
0800 | Intro to Malware Analysis

Malware Analysis | Intro to Malware Analysis | Summary:

The aim of this room is to provide SOC analysts with steps to determine whether suspicious content (files or traffic) is malicious or not. It will cover the basics of malware, how to start analyzing it, and different analysis methods, as well as resources for further assistance.


Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Warning

When analyzing malware, take precautions so the sample cannot harm you or your organisation. Follow these guidelines:

  • Analyze malware only on isolated machines dedicated to that purpose
  • Store malware samples in password-protected archives when not in use, so they cannot run by accident and are not quarantined by AV
  • Extract and analyze samples only inside the isolated environment
  • Use a dedicated VM for malware analysis, with snapshots so it can be reverted to a clean state after each session
  • Disconnect the internet during analysis, or route it through a monitored and controlled link
  • Revert the VM to its clean snapshot after each session to avoid cross-contamination between samples

Learning Objectives

  • What is malware?
  • How to start analyzing a malware
  • Static and Dynamic malware analysis
  • Resources to help you analyze malware

1 | Introduction

Recommended OS for Malware Analysis

2 | Malware Analysis

  • Malware refers to any software written with malicious intent; it is usually categorized by its behavior
  • Here we focus on the steps to take when malware is suspected on a machine, rather than on detailed classifications
  • Malware analysis is an essential skill for various security teams
    • Security Operations | Writing detections for malicious activity
    • Incident Response | Determining damage and remediating it
    • Threat Hunt | Identifying IOCs to hunt for malware
    • Malware Researchers | Adding detections in security products
    • Threat Research | Discovering vulnerabilities and adding security features

3 | Techniques of malware analysis

  • Malware Analysis is like solving a puzzle by joining different pieces (tools and techniques) to get the complete picture of what the malware is trying to do.
  • Categories of techniques
    • Static Analysis | Analyzing malware without executing it
      • Checking strings in malware
      • Examining PE headers
      • Disassembling code
      • Techniques to avoid static analysis
        • Obfuscation
        • Packing
    • Dynamic Analysis | Running malware in a controlled environment to observe its behavior
      • Running malware in a VM
      • Using sandboxes for automatic analysis
      • Techniques to avoid dynamic analysis
        • Detecting the environment in which it is being run
  • Malware often uses techniques to avoid static and dynamic analysis, but these methods can be overcome using advanced analysis techniques
    • Advanced Analysis techniques
      • Disassemblers | Converting binary code to assembly for static analysis
      • Debuggers | Attaching to programs to monitor instructions while running

4 | Basic Static Analysis

  • When analyzing new malware, the first step is usually performing basic static analysis
  • This "sizing up" process provides an overview of the malware and its properties
  • Basic static analysis can reveal important information
    • API functions the malware imports, which hint at its capabilities
    • Packing status (whether it's packed or not)
    • Effort required to analyze the malware
  • Basic static analysis is a crucial first step in understanding what you're dealing with, even when it does not reveal everything about the sample

Basic Techniques

  • Examining the file type | file <filename>
  • Examining Strings | strings <filename> (add -el to also pull UTF-16LE "wide" strings, which Windows binaries use heavily)
  • Calculating Hashes | md5sum <filename> | sha1sum <filename> | sha256sum <filename>
  • AV scans and VirusTotal | search VirusTotal for the hash first; only upload the sample itself if the hash is unknown and sharing the file is acceptable, since uploads are visible to other users (potentially including the attacker)
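The four basic techniques above, applied in one script. This is an added example for this write-up, not code from the room: it runs on a constructed byte string (SAMPLE) rather than a real sample, and the URL, IP address and registry path inside it are made up. It goes slightly beyond the commands listed by also extracting UTF-16LE "wide" strings and tagging strings that look like network indicators, persistence locations or interesting Win32 API names.

```python
"""Basic static triage of a suspicious file without executing it: file type from
magic bytes, MD5/SHA-1/SHA-256 hashes, and printable-string extraction.

Added example for this write-up (not the room's own code). It runs on a
constructed in-memory byte string so it works offline; inside the analysis VM
call triage_file(path) on the real sample instead.
"""
import hashlib
import re

# Signatures for the file types a SOC analyst meets most often (`file` knows far more).
MAGIC = [
    (b"MZ", "PE executable (DOS/MZ header)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar/apk)"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0", "OLE2 compound file (legacy Office)"),
]

# Patterns worth pulling out of the string dump: network indicators, persistence
# locations and API names that hint at downloader/injector behaviour.
INTERESTING = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_\w+|Software)\\(?:[\w .]+\\)*[\w .]+"),
    "api": re.compile(r"\b(?:InternetOpen|URLDownloadToFile|CreateRemoteThread|"
                      r"VirtualAlloc|WriteProcessMemory|IsDebuggerPresent|WinExec|ShellExecute)\w*"),
}


def file_type(data: bytes) -> str:
    """Equivalent of `file <filename>` for the signatures in MAGIC."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "data"


def hashes(data: bytes) -> dict:
    """md5sum / sha1sum / sha256sum; the SHA-256 is what you search for on VirusTotal."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 6) -> dict:
    """Like `strings`, plus UTF-16LE ("wide") strings, which plain `strings`
    misses unless run with -el; Windows malware keeps many URLs, paths and
    registry keys in wide form."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "wide": [m.group().decode("utf-16-le") for m in wide_re.finditer(data)],
    }


def flag_strings(strings: list) -> dict:
    """Bucket strings by the INTERESTING pattern(s) they match."""
    hits = {}
    for s in strings:
        for tag, rx in INTERESTING.items():
            if rx.search(s):
                hits.setdefault(tag, []).append(s)
    return hits


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "type": file_type(data),
        "hashes": hashes(data),
        "strings": strings,
        "flags": flag_strings(strings["ascii"] + strings["wide"]),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample (not real malware): an MZ stub, an ASCII C2-style URL, a
# wide-string Run key and a few Win32 API names, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://198.51.100.23/gate.php\x00\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"InternetOpenA\x00CreateRemoteThread\x00VirtualAlloc\x00"
    + b"ab\x00"  # too short to be reported as a string
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["type"], report["hashes"]["sha256"])
    for tag, hits in report["flags"].items():
        print(f"[{tag}] " + ", ".join(hits))
```

Run it as-is to see the constructed sample triaged; on a real case, run `triage_file()` on the sample inside the analysis VM and search VirusTotal for the reported SHA-256 before considering an upload. Note that the registry path only shows up because wide strings are extracted; a plain `strings` run would have missed it.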

5 | The PE file Header

  • The PE File Header contains metadata about Portable Executable files, providing valuable information for analysis.

  • key aspects of the PE header

    • Imports/Exports | reveal functions reused by the file from outside (imports) or exposed to other binaries (exports)
      • Imports can indicate malware functionality, such as communicating with the internet
    • Sections | A PE file is divided into sections, each serving a specific purpose
      • .text | Contains CPU instructions executed when the file runs
      • .data | Holds global variables and data used by the file
      • .rsrc | Stores resources like images, icons, etc
  • Check the PE header | pecheck <malwarename>

  • Check the PE header (GUI-based) | pe-tree <malwarename>
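What pecheck and pe-tree show for the section table, done by hand so the layout is visible. This is an added example for this write-up, not the room's code or a replacement for those tools: it walks DOS header, PE signature, COFF file header and section headers with the standard library, then scores each section for the packing indicators a triage analyst looks for (high entropy, packer-style section names, writable and executable memory). Imports and exports are not parsed. Because no real binary ships with this page, build_fixture() constructs a minimal two-section PE32 in memory; the UPX1 section name and its pseudo-random contents are a stand-in for a packed payload, not real data.

```python
"""Parse the PE header of a Windows executable with only the standard library:
DOS header -> PE signature -> COFF file header -> section table, then score each
section for packing indicators.

Added example for this write-up; not the room's code, and imports/exports are
not parsed. build_fixture() creates a constructed PE32 image so it runs offline;
inside the analysis VM pass the real sample's bytes to parse_pe() instead.
"""
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".rsrc", ".reloc",
                     ".idata", ".edata", ".pdata", ".tls"}
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for padding, near 8 for
    compressed or encrypted data, typically 5 to 6.5 for ordinary x86 code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(section: dict) -> list:
    """Heuristics that, in combination, suggest a packed or protected sample."""
    flags = []
    if section["entropy"] > 7.0:
        flags.append("high entropy (compressed/encrypted data)")
    if section["name"] in PACKER_SECTIONS:
        flags.append("known packer section name")
    elif section["name"] not in STANDARD_SECTIONS:
        flags.append("non-standard section name")
    chars = section["characteristics"]
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        flags.append("writable and executable")
    if section["raw_size"] == 0 and section["virtual_size"] > 0:
        flags.append("no raw data but non-zero virtual size (unpacking target)")
    return flags


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                                         # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt_magic = struct.unpack_from("<H", data, coff + 20)[0]    # 0x10B = PE32, 0x20B = PE32+
    sections, off = [], coff + 20 + opt_size                    # section table follows the optional header
    for _ in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sec = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": vaddr,
               "virtual_size": vsize, "raw_size": raw_size, "characteristics": chars,
               "entropy": round(entropy(raw), 2)}
        sec["indicators"] = packing_indicators(sec)
        sections.append(sec)
        off += 40                                               # IMAGE_SECTION_HEADER size
    return {"machine": machine, "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, "unknown"),
            "num_sections": nsections, "sections": sections,
            "likely_packed": any(len(s["indicators"]) >= 2 for s in sections)}


def build_fixture() -> bytes:
    """Constructed PE32 image (not a real binary): a benign-looking .text and a
    UPX1 section of deterministic pseudo-random bytes standing in for packed code."""
    opt_size, text_ptr = 224, 0x200                             # PE32 optional header size; first raw offset
    text_raw = (b"\x55\x8b\xec\x90\xc3" * 100).ljust(512, b"\x00")
    packed, blk = b"", b"seed"
    while len(packed) < 4096:                                   # SHA-256 chain: high entropy, reproducible
        blk = hashlib.sha256(blk).digest()
        packed += blk
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")
    fmt = "<8sIIIIIIHHI"
    text_hdr = struct.pack(fmt, b".text", 0x1000, 0x1000, len(text_raw), text_ptr, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    upx_hdr = struct.pack(fmt, b"UPX1", 0x3000, 0x2000, len(packed), text_ptr + len(text_raw), 0, 0, 0, 0,
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = dos + b"PE\0\0" + coff + optional + text_hdr + upx_hdr
    return headers.ljust(text_ptr, b"\x00") + text_raw + packed


if __name__ == "__main__":
    report = parse_pe(build_fixture())
    print(report["pe_format"], "sections:", report["num_sections"], "likely packed:", report["likely_packed"])
    for s in report["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} {'; '.join(s['indicators']) or '-'}")
```

The entropy check is the part worth remembering: a packed sample's code section reads as near-random (above 7 bits per byte) while normal compiled code sits well below that, which is why a packed file yields so few useful strings during basic static analysis. Treat the indicators as hints to combine, not proof on their own; .rsrc sections legitimately carry compressed images, and some compilers emit non-standard section names.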

6 | Basic Dynamic Analysis

To create an effective sandbox for malware analysis, consider the following elements:

  • Virtual Machine | Mimic the target environment where the malware will run.
  • Snapshotting and Reversion | Be able to take snapshots and revert to a clean state to easily reset the environment.
  • OS Monitoring Tools | Utilize software like Procmon or Regshot to monitor system activity.
  • Network Monitoring Tools | Employ tools like Wireshark or tcpdump to track network activity.
  • Controlled Network Access | Provide fake DNS and web servers so the sample receives the responses it expects (and reveals its C2 domains and URLs) while no traffic leaves the lab.
  • Secure Data Transfer | Implement a mechanism to transfer analysis logs and malware samples in and out of the Virtual Machine without compromising the host system.

Open Source Sandboxes

Online Sandboxes

7 | Anti-analysis techniques

Packing and Obfuscation

  • Malware authors frequently employ packing and obfuscation to hinder analysis
  • Packers compress or encrypt the original code and wrap it in a small stub that unpacks it in memory at run time, so the bytes on disk look nothing like the code that actually executes
  • As a result, string searches and import lists on a packed sample reveal little; telltale signs are a small import table, few readable strings, high-entropy sections and unusual section names

Sandbox evasion techniques

  • Long Sleep Calls | Malware waits for an extended period before performing any activity, causing the sandbox to time out
  • User Activity Detection | Malware checks for user interaction (e.g., mouse movement or keyboard typing) before executing malicious actions
    • Advanced malware also detects patterns of automated activity in sandboxes
  • Footprinting User Activity | Malware examines user files or browsing history to determine if the system is a sandbox, and terminates if no significant activity is found
  • Detecting VMs | Malware identifies virtual machines (VMs) by detecting specific drivers or artifacts associated with VM software like VMware or Virtualbox
    • If a VM is detected, the malware may terminate.