Hello Friend 🙂
In this part, we will learn the basics of how malware is investigated and the tools/techniques used during an investigation.
Prerequisite: Basic knowledge of computers, networks, operating systems & coding is required.
So, let's begin with some common terms you will hear as a malware analyst.
Malware - A general term used to describe any software that is designed to harm, steal or disrupt computer systems.
Virus - A type of malware that can replicate by infecting other files and spreading across computers through networks and email.
Trojan - A type of malware that is disguised as a legitimate program but can perform malicious actions such as stealing data, deleting files, or allowing unauthorized access.
Worm - A self-replicating malware that can spread quickly through networks and cause significant damage to computer systems.
Ransomware - A type of malware that encrypts the victim’s files and demands payment in exchange for a decryption key.
Rootkit - A type of malware that is designed to hide its presence on a computer system by manipulating system components such as drivers, APIs, and processes.
Payload - The malicious code or action that is executed by malware after it infects a computer system.
Backdoor - A hidden method of bypassing routine authentication procedures and gaining unauthorized access to a computer system.
But no matter which malware you face in your investigation, remember that all malware goes through a common set of phases, which can be broken down into steps:
Phases of Malware:
- Delivery (via USB, exploiting a vulnerability, phishing)
- Execution (the malware code runs; it can be ransomware, spyware, or a keylogger)
- Maintaining persistence (not always the case!) (backdoors)
- Propagation (not always!) (finding new hosts to spread the attack to)
These steps generate lots of data: network traffic such as communication with other hosts, and file system interaction such as reads, writes and modifications. That is good for us as analysts.
And yes, if malware families share common phases, it means they usually share similar behaviors too.
Key Malware Behaviours
- Network connections - Malware tends to establish either external network connections or internal connections.
- Registry key modifications - Malware typically uses registry keys to establish persistence.
- File manipulations - Malware also tends to download (one of the common reasons to establish network connections) or create new files needed for its successful execution.
Note: The fingerprints/traces malware leaves behind can be host-based or network-based signatures.
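To make these three behaviours concrete, here is an added example (not code from the original post) that triages sandbox-style process events and flags each process that shows network activity, registry persistence or dropped files. The event format `pid|event_type|detail`, the sample lines, the process names and the endpoints are all constructed for the demo; "internal" means an RFC 1918 address, everything else counts as external.

```python
"""Triage constructed sandbox events against the three key malware behaviours."""
import ipaddress
from collections import defaultdict

# Constructed sample events (hypothetical; format: pid|event_type|detail).
SAMPLE_EVENTS = """\
4120|process_start|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe
4120|file_write|C:\\Users\\alice\\AppData\\Roaming\\svchost.exe
4120|registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
4120|net_connect|203.0.113.45:443
4120|net_connect|192.168.1.20:445
5012|process_start|C:\\Windows\\System32\\notepad.exe
5012|file_write|C:\\Users\\alice\\Documents\\notes.txt
"""

# Registry locations commonly used for persistence (matched case-insensitively).
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
# User-writable locations where malware typically drops its payload.
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
DROP_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".bat")
# "internal" here means RFC 1918 space; everything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_connection(endpoint):
    """'host:port' -> 'internal' or 'external'. Hostnames are treated as external."""
    host = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def triage(events_text):
    """Group events per pid and tag the behaviours seen for each process."""
    findings = defaultdict(lambda: {"image": None, "tags": set(), "evidence": []})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        pid, etype, detail = line.split("|", 2)
        rec = findings[pid]
        low = detail.lower()
        if etype == "process_start":
            rec["image"] = detail
        elif etype == "net_connect":
            rec["tags"].add("net_" + classify_connection(detail))
            rec["evidence"].append(line)
        elif etype == "registry_set" and any(k in low for k in PERSISTENCE_KEYS):
            rec["tags"].add("registry_persistence")
            rec["evidence"].append(line)
        elif etype == "file_write" and low.endswith(DROP_EXTS) and any(d in low for d in DROP_DIRS):
            rec["tags"].add("file_drop")
            rec["evidence"].append(line)
    return dict(findings)


def suspicious_pids(findings, min_behaviours=2):
    """Processes showing at least min_behaviours of the three families (net/registry/file)."""
    return sorted(pid for pid, rec in findings.items()
                  if len({t.split("_")[0] for t in rec["tags"]}) >= min_behaviours)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid in suspicious_pids(result):
        print(pid, result[pid]["image"], sorted(result[pid]["tags"]))
        for ev in result[pid]["evidence"]:
            print("   ", ev)
```

Run on the constructed events, only pid 4120 is reported: it connects to both an external host and an internal SMB port, writes a Run key and drops an executable under AppData, while notepad's text file write under Documents trips nothing. The thresholds and path lists are deliberately simple; a real triage rule set would carry many more persistence locations.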
Now that we have established a good understanding of malware, its phases and its behavior, the question is: what approaches, tools and techniques does a malware analyst use during an investigation? Let's jump into that.
There are commonly three types of analysis/approaches that malware analysts apply iteratively to investigate malware samples.
But before that, always remember the important precautions to take before an investigation.
Precautions during Analysing Malware Samples
WARNING: Handling a malware sample is dangerous. Always consider precautions while analyzing it.
- Only run the malware sample in a controlled environment such as a VM or Sandboxes that prevents potential compromise.
- Ensure that all internet connections are closed or at least monitored.
- Always keep samples in password-protected zip/rar or other archives so that accidental detonation is avoided.
- A controlled environment must be isolated, as even a shared clipboard, a network interface or any other link to our main infrastructure can be dangerous.
Hope all precautions are taken care of 🙂
Approaches of Malware Analyst during an Investigation of Malware Sample
1. Static Analysis
A way of analyzing a malware sample without executing the code. This method mainly focuses on profiling the binary using its readable information, such as its properties, program flow, headers, metadata, API/system calls, strings, and whether it is packed.
Note: Malware often uses techniques to avoid static analysis, such as obfuscation, packing, compression, encryption, or other means of hiding its properties.
Tools & Techniques
1- PEiD: Reads the magic number of a file and reports the file type based on it, regardless of the file extension, since malware can spoof extensions. It can also detect whether the file is packed and with which packer.
2- strings: Gives clues about the behavior of the malware, as some strings hint at commands/code, function names and comments.
3- md5sum | sha1sum | sha256sum: A file hash is a unique identifier for a file, so it can identify a specific malware sample. The hash can be searched in malware databases (VirusTotal, InQuest, MalwareBazaar), which return the information they hold on that sample.
4- diec: Provides information about the file, such as its architecture, significant headers, the packer used (to pack the malware) and strings.
5- capa: Detects capabilities in executable files. You run it against a PE, ELF, .NET module or shellcode file and it tells you what it thinks the program can do, for example installing a service, opening network connections or modifying the registry.
6- pecheck: Lists the PE headers (data structures) of .exe, .dll and other PE files. These headers contain metadata such as the Windows libraries (.dll) the malware imports (PE file imports) and the section information.
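The tools above do a handful of things a practitioner can reproduce in a few dozen lines: hash the file, type it by its magic number rather than its extension, pull printable strings, and walk the PE headers for imports/sections and packer hints. The following is an added example written for this post, not code from PEiD, diec, capa or pecheck; it uses only the Python standard library. The sample blob is constructed inline and is not a real executable; the URL in it is a placeholder and the API names are genuine Windows API names used here as a watchlist.

```python
"""Static triage: hashes, magic-number typing, strings and a minimal PE header walk."""
import hashlib
import re
import struct

# File signatures checked regardless of the file extension.
MAGIC = [
    (b"MZ", "PE executable (Windows)"),
    (b"\x7fELF", "ELF executable (Linux)"),
    (b"PK\x03\x04", "ZIP archive (also docx/jar/apk)"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0", "OLE compound file (legacy Office)"),
]
# APIs whose presence in a string dump commonly prompts a closer look (injection/download/exec).
SUSPECT_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory", "WinExec", "URLDownloadToFileA"}


def file_type(data):
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def hashes(data):
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def strings(data, min_len=4):
    # Runs of printable ASCII of at least min_len bytes, like the strings(1) default.
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def interesting_strings(strs):
    return [s for s in strs if re.match(r"https?://", s) or s in SUSPECT_APIS]


def pe_header(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if not data.startswith(b"MZ"):
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):  # each section header is 40 bytes; we read the first 24
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"machine": hex(machine), "characteristics": hex(chars), "sections": sections}


def packer_hints(pe):
    """PEiD-style heuristics: packer section names and sections that are empty on disk."""
    hints = []
    for s in pe["sections"]:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"{s['name']}: UPX-style section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no data on disk, {s['virtual_size']:#x} bytes reserved (filled at unpack time)")
    return hints


def build_sample():
    """Constructed PE-shaped blob for the demo: two UPX-named sections, no real code.
    SizeOfOptionalHeader is 0 to keep it short; a real PE carries an optional header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections
    sect = struct.pack("<8sIIII", b"UPX0", 0x10000, 0x1000, 0, 0) + b"\0" * 16
    sect += struct.pack("<8sIIII", b"UPX1", 0x2000, 0x11000, 0x200, 0x400) + b"\0" * 16
    body = b"\0" * 8 + b"http://update.example.com/stage2.bin\0CreateRemoteThread\0\x01\x02"
    return dos + b"PE\0\0" + coff + sect + body


def profile(data):
    report = {"type": file_type(data), "hashes": hashes(data),
              "interesting_strings": interesting_strings(strings(data))}
    if report["type"].startswith("PE"):
        pe = pe_header(data)
        report["machine"] = pe["machine"]
        report["sections"] = [s["name"] for s in pe["sections"]]
        report["packer_hints"] = packer_hints(pe)
    return report


if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(profile(blob), indent=2))
```

Run without arguments it profiles the constructed blob; pass a path to profile a file you have already placed in your isolated analysis VM. On the sample it reports an i386 PE, sections UPX0/UPX1, a section with no data on disk (the classic unpack-at-runtime layout), a URL and an injection-related API name, and the three hashes you would search in VirusTotal or MalwareBazaar. Parsing the import table needs the optional header and data directories, which this minimal walk deliberately leaves to pecheck.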
2. Dynamic Analysis
Focuses on understanding the malware by executing it in a safe environment. This lets you see the malware live in action: its exact behavior and how it infects the environment. No matter how much obfuscation is added to the code, it becomes an easy target for detection once it runs.
Malware often uses techniques to prevent an analyst from performing dynamic analysis, such as long sleep calls, user-activity detection, footprinting user activity, and detecting VMs.
Tools & Techniques
1- Open-Source Sandbox
https://github.com/kevoreilly/CAPEv2
2- Online Sandboxes
Setting up and maintaining a sandbox can be a time-consuming task. Keeping that in view, online sandboxes can be of great help.
Online Cuckoo Sandbox
Online CAPE Sandbox
Any.run
Intezer
Hybrid Analysis: Additional feature: maps the malware's behavior to the MITRE ATT&CK framework
browserling.com
3. Advanced Analysis
Used to analyze malware that evades basic static and dynamic analysis. Advanced malware analysis relies on disassemblers and debuggers.
- Disassemblers convert the malware’s code from binary to assembly so that an analyst can look at the instructions of the malware statically.
- Debuggers attach to a program and allow the analyst to monitor the instructions in malware while it is running. A debugger allows the analyst to stop and run the malware at different points to identify interesting pieces of information while also providing an overview of the memory and CPU of the system.
Tools & Techniques
1- Ghidra: A powerful disassembler and decompiler. It can disassemble the compiled file into assembly code or even decompile it into C-like code that approximates the original source.
2- IDA Freeware: Another disassembler for the Windows environment. It can disassemble the compiled file into assembly code.
That's it. Hope you've learned something new. Maybe the next part of the series will cover how to use some of these tools during a malware investigation.
If you want to support us with a coffee, ping us here.
Question or any suggestion for a new Topic? Ping me on my socials