpose of the software. We can also check the results of a sandbox session for behaviors detected during dynamic analysis. There are sections in dynamic analysis reports that highlight behavioral signatures triggered by the sample: network activity, dropped files, and more.


Figure 8: RL Cloud Sandbox (RLCS) report for SharpHound, as viewed in Spectra Analyze

All of this behavioral analysis information, combined with publicly available source code, allows us to understand the intent of the file. We could use this information to develop recurring hunts, YARA rules for threat detection, and more. YARA rule development is covered in greater detail in this guide from the RL threat analyst team.

Up Next In This Series

In our next installment of this series, we’ll dive into analyzing malicious Office documents, commonly referred to as maldocs, with Spectra Analyze. Maldocs are widely used as phishing lures and Spectra Analyze can help expedite the analysis and triaging process. 
