Malware Analysis
Last modified: 2023-02-21
Build a Sandbox
Before analyzing malware, it’s recommended to build a sandbox for malware analysis.
Below are useful tools for building such an environment.
-
FLARE VM
It is a collection of software installations scripts for Windows systems to maintain a reverse engineering environment on a virtual machine.
-
REMnux
A Linux toolkit for malware analysis.
-
An interactive online malware sandbox.
-
A free online malware analysis.
Get Information About Malware
First off, we get the hash of the malware.
# Linux
md5sum example
sha256sum example
# PowerShell
Get-FileHash -Algorithm MD5 example.exe
Get-FileHash -Algorithm SHA256 example.exe
We can use the hash for finding details of malware, so copy the output hash.
Google Search
We can search the information about malware by searching the hash.
In search form, input the hash value as below.
"47BA62CE119F28A55F90243A4DD8D324"
Now access to websites listed the search result.
VirusTotal
VirusTotal analyses suspicious files, domains, IPs and URLs to detect malware and
other breaches, automatically share them with the security community.
To search the information about suspicious files, first get the hash in our terminal.
MalwareBazaar in Abuse.ch
MalwareBazaar also analyses suspicious files.
We can input the hash in Browse Database as below.
md5:47BA62CE119F28A55F90243A4DD8D324
Resource Hacker
Resource Hacker is a resource extraction utility and resource compiler for Windows.
By opening a malware file, we can retrieve detail information about the file in “Version Info”.
CAPA
capa detects capabilities in executable files.
capa example.exe
# -vv: All feature match details
capa -vv example.exe
Strings
We can find specific text contained in the malware.
# Linux
strings example | grep "text_here"
# PowerShell
strings example.exe | findstr "text_here"
Reverse Engineering
Ghidra
Ghidra is a reverse engineering software.
PE-bear
PE-bear is a multi-platform reversing tool for PE files.
Analysis Tools
-
An open-source mobile threat Intelligence platform.
Softwares
-
It monitors system resources, debug software and detect malware.
-
ProcDOT is a visual malware analysis tool.
To investigate logs, in Monitoring Logs, open a log file (.csv) in Procmon and open a dump file in WinDump. Then click “Refresh”. Executable files and PID listed.
Programs
-
The pattern matching swiss knife for malware researchers.
-
Automation Tools
-
# Update first, then will add `signature-base` directory python ~/Loki/loki.py --update # Run python ~/Loki/loki.py -p ./suspicious_files_dir # Run & output a log file python loki.py -p ./suspicious_files_dir -l log.txt
-
# Update first python ~/yarGen/yarGen.py --update # Generate Yara ruls for specific file python ~/yarGen/yarGen.py -m ./suspicious_files_dir --excludegood -o ./suspicious_files_dir/rule.yar # Check if the file flagged yara ./suspicious_files_dir/rule.yar ./suspicious_files_dir/somefile.php # If flagged, copy this ruls to Loki's signature yara directory cp ./suspicious_files_dir/rule.yar ~/Loki/signature-base/yara # Then run Loki # ...
-
-
Manual
-
Find Files Matches Rules
yara rule.yar ./somedir # Print only number of matches yara -c rule.yar ./somedir # Print only not satisfied rules yara -n rule.yar ./somedir # Print metadata yara -m rule.yar ./somedir
-
Create Rules
Create "rule.yar".
rule rule_name { meta: author = "pentester" description = "test rule" created = "6/20/2022 00:00" strings: $hello = "Hello" $text_file = ".txt" condition: $hello and $text_file }
-
-
Static Analysis
Static Analysis is a method of malware analysis that analyze without executing a suspicious file. It can detect basic information (e.g. packer, linker, architecture) of files but may be not enough.
-
It determines types of files.
-
[CAPA](https://github.com/mandiant/capa](https://github.com/mandiant/capa)
It identifies capabilities in executable files.
capa ./executable
If you found that the executable is packed with a packer tool such as UPX, unpack with the same packer tool and re-analyze the file using CAPA.
For example, if the executable is packed with UPX, unpack with UPX and re-run capa.
upx -d ./executable
# Delete the cache of capa
del ./executable.viv
capa <suspicious-executable>
Dynamic Analysis
If our environment is Windows, we need to start the Process Monitor before running the dynamic analysis.
Process Monitor (ProcMon) is a Windows tool that analyze the behavior (real-time registry, file system, and process/threat activity) while analyzing malware.
In ProcMon, set “Process Name” “is” “executable.exe” then “Include” in the Process Monitor Filter, and click “Add” → “OK”.
After executing, you should see results appear in the ProcMon.
The first step is to unset all filters on the right of the tool bar, then set again a filter one by one.
-
Show Registry Activity
This filter allows us to determine if any significant Registry Modifications are executed by the binary. To focus on Registry Key Creations and Modifications, exclude RegOpenKey, RegQueryValue, RegQueryKey, RegCloseKey by right-clicking on the row of results.
-
Show File System Activity
This filter allows us to determint if the malware executes File Creations. To focus only on File Write events, exclude CreateFile, CreateFileMapping, QuerySecurityFile, QueryNameInformationFile, QueryBasicInformationFile, CloseFile, ReadFile.
-
Show Network Activity
This filter allows us to confirm if the malware attempts to make a network connection.
Malicious Document (.doc) Analysis
- Open CyberChef
- Upload the suspicious doc file on CyberChef.
- Use the “Strings” function to extract strings.
- If you found obfuscated strings in the results, add the “Find / Replace” function to remove extra strings.
- If necessary, add the “Drop bytes” function to remove extra bytes.
Attack with Malware
Programs
-
LKM Linux rootkit.