- Introduction
- Static Analysis
- Dynamic Analysis
- Debugging and Disassembly Techniques
- Obfuscation Techniques
- Cheatsheet
- Malware Analysis is the art of dissecting malware (malicious software) to answer three main questions:
- How does it work?
- How can it be detected?
- How can the threat be eliminated?
- It is an art because analysis techniques differ from analyst to analyst. As such, what is in this note is my interpretation of malware analysis.
- The end goal of MA is to identify the signatures of the malware and to detect the same or similar malware based on these signatures, which are also known as Indicators of Compromise (IOCs).
- MA and RE (Reverse Engineering) are two different skill sets, but RE is complementary to MA.
- RE is the art of dissecting a product to understand its blueprint, and it helps to answer the three main questions MA sets out to answer.
- A malware sample need not belong to only one class; the classes are as below:
Type | Definition | Type | Definition |
---|---|---|---|
Virus | Malware that infects the target and requires user intervention to copy itself and spread to other computers or systems. | Worm | Similar to a virus, but does not require human intervention to spread. |
Scareware | Malware that uses social engineering to trick the user into buying or downloading unwanted software. | Ransomware | Malware that locks or encrypts the victim's sensitive information/data and blackmails the user for decryption. |
Botnet | A group of systems infected with the same malware and controlled by the attacker through a Command & Control (C2) server, usually used for DDoS attacks. | Trojan | Software that behaves like a regular program but has malicious code running within it. |
Spyware | Malware that the attacker uses to eavesdrop on, gather information from or destroy the victim's machine. | Rootkit | Malware that evades detection by hiding in the system. |
Keylogger | Malware that logs a user's keystrokes. | Logic Bomb | Code, or a portion of code, that remains dormant for a period of time and is triggered only when the time is right or when certain conditions are met. |
Backdoor/RAT | Malware that gives the attacker remote access to the user's system. | Information Stealer | Malware whose main purpose is to steal information and exfiltrate it back to the attacker. |
Downloader | Malware that is paired with other malware and helps to download and install it. | Dropper | Malware that has another malware executable embedded within it. |
Adware | Malware that shows the user unwanted advertisements. | | |
!!!Important!!!
- There is no need to waste time, effort and resources understanding every single instruction and detail that does not help answer the three core questions above.
!!!Important!!!
- Static Analysis is done by dissecting the malware without executing it.
- Basic: analysis of the file, its structure, imported and exported functions, etc.
- Advanced: attempt to understand the malware from the low-level instructions it uses, with a disassembler and/or decompiler.
- Dynamic Analysis is done by dissecting the malware by executing it and monitoring its behaviour.
- Basic: the analyst runs the sample in a contained environment (sandbox) with various monitoring tools pre-installed and tries to understand the malware's behaviour from the tools' output.
- Advanced: used when basic analysis does not give a clear picture; the sample is run under a debugger so that the analyst has more control over the malware's execution.
- Below is a non-exhaustive list of web pages that contain malware samples:
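As an added example (not part of the original notes), the basic static step above in Python with the standard library only: file hashes as the simplest IOCs, the PE section table parsed straight from the PE/COFF header layout, a check for sections that are both writable and executable (a common packing hint), and printable strings. It runs on a constructed PE-shaped byte blob built inline, not on a real binary.

```python
import hashlib
import re
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: 40 bytes, little-endian
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file: the first IOCs to record and share."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def pe_sections(data: bytes) -> list:
    """Walk MZ header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                                # section headers follow the optional header
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_size": f[1], "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return out

def writable_executable(sections: list) -> list:
    """Names of sections flagged both writable and executable (packer / self-modifying code hint)."""
    mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["characteristics"] & mask == mask]

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def build_sample() -> bytes:
    """Constructed PE-shaped blob for this demo (headers plus a few strings, no code; not a real program)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    secs = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x40, 0x100, 0, 0, 0, 0, 0x60000020)  # code|exec|read
    secs += struct.pack(SECTION_FMT, b"UPX1", 0x20, 0x2000, 0x20, 0x140, 0, 0, 0, 0, 0xE0000040)   # exec|read|WRITE
    body = dos + coff + secs
    body += b"\0" * (0x100 - len(body)) + b"kernel32.dll\0http://example.invalid/update\0"
    return body + b"\0" * (0x160 - len(body))

if __name__ == "__main__":
    sample = build_sample()
    print(file_hashes(sample)["sha256"])
    for s in pe_sections(sample):
        print(s)
    print("W+X sections:", writable_executable(pe_sections(sample)))
    print("strings:", printable_strings(sample))
```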
Completely Free | Free but needs Registration | Commercial |
---|---|---|
theZoo 1 and 2 | Hybrid Analysis | Hybrid Analysis |
malware traffic analysis | Any.Run | Any.Run |
Malware-Samples | Virus Share | VirusTotal |
TekDefense Malware Samples | Malware Bazaar | |
Inquest Malware Samples | MalShare | |
Contagio | | |
- Tools change with time, but the nature of the tool remains the same. Hence it is more important to understand the nature of the tool than the tool in specific.
- Tools needed for MA are classified as such:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | File Format Analyser | 4 | Virtualisation Tools, i.e. VMs |
2 | System Monitoring Tools | 5 | Other tools like data converters, decryptors, registry tools, etc. |
3 | Debuggers and Disassemblers | 6 | IDE to write custom scripts |
- Lab hardware specifications:
Spec | CPU | RAM | SSD/HDD | Network Card |
---|---|---|---|---|
Minimum | AMD or Intel 4+ core | 16 GB | 512 GB | 1 Gbps |
Recommended | AMD or Intel 8+ core | 32 GB | 52 GB | 1 Gbps |
- Operating systems for the lab VMs:
- SecurityOnion
- Tsurugi Linux
- Windows 10
- The brand of VM software used (VMware or VirtualBox) is not important; what matters most is to keep a golden image by taking a snapshot.
- Disk and device acquisition tools:
Open Source | Functions | Commercial | Functions |
---|---|---|---|
FTK Imager | Acquires hard or removable drives and memory | Belkasoft | Acquires hard or removable drives, mobile devices, memory, cloud |
Magnet Acquire | Acquires iOS and Android devices as well as hard or removable media | | |
- Memory acquisition tools:
Open Source | Commercial |
---|---|
Nirsoft memdump | Dumpit (beta) |
Belkasoft Ram Capturer | |
Magnet Ram Capturer | |
- System rollback / restore tools:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | Shadow Defender | 3 | RollbackRX Professional |
2 | DeepFreeze | | |
- Triage and endpoint collection tools:
Open Source | Functions |
---|---|
KAPE | Efficient triage program that targets the most forensically useful artifacts and parses them |
Rawcopy | Copies files off an NTFS volume using low-level disk reading methods |
GRR Rapid Response | Open source EDR (Endpoint Detection and Response) |
osquery | Open source EDR |
Velociraptor | Open source EDR |
- Sysinternals process and object inspection tools:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | Process Explorer | 4 | Handles.exe |
2 | WinObj | 5 | ProcMon |
3 | ListDLLs.exe | | |
- Other monitoring and analysis tools:
Name | Functions |
---|---|
ProcDOT | A tool that can visualise and correlate process activities and network traffic |
Fiddler | A web debugging proxy that logs all HTTP(S) traffic between the computer and the internet. Can be used to intercept the traffic of malware that uses HTTP(S) for C2. |
DependencyWalker | A tool that scans Windows executables and builds a hierarchy of the libraries and functions referenced by the executable. |
RegShot | A tool that compares two registry snapshots. It can also be configured to compare changes to a file or directory. |
Process Hacker | An extended Process Explorer with powerful features like searching and dumping strings from specific memory regions of running processes. |
- Other dynamic analysis and network capture tools:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | Noriben | 5 | WinDump |
2 | API Monitor | 6 | CaptureBAT |
3 | PE Capture | 7 | NetworkMiner |
4 | FireEye ApateDNS | 8 | Cuckoo |
- Sandboxes:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | Cuckoo Sandbox | 2 | Sandboxie |
- Online analysis services:
S/N | Tool Name | S/N | Tool Name |
---|---|---|---|
1 | VirusTotal | 4 | Joe Sandbox |
2 | Hybrid Analysis | 5 | Malwr |
3 | ANY.RUN | | |