Intro to Malware Analysis - Medium
- Malware Analysis
- Techniques of malware analysis
- Basic static analysis
- The PE file header
- Basic dynamic analysis
- Anti-analysis techniques
Malware Analysis
- Malware: software written with a malicious purpose (malicious software).
- Malware analysis is done by the following teams:
  - Security Operations
  - Incident Response
  - Threat Hunt
  - Malware Research
  - Threat Research
1. Which team uses malware analysis to look for IOCs and hunt for malware in a network? - Threat Hunt team
Techniques of malware analysis
- Static analysis: the malware is analyzed without being executed; this includes examining its strings, PE header, imports and code.
- To avoid static analysis, malware often uses techniques such as obfuscation and packing.
- Dynamic analysis: the malware is run in a controlled environment and its activity (process, file, registry and network events) is monitored; automated sandboxes are the most common form of such an environment.
- To avoid dynamic analysis, malware can detect the environment it is running in (a VM, sandbox or debugger) and refuse to run or behave benignly.
- Advanced malware analysis:
  - Disassemblers translate the binary's machine code into assembly instructions, so the malware's logic can be read without running it.
  - Debuggers attach to the program and let the analyst step through its instructions, set breakpoints, and inspect registers and memory while it runs.
-
1. Which technique is used for analyzing malware without executing it? - Static analysis
2. Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment? - Dynamic analysis
Basic static analysis
# in the REMnux VM
file redline            # identify the file type
strings redline | less  # list the printable strings in the file
md5sum redline          # calculate the MD5 hash; this can be searched on VirusTotal
1. In the attached VM, there is a sample named 'redline' in the Desktop/Samples directory. What is the md5sum of this sample? - ca2dc5a3f94c4f19334cc8b68f256259
2. What is the creation time of this sample? - 2020-08-01 02:44:18 UTC
The PE file header
- The PE file header contains metadata about a Portable Executable (PE) file.
- A PE file is divided into sections such as .text, .data and .rsrc; information about the sections (names, sizes, offsets, characteristics) is recorded in the PE file header.
- The pecheck utility can be used to examine the PE header of a file.
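As an added example (not code from the room or from REMnux, pecheck or any other tool it mentions), the Python script below does in one place what the `file`, `strings`, `md5sum` and `pecheck` steps above do: it walks the DOS header to the PE signature, reads the COFF header (machine, compile timestamp, section count), parses the section table and reports each section's Shannon entropy, which is how packed or encrypted code stands out. The function names, thresholds and the minimal PE image it builds are my own constructions; the sample is not the 'redline' sample and its timestamp is an arbitrary constructed value.

```python
"""Basic static triage of a PE file: type check, hashes, strings, section table
and per-section entropy. Added example; the sample image is constructed inline
and is NOT the 'redline' sample."""
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}   # IMAGE_FILE_HEADER.Machine


def build_sample_pe() -> bytes:
    """Constructed PE32 image: DOS header, PE signature, COFF header,
    224-byte optional header, two section headers, raw data at 512-byte offsets."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    text_raw = bytes((i * 73 + 41) % 256 for i in range(512))         # every byte value twice: entropy 8.0
    data_raw = b"RegOpenKeyExW\x00ADVAPI32.dll\x00".ljust(512, b"\x00")  # mostly zeros: low entropy
    # Machine=i386, NumberOfSections=2, TimeDateStamp (constructed: 2020-09-13 12:26:40 UTC),
    # no symbol table, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1600000000, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222               # PE32 magic, rest zeroed

    def section(name, vaddr, raw, raw_off, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused here), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_off, 0, 0, 0, 0, chars)

    headers = dos + b"PE\x00\x00" + coff + optional
    headers += section(b".text", 0x1000, text_raw, 512, 0x60000020)   # CODE|EXECUTE|READ
    headers += section(b".data", 0x2000, data_raw, 1024, 0xC0000040)  # INITIALIZED_DATA|READ|WRITE
    return headers.ljust(512, b"\x00") + text_raw + data_raw


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0..8; packed or encrypted sections sit close to 8."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def file_type(data: bytes) -> str:
    """Coarse equivalent of `file`: MZ signature, then PE\\0\\0 at e_lfanew."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(data) < e_lfanew + 24:
        return "MS-DOS executable"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return f"PE32 executable ({MACHINES.get(machine, hex(machine))})"


def hashes(data: bytes) -> dict:
    """md5sum/sha1sum/sha256sum; any of these is the lookup key on VirusTotal."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _, vaddr, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        raw = data[rptr:rptr + rsize]                 # shorter than rsize if the file is truncated
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_offset": rptr, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 6)})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "sections": sections}


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_type(sample), hashes(sample)["md5"])
    print("strings:", extract_strings(sample)[:6])
    info = parse_pe(sample)
    print(info["machine"], info["timestamp"])
    for s in info["sections"]:
        print(f"{s['name']:<6} rva=0x{s['virtual_address']:x} raw=0x{s['raw_offset']:x}+{s['raw_size']} entropy={s['entropy']}")
```

Run it as a script to see the report for the built-in sample, or call `parse_pe(open(path, "rb").read())` on a real file. The constructed .text section reports entropy 8.0 because every byte value occurs equally often, which is what a packed or encrypted section looks like in a real sample; the .data section, mostly zero padding around two strings, stays well below 1. A real import of RegOpenKeyExW lives in the import directory, which this parser does not walk; here the names are simply embedded so that the strings pass finds them.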
1. In the attached VM, there is a sample named 'redline' in the directory Desktop/Samples. What is the entropy of the .text section of this sample? - 6.453919
2. The sample named 'redline' has five sections. .text, .rdata, .data and .rsrc are four of them. What is the name of the fifth section? - .ndata
3. From which dll file does the sample named 'redline' import the RegOpenKeyExW function? - ADVAPI32.dll
Basic dynamic analysis
- Sandbox: an isolated environment that mimics the malware's actual target environment; malware analysis sandboxes rely on virtual machines because snapshots let the analyst revert to a clean state after each run.
- Online sandboxes (Hybrid Analysis is used below): submit the sample or look up its hash and read the generated report.
1. Check the hash of the sample 'redline' on Hybrid Analysis and check out the report generated on 14 March 2022. Check the Incident Response section of the report. How many domains were contacted by the sample? - 8
2. In the report mentioned above, a text file is created by the sample. What is the name of that text file? - fj4ghga23_fsa.txt
Anti-analysis techniques
- Packer: obfuscates, compresses or encrypts the contents of the malware so that the real code only appears in memory at run time; this makes static analysis tough.
- Techniques for sandbox evasion:
  - Long sleep calls
  - User activity detection
  - Footprinting user activity
  - Detecting VMs
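An added example, not from the room: the checker below takes an API-call trace from a dynamic run and flags the four evasion techniques listed above (plus debugger checks, which trip the same way). The trace format and its lines are constructed here and are not the output of any particular sandbox; the thresholds, the VM artefact strings and the user-artefact paths are my assumptions to tune against your own sandbox's run time and image.

```python
"""Flag sandbox-evasion behaviour in an API-call trace from a dynamic run.
Added example, not part of the original room; the trace lines below are
constructed in a format of my own, not the output of any particular sandbox."""
import re
from collections import defaultdict

# Constructed trace: one call per line, "<pid> <api>(<args>) = <return>"
SAMPLE_TRACE = r"""
4120 GetModuleHandleW("kernel32.dll") = 0x76f10000
4120 IsDebuggerPresent() = 0
4120 RegOpenKeyExW(HKLM, "SYSTEM\ControlSet001\Services\VBoxGuest") = 2
4120 RegOpenKeyExW(HKLM, "SOFTWARE\VMware, Inc.\VMware Tools") = 2
4120 GetCursorPos() = (512, 384)
4120 Sleep(1000) = 0
4120 GetCursorPos() = (512, 384)
4120 Sleep(1000) = 0
4120 GetCursorPos() = (512, 384)
4120 FindFirstFileW("C:\Users\user\Recent\*.lnk") = 0xffffffff
4120 Sleep(600000) = 0
4120 CreateFileW("C:\Users\user\AppData\Local\Temp\out.txt") = 0x1a4
"""

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\) = (?P<ret>.+)$")

# Thresholds and markers are assumptions to tune per sandbox, not published values.
LONG_SLEEP_MS = 60_000          # one call at or above this can outlast a short sandbox run
TOTAL_SLEEP_MS = 120_000        # many short sleeps add up to the same effect
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "vmci", "vmmouse")   # substrings of registry keys, drivers, files
USER_ARTIFACTS = ("\\recent\\", "\\documents\\", "\\history", "\\cookies")  # "has a human used this machine?"
INPUT_APIS = {"GetLastInputInfo"}


def parse_trace(text: str) -> list:
    """Return one dict per parseable line; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]


def analyze_trace(text: str) -> dict:
    """Map evasion category -> list of evidence strings."""
    findings = defaultdict(list)
    total_sleep = 0
    cursor_samples = []
    for call in parse_trace(text):
        api, args, ret = call["api"], call["args"], call["ret"]
        lowered = args.lower()
        if api in SLEEP_APIS:
            ms = int(re.match(r"\d+", args).group()) if re.match(r"\d+", args) else 0
            total_sleep += ms
            if ms >= LONG_SLEEP_MS:
                findings["long_sleep"].append(f"{api}({ms} ms)")
        if api in DEBUGGER_APIS:
            findings["debugger_check"].append(api)
        if any(marker in lowered for marker in VM_MARKERS):
            findings["vm_detection"].append(f"{api}({args})")
        if api == "GetCursorPos":
            cursor_samples.append(ret)
        if api in INPUT_APIS:
            findings["user_activity_check"].append(api)
        if any(marker in lowered for marker in USER_ARTIFACTS):
            findings["user_footprinting"].append(f"{api}({args})")
    if total_sleep >= TOTAL_SLEEP_MS:
        findings["long_sleep"].append(f"cumulative sleep {total_sleep} ms")
    # A cursor that never moves across several polls is the classic "nobody at the keyboard" check.
    if len(cursor_samples) >= 3 and len(set(cursor_samples)) == 1:
        findings["user_activity_check"].append(f"GetCursorPos polled {len(cursor_samples)}x, position unchanged")
    return dict(findings)


def verdict(findings: dict) -> str:
    """Two or more independent categories is strong evidence of sandbox awareness."""
    return "likely sandbox-aware" if len(findings) >= 2 else "no evasion observed"


if __name__ == "__main__":
    result = analyze_trace(SAMPLE_TRACE)
    for category, evidence in result.items():
        print(f"{category}:")
        for item in evidence:
            print(f"  {item}")
    print(verdict(result))
```

The point of checking cumulative sleep as well as single calls is that a sample can split one long delay into many short ones; likewise the cursor rule looks at a sequence of calls rather than any one of them. Marker matching is plain substring search, so expect to trim the lists when a legitimate path or DLL name happens to contain one.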
1. Which of the techniques discussed above is used to bypass static analysis? - Packing
2. Which technique discussed above is used to time out a sandbox? - Long sleep calls