
THM | Intro to Malware Analysis


Malware Analysis | Intro to Malware Analysis | Summary:

The aim of this room is to provide SOC analysts with steps to determine whether suspicious content (files or traffic) is malicious or not. It will cover the basics of malware, how to start analyzing it, and different analysis methods, as well as resources for further assistance.


Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Warning

When analyzing malware, take precautions so the sample cannot harm your host or your network. Follow these guidelines:

  • Analyze malware only on machines dedicated to analysis and isolated from production networks
  • Store samples in password-protected archives when not in use, so they are not run or scanned by accident
  • Extract and analyze samples only inside the isolated environment
  • Use a dedicated VM for malware analysis with a clean snapshot you can revert to
  • Disconnect the internet connection during analysis, or route it through a monitored, controlled gateway
  • Revert the VM to the clean snapshot after each session to avoid cross-contamination between samples

Learning Objectives

  • What is malware?
  • How to start analyzing malware
  • Static and Dynamic malware analysis
  • Resources to help you analyze malware

Task | 1 | Introduction

Recommended OS for Malware Analysis

Question 1: Let's learn Malware Analysis!

No answer needed

Task | 2 | Malware Analysis

  • Malware refers to any software with malicious intent; it is commonly categorized by its behavior
  • Here we focus on the steps to take when malware is suspected on a machine, rather than on detailed classifications
  • Malware analysis is an essential skill for various security teams
    • Security Operations | Writing detections for malicious activity
    • Incident Response | Determining damage and remediating it
    • Threat Hunt | Identifying IOCs to hunt for malware
    • Malware Researchers | Adding detections in security products
    • Threat Research | Discovering vulnerabilities and adding security features

Question 1: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

Threat hunt team

Task | 3 | Techniques of malware analysis

  • Malware Analysis is like solving a puzzle by joining different pieces (tools and techniques) to get the complete picture of what the malware is trying to do.
  • Categories of techniques
    • Static Analysis | Analyzing malware without executing it
      • Checking strings in malware
      • Examining PE headers
      • Disassembling code
      • Techniques to avoid static analysis
        • Obfuscation
        • Packing
    • Dynamic Analysis | Running malware in a controlled environment to observe its behavior
      • Running malware in a VM
      • Using sandboxes for automatic analysis
      • Techniques to avoid dynamic analysis
        • Detecting the environment in which it is being run
  • Malware often uses techniques to avoid static and dynamic analysis, but these methods can be overcome using advanced analysis techniques
    • Advanced Analysis techniques
      • Disassemblers | Converting binary code to assembly for static analysis
      • Debuggers | Attaching to programs to monitor instructions while running

Question 1: Which technique is used for analyzing malware without executing it?

Static analysis

Question 2: Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment?

Dynamic analysis

Task | 4 | Basic Static Analysis

  • When analyzing new malware, the first step is usually basic static analysis
  • This "sizing up" pass gives an overview of the sample and its properties without running it
  • Basic static analysis can reveal
    • Which API functions the sample imports, and therefore what it is capable of
    • Whether the sample is packed (compressed or encrypted code that hides its real contents)
    • How much effort the full analysis is likely to take
  • Basic static analysis is a crucial step in understanding what you're dealing with, even when it does not by itself answer the critical questions

Basic Techniques

  • Examining the file type | file <filename>
  • Examining strings | strings <filename> (add -e l to also extract UTF-16LE strings, which Windows malware commonly uses)
  • Calculating hashes | md5sum <filename> | sha1sum <filename> | sha256sum <filename>
  • AV scans and VirusTotal | search VirusTotal for the hash rather than uploading the file; an upload makes the sample visible to others and can tip off the attacker that it has been found
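
As an added example (not the room's own material), the triage steps above done in Python: the three hashes, a magic-number check standing in for `file`, ASCII and UTF-16LE string extraction equivalent to `strings` and `strings -e l`, and a pass that flags strings worth following up. The input bytes are constructed inline to stand in for a file read from disk, and the indicator patterns are a starting set of my own, not something the room provides.

```python
import hashlib
import re

# Constructed stand-in for a file read from disk (not the room's 'redline'
# sample): an MZ stub, a few ASCII strings, one UTF-16LE string and filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + b"http://example.invalid/gate.php\x00"
    + b"CreateRemoteThread\x00\x00"
    + "cmd.exe /c whoami".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 8
)

# Indicators worth a second look in the string dump (my own starting set).
INDICATOR_RULES = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_api": re.compile(
        r"\b(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|"
        r"IsDebuggerPresent|URLDownloadToFile|WinExec|ShellExecute)\w*"),
    "command": re.compile(r"\b(?:cmd\.exe|powershell(?:\.exe)?|rundll32|regsvr32)\b", re.I),
    "registry": re.compile(r"(?:HKLM|HKCU|SOFTWARE)\\[\w\\ ]+", re.I),
}


def file_hashes(data: bytes) -> dict:
    """Same digests md5sum/sha1sum/sha256sum print; use SHA-256 for lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_type(data: bytes) -> str:
    """Minimal magic-number check standing in for the `file` utility."""
    if data[:2] == b"MZ":
        return "PE/DOS executable (MZ header)"
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:2] == b"#!":
        return "script with shebang line"
    return "unknown"


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like `strings -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def wide_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs (printable byte followed by NUL), like `strings -e l`."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


def triage(data: bytes, min_len: int = 4) -> dict:
    """One-shot basic static triage: file type, hashes, and flagged strings."""
    strings = ascii_strings(data, min_len) + wide_strings(data, min_len)
    indicators = {}
    for s in strings:
        for kind, rule in INDICATOR_RULES.items():
            if rule.search(s):
                indicators.setdefault(kind, []).append(s)
    return {
        "type": file_type(data),
        "hashes": file_hashes(data),
        "string_count": len(strings),
        "indicators": indicators,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Note that the wide-string pass is what catches the `cmd.exe /c whoami` command line; a plain `strings` run would miss it because every character is followed by a NUL byte.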

Question 1: In the attached VM, there is a sample named 'redline' in the Desktop/Samples directory. What is the md5sum of this sample?

ca2dc5a3f94c4f19334cc8b68f256259

Question 2: What is the creation time of this sample?

2020-08-01 02:44:18 UTC

Task | 5 | The PE file Header

  • The PE file header contains metadata about Portable Executable files (Windows .exe and .dll), providing valuable information for analysis

  • Key aspects of the PE header

    • Imports/Exports | reveal functions reused by the file from outside (imports) or exposed to other binaries (exports)
      • Imports indicate functionality, such as communicating with the internet or touching the registry (for example RegOpenKeyExW from ADVAPI32.dll)
    • Sections | A PE file is divided into sections, each serving a specific purpose
      • .text | Contains CPU instructions executed when the file runs
      • .rdata | Read-only data such as string constants and, commonly, the import and export tables
      • .data | Holds global variables and data used by the file
      • .rsrc | Stores resources like images, icons, etc.
    • Section entropy | Entropy close to 8 bits per byte in a section means compressed or encrypted content, a sign of packing
    • TimeDateStamp | The compile timestamp in the COFF header, which tools report as the sample's creation time; it is a plain field and is easily forged
  • Check the PE header | pecheck <malwarename>
  • Check the PE header (GUI-based) | pe-tree <malwarename>
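
An added example (not part of the room, and not what pecheck or pe-tree do internally): a stdlib-only walk of the PE header that reports the compile timestamp, the section table with per-section entropy, and which section holds the entry point, followed by the packing heuristics an analyst applies to that output. It builds a minimal PE32 in memory as a constructed stand-in for the 'redline' sample; the section names, timestamp and section contents are invented for the demonstration. Import parsing is left to the tools above.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; >7 suggests packing/encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, symbol fields, SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 6)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {"machine": hex(machine),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "compile_time": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "entry_point": hex(entry_rva), "entry_section": entry_section, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Cheap packing heuristics read straight off the parsed header."""
    flags = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            flags.append(f"high entropy {s['entropy']} in section {s['name']}")
        if s["name"].upper().startswith("UPX"):
            flags.append(f"packer section name {s['name']}")
    if info["entry_section"] not in (".text", "CODE"):
        flags.append(f"entry point {info['entry_point']} lies in {info['entry_section']}, not .text")
    return flags


# --- constructed input: a minimal PE32 assembled in memory, not a real sample ---
def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_min_pe(sections, entry_rva: int, timestamp: int) -> bytes:
    """Wrap the given (name, raw bytes) sections in DOS header, PE headers and a section table."""
    opt_size = 224                                          # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                     # 512-byte file alignment
    rva, sec_hdrs, body = 0x1000, b"", b""
    for name, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(raw), rva, size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size, b"\0")
        rva += (size + 0xFFF) & ~0xFFF                       # 4 KiB section alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(raw_ptr, b"\0") + body


SAMPLE_PE = build_min_pe(
    [(".text", bytes([0x55, 0x8B, 0xEC, 0x90] * 512)),     # low entropy, plain code
     ("UPX1", _pseudo_random(4096))],                      # high entropy, looks packed
    entry_rva=0x2010,                                      # entry inside UPX1, not .text
    timestamp=1596249858,                                  # 2020-08-01 02:44:18 UTC (invented)
)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    for s in info["sections"]:
        print(f"{s['name']:8} va={s['va']:#07x} raw={s['raw_size']:#07x} entropy={s['entropy']}")
    print(info["compile_time"], info["entry_section"], packing_indicators(info))
```

The three heuristics together are the usual first hint that a sample is packed: a section with entropy near 8, a packer-style section name, and an entry point that does not sit in .text. Any one of them alone is weak (a .rsrc section full of compressed images also has high entropy), which is why the function reports all of them rather than a single verdict.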

Question 1: In the attached VM, there is a sample named 'redline' in the directory Desktop/Samples. What is the entropy of the .text section of this sample?

6.453919

Question 2: The sample named 'redline' has five sections. .text, .rdata, .data and .rsrc are four of them. What is the name of the fifth section?

.ndata

Question 3: From which dll file does the sample named 'redline' import the RegOpenKeyExW function?

ADVAPI32.dll

Question 4: Check out the GUI-based Petree tool and see what information it shows. You can use the following command for using the pe-tree tool to analyze the 'redline' malware. (The pe-tree tool might take some time to initiate.)

  • Note: Use pe-tree redline

No answer needed

Task | 6 | Basic Dynamic Analysis

To create an effective sandbox for malware analysis, consider the following elements:

  • Virtual Machine | Mimic the target environment where the malware will run.
  • Snapshotting and Reversion | Be able to take snapshots and revert to a clean state to easily reset the environment.
  • OS Monitoring Tools | Utilize software like Procmon or Regshot to monitor system activity.
  • Network Monitoring Tools | Employ tools like Wireshark or tcpdump to track network activity.
  • Controlled Network Access | Set up a dummy DNS server and web server so the sample's network behavior can be observed and logged without letting it reach the real internet
  • Secure Data Transfer | Implement a mechanism to transfer analysis logs and malware samples in and out of the Virtual Machine without compromising the host system.
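
An added example (not from the room) of the dummy DNS server in the checklist above: it answers every A query with the address of the analysis host, so the hostnames the sample resolves are logged and its HTTP traffic lands on a fake web server you control instead of the real C2. SINK_IP, the host layout and the query built for the demonstration are assumptions; a real deployment points the sandbox VM's DNS setting at the machine running this.

```python
import socket
import struct

SINK_IP = "10.0.0.2"   # assumption: the analysis host that also runs a dummy web server


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed client query (RD set), used here instead of a live resolver."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(query: bytes, sink_ip: str):
    """Answer any A query with sink_ip; other types get an empty NOERROR reply."""
    txid, flags, _qdcount = struct.unpack_from(">HHH", query, 0)
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack_from(">HH", query, off)
    question = query[12:off + 4]
    # QR=1, keep opcode and RD from the query, set AA and RA, RCODE 0
    rflags = 0x8000 | (flags & 0x7900) | 0x0400 | 0x0080
    answer, ancount = b"", 0
    if qtype == 1:   # A record: pointer to the question name, TTL 60, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    header = struct.pack(">HHHHHH", txid, rflags, 1, ancount, 0, 0)
    return name, qtype, header + question + answer


def parse_answer(resp: bytes):
    """Return (txid, flags, first A-record IP or None), i.e. what the client sees."""
    txid, flags, _qd, ancount = struct.unpack_from(">HHHH", resp, 0)
    _, off = decode_name(resp, 12)
    off += 4                      # skip QTYPE/QCLASS
    if ancount == 0:
        return txid, flags, None
    _, off = decode_name(resp, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
    off += 10
    return txid, flags, socket.inet_ntoa(resp[off:off + rdlen])


def serve(bind_ip: str = "0.0.0.0", port: int = 53, sink_ip: str = SINK_IP):
    """UDP loop: log every name the sample resolves and point it at the sink."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, qtype, resp = build_response(data, sink_ip)
        except (IndexError, struct.error):
            continue                 # malformed packet; ignore it
        print(f"{peer[0]} asked for {name} (qtype {qtype}) -> {sink_ip}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()   # binding port 53 needs root/CAP_NET_BIND_SERVICE
```

AAAA and other record types get an empty NOERROR reply on purpose: a client that receives NODATA for AAAA falls back to the A answer, so the sample's connection still ends up at the sink rather than failing.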

Open Source Sandboxes

Online Sandboxes

Question 1: Check the hash of the sample 'redline' on Hybrid Analysis and check out the Hybrid Analysis report. In the process tree, which is the first process launched when the sample is launched?

setup_installer.exe

Question 2: In the process tree, there are two Windows utilities utilized by the malware to perform its activities. What are the names of the two utilities? (Format: utility1.exe and utility2.exe)

cmd.exe and powershell.exe

Task | 7 | Anti-analysis techniques

Packing and Obfuscation

  • Malware authors frequently employ packing and obfuscation techniques to hinder analysis
  • Packer tools can encrypt, compress, or obscure malware contents, making static analysis challenging
  • This complexity prevents analysts from easily identifying key information through string searches on packed malware samples

Sandbox evasion techniques

  • Long Sleep Calls | Malware waits for an extended period before performing any activity, causing the sandbox to time out
  • User Activity Detection | Malware checks for user interaction (e.g., mouse movement or keyboard typing) before executing malicious actions
    • Advanced malware also detects patterns of automated activity in sandboxes
  • Footprinting User Activity | Malware examines user files or browsing history to determine if the system is a sandbox, and terminates if no significant activity is found
  • Detecting VMs | Malware identifies virtual machines (VMs) by detecting specific drivers or artifacts associated with VM software like VMware or Virtualbox
    • If a VM is detected, the malware may terminate.
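
An added example (not the room's code) of the VM-detection and user-footprinting checks described above, written from the analyst's side: feed it what your sandbox exposes and see whether a sample that performs these checks would run at all. The artifact lists are the common vendor MAC prefixes and guest-tools files and processes; the thresholds and the two host descriptions are constructed for the demonstration.

```python
# Vendor MAC prefixes (OUIs) and guest-tools artifacts commonly probed by malware.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
}
VM_DRIVERS = {
    "vmmouse.sys": "VMware", "vmhgfs.sys": "VMware", "vm3dmp.sys": "VMware",
    "vboxmouse.sys": "VirtualBox", "vboxguest.sys": "VirtualBox", "vboxsf.sys": "VirtualBox",
}
VM_PROCESSES = {"vmtoolsd.exe": "VMware", "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox"}


def vm_artifacts(macs, files, processes) -> list:
    """Return (kind, value, vendor) for every artifact a VM-detection check would find."""
    hits = []
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            hits.append(("mac", mac, VM_MAC_OUIS[oui]))
    for path in files:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in VM_DRIVERS:
            hits.append(("driver", path, VM_DRIVERS[base]))
    for proc in processes:
        if proc.lower() in VM_PROCESSES:
            hits.append(("process", proc, VM_PROCESSES[proc.lower()]))
    return hits


def user_footprint_ok(recent_docs, history_entries, uptime_seconds,
                      min_docs=10, min_history=50, min_uptime=3600) -> bool:
    """The 'footprinting user activity' check: a real workstation has documents, history and uptime.
    Thresholds are assumptions; real samples pick their own."""
    return (len(recent_docs) >= min_docs and history_entries >= min_history
            and uptime_seconds >= min_uptime)


def sandbox_verdict(host: dict) -> dict:
    """Run both checks against a host description and report what gives the sandbox away."""
    artifacts = vm_artifacts(host["macs"], host["files"], host["processes"])
    footprint_ok = user_footprint_ok(host["recent_docs"], host["history_entries"], host["uptime_seconds"])
    return {"vm_artifacts": artifacts, "user_footprint_ok": footprint_ok,
            "would_run": not artifacts and footprint_ok}


# Constructed host descriptions: what the checks would read from the OS.
DEFAULT_SANDBOX = {
    "macs": ["00:0C:29:4A:1B:2C"],
    "files": [r"C:\Windows\System32\drivers\vmhgfs.sys", r"C:\Windows\System32\drivers\vmmouse.sys"],
    "processes": ["explorer.exe", "vmtoolsd.exe"],
    "recent_docs": [], "history_entries": 0, "uptime_seconds": 120,
}
HARDENED_SANDBOX = {
    "macs": ["3C:5A:B4:10:22:F0"],                     # spoofed to a non-hypervisor prefix
    "files": [r"C:\Windows\System32\drivers\ntfs.sys"],  # guest tools removed
    "processes": ["explorer.exe", "chrome.exe"],
    "recent_docs": [f"report_{i}.docx" for i in range(25)],
    "history_entries": 400, "uptime_seconds": 86400 * 3,
}

if __name__ == "__main__":
    for label, host in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(label, sandbox_verdict(host))
```

The hardening that follows from this is the mirror image of each check: spoof the NIC's OUI, remove or rename guest-tools drivers and services, seed the VM with documents and browser history, and let it accumulate uptime before detonation. Long-sleep evasion is handled separately by the sandbox itself, typically by patching or accelerating sleep calls rather than by anything visible to the sample.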

Question 1: Which of the techniques discussed above is used to bypass static analysis?

packing

Question 2: Which technique discussed above is used to time out a sandbox?

long sleep calls

Task | 8 | Conclusion

Question 1: Head over to our social channels for further discussion

No answer needed