Malware Analysis

Introduction

Malware, short for malicious software, is a term used to describe any software specifically designed to harm, exploit, or compromise computer systems, networks, and data. As the digital landscape continues to evolve, the sophistication and diversity of malware threats have also increased. To effectively combat these threats, cybersecurity experts employ a process known as malware analysis. In this blog post, we'll explore the concept of malware analysis and delve into the different categories that make up this essential field of cybersecurity.

What is Malware Analysis?

Malware analysis is the process of examining and dissecting malicious software to understand its behavior, functionality, and impact on a system or network. The primary goal of malware analysis is to gain insight into how a piece of malware operates, its purpose, and any potential vulnerabilities it may exploit. This information is critical for developing effective countermeasures, such as antivirus signatures, intrusion detection rules, and network filters.

Different Categories of Malware Analysis

1. Static Analysis

Static analysis involves examining the malware without executing it. Analysts use various tools and techniques to inspect the code and structure of the malicious software. Key elements of static analysis include:

a. File Signature Analysis: This method involves comparing the binary file's hash value to known malware signatures in antivirus databases.

b. Code and File Structure Analysis: Analysts study the malware's code and file structure, looking for anomalies, obfuscation techniques, or hidden functions.

c. API Calls and Dependencies: Analyzing the malware's API calls and dependencies can reveal its intended functions and communication channels.

d. String Analysis: This involves searching for specific strings within the malware code that may reveal its purpose or origin.

1. Dynamic Analysis

Dynamic analysis, in contrast to static analysis, involves executing the malware in a controlled environment (sandbox) to observe its behavior. This method allows analysts to uncover runtime behaviors, such as:

a. Network Activity: Observing network connections and data exchanges between the malware and external servers or systems.

b. File System Activity: Monitoring file operations to identify any file modifications or attempts to spread to other files or directories.

c. Registry Activity: Tracking changes made to the Windows Registry, which may indicate persistence mechanisms or system manipulation.

d. Memory Analysis: Examining the malware's interaction with system memory, including code injection and anti-analysis techniques.

1. Behavioral Analysis

Behavioral analysis focuses on understanding the malware's actions and effects on a system. Analysts collect information on how the malware behaves when executed. Key aspects of behavioral analysis include:

a. System Calls and Events: Recording system calls and events triggered by the malware, such as process creation, file access, and registry modifications.

b. Payload Delivery and Exploitation: Identifying how the malware delivers payloads, exploits vulnerabilities, and escalates privileges.

c. Persistence Mechanisms: Determining how the malware maintains persistence on the compromised system, such as through startup processes or scheduled tasks.

d. Communication and Data Exfiltration: Studying the methods used by the malware to communicate with command and control servers and exfiltrate sensitive data.

1. Hybrid Analysis

Hybrid analysis combines elements of both static and dynamic analysis. Analysts employ this approach to gain a comprehensive understanding of malware by examining its code, structure, and behavior in a controlled environment. Hybrid analysis is particularly effective for sophisticated malware that employs evasion techniques to thwart analysis.

1. Code Reversing

Code reversing, or reverse engineering, involves disassembling the malware's binary code to understand its underlying logic and functionality. This technique can reveal hidden features, encryption methods, and vulnerabilities that may be exploited to develop countermeasures or patches.

Conclusion

Malware analysis is a vital aspect of modern cybersecurity, as it allows experts to understand, detect, and mitigate the ever-evolving threat of malicious software. By employing a combination of static, dynamic, behavioral, hybrid analysis, and code reversing, cybersecurity professionals can effectively combat malware and protect systems and networks from potential harm.

As malware continues to evolve in complexity and sophistication, the field of malware analysis remains a dynamic and essential component of cybersecurity, helping organizations stay one step ahead of cyber threats.

What is Malware Analysis ?

What is Malware ?

Types of Malwares

• Virus

• Worms

• Botnets

• Polymorphic malware

• APT (Advanced Persistent Threat)

• Infostealer

• Exploit kits for drive-by attacks

• Trojan horses

• Wipers

• Ransomware

• Mobile malware

• Drive-by download

• Maldocs

• Rootkits

• IoT malware

• File less malwares

Malware Analysis helps to find charecterization and categorization of threat and helps at the time of impact analysis

Programming Languages

• Assembly Language

• C

• C++

• Java

• Python

• Go

• Rust

• Java Script

• PowerShell

• Perl

• Shell Script

• Apple Script

Operating System Internals

• Windows

• Unix

• Mac OS

Networking and TCP/IP Protocol Suite

• Most common protocols, Ports and Services

Operating System Security concepts

• Password management

What is organization Incident Response Plan

• For IT

• For OT/IOT

• For Mobile Devices

Tools

Debuggers	X64 dbg , X32 dbg, Radare , cutter, windbg, ollydbg
Disassembly	Ghidra, ida pro
PE Analysis	PE Studio, PEID, Detect it easy, CFF explorer, PE Bear, Hiew	Check entropy 0-8, 8 more likely packed
Process Monitoring	ProcMon, Process explorer, Proc dot, Process Monitor	Process creation and registry changes
API Monitoring	API Monito
Autoruns	Autoruns
Web Proxy	Fiddler
Network Traffic capture and analysis/monitoring	Wireshark, Tshark, TCP view
Sand Box Environment and services	Cuckoo, Limon for linux, sandboxie, drakvuf-sandbox
Dedicated distributions for Malware analysis/RE	Flare vm, Remnux
Additional	Hex editor
ASM	FASM
Dynamic Analysis	Triage Any.run Hybrid analysis Jose sandbox VirusTotal
Registry Monitoring	Reg Shot
Network Deception	FakeNet-NG ApateDNS Python's SimpleHTTPServer INetsim
System Monitoring	sysmon
Emulation	Atomic red team
De obfuscation tools	Js detox, floss
Framework	MITRE
Memory Forensics	Volalility
Document Analysis	OLE tools PDFStreamDumper
VB Script Analysis	VB DE compiler
Android App Analysis	APKtool, ADB
Java file analysis	JADX
Packer/Cryptor analysis	Upx, aspack
Urls/domain	Urlvoid Urlhaus urlscan
Malware Samples	Honeypot Zoo Vx underground Free Malware Sample Sources for Researchers: https://zeltser.com/malware-sample-sources/ theZoo - A Live Malware Repository | theZoo aka Malware DB: https://thezoo.morirt.com/ VirusShare.com: https://virusshare.com/ VirusBay: https://beta.virusbay.io/
Analysis Notes/writeups	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Lab/Malware Sandboxing :

Host only Network :

• Linux (security onion/ELK/fake dns)

• • Windows Flare

  • SIFT

  • Remnux

Build lab

• Remnux

• Sans SIFT

• Flare VM

• Collecting Malware samples

• Monitoring

• Installing end-user software's

• Opening multiple files

• Keeping the same file name

• Don’t install VM guest tools

• Collecting/Analyzing

• • PCAP Files

  • API calls

  • Logging file system and registry activity

  • Web hooks

  • API hooks

  • Process hallowing

  • Change in process handle table

  • Suspicious command logging

• Memory acquisition

• • RAM

Static Analysis

• Fast flux domains

• Get-fileHash -algorithm SHA256

• Python package hashlib

• SSdeep

• File

• Strings

• PE header analysis

• Python package "magic"

• Python code for PE analysis

• Is executable packed

• File hashing

• Fuzzing hashing

• • SSDEEP

• Virus total integration

• • Python program

IP Lookup

• www.ipchicken.com
• www.whatsmyip.com
• File hashes

• Compute hash

• Totalhash.cymru.com -> mutex search

• Is it packed ? Packer identification

• Imports and exports

• Strings

• Sections -> hashvalue -> search on vt

• Resources -> hashvalue

• File metadata

• Exeinfo pe

• HxD hex editor (https://mh-nexus.de/en/hxd/):
• File

• strings

• xxd -g 1 log.exe | more

• CFF explorer

• Bintext

• Virustotal

• https://www.winitor.com/
• https://www.mzrst.com/
• Virus scanner

• https://www.virscan.org/
• https://virusscan.jotti.org/en-US/scan-file

• Pe studio

• • Optional-header -> subsystem

  • Libraries

  • • Imports and exports

  • Strings

  • Virtual allocation

• Detect it easy

• Process Hacker

• • Mutants

  • Mutex

• Process Monitor

• Fakenet

• Regshot

• • Plain TXT

  • Scan dir c:\

• Procmon

• • Save in native format and csv format

  • Filter

  • • Process name/malicious file name

    • Process write, create, delete, registry changes

Dynamic Analysis:

• Submit to sandbox

• • Observe

  • • Process

    • Network

    • File

    • Registry

• Use debuggers to analyze the flow

Source Code Analysis:

Memory Analysis :

To Do Analysis:

• Analyze and create documentation

• JavaScript

• PDF

• Doc

• Office macros

• RTF

• One note

• Lnk file

• Xlsx

• Iso

• Executables

• VBS/VBA

• JS

• Powershell script analysis

• Phishing email headers

• • SPF/DKIM/DMARC

• Behavioral analysis

• Anti-analysis techniques (anti-debug, anti-vm)

• • Anti analysis strings

• Malware unpacking (encrypted/packed executables)

• Malware debugging

• Email header analysis

• Malicious RTF analysis

• Malicious PDF analysis

• Malicious docx analysis , macros

• Malicious iso analysis

• Malicious DLL analysis

• APT attack scenarios

• • Qakbot analysis

  • Emotet analysis

  • Dridex analysis

  • Trick bot

  • RunDll32.exe is then run with the TrickBot DLL, utilizing the DLLRegisterServer entrypoint. Shortly thereafter, WerMgr.exe is suspiciously spawned as a child process of RunDLL32

Malware Debugging

Malware de obfuscation

• Decode

• Decrypt

• Unpacking malware

Analysis

• Volatility

• Code injection and extraction

• API hooking

• File less

• Sandbox escaping

• Anti malware analysis

Learn

• Disassembling

• Decompiling

• Binary instructions

• Assembly Language

• Disassembler - produce assembly code

• Debuggers - manipulate execution of code

• PE structure portable executable

• Suspicious windows API patterns

• Packers

• • Compress and encrypt the executables

  • Obfuscates

  • Anti-analysis features

Techniques to learn

• Detecting fake trails

• Malware using encryption

• PE Header data Analysis

• Meta data analysis

• Detect the kill switch to stop spread

• Obfuscated code analysis

• Understanding new encoding and encryption schemes

• Detection evasion techniques

• • Delay of execution

  • Detection of VM env

  • Verifying user activity

  • Hiding malicious code

  • Sandbox evasion

  • Debugger detection

  • Flow misdirection

  • Anti-analysis

• Code injection

• API hooking

• File less techniques/malwares

• Registry persistence

Further Reading:

• Concepts/Tutorial https://exploitreversing.com/
• Review course content : https://courses.zero2auto.com/beginner-bundle
• Concepts https://www.malwaretech.com/challenges/windows-reversing
• Concepts/Tutorial https://zeltser.com/reverse-engineering-malware-methodology/
• https://gist.github.com/kimusan/475bf632009fc8eef9f22a6489b74a03
• Preparation https://www.secjuice.com/the-road-to-reverse-engineering-malware/
• Course https://ritcsec.wordpress.com/2022/04/30/beginners-guide-to-reverse-engineering-malware/
• Review tools https://awesomedfir.com/malware-reverse-engineering
• Course review : https://www.offensivecon.org/trainings/2023/modern-malware-opsec-and-anti-reverse-techniques-implementation-and-reversing.html
• Course https://opensecuritytraining.info/ReverseEngineeringMalware.html
• Tutorial https://intezer.com/blog/malware-analysis/malware-reverse-engineering-beginners/
• Tutorial https://www.varonis.com/blog/malware-analysis-tools
• Tutorial : https://www.hackers-arise.com/post/2017/01/18/Reverse-Engineering-Malware-Why-YOU-Should-Study-Reverse-Engineering-Malware
• Tutorial https://malwareunicorn.org/workshops/re101.html#11

University:

• https://alperovitch.sais.jhu.edu/

Books

• Michael Sikorski, Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 2012. ISBN: 978-1593272906

• Chris Eagle. The IDA Pro Book. No Starch Press (2nd Edition), 2011. ISBN: 978-1593272890

• Randal E. Bryant, David R. O'Hallaron. Computer Systems: A Programmer's Perspective. Pearson (3rd Edition), 2015. Online: http://csapp.cs.cmu.edu/. ISBN: 978-0134092669
• Intel Developer’s manuals. http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

References:

https://blog.malwarebytes.com/glossary/