[Malware Analysis Bootcamp] Let’s start your first malware analysis!!
What Is Malware Analysis?
Malware analysis is the process of examining a malware sample (binary) to understand the full scope of its functionality, how the system was infected with it, and how to defend against similar attacks.
Objectives of malware analysis
- To understand the type of malware and the entire scope of what it can do (its functionality). Is it a keylogger, a RAT or ransomware?
- How the system was infected with the malware. Is it a targeted attack or a phishing attack?
- How it communicates with the attacker.
- To extract useful indicators such as registry keys, file names, domains and IP addresses, for the purpose of generating signatures that can detect the malware (and its variants) in future.
Types Of Malware Analysis
- Static analysis — The process of analyzing malware without executing it. The objective is to extract as much metadata from the sample as possible, for example strings and PE headers.
- Dynamic analysis — The process of executing the malware and analyzing its functionality and behaviour. The objective is to understand exactly what the malware does during execution; this is done in an isolated VM, typically under a debugger.
- Code analysis — The process of analyzing/reverse engineering the assembly code. This can be done both statically (in a disassembler) and dynamically (in a debugger).
- Behavioural analysis — The process of monitoring the malware while it executes: process activity, file and registry changes, and network traffic, to determine how the malware works.
Malware response process
- Detection > Log analysis (Splunk, Kibana)
- Collection > memory dump (DumpIt, Redline), disk image (FTK Imager), packet capture (Wireshark)
- Investigation > Windows Forensics (Autopsy) (Master File Table, Change logs, Volume Shadow Copies, Prefetch, Event Logs, data streams, registry Hives) > Memory Forensics (Volatility)
- Malware analysis > Basic static, Behavioural, Dynamic Analysis
- Proactive validation > validate detections and hunt for the indicators without waiting for an incident.
Setting Up Our Environment
- Hypervisor — VirtualBox or VMware
- Windows 10 VM, 32- or 64-bit (64-bit preferred).
- FLARE VM — Windows malware analysis distribution
- Keep your Hypervisor updated.
- When executing malware, ensure the VM's network adapter is set to host-only (or disconnected), so the sample cannot reach the internet or your LAN.
- Do not plug any USB devices into the VM.
- Download samples compressed and password-protected (the usual password is "infected") to avoid accidental execution.
- Take snapshots!
- Do not store any valuable data on your analysis VM.
- Disable shared folders (and clipboard/drag-and-drop sharing) before execution or analysis.
Tools & links
- Windows VM’s: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
- FireEye installation guide
- Github Repository: https://github.com/fireeye/flare-vm
Download Virtual Machines
The size is 4.7 GB, so the download takes a while.
Extract it and double-click the .ovf file.
You are asked to configure the import. Click Import.
Let's configure the network settings:
Click Settings > Network.
Shared Folders > add your desktop path.
Download the zip file and move it to your desktop.
- Create and configure a new Windows Virtual Machine
- Allow for a total of 50–60 GB disk storage (including OS)
- Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
- Install .NET 4.5 and WMF 5.1 from the following links:
- .NET 4.5 https://www.microsoft.com/en-us/download/details.aspx?id=30653
- WMF 5.1 https://www.microsoft.com/en-us/download/details.aspx?id=54616
- Make sure you restart the VM to complete the installation
- Take a snapshot of your machine!
After moving the zip file to the VM, you can remove the shared folder.
Right-click the zip > Extract All.
At this stage, take a snapshot: Machine > Take Snapshot.
Open PowerShell as administrator.
Stop Windows Update and Windows Defender: in the services list, set the startup type to Disabled and click Stop.
Do the same for Windows Defender.
Move to the Desktop directory.
Change the permissions so the installer script is allowed to run (the PowerShell execution policy).
Before starting the installation, the VM needs an internet connection:
Machine > Settings > Network > pick a mode with internet access (e.g. NAT) for the duration of the install only.
Congratulations! You have successfully installed FLARE VM. At this point we recommend you power off the VM, switch the VM networking mode to Host-Only, and then take a snapshot to save a clean state of your analysis VM.
Introduction To Static Analysis
- Static analysis is the process of analyzing malware/binary without executing it.
- The objective is to extract useful information from the malware, this will help us get an idea of the type of malware and what the malware can do.
Static analysis flow — How we will approach a sample
- Identifying the file type — Target OS, architecture, and format (EXE, DLL, ...).
- Identifying the malware — Generating a hash of the sample gives it a unique identifier; the hash can then be used to check whether anyone else has already analyzed it.
- Strings — Strings give us a first glimpse of what the malware can do.
- Packing & Obfuscation — Packing and obfuscation are techniques used to hinder detection and analysis; unpacking or deobfuscating reveals the strings and imports that the packer hides.
- PE headers — The PE header reveals a lot about how the executable is loaded and what it imports.
Identifying the file type
- Identifying the file type is extremely important as it helps us identify the target OS and the corresponding architecture
- An example of a Windows executable file is the PE (Portable Executable).
- A PE could be in the form of; .exe, .dll etc.
- To accurately identify a file type we need to look at the file signature (magic bytes) rather than the extension, which is trivially faked, e.g. with double extensions such as invoice.pdf.exe.
- The file signature sits at the very start of the file, in the file header.
- For PE files the signature is the hexadecimal value 4D 5A, i.e. the ASCII characters MZ, in the first two bytes (offsets 0–1).
- PE files also carry the DOS stub message "This program cannot be run in DOS mode".
- The PE header proper begins with the signature 50 45 00 00 ("PE\0\0") at the offset stored in the 4-byte e_lfanew field at offset 0x3C of the DOS header.
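The signature check described above, as an added Python example that is not code from the original post: it reads the magic bytes, follows e_lfanew to the PE signature, takes the architecture from the Machine field and the DLL flag from Characteristics, then compares what the bytes say with what the file name claims, which is how a double extension like invoice.pdf.exe gets caught. It goes slightly beyond the post by also recognising ELF, PDF, ZIP and OLE2 signatures. All sample inputs are constructed header-shaped bytes, not real files.

```python
import struct

# Added example, not code from the original post. Identifies a file by its
# signature (magic bytes) instead of its extension. Sample inputs are constructed
# in-line below; they are header-shaped bytes, not real programs or malware.

PE_MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {0x03: "x86 (32-bit)", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "ARM64"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv", ".cpl"}
OTHER_MAGICS = [  # (bytes at offset 0, description)
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also OOXML Office, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
]


def _parse_pe(data):
    """Return (format, architecture, kind) for an MZ file, or None if no valid PE header follows."""
    if len(data) < 0x40:
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)           # offset of "PE\0\0"
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, = struct.unpack_from("<H", data, e_lfanew + 4)     # IMAGE_FILE_HEADER.Machine
    characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
    magic, = struct.unpack_from("<H", data, e_lfanew + 24)      # optional header Magic
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown optional header)")
    kind = "DLL" if characteristics & 0x2000 else "EXE"         # IMAGE_FILE_DLL
    return fmt, PE_MACHINES.get(machine, f"unknown machine 0x{machine:04x}"), kind


def identify(data, filename=""):
    """Classify content by signature; 'extension_mismatch' flags names that lie about the type."""
    result = {"type": "unknown", "arch": "n/a", "os": "unknown"}
    if data[:2] == b"MZ":
        pe = _parse_pe(data)
        if pe:
            fmt, arch, kind = pe
            result.update(type=f"{fmt} {kind}", arch=arch, os="Windows")
        else:
            result.update(type="MZ without a valid PE header (DOS program or truncated file)",
                          os="DOS/Windows")
    elif data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "?")     # EI_CLASS
        endian = "<" if data[5] == 1 else ">"                    # EI_DATA
        machine, = struct.unpack_from(endian + "H", data, 18)    # e_machine
        result.update(type=f"ELF {bits}", arch=ELF_MACHINES.get(machine, hex(machine)), os="Linux/Unix")
    else:
        for magic, description in OTHER_MAGICS:
            if data.startswith(magic):
                result["type"] = description
                break
    # Compare what the bytes say with what the name claims: "invoice.pdf.exe" is a PE and
    # ends in .exe (consistent); "report.pdf" that starts with MZ..PE is not.
    ext = ("." + filename.lower().rsplit(".", 1)[-1]) if "." in filename else None
    is_pe = data[:2] == b"MZ"
    result["extension_mismatch"] = ext is not None and (is_pe != (ext in PE_EXTENSIONS))
    return result


def build_sample_pe(machine=0x8664, dll=False):
    """Constructed minimal DOS header + NT headers (enough to identify; not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: NT headers follow at once
    characteristics = 0x0002 | (0x2000 if dll else 0)           # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    opt_magic = struct.pack("<H", 0x20B if machine in (0x8664, 0xAA64) else 0x10B)
    return bytes(dos) + b"PE\x00\x00" + coff + opt_magic


# Constructed 64-bit little-endian x86-64 ELF header prefix (first 20 bytes only).
SAMPLE_ELF = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 0x3E)


if __name__ == "__main__":
    for name, blob in [("invoice.pdf.exe", build_sample_pe()),
                       ("report.pdf", build_sample_pe(0x014C, dll=True)),
                       ("setup.exe", b"%PDF-1.7\n%constructed\n"),
                       ("a.out", SAMPLE_ELF)]:
        print(f"{name:16} {identify(blob, name)}")
```

The extension comparison is deliberately one-directional in both senses: a PE under a non-PE name and a non-PE under a PE name are both reported, while a name with no extension is left alone.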
Extract the sample. The password is "infected".
This is manual static analysis (checking the MZ and PE signatures by hand in a hex view):
Tool: Exeinfo PE
Tool: CFF Explorer
Malware hashing is the process of generating cryptographic hashes of the file content of the target malware (we hash the whole file). The algorithms commonly used for malware identification are MD5, SHA-1 and SHA-256.
The hashing process gives us a unique digest, known as a fingerprint, so we can fingerprint each malware sample and tell samples apart regardless of their file names.
Why should you hash?
- For accurate identification of malware samples, rather than relying on file names, which are arbitrary. A hash is effectively unique to the file content (MD5 collisions can be crafted deliberately, so record SHA-256 alongside it).
- Hashes are used to identify malware on malware analysis sites. (Virus Total).
- Hashes can be used to search for any previous detections or for checking online if the sample has been analyzed by other researchers.
Copy the MD5 hash (or the SHA-256, which VirusTotal also accepts) and go to VirusTotal.
Paste the hash into the search box and search. A hit means someone has already submitted this sample; no hit does not mean it is clean.
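An added example (not the post's code) of the hashing step: one pass over the sample computes MD5, SHA-1 and SHA-256 together, streaming the file so its size does not matter, and builds the VirusTotal lookup URL from the SHA-256. The demo input is a constructed byte string, not real malware.

```python
import hashlib

# Added example, not code from the original post. Fingerprints a sample with
# MD5, SHA-1 and SHA-256 in a single pass over the data so large samples are
# not read into memory three times.

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(chunks):
    """Hash an iterable of byte chunks with every algorithm at once -> {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks; works for samples of any size."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def virustotal_url(digests):
    """VirusTotal's search box takes MD5, SHA-1 or SHA-256; SHA-256 is its canonical identifier."""
    return "https://www.virustotal.com/gui/file/" + digests["sha256"]


def same_sample(digests_a, digests_b):
    """Two files are the same sample iff every digest agrees; names and timestamps play no part."""
    return all(digests_a[name] == digests_b[name] for name in ALGORITHMS)


if __name__ == "__main__":
    original = b"MZ\x90\x00constructed sample, not real malware\x00"   # constructed input
    tampered = original[:-1] + b"\x01"                                  # one byte differs
    for label, blob in (("original", original), ("tampered", tampered)):
        d = hash_bytes(blob)
        print(f"{label}: md5={d['md5']} sha256={d['sha256']}")
    print("same sample?", same_sample(hash_bytes(original), hash_bytes(tampered)))
    print("lookup:", virustotal_url(hash_bytes(original)))
```

Running the demo shows that a single changed byte flips every digest, which is exactly why a repacked or patched variant will not match the hash of the original sample.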
- Strings analysis — The process of extracting sequences of readable characters from the malware.
- Strings can give us valuable information about the malware's functionality.
- Malware usually contains useful strings mixed with random or meaningless ones, also known as garbage strings.
- Strings come in ASCII and Unicode (UTF-16) form. We need to specify which kind we want to extract, as some tools only extract ASCII by default.
- The types of strings we are looking for are: File names, URL’s (Domains the malware connects to), IP Addresses, Registry Keys
strings -a -n 6 <path to the sample file> > <path to save>
(-n 6 drops anything shorter than six characters, which removes most garbage strings. Check what -a means for your tool: in Sysinternals strings it restricts the scan to ASCII only, with -u for Unicode only and both being the default; in GNU strings, -a scans the whole file rather than only loaded sections, and -e l is needed for 16-bit little-endian Unicode strings.)
Search the output for "http" to find URLs.
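As an added example, not code from the original post, here is a small strings extractor that handles both ASCII and UTF-16LE (Unicode) strings, honours a minimum length like the -n 6 above, and then sorts the results into the indicator types this section lists (URLs, IP addresses, registry keys, paths and file names). The input blob is constructed inline; the only real-looking value in it is one of the C2 URLs from the YARA section of the post, and the IP address is from the documentation range 192.0.2.0/24.

```python
import re

# Added example, not code from the original post. Pulls ASCII and UTF-16LE
# ("wide") strings out of a byte blob, then sorts the useful ones into the
# indicator types listed above. The sample blob is constructed here; the one
# URL in it is taken from the YARA section of the post.

IOC_PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "registry": re.compile(r"\b(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|SOFTWARE|SYSTEM)\\[^\s\"']+", re.I),
    "path": re.compile(r"\b[A-Za-z]:\\[^\s\"'<>|*?]+"),
    "filename": re.compile(r"\b[\w.-]+\.(?:exe|dll|sys|bat|ps1|vbs|js|tmp|dat)\b", re.I),
}


def extract_strings(data, min_len=6):
    """Return sorted (offset, encoding, text) for printable runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # UTF-16LE: char, NUL, char, NUL ...
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)


def find_iocs(strings):
    """Group extracted strings by the indicator type they look like (a string can hit several)."""
    hits = {name: set() for name in IOC_PATTERNS}
    for _offset, _encoding, text in strings:
        for name, pattern in IOC_PATTERNS.items():
            hits[name].update(pattern.findall(text))
    return {name: sorted(values) for name, values in hits.items()}


def strings_from_file(path, min_len=6):
    with open(path, "rb") as f:
        return extract_strings(f.read(), min_len)


# Constructed sample: a DOS-stub-like header, a few ASCII strings, one wide string.
SAMPLE = (
    b"MZ\x90\x00" + bytes(16)
    + b"This program cannot be run in DOS mode.\x00"
    + b"http://reninparwil.com/zapoy/gate.php\x00"                   # C2 URL from the post's YARA rule
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"       # persistence key
    + bytes(4)
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16le") + bytes(2)  # wide (UTF-16LE) string
    + b"192.0.2.10\x00"                                                # documentation-range IP
    + b"\x01\x02\x03\x04ab\x00"                                        # too short to count
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"{offset:#06x} {encoding:8} {text}")
    for kind, values in find_iocs(found).items():
        if values:
            print(f"{kind}: {values}")
```

The wide pattern is the one most "strings" tools get wrong by default: the path in the sample never shows up in an ASCII-only scan, because every other byte is a NUL.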
Packers & Unpacking
- A packer is a tool that compresses (and often encrypts) the content of an executable.
- Attackers use packers to obfuscate the content of the malware; this hides the strings and imports from static analysis.
- Packers compress the executable and prepend a small stub. When the packed executable runs, the stub decompresses the original program into memory. That is why dumping the process from memory (or, for UPX, running upx -d) gets us back the original, unpacked executable to analyze.
How to pack a binary (to see what a packer does)
It is not packed yet.
upx -9 -qvfk <path>
(-9 is maximum compression, -f forces overwriting, -k keeps a backup of the original; upx -d <path> decompresses a UPX-packed file again.)
You can see the size difference between the packed and unpacked versions.
The hashes differ too, so a packed copy will not match a hash-based signature written for the unpacked file.
Understanding The PE Header
- The PE header contains the information the OS requires to run the executable.
- This information is very useful, as it can give us more information about the functionality of the malware and how the malware interacts with the OS.
Why is the PE header important?
- It contains all of the important and necessary information required by the OS to execute the executable.
- It contains information that specifies where the executable needs to be loaded into memory.
- It contains the libraries that the executable requires to be loaded (dll).
- It contains information that specifies where the execution begins.
PE Header Structure
What information are we interested in?
- Compiler stamp (TimeDateStamp) — When the malware was compiled. Useful for timelining, but trivially forged, so treat it as a hint.
- Subsystem — Which subsystem does it run under (GUI, console, native)?
- Sections — Is the executable packed (odd section names, high entropy), and are there inconsistent permissions, e.g. a section that is both writable and executable?
- Libraries & Imports — What libraries and imports are being used, and what information do they give us about the functionality of the malware.
Drag the unpacked version onto pestudio:
- the indicators view summarises everything pestudio found suspicious
- the sections view shows each section's size and permissions
- the libraries view flags imported DLLs that are on pestudio's blacklist
- check the imported functions, for example LoadLibrary, which lets the program load further DLLs at run time
As you can see, the packed version does not show these details: the real imports and strings only appear once the sample is unpacked.
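To make these checks concrete, and to tie in the packer discussion above, here is an added Python example (not the post's code, and not pestudio's logic) that reads the compile stamp, subsystem and section table straight from the PE headers, computes each section's entropy, and lists the packing indicators an analyst looks for: packer section names, near-maximal entropy, sections that are both writable and executable, sections with no raw data, and an entry point outside the first section. It constructs its own PE-shaped inputs, one clean-looking and one UPX-style, with a correct header layout but dummy contents, so it runs offline.

```python
import math
import struct
from datetime import datetime, timezone

# Added example, not the post's code and not pestudio's logic. Reads the PE
# fields the post cares about (compile stamp, subsystem, sections) and applies
# common packing heuristics. Inputs below are constructed: correct header
# layout, dummy section contents, never a runnable program.

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1",
                        ".petite", ".vmp0", ".vmp1", ".themida", "MPRESS1", "MPRESS2"}


def entropy(data):
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return the header fields that matter for triage, plus one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)       # IMAGE_FILE_HEADER
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)              # AddressOfEntryPoint
    subsystem, = struct.unpack_from("<H", data, opt + 68)          # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": raw_size,
            "perms": "".join(flag if flags & bit else "-" for flag, bit in
                             (("R", 0x40000000), ("W", 0x80000000), ("X", 0x20000000))),
            "entropy": round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2),
        })
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & 0x2000),
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),   # forgeable
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_point": entry,
        "sections": sections,
    }


def packing_indicators(info):
    """Heuristics, not proof: a list of reasons to suspect the file is packed."""
    hits = []
    for i, s in enumerate(info["sections"]):
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"packer section name {s['name']}")
        if s["entropy"] > 7.0:
            hits.append(f"high entropy {s['entropy']} in {s['name']}")
        if "W" in s["perms"] and "X" in s["perms"]:
            hits.append(f"writable and executable section {s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']} has no raw data but {s['virtual_size']:#x} bytes virtual")
        size = max(s["virtual_size"], s["raw_size"])
        if i and s["virtual_address"] <= info["entry_point"] < s["virtual_address"] + size:
            hits.append(f"entry point in {s['name']}, not the first section")
    return hits


def build_sample(packed, timestamp=1_600_000_000):
    """Constructed PE32+ image: a clean-looking layout or a UPX-style one."""
    if packed:   # UPX leaves an empty RWX UPX0 and a compressed RWX UPX1, entry in UPX1
        layout = [("UPX0", 0x4000, 0x1000, b"", 0xE0000080),
                  ("UPX1", 0x1000, 0x5000, bytes(range(256)) * 4, 0xE0000040)]
        entry = 0x5010
    else:        # R-X code section, RW- data section, entry in .text
        layout = [(".text", 0x400, 0x1000, b"\x55\x48\x89\xe5" + b"\xcc" * 1020, 0x60000020),
                  (".data", 0x200, 0x2000, b"Hello, analyst\x00" * 32, 0xC0000040)]
        entry = 0x1000
    opt_size, file_align = 240, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), timestamp, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<Q", opt, 24, 0x140000000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)             # Section/FileAlignment
    struct.pack_into("<H", opt, 68, 2)                               # Subsystem: Windows GUI
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)
    raw_ptr, bodies = file_align, b""
    for name, vsize, vaddr, body, flags in layout:
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(body),
                               raw_ptr if body else 0, 0, 0, 0, 0, flags)
        raw_ptr += len(body)
        bodies += body
    return headers.ljust(file_align, b"\x00") + bodies


if __name__ == "__main__":
    for label in ("unpacked", "packed"):
        info = parse_pe(build_sample(packed=(label == "packed")))
        print(label, info["format"], info["machine"], info["subsystem"], "compiled", info["compiled"])
        for s in info["sections"]:
            print(f"  {s['name']:8} {s['perms']} raw={s['raw_size']:#x} entropy={s['entropy']}")
        print("  indicators:", packing_indicators(info) or "none")
```

Point it at a real file with parse_pe(open(path, "rb").read()) and compare the output for the UPX-packed and unpacked copies from the packer section: the packed copy trips the section-name, entropy and permission checks at once, which is the same picture pestudio paints in its indicators view.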
Examining The Resources Section
The resources section contains all the necessary files and information that are used/required by the executable. For example: icons, dialogs
Why is it important?
- Attackers can utilize the resources section to store more malicious files and data like payloads, droppers, configuration info etc.
- The resource section may also contain information about the origin of the malware, such as the language of its string tables or embedded version information.
Download the Locky ransomware sample from here (password "infected").
Then drag the Locky sample onto Resource Hacker to browse its resources.
Creating YARA Rules
- YARA rules identify samples by matching specific strings or byte patterns, combined in a condition.
- The sample uses these three URLs for command and control, so they make a good signature:
Let's create our first YARA rule:
rule First_YARA_Rule {
    meta:
        description = "First YARA rule"
    strings:
        $a = "http://reninparwil.com/zapoy/gate.php" ascii wide
        $b = "http://leftthenhispar.ru/zapoy/gate.php" ascii wide
        $c = "http://reptertinrom.ru/zapoy/gate.php" ascii wide
    condition:
        ($a or $b or $c)
}
Open a command prompt and move to the directory containing the rule file.
yara32 -s -r <rule file> <file path>
(-s prints the matching strings with their offsets, -r scans directories recursively.)
You can see the three URLs being detected.