WDavid404 / THM_CyberDefense


Malware Analysis #9

Open WDavid404 opened 1 year ago

WDavid404 commented 1 year ago

history of malware

skip

WDavid404 commented 1 year ago

MAL: Malware Introductory

malware analysis

When analysing malware, it is important to consider the following:

Malware Campaigns

Two types: Targeted and Mass Campaigns

Targeted

Malware attacks that occur this way are created for a specific purpose against a specific target. Example: DarkHotel is designed to steal information such as authentication details from government officials.

Mass Campaign

Companies such as Kaspersky, to name one, track these campaigns (known as Advanced Persistent Threats (APTs)) and often report on their infection rate and indicators.

Identifying if a Malware Attack has Happened

The ultimate process of a malware attack can be broken down into a few broad steps:

Two categories of fingerprints:

Static vs. Dynamic Analysis

MD5 Checksums of Provided Files

MD5 sum checked against websites such as VirusTotal

Identifying if the Executables are obfuscated / packed

PEiD (https://github.com/wolfram77web/app-peid): PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

IDA Freeware IDA Freeware is a disassembler and debugger software for Windows, Linux, and macOS that allows you to analyze binary files, executable files, and firmware. It is often used by reverse engineers, malware analysts, and security researchers.

Click the Imports tab (second-last tab).

Strings

Microsoft's Sysinternals "Strings" program outputs the retained strings within the specified file, e.g. strings "C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01". The Strings tool only has a command-line (CUI) interface; the "PE Explorer" tool is more convenient! After loading the target program, navigate to "View -> Imports".

Why are "strings" important?

Illustrated below is an example of an Android application containing sensitive credentials within its strings.

Other tools

Ghidra : https://ghidra-sre.org/

A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.
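Added example, not part of the original notes or of the TryHackMe room: a small pure-Python triage script that does the three static checks listed in this comment offline. It hashes the sample (MD5 for a VirusTotal lookup, plus SHA-256), pulls ASCII and UTF-16LE strings the way Sysinternals strings does, and walks the PE section table to flag section names that well-known packers leave behind. The section-name table is an assumed, hand-picked list and is a much weaker check than PEiD's entry-point byte signatures; the MZ/PE bytes are constructed in build_sample_pe() and are not a real executable.

```python
import hashlib
import re
import struct

# Section names that common packers leave in the PE section table.
# Assumed, hand-picked table for this example; PEiD matches byte signatures
# at the entry point, which is far more reliable than section names alone.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack",
}


def file_hashes(data: bytes) -> dict:
    """MD5 (what the notes submit to VirusTotal) plus SHA-256, which is collision-resistant."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE runs of at least min_len characters,
    the same two kinds Sysinternals strings reports (-a / -u)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, raw_offset, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_off, raw_size))
    return sections


def packer_hints(sections: list) -> set:
    """Packer names suggested by the section names (empty set = nothing recognised)."""
    return {PACKER_SECTION_NAMES[name] for name, _, _ in sections
            if name in PACKER_SECTION_NAMES}


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image with UPX-style sections and a few
    strings of the kind an analyst looks for. Test data only, not real malware."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 2 sections, no optional header (enough for the parser above)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    payload = (b"\0" * 8 + b"http://example.invalid/gate.php\0\0"
               + "cmd.exe".encode("utf-16le") + b"\0\0")
    raw_off = e_lfanew + 4 + len(coff) + 40 * 2
    # UPX0: empty on disk (unpack destination); UPX1: the packed blob
    upx0 = b"UPX0".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0, 0) + b"\0" * 16
    upx1 = (b"UPX1".ljust(8, b"\0")
            + struct.pack("<IIII", len(payload), 0x2000, len(payload), raw_off) + b"\0" * 16)
    return bytes(dos) + b"PE\0\0" + coff + upx0 + upx1 + payload


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    for name, off, size in pe_sections(sample):
        print(f"{name:8s} raw_off=0x{off:x} raw_size={size}")
    print("packer:", packer_hints(pe_sections(sample)) or "none")
    for s in extract_strings(sample):
        print("string:", s)
```

Point extract_strings() and pe_sections() at the bytes of a real sample (open(path, "rb").read()) to get the same output the notes show from Strings and PE Explorer; the UTF-16LE pass matters because Windows malware keeps many of its interesting strings as wide strings, which an ASCII-only scan misses.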

WDavid404 commented 1 year ago

REMnux

https://remnux.org/ A Linux Toolkit for Malware Analysis. REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.

Analysing Malicious PDFs

peepdf (https://github.com/jesparza/peepdf): peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not.

Analysing Malicious Microsoft Office Macros

vmonkey

Use REMnux's vmonkey, which is a parser engine capable of analysing Visual Basic macros without executing them (i.e. without opening the document). e.g. vmonkey DefinitelyALegitInvoice.doc

File entropy

File entropy is a rating that scores how random the data within a PE file is, on a scale of 0 to 8: 0 means the least "randomness" in the file's data, while a score towards 8 indicates the data is more "random".

For example, files that are encrypted will have a very high entropy score, whereas files that have large chunks of the same data, such as runs of "1"s, will have a low entropy score.

Malware authors use techniques such as encryption or packing (we'll come onto this next) to obfuscate their code and to attempt to bypass anti-virus. Because of this, these files will have high entropy. If an analyst had 1,000 files, they could rank the files by their entropy scoring; of course, the files with higher entropy should be analysed first.

Because each character in a data unit consists of one byte, the entropy value indicates the variation and compressibility of the characters in that data unit. Variation in entropy values within a file can indicate that suspicious content is hidden in the file. For example, a high entropy value can indicate that data is stored encrypted and compressed; a low entropy value can indicate that the payload is decrypted at run time and stored in a different section.

Entropy values can be used as an indicator of whether a file may contain malicious content. For example, ASCII text files are generally highly compressible and have low entropy values. Encrypted data is generally not compressible and usually has a high entropy value. Malware is often compressed and hidden inside both files and images.

Analysing the memory dump

Tool: Volatility (Volatility is a very powerful memory forensics tool, developed collaboratively by hundreds of well-known security experts from around the world; it can be used for memory forensics on Windows, Linux, macOS, Android and other systems)

Usage:

  1. volatility -f Win7-Jigsaw.raw imageinfo (this takes a fairly long time). Profile Win7SP1x64 is the first suggested and just happens to be the correct OS version.

  2. List the processes that were running via pslist: volatility -f Win7-Jigsaw.raw --profile=Win7SP1x64 pslist. We think that the process "drpbx.exe" with a PID of 3704 is suspicious.

  3. List the DLLs that "drpbx.exe" references with dlllist: we found "CRYPTBASE.dll".
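Added example, not part of the original notes or of the TryHackMe room: a pure-Python version of the entropy scoring described in the file entropy section of this comment. It computes the 0-to-8 Shannon entropy of a whole file, ranks a batch of files highest-entropy-first (the triage order the notes suggest), and also scores fixed-size windows so that an encrypted or packed blob embedded in an otherwise plain file shows up as a high-entropy region, which the whole-file score alone averages away. The sample files are constructed in build_samples() (a seeded PRNG stands in for encrypted data), and the 512-byte window and 7.0 threshold are assumed choices for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 when every byte is identical,
    8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 512) -> list:
    """(offset, entropy) for consecutive non-overlapping windows, so a spike
    inside an otherwise low-entropy file shows where a packed or encrypted
    blob sits (the in-file variation the notes above describe)."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, threshold: float = 7.0, window: int = 512) -> list:
    """Merge adjacent windows scoring at or above threshold into (start, end) byte ranges."""
    regions = []
    for off, h in windowed_entropy(data, window):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend the current region
        else:
            regions.append((off, end))
    return regions


def rank_by_entropy(samples: dict) -> list:
    """File names sorted highest entropy first: look at the top of this list first."""
    return sorted(samples, key=lambda name: shannon_entropy(samples[name]), reverse=True)


def build_samples() -> dict:
    """Constructed test data (not real files): plain text, a zero-filled file,
    pseudo-random bytes standing in for an encrypted payload, and a 'dropper'
    that wraps that payload in plain text."""
    rng = random.Random(2024)                         # fixed seed: reproducible
    text = b"This is an ordinary text file!!\n" * 64  # 32 bytes x 64 = 2048 bytes
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return {
        "readme.txt": text,
        "zeros.bin": b"\0" * 2048,
        "payload.bin": blob,
        "dropper.bin": text + blob + text,            # blob sits at offsets 2048..4096
    }


if __name__ == "__main__":
    samples = build_samples()
    for name in rank_by_entropy(samples):
        print(f"{name:12s} entropy={shannon_entropy(samples[name]):.2f}")
    print("high-entropy regions in dropper.bin:",
          high_entropy_regions(samples["dropper.bin"]))
```

Note that the whole-file score of dropper.bin lands in the middle of the scale even though a third of it is effectively encrypted; the windowed scan is what pins the blob to offsets 2048..4096, which is the kind of in-file variation the notes say to look for, and is also where to point a PE section-table lookup next.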