[Malware Analysis Bootcamp] Let’s start your first malware analysis!!

What Is Malware Analysis?

Objectives of malware analysis

  • To understand the type of malware and the entire scope of what it can do (functionality). Is it a keylogger, RAT or ransomware?
  • How the system was infected with the malware. Is it a targeted attack or a phishing attack?
  • How it communicates with the attacker.
  • To extract useful indicators such as registry entries/keys and file names, for the purpose of generating signatures that can be used for future detection.

Types Of Malware Analysis

  • Static analysis — The process of analyzing malware without executing or running it. The objective is to extract as much metadata from the malware as possible. Examples: strings, PE headers.
  • Dynamic analysis — The process of executing malware and analyzing its functionality and behavior. The objective is to understand exactly how and what the malware does during execution. This is done in a debugger.
  • Code analysis — The process of analyzing/reverse engineering assembly code. This can be done both statically and dynamically (static and dynamic code analysis).
  • Behavioural analysis — The process of analyzing and monitoring the malware after execution. It involves monitoring processes, registry entries and network traffic to determine the workings of the malware.

Malware response process

  • Detection > Log analysis (Splunk, Kibana)
  • Collection > memory dump (DumpIt, Redline), Disk image (FTK imager), Packet capturing (WireShark)
  • Investigation > Windows Forensics (Autopsy) (Master File Table, Change logs, Volume Shadow Copies, Prefetch, Event Logs, data streams, registry Hives) > Memory Forensics (Volatility)
  • Malware analysis > Basic static, Behavioural, Dynamic Analysis
  • Containment
  • Remediation
  • Reporting

Security operations

Security roles

Threat Hunting

  • Proactive validation: looking for signs of an incident without waiting for one to be reported.
  • types

Setting Up Our Environment

  • Hypervisor — VirtualBox or VMware
  • Windows 10 VM, 32- or 64-bit — 64-bit preferable.
  • FLARE VM — Windows malware analysis distribution

Security guidelines

  • Keep your Hypervisor updated.
  • When executing malware ensure your network configuration is set to host-only.
  • Do not plug any USB devices into the VM.
  • Make sure you download compressed and password-protected samples to avoid accidental execution.
  • Take snapshots!
  • Do not store any valuable data on your analysis VM.
  • Disable shared folders, before execution or analysis.

Tools & links

Download Virtual Machines

Download flare-vm

https://github.com/mandiant/flare-vm

Stop Windows update and defender

Install flare-vm

Introduction To Static Analysis

  • Static analysis is the process of analyzing malware/binary without executing it.
  • The objective is to extract useful information from the malware, this will help us get an idea of the type of malware and what the malware can do.

Static analysis flow — How we will approach a sample

  • Identifying the file type — Target OS, architecture, and format (dll, exe)
  • Identifying the malware — Generating a hash of the malware gives it a unique identifier. The hash can then be used to see if anyone else has analyzed the malware.
  • Strings — Strings give us an idea/glimpse of what the malware can do.
  • Packing & Obfuscation — Obfuscation & packing are techniques used to prevent detection. Unpacking or deobfuscating can reveal additional information.
  • PE headers — The PE header reveals a lot of information on malware functionality.

Identifying the file type

  • Identifying the file type is extremely important as it helps us identify the target OS and the corresponding architecture.
  • An example of a Windows executable file is the PE (Portable Executable).
  • A PE can take the form of an .exe, .dll, etc.
  • To accurately identify a file type we need to analyze the file signature. This avoids false positives caused by the use of double extensions.
  • The file signature exists in the file header.
  • The file signature for PE files is represented by the hexadecimal values 4D 5A, or MZ, in the first 2 bytes (0–1).
  • PE programs also carry the notice “This program cannot be run in DOS mode”.
  • The PE header begins with the signature hex 50 45 (“PE”).
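The checks above, as an added Python example (not code from the original notes): it reads the file's own bytes rather than its name, follows the e_lfanew offset at 0x3C to the "PE" signature, reports the machine type and EXE/DLL flag from the COFF header, and flags a name whose extension disagrees with the content (the double-extension case). The MZ/PE sample it builds is constructed, as is the small magic-number table; the non-PE formats are included only for contrast.

```python
import struct

# Signatures checked against the start of the file. The MZ entry is the one the
# notes describe (4D 5A in bytes 0-1); the others are included for contrast.
MAGIC = [
    (b"MZ", "MZ executable"),
    (b"\x7fELF", "ELF"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),
]
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
DOS_NOTICE = b"This program cannot be run in DOS mode"
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx"}


def identify(data: bytes) -> dict:
    """Identify a file from its first bytes, never from its name.

    For an MZ file, follow e_lfanew (the 4-byte offset stored at 0x3C) to the
    'PE\\0\\0' signature and read Machine and Characteristics from the COFF header.
    """
    info = {"type": "unknown", "os": None, "arch": None, "format": None, "dos_notice": False}
    for magic, name in MAGIC:
        if data.startswith(magic):
            info["type"] = name
            break
    if info["type"] != "MZ executable" or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info  # MZ but no PE signature: plain DOS program or truncated file
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    info.update(
        type="PE (Portable Executable)",
        os="Windows",
        arch=MACHINES.get(machine, "unknown machine 0x%04x" % machine),
        format="DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        dos_notice=DOS_NOTICE in data[0x40:e_lfanew],  # the DOS stub sits between the DOS header and the PE header
    )
    return info


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is a PE but the visible extension does not say so,
    e.g. 'invoice.pdf' (or 'invoice.pdf.exe' displayed with known extensions hidden)."""
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_pe = identify(data)["type"] == "PE (Portable Executable)"
    return is_pe and declared not in EXECUTABLE_EXTENSIONS


def build_sample(machine: int = 0x014C, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal MZ/PE header, not a real sample: DOS header with
    e_lfanew = 0x80, the DOS-mode notice in the stub, then 'PE\\0\\0' + COFF header."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80))
    buf += DOS_NOTICE + b"."
    buf += b"\x00" * (0x80 - len(buf))
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    buf += b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(buf)


if __name__ == "__main__":
    samples = [("setup.exe", build_sample()),
               ("invoice.pdf", build_sample(0x8664, 0x0022)),   # PE content behind a document name
               ("notes.pdf", b"%PDF-1.7\n")]
    for name, blob in samples:
        print(name, identify(blob), "MISMATCH" if extension_mismatch(name, blob) else "")
```

The same byte-level check is what HxD shows by hand: 4D 5A at offset 0, the 4-byte pointer at 0x3C, and 50 45 00 00 at the place it points to.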

Demo

Malware sample: https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbU5KRkZTNWU4NktkaFltX1I5cmFRR09RVUM3UXxBQ3Jtc0tuNkRjLVhBek5SblNNeXpCTXZQcjU3cWJMZVk5WFBPQlExYWRDbVZ1LTNSd2pEZnN6UmhjS1FxUWZucGdRWGIwT2hhanpIQ0x5VTExejJwbkVkMGVPOHdhb2hqTkhlNWo5QWgteGVnVlV3eVByd1JINA&q=https%3A%2F%2Fs3.eu-central-1.amazonaws.com%2Fdasmalwerk%2Fdownloads%2Fdc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000%2Fdc030778938b8b6f98236a709d0d18734c325accf44b12a55ecc2d56b8bb9000.zip

Tool: HxD

Tool: Exeinfo PE

Tool: pestudio

Tool: CFF Explorer

Malware hashing

Malware hashing is the process of generating cryptographic hashes for the file content of the target malware; we are hashing the malware file. The hashing algorithms used in malware identification are:

  • MD5
  • SHA-1
  • SHA-256

Why should you hash?

  • For accurate identification of malware samples, rather than relying on file names. Hashes are unique.
  • Hashes are used to identify malware on malware analysis sites (VirusTotal).
  • Hashes can be used to search for any previous detections, or to check online whether the sample has already been analyzed by other researchers.

DEMO

Tool: Hashcalc
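What Hashcalc does, as an added Python example (not part of the original notes): compute MD5, SHA-1 and SHA-256 of a file in chunks so large samples need not be read into memory at once, and show the two properties the list above relies on, that a renamed copy hashes identically and that a one-byte change produces an unrelated digest. The file contents are constructed; no real sample is involved.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Hash in-memory content with the three algorithms used for sample identification."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in 1 MiB chunks; all three digests are updated from one read pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def demo() -> dict:
    """Constructed demonstration: the same content under two names hashes identically,
    while changing a single byte gives a completely different digest."""
    content = b"abc"  # constructed stand-in for a sample's bytes
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "invoice.exe")
        renamed = os.path.join(tmp, "renamed.bin")
        modified = os.path.join(tmp, "modified.exe")
        for path, data in ((original, content), (renamed, content), (modified, b"abd")):
            with open(path, "wb") as fh:
                fh.write(data)
        h_orig, h_renamed, h_mod = hash_file(original), hash_file(renamed), hash_file(modified)
    return {
        "same_content_same_hash": h_orig == h_renamed,
        "one_byte_change_differs": h_orig["sha256"] != h_mod["sha256"],
        "sha256": h_orig["sha256"],  # the value you would look up on VirusTotal
    }


if __name__ == "__main__":
    print(demo())
```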

Analyzing strings

  • Strings analysis — This is the process of extracting readable characters and words from the malware.
  • Strings can give us valuable information about the malware functionality.
  • Malware will usually contain useful strings alongside other random strings, also known as garbage strings.
  • Strings come in ASCII and Unicode format. (We need to specify the type of strings we want to extract during analysis, as some tools only extract ASCII.)
  • The types of strings we are looking for are: file names, URLs (domains the malware connects to), IP addresses, registry keys.

Demo

Open powershell

strings -a -n 6 <path to the sample file> > <path to save>
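The same extraction in Python, added here as an example rather than taken from the notes: it pulls ASCII and UTF-16LE (Unicode) runs of at least 6 characters, like the `-n 6` above, then sorts them into the indicator types listed earlier. The `unicode=False` switch reproduces what an ASCII-only tool would miss. The sample bytes are constructed; the URL in them is one of the three quoted later in the YARA demo.

```python
import re

MIN_LEN = 6  # same minimum length as "strings -n 6" in the demo command above

# First matching classifier wins; anything unmatched lands in "other" (where garbage strings end up).
CLASSIFIERS = [
    ("url", re.compile(r"https?://\S+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry_key", re.compile(r"\b(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U)|SOFTWARE|SYSTEM)\\", re.I)),
    ("filename", re.compile(r"\b[\w-]+\.(?:exe|dll|sys|bat|ps1|vbs|tmp|dat)\b", re.I)),
]


def extract_strings(data: bytes, min_len: int = MIN_LEN, unicode: bool = True) -> list:
    """Return (kind, offset, text) for every printable run of at least min_len characters.

    ASCII runs are bytes 0x20-0x7E. Unicode runs are UTF-16LE: each ASCII byte followed by
    a NUL byte, which an ASCII-only tool never sees as a run. unicode=False mimics that tool.
    """
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    if unicode:
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            found.append(("unicode", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda s: s[1])


def classify(strings: list) -> dict:
    """Bucket extracted strings by indicator type: url, ipv4, registry_key, filename, other."""
    buckets = {name: [] for name, _ in CLASSIFIERS}
    buckets["other"] = []
    for _, _, text in strings:
        for name, pattern in CLASSIFIERS:
            if pattern.search(text):
                buckets[name].append(text)
                break
        else:
            buckets["other"].append(text)
    return buckets


# Constructed byte string standing in for a sample: header bytes, binary garbage,
# an ASCII URL, a garbage string, a UTF-16LE registry key, an ASCII IP, a UTF-16LE file name.
SAMPLE = (
    b"MZ\x90\x00\x03" + b"\x00" * 7
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x8b\xff\x55\x8b\xec\x83\xec" * 3
    + b"http://reninparwil.com/zapoy/gate.php\x00"
    + b"xQ9!kLp2@\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"192.168.56.101\x00\x00"
    + "svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00cd"  # too short to count as a string
)

if __name__ == "__main__":
    for kind, offset, text in extract_strings(SAMPLE):
        print("%-7s 0x%04x %s" % (kind, offset, text))
    print(classify(extract_strings(SAMPLE)))
```

Run the ASCII-only pass and the registry key and file name disappear, which is exactly why the Unicode option matters when a tool offers it.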

Packers & Unpacking

  • A packer is a tool that is used to compress the content of the malware.
  • Attackers use packers to obfuscate the content of the malware, which makes it difficult to analyze strings.
  • Packers compress an executable; when the packed executable is run, it decompresses itself. Unpacking it allows us to analyze the original, unpacked executable.

DEMO

How to pack the malware

upx -9 -qvfk <path>

Understanding The PE Header

  • The PE header contains the information the OS requires to run the executable.
  • This information is very useful, as it can give us more information about the functionality of the malware and how the malware interacts with the OS.

Why is the PE header important?

  • It contains all of the important and necessary information required by the OS to execute the executable.
  • It contains information that specifies where the executable needs to be loaded into memory.
  • It contains the libraries that the executable requires to be loaded (dll).
  • It contains information that specifies where the execution begins.

PE Header Structure

Sections

What information are we interested in?

  • Compiler Stamp — When and where the malware was compiled.
  • Subsystem — What subsystem is being used?
  • Sections — Is the executable packed and are there any inconsistent permissions.
  • Libraries & Imports — What libraries and imports are being used, and what information do they give us about the functionality of the malware.

DEMO

  • Indicators section
  • Sections show permissions
  • Libraries show some blacklisted entries
  • Check functions such as LoadLibrary
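An added Python example covering both the packing section above and this PE header section (it is not code from the notes or from pestudio): it parses the COFF header for the compile timestamp and machine, reads the subsystem and entry point from the optional header, walks the section table, and applies the heuristics an analyst applies by eye, namely known packer section names such as UPX1, sections that are writable and executable at once, high Shannon entropy (compressed or encrypted data), and which section holds the entry point. Imports are left to pestudio. The PE32 image it builds is constructed and deliberately looks UPX-packed; the packer name list and the 7.0 entropy threshold are the editor's assumptions.

```python
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite", ".themida", ".vmp0", ".vmp1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields we care about, and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "perms": "".join(p for p, f in (("R", SCN_READ), ("W", SCN_WRITE), ("X", SCN_EXECUTE)) if flags & f),
            "entropy": round(entropy(raw), 2),
        })
    return {"machine": MACHINES.get(machine, hex(machine)),
            "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "entry_point": entry, "sections": sections}


def triage(info: dict) -> list:
    """Packing / inconsistency heuristics over the parsed sections, as (section, finding) pairs."""
    findings = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append((s["name"], "known packer section name"))
        if "W" in s["perms"] and "X" in s["perms"]:
            findings.append((s["name"], "writable and executable"))
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append((s["name"], "high entropy"))
        if s["vaddr"] <= info["entry_point"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            findings.append((s["name"], "contains entry point"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image, not a real sample: a normal .text section plus a
    UPX1-style section that is RWX, high-entropy and holds the entry point."""
    rng = random.Random(7)
    code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 73   # repetitive bytes, low entropy
    packed = bytes(rng.randrange(256) for _ in range(4096))         # pseudo-random, high entropy
    sections = [(b".text", 0x1000, 0x1000, code, 0x60000020),       # CODE | READ | EXECUTE
                (b"UPX1", 0x2000, 0x2000, packed, 0xE0000040)]      # DATA | READ | WRITE | EXECUTE
    buf = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    buf += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, len(sections), 1600000000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)    # AddressOfEntryPoint inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<H", opt, 68, 2)         # Subsystem = Windows GUI
    buf += opt
    raw_base, body = 0x200, bytearray()
    for name, vsize, vaddr, raw, flags in sections:
        buf += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), raw_base + len(body), 0, 0, 0, 0, flags)
        body += raw
    buf += b"\x00" * (raw_base - len(buf))
    return bytes(buf + body)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["compiled_utc"], info["subsystem"], hex(info["entry_point"]))
    for s in info["sections"]:
        print(s)
    print(triage(info))
```

Against a genuinely packed file the same output pattern appears: the packer-named section is RWX, its entropy is near 8, the entry point sits inside it, and the original .text has a raw size of zero until the stub decompresses it at run time.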

Examining The Resources Section

The resources section contains all the necessary files and information that are used/required by the executable, for example icons and dialogs.

Why is it important?

  • Attackers can utilize the resources section to store more malicious files and data like payloads, droppers, configuration info etc.
  • The resource section is also useful as it may contain information about the origin of the malware.

DEMO

Download Locky Ransomware from here

Creating YARA Rules

  • YARA rules are used to identify samples based on specific strings or binary data.

DEMO

  • The sample uses these three URLs for command & control:

rule creds_ru
{
    meta:
        description = "First YARA rule"
    strings:
        $a = "http://reninparwil.com/zapoy/gate.php"
        $b = "http://leftthenhispar.ru/zapoy/gate.php"
        $c = "http://reptertinrom.ru/zapoy/gate.php"
    condition:
        ($a or $b or $c)
}

yara32 -s -r <rule file> <file path>
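As an added example (not part of the original notes, and a Python stand-in rather than the yara engine itself), the following evaluates the rule above the way `yara32 -s` reports it, with each string's identifier and offset, and shows a tightened condition, `uint16(0) == 0x5A4D and any of them`, that stops the rule firing on a text file that merely quotes the URLs, such as your own report. The two inputs are constructed; the rule name and the three URLs are the page's own.

```python
# The demo rule transcribed into a Python structure.
RULE = {
    "name": "creds_ru",
    "strings": {
        "$a": b"http://reninparwil.com/zapoy/gate.php",
        "$b": b"http://leftthenhispar.ru/zapoy/gate.php",
        "$c": b"http://reptertinrom.ru/zapoy/gate.php",
    },
}


def find_strings(data: bytes, strings: dict) -> list:
    """Every occurrence of every rule string as (identifier, offset, bytes), as 'yara -s' prints it."""
    hits = []
    for ident, needle in strings.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((ident, pos, needle))
            pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def evaluate(data: bytes, rule: dict, require_pe: bool = False) -> dict:
    """'($a or $b or $c)' is the same as 'any of them'. With require_pe the condition becomes
    'uint16(0) == 0x5A4D and any of them', so only files starting with MZ can match."""
    hits = find_strings(data, rule["strings"])
    matched = bool(hits)
    if require_pe:
        matched = matched and data[:2] == b"MZ"   # 0x5A4D little-endian is the bytes 4D 5A
    return {"rule": rule["name"], "match": matched, "hits": hits}


def to_yara(rule: dict, require_pe: bool = False) -> str:
    """Emit YARA source for the rule, optionally with the tightened condition."""
    lines = ["rule %s" % rule["name"], "{", "    meta:",
             '        description = "First YARA rule"', "    strings:"]
    for ident, needle in rule["strings"].items():
        lines.append('        %s = "%s"' % (ident, needle.decode("ascii")))
    condition = "any of them"
    if require_pe:
        condition = "uint16(0) == 0x5A4D and " + condition
    lines += ["    condition:", "        " + condition, "}"]
    return "\n".join(lines)


# Constructed inputs: a PE-like blob carrying $b at offset 74, and an analyst's notes file
# quoting $a (the kind of false positive the MZ check avoids).
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"\x90" * 10 + RULE["strings"]["$b"] + b"\x00"
NOTES_TXT = b"Seen in creds_ru: " + RULE["strings"]["$a"] + b"\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PE), ("notes", NOTES_TXT)):
        print(label, evaluate(blob, RULE), evaluate(blob, RULE, require_pe=True)["match"])
    print(to_yara(RULE, require_pe=True))
```

Loose string-only conditions are fine for a first rule, but once a rule goes into a scanner that also sees reports, e-mail bodies and IOC lists, a file-type guard like the one emitted above is the first thing to add.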


Cloud security engineer https://www.linkedin.com/in/takahiro-oda-881423197/
