MAL: Malware Introductory - Easy
- Understanding Malware Campaigns
- Identifying if a Malware Attack has Happened
- Obtaining MD5 Checksums of Provided Files
- Identifying if the Executables are obfuscated / packed
- What is Obfuscation / Packing?
- Introduction to Strings
- Introduction to Imports
- Practical Summary
Understanding Malware Campaigns
- Types of malware attacks:
  - Targeted - for a specific purpose, against a specific target
  - Mass campaign - purpose is to infect as many devices as possible; also known as APTs (Advanced Persistent Threats)
1. What is the famous example of a targeted attack-esque Malware that targeted Iran? - Stuxnet
2. What is the name of the Ransomware that used the Eternalblue exploit in a "Mass Campaign" attack? - Wannacry
Identifying if a Malware Attack has Happened
- Processes of a malware attack:
  - Delivery
  - Execution
  - Maintaining persistence
  - Propagation
- Two categories of fingerprints left behind by malware:
  - Host-based signatures
  - Network-based signatures
1. Name the first essential step of a Malware Attack? - Delivery
2. Name the second essential step of a Malware Attack? - Execution
3. What type of signature is used to classify remnants of infection on a host? - Host-based signatures
4. What is the name of the other classification of signature used after a Malware attack? - Network-based signatures
- Categories of analysing malware:
  - Static analysis - to gain a high-level abstraction of the sample without running it.
  - Dynamic analysis - involves executing the sample and observing what happens.
Obtaining MD5 Checksums of Provided Files
1. The MD5 Checksum of aws.exe - D2778164EF643BA8F44CC202EC7EF157
2. The MD5 Checksum of Netlogo.exe - 59CB421172A89E1E16C11A428326952C
3. The MD5 Checksum of vlc.exe - 5416BE1B8B04B1681CB39CF0E2CAAD9F
4. Does Virustotal report this MD5 Checksum / file aws.exe as malicious? - Nay
5. Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? - Nay
6. Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? - Nay
Identifying if the Executables are obfuscated / packed
- The compiler/packer of the file can be found with the PEiD tool.
1. What does PEiD propose 1DE9176AD682FF.dll being packed with? - Microsoft Visual C++ 6.0 DLL
2. What does PEiD propose AD29AA1B.bin being packed with? - Microsoft Visual C++ 6.0
What is Obfuscation / Packing?
- Packing is a form of obfuscation that malware authors employ to prevent the analysis of programs.
- Obfuscated code is much harder to analyze at the static level.
1. What packer does PEiD report file "6F431F46547DB2628" to be packed with? - FSG 1.0 -> dulek/xt
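To show what PEiD is actually doing when it reports a compiler or packer, here is an added example (my own code, not part of the room and not PEiD's database): it parses PEiD-style byte signatures with "??" wildcards and matches them at a file's entry point, and it goes one step beyond the room by adding a Shannon entropy check, a common heuristic for spotting compressed or encrypted (i.e. packed) sections when no signature matches. The signature entries and the entry-point byte blobs are constructed stand-ins, not real database entries or real samples.

```python
import math
import re

# Constructed signatures in the PEiD userdb text style: a name and a byte
# pattern with "??" wildcards, matched at the entry point. These are
# illustrative stand-ins, NOT copies of real PEiD database entries.
SIGNATURES = {
    "Constructed packer A": "60 E8 ?? ?? ?? ?? 5D 81 ED",
    "Constructed compiler B": "55 8B EC 83 EC ?? 53 56 57",
}


def signature_to_regex(sig: str):
    """Turn '55 8B ?? EC' into a bytes regex; '??' becomes a one-byte wildcard."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


def identify(entry_bytes: bytes) -> list:
    """Names of every signature whose pattern matches at offset 0 of entry_bytes.

    An empty list corresponds to PEiD's "Nothing found".
    """
    return [name for name, sig in SIGNATURES.items()
            if signature_to_regex(sig).match(entry_bytes)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: packed (compressed/encrypted) code has near-uniform byte
    statistics, so a code section with entropy near 8 deserves a closer look."""
    return shannon_entropy(section) >= threshold


# Constructed inputs standing in for the bytes read at a PE's entry point.
ENTRY_A = bytes.fromhex("60E8000000005D81ED") + b"\x90" * 7   # matches packer A
ENTRY_PLAIN = b"\x90" * 16                                     # matches nothing

if __name__ == "__main__":
    for label, blob in [("ENTRY_A", ENTRY_A), ("ENTRY_PLAIN", ENTRY_PLAIN)]:
        hits = identify(blob)
        print(label, "->", ", ".join(hits) if hits else "Nothing found")
    print("entropy of an all-zero block:", shannon_entropy(bytes(256)))
    print("entropy of bytes 0..255:", shannon_entropy(bytes(range(256))))
```

Signature matching is only as good as the database: a packer PEiD has no entry for, or a sample whose entry-point bytes were altered, yields "Nothing found" exactly as in the practical summary below, which is why the entropy check is worth running alongside it.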
Introduction to Strings
- Strings are the ASCII/text contents of a program.
- The PE Explorer tool can be used as a GUI application for Strings.
1. What is the URL that is outputted after using "strings"? - practicalmalwareanalysis.com
2. How many unique "Imports" are there? - 5
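The MD5 checksum task and the strings task above are the two halves of a first static triage pass, so here is one added example (my own code, not the room's) that does both: it hashes data the way VirusTotal expects as a lookup key and extracts printable strings like the `strings` tool, and it goes a little beyond the room by also pulling UTF-16LE ("wide") strings, which Windows binaries use heavily and which a plain ASCII scan misses, then picks out URL and DLL-name indicators from the result. The byte blob, the URL and the DLL name in it are constructed sample input, not the room's files.

```python
import hashlib
import re

# Constructed sample blob standing in for a file under triage (not one of the
# room's files): a fake "MZ" header, non-printable filler, an ASCII URL,
# a DLL name and one UTF-16LE ("wide") string.
SAMPLE_BYTES = (
    b"MZ\x90\x00"
    + bytes(range(32))
    + b"http://example.invalid/update\x00\x01\x02"
    + b"kernel32.dll\x00\x00"
    + "wide!".encode("utf-16-le")
    + b"\x00ab\x00"
)

# Runs of at least N printable ASCII bytes, as `strings` reports them.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
# Printable ASCII characters each followed by a NUL byte: UTF-16LE text.
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def md5_hex(data: bytes) -> str:
    """Uppercase MD5 hex digest, the form used to look a sample up on VirusTotal."""
    return hashlib.md5(data).hexdigest().upper()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large samples need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Return the ASCII and wide strings found in data, keyed by encoding."""
    ascii_strings = [
        m.group().decode("ascii")
        for m in re.finditer(ASCII_RUN % min_len, data)
    ]
    wide_strings = [
        m.group().decode("utf-16-le")
        for m in re.finditer(WIDE_RUN % min_len, data)
    ]
    return {"ascii": ascii_strings, "wide": wide_strings}


# Indicator heuristics a first pass would pivot on.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.IGNORECASE)


def triage(data: bytes) -> dict:
    """Combine the hash with the string-derived indicators."""
    found = extract_strings(data)
    all_strings = found["ascii"] + found["wide"]
    return {
        "md5": md5_hex(data),
        "strings": found,
        "urls": [s for s in all_strings if URL_RE.search(s)],
        "dlls": sorted({s.lower() for s in all_strings if DLL_RE.match(s)}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BYTES)
    print("MD5:", report["md5"])
    for enc, items in report["strings"].items():
        for s in items:
            print(f"{enc:>5}: {s}")
    print("URLs:", report["urls"])
    print("DLLs:", report["dlls"])
```

For real files, call `md5_file(path)` and `triage(open(path, "rb").read())`; DLL names pulled from strings are a quick hint at what the sample imports, but the authoritative list is the import table covered in the next section.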
Introduction to Imports
- Disassemblers reverse the compiled code of a program from machine code to human-readable instructions (assembly).
- Debuggers use the same technique as disassemblers, and facilitate execution of the program, to view the changes through each step of the program.
- We can use IDA Freeware as a tool for both static and dynamic analysis.
1. How many references are there to the library "msi" in the "Imports" tab of IDA Freeware for "install.exe"? - 9
Practical Summary
1. What is the MD5 Checksum of the file? - F5BD8E6DC6782ED4DFA62B8215BDC429
2. Does Virustotal report this file as malicious? - Yay
3. What is the last string outputted? - d:h:
4. What is the output of PeID when trying to detect what packer is used by the file? - Nothing found *