Malware Analysis 101

What is Malware Analysis?

Malware analysis is the study of the unique features, objectives, sources, and potential effects of harmful software and code, such as spyware, viruses, malvertising, and ransomware. It analyzes malware code to understand how it varies from other kinds.

In this post, we will only have headlines and some of malware techniques which will not go further for Reverse Engineering part.

Main PE Sections

------- Sections of PE header -------
    .text `Executable Code`
    .data  `Global data access throught the program` 
    .rdata `read-only data that is globally accessible` 
    .rsrc  `resourcs such as icons,menus, dialogs, version information, and font information` -> resources hacker  (APT can hide data here)

Static Analysis

• Check Strings in file (exe/bin)
  • Strings
  • FLOSS (encoded/UTF-XX strings)
  • PeStudio
  • ida
• Check OS Malicious Calls
  • PeStudio (import/export) tables
  • ida
  • Speakeasy
  • Capa

Dynamic Analysis

• Regshot
• Wireshark & Protocol Analysis
• fakenet-ng (better than fakenet)
• INetsim/FakeDns
• X64 Debug / IDA Pro Debugger

Note: in case malware use IP address, you need to change IPtables to forward the traffic to gateway/fakenet machine

sudo sysctl -w net.ipv4.ip_forward=1 
sudo iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.233.131

Sandbox Analysis & report

• Online sandboxes:
  • VirusTotal sandboxes
  • any.run
  • Hybrid Analysis
  • Joe sandbox
• Offline sandboxes:
  • Cuckoo sandbox
  • CAPE sandbox v2
  • Sandboxie
  • Buster Sandbox Analyzer

Reverse Engineering for Malware Capabilities

• Code review
• prologue and epilogue
• Windows Api Calls
• Malicious malware calls

High level lang

• .Net
  • Decomiler: dnSpy
  • Deobfuscation: de4dot
• Jar
  • Decompilter: JD-GUI / Recaf
  • Deobfuscation:Java Deobfuscator
• AudoIT
  • myExe2Au/myAut2Exe then use Autoit Debugger
• Python
  • pyinstxtractor/deompyle3/uncompyle6
• Android
  • Decode mainfiest: axmldec
  • smali code disassmbler: apktool
  • Andriod Java Disassembler:
    • dex2jar then run jar with javaGUi/Recaf
    • jadx-gui

Andrriod can run in two modes (AVD Manager)

• VM: Andriod X86
• Emulator :QEMU

Malicious document analysis

• PDF
  • oletools pip install --upgrade pip oletools
  • pdfid
  • pdf-parser.py
  • Didier stevens suite
  • scdbg
  • CMDwatcher
  • peepdf
    • py -2 -m pip install --upgrade pip peepdf
    • py -2 -m pip install --upgrade pip peepdf
• Office and VBA (OLE/Zip(OOXML(OLE)))
  • VBA dump
  • OLE dump
• JS Analysis

Note: VBS can be dubbged by word macro devugger and JS can be debugged with Visual studio

Ida Addons/Plugins & Scripts

• findCrypt
• “highlight all calls.py” plugin
• mkyara
• idapython_color_all_CALL_instr.py
• idapython_detect_antiVM_instr.py
• idapython_NOP_bytes.py
• “Snowman decompiler” IDA plugin
• “Ghida” IDA plugin