For350‐Linux‐Ltrace - ConnorEast/Tech-Journal GitHub Wiki

Lab Setup

Install Podman: 
   ~~~ sudo apt install podman

Edit "/etc/containers/registry.conf" and add:

   ~~~ unqualified-search-registries = ["docker.io"]

Install python3-pip and podman-compose:

   ~~~ sudo apt install python3-pip
   ~~~ pip install podman-compose

Install malware sample using git:

   ~~~ sudo apt install git
   ~~~ git clone [INSERT-REPOSITORY]

Begin the testing process for the sample

   ~~~ bash linux_malware_analysis_container samples/test_malware_simulator

Use the Ltrace command

   ~~~ ltrace-full samples/test_malware_simulator
image

Contents of ltrace_behavior file

image
Lines Meaning
Example 1: fwrite("@reboot /tmp/test_script.sh\n", 1, 28, 0x60b6dbfc56b0)
  • fwrite: Writes content to a file/
  • "@reboot /tmp/test_script.sh\n": The string to be written/
  • 1: the size of each element/
  • 28: The number of items to write.
  • 0x60b6dbfc56b0: The file pointer
[none] puts(" [+] Created Executable Script: /tmp/test_script.sh") = 53
  • Output: This script prints a success message to stdout.
[none] chmod("/tmp/test_script.sh", 0755...) = 0
  • chmod: used to change read write and execute permissions.
  • /tmp/test_script.sh: The file path
  • 0755: The permission mode (rwxr-xr-x)
  • 0: Return value indicating success
[none] fopen("/tmp/test_script.sh", "w"...) = 0x60b6dbfc56b0
  • fopen: Opens a file
  • "/tmp/test_script.sh": The file path
  • W: opens the file in write mode
  • 0x60b6dbfc56b0: The file pointer returned
image
Lines Meaning
Example 1: fopen("/tmp/.bashrc_test", "W"...)
  • fopen: Opens a file
  • "/tmp/.bashrc_test": The file to open
  • W:The file will be opened with write permissions
fopen("/tmp/.bashrc_test", "W"...) = 0x60b6dbfc56b0
  • fopen: Opens a file
  • "/tmp/.bashrc_test": The file to open
  • W:The file will be opened with write permissions
  • 0x60b6dbfc56b0
    • : The file saved location
image
Lines Meaning
Example 1: fopen("/tmp/.test.service", "W"...)
  • fopen: Opens a file
  • "/tmp/.test.service": The file to open
  • W:The file will be opened with write permissions
fopen("/tmp/.test.service", "W"...) = 0x60b6dbfc56b0
  • fopen: Opens a file
  • "/tmp/.test.service": The file to open
  • W:The file will be opened with write permissions
  • 0x60b6dbfc56b0
    • : The file saved location
image
Lines Meaning
Example 1: fopen("/tmp/crontab_test", "W"...)
  • fopen: Opens a file
  • "/tmp/crontab_test": The file to open
  • W:The file will be opened with write permissions
fopen("/tmp/.test.service", "W"...) = 0x60b6dbfc56b0
  • fopen: Opens a file
  • "/tmp/crontab_test": The file to open
  • W:The file will be opened with write permissions
  • 0x60b6dbfc56b0
    • : The file saved location
image
Lines Meaning
[None] unlink("/tmp/temp_data.dat"...) = 0
  • unlink: Deletes a file from a filesystem.
  • /tmp/temp_data.dat: The file being removed.
  • 0: The returned value indicating success.
image
Lines Meaning
[None] fopen("/var/tmp/cache.dat", "w"...) = 0x60b6dbfc56b0
  • fopen: opens a file.
  • /var/tmp/cache.dat: The file to be opened
  • W: Allows for Write
  • 0x60b6dbfc56b0: Location of saved data
[None] unlink("/var/tmp/cache.dat"...) = 0
  • unlink: Deletes a file from a filesystem.
  • /var/tmp/cache.dat: The file being removed.
  • 0: The returned value indicating success.
image
Lines Meaning
[None] fopen("/tmp/test_file", "w"...) = 0x60b6dbfc56b0
  • fopen: Opens a file
  • /tmp/test_file: The file path
  • "w": The mode (write mode, creates or truncates file)
  • 0x60b6dbfc56b0: The file pointer returned
[None] puts(" [+] File Write: /tmp/test_file"...) = 37
  • Output: Prints a string to the test_file and returns 37.
[None] access("/tmp/test_file", "0") = 0
  • access: Checks file accessibility/existence
  • /tmp/test_file: The file path to check
  • 0: Checks if file exists
  • 0: Returns that the file exists
[None] chmod("/tmp/test_file", "0644"...) = 0
  • chmod: Changes file permissions
  • /tmp/test_file.txt: The file path
  • 0644: The permission mode (rw-r--r--)
  • 0: Return value indicating success
[None] rename("/tmp/test_file", "/tmp/test_renamed"...) = 0
  • rename:Renames/moves a file
  • /tmp/test_file.txt: The original file
  • /tmp/test_renamed.tx: The file path to the new file
  • 0: Return value indicating success
image
[None] rename("/tmp/test_file", "/tmp/test_renamed"...) = 0
  • rename:Renames/moves a file
  • /tmp/test_file.txt: The original file
  • /tmp/test_renamed.tx: The file path to the new file
  • 0: Return value indicating success
image
The content above shows the creation of an executable /tmp/test_dir/ directory location. It then shows the removal of the folder location.
image
Shows the changing of permissions of a "/tmp/test_script.sh" file. it then opens it with write permission, puts content in it and allows it to be run at startup in binbash. image
Opens the file test_file.txt, writes to it, reads it, changes permissions to simply allow read and write but not execute, and finally renames it to "test_renamed.txt". image
This shows that the "/etc/passwd" file is being read, opened and items are being printed showing access. image
This shows that the "/etc/shadow" file is being read, opened and items are being printed showing access.

Deliverables

image 
Shows the files which are still present on the system

Copy ltrace_behavior file to host

image 
With the box open, select "CNTR + ALT +F3" in order to open a new terminal.
image 
Run the command "podman cp [podmanID]:/tmp/ltrace_analysis/[FILENAME].txt trace_analysis.txt"
image 
cat the file to confirm the output is correct.

⚠️ **GitHub.com Fallback** ⚠️