Malware Analysis 101
What is Malware Analysis?
Malware analysis is the study of the unique features, objectives, sources, and potential effects of harmful software and code such as spyware, viruses, malvertising, and ransomware. It examines the malware's code to understand how it differs from other kinds of software.
This post only covers headlines and a selection of malware analysis techniques; it does not go into the reverse engineering part.
Main PE Sections
```text
------- Sections of PE header -------
.text   Executable code
.data   Global data accessed throughout the program
.rdata  Read-only data that is globally accessible
.rsrc   Resources such as icons, menus, dialogs, version information, and font information -> view with Resource Hacker (APT malware can hide data here)
```
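As an added example (not code from the original post), a small Python parser that walks the DOS header, COFF header and section table of a PE file, computes each section's entropy and flags writable+executable sections or packed-looking data, which is how a payload hidden in `.rsrc` stands out. The minimal PE image is constructed inline for the demo and is not a real binary; the 7.0 entropy threshold is an assumed heuristic.

```python
import math
import struct
from collections import Counter
# Section characteristic flags and the 40-byte IMAGE_SECTION_HEADER layout (PE/COFF spec)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means packed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections is at +6 and SizeOfOptionalHeader at +20 of the COFF header
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": round(entropy(raw), 2),
                         "wx": bool(flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE)})
    return sections

def suspicious(sections: list) -> list:
    """Names of writable+executable sections or sections holding packed-looking data."""
    return [s["name"] for s in sections if s["wx"] or s["entropy"] > 7.0]

def build_sample() -> bytes:
    """Constructed minimal PE image for the demo (not a real binary; no optional header)."""
    defs = [(b".text", 0x60000020, b"\x55\x8b\xec\x90" * 64),  # code, R+X, low entropy
            (b".data", 0xC0000040, b"\0" * 256),               # R+W, zero-filled
            (b".rsrc", 0x40000040, bytes(range(256)) * 4)]     # R, entropy 8.0: hidden payload
    e_lfanew, ptr = 0x40, 0x40 + 24 + 40 * len(defs)  # raw data follows the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, len(defs), 0, 0x102)
    table, body = b"", b""
    for name, flags, data in defs:
        table += struct.pack(SECTION_HDR, name, len(data), ptr, len(data), ptr, 0, 0, 0, 0, flags)
        body += data
        ptr += len(data)
    return dos + coff + table + body
```

Running `suspicious(parse_sections(build_sample()))` returns `['.rsrc']`: the resource section is the only one whose bytes look packed, which is the cue to open it in Resource Hacker.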
Static Analysis
- Check strings in the file (exe/bin)
  - strings
  - FLOSS (encoded/UTF-16 strings)
  - PeStudio
  - IDA
- Check for malicious OS API calls
  - PeStudio (import/export tables)
  - IDA
  - Speakeasy
  - Capa
Dynamic Analysis
- Regshot
- Wireshark & protocol analysis
- fakenet-ng (better than fakenet)
- INetSim / FakeDNS
- x64dbg / IDA Pro debugger
Note: in case the malware uses a hard-coded IP address (so DNS spoofing does not help), change the iptables rules to forward the traffic to the gateway/fakenet machine:
```shell
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.233.131
```
Sandbox Analysis & report
- Online sandboxes:
  - VirusTotal sandboxes
  - any.run
  - Hybrid Analysis
  - Joe Sandbox
- Offline sandboxes:
  - Cuckoo Sandbox
  - CAPE Sandbox v2
  - Sandboxie
  - Buster Sandbox Analyzer
Reverse Engineering for Malware Capabilities
- Code review
  - Function prologue and epilogue
  - Windows API calls
  - Malicious API calls made by the malware
High-level languages
- .NET
- Jar
  - Decompiler: JD-GUI / Recaf
  - Deobfuscation: Java Deobfuscator
- AutoIt
  - Exe2Aut / myAut2Exe, then use the AutoIt debugger
- Python
- Android
  - Android can run in two modes (AVD Manager):
    - VM: Android x86
    - Emulator: QEMU
Malicious document analysis
- PDF
  - oletools: `pip install --upgrade pip oletools`
  - pdfid
  - pdf-parser.py
  - Didier Stevens suite
  - scdbg
  - CMDwatcher
  - peepdf (Python 2): `py -2 -m pip install --upgrade pip peepdf`
- oletools
  - Office and VBA (OLE / Zip (OOXML (OLE)))
  - VBA dump
  - OLE dump
  - JS analysis
Note: VBS can be debugged with the Word macro debugger, and JS can be debugged with Visual Studio.
IDA add-ons/plugins & scripts
- findCrypt
- "highlight all calls.py" plugin
- mkyara
- idapython_color_all_CALL_instr.py
- idapython_detect_antiVM_instr.py
- idapython_NOP_bytes.py
- "Snowman decompiler" IDA plugin
- "GhIDA" IDA plugin
This post is licensed under CC BY 4.0 by the author.