Exploit Notes

Malware Analysis

Last modified: 2023-04-04

Malware

Build a Sandbox

Before analyzing malware, it’s recommended to build a sandbox for malware analysis.
Below are useful tools for building such an environment.

  • FLARE VM

    It is a collection of software installations scripts for Windows systems to maintain a reverse engineering environment on a virtual machine.

  • REMnux

    A Linux toolkit for malware analysis.

  • ANY.RUN

    An interactive online malware sandbox.

  • Hybrid Analysis

    A free online malware analysis.


Get Information About Malware

First off, we get the hash of the malware.

# Linux
md5sum example
sha256sum example

# PowerShell
Get-FileHash -Algorithm MD5 example.exe
Get-FileHash -Algorithm SHA256 example.exe

We can use the hash for finding details of malware, so copy the output hash.

We can search the information about malware by searching the hash.

In search form, input the hash value as below.

"47BA62CE119F28A55F90243A4DD8D324"

Now access to websites listed the search result.

VirusTotal

VirusTotal analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community.
To search the information about suspicious files, first get the hash in our terminal.

MalwareBazaar in Abuse.ch

MalwareBazaar also analyses suspicious files.

We can input the hash in Browse Database as below.

md5:47BA62CE119F28A55F90243A4DD8D324

Resource Hacker

Resource Hacker is a resource extraction utility and resource compiler for Windows.

By opening a malware file, we can retrieve detail information about the file in “Version Info”.

CAPA

capa detects capabilities in executable files.

capa example.exe
# -vv: All feature match details
capa -vv example.exe

Strings

We can find specific text contained in the malware.

# Linux
strings example | grep "text_here"

# PowerShell
strings example.exe | findstr "text_here"

Reverse Engineering

Ghidra

Ghidra is a reverse engineering software.

PE-bear

PE-bear is a multi-platform reversing tool for PE files.


Analysis Tools

  • Pithus

    An open-source mobile threat Intelligence platform.

Softwares

  • Process Hacker

    It monitors system resources, debug software and detect malware.

  • ProcDOT

    ProcDOT is a visual malware analysis tool.
    To investigate logs, in Monitoring Logs, open a log file (.csv) in Procmon and open a dump file in WinDump. Then click “Refresh”. Executable files and PID listed.

Programs

  • Yara

    The pattern matching swiss knife for malware researchers.

    • Automation Tools

      • Loki

        # Update first, then will add `signature-base` directory
python ~/Loki/loki.py --update

# Run
python ~/Loki/loki.py -p ./suspicious_files_dir

# Run & output a log file
python loki.py -p ./suspicious_files_dir -l log.txt

      • yarGen

        # Update first
python ~/yarGen/yarGen.py --update

# Generate Yara ruls for specific file
python ~/yarGen/yarGen.py -m ./suspicious_files_dir --excludegood -o ./suspicious_files_dir/rule.yar

# Check if the file flagged
yara ./suspicious_files_dir/rule.yar ./suspicious_files_dir/somefile.php

# If flagged, copy this ruls to Loki's signature yara directory
cp ./suspicious_files_dir/rule.yar ~/Loki/signature-base/yara

# Then run Loki
# ...

    • Manual

      • Find Files Matches Rules

        yara rule.yar ./somedir
# Print only number of matches
yara -c rule.yar ./somedir
# Print only not satisfied rules 
yara -n rule.yar ./somedir
# Print metadata
yara -m rule.yar ./somedir

      • Create Rules

        Create "rule.yar".

        rule rule_name {
    meta:
        author = "pentester"
        description = "test rule"
        created = "6/20/2022 00:00"
    strings:
        $hello = "Hello"
        $text_file = ".txt"
    condition:
        $hello and $text_file
}

Attack with Malware

Programs