Hey Guys, Good Afternoon, back again with another blog. We will be doing Malware analysis in the upcoming blogs, maybe 4 blogs in total.
Today we are going to take a look at how a Malware analysis flows from start to finish.
Today’s blog will be fully theoretical. I hope you will find it interesting; please don’t fall asleep in the middle, I will try to make this as short as possible without leaving much out.
Software is called Malware (malicious software) because of its malicious intent and behaviour on computer networks and systems.
There are lots of Malware pieces circulating around the networking world, eagerly waiting for prey, which might be anyone with a listening port exposed.
Examples: – Virus, Worms, Trojans, Ransomware, Bots, Adware, Rootkits, Backdoors, Crypters.
I don’t want to explain all of these here and bore you; if you really want to know, you can visit my previous blog post here.
Ok, let’s see how we are going to proceed when it comes to Malware analysis.
There are 4 types of Malware analysis methods that can be carried out:
- Static Analysis
- Dynamic Analysis
- Code Analysis
- Behavioural Analysis
STATIC ANALYSIS: – In this method we analyse the malware sample without executing or running it; we analyse the file in its static condition.
Objective: Extract as much data as possible, like strings, PE headers, etc.
DYNAMIC ANALYSIS: – In this method we analyse the malware by executing it and observing it, for example under a debugger as in reverse engineering.
Objective: To get to know how it works and what it does with files.
CODE ANALYSIS: – This is the process of analysing or reverse engineering the assembly code; it combines both the static and dynamic analysis types, and we can get a lot of information from it.
BEHAVIOURAL ANALYSIS: This is the process of analysing and monitoring the malware after execution: monitoring its processes and registry entries, and network monitoring can also be done to determine how the malware works. Objectives:
- To extract useful indicators (e.g. registry keys, file names)
- To understand its type
- To know how it communicates with the attacker
- To know how it behaves
Today we will be learning how the Static Analysis flow works.
It consists of 5 steps in total:
- Identifying file type
- Generating hash
- Strings
- Packing & obfuscation
- PE header
Identification of File type: To find which OS is targeted (Windows, Linux, Mac), the architecture (32-bit, 64-bit), and the format (.exe, .dll, etc.).
Generating Hash: Why do we need to generate a hash? Hashing gives you a unique ID for the malware, so we can easily identify whether it has been obfuscated or not, and we can use it to check if anyone has analysed the malware before; VirusTotal.com can be used to look up earlier analyses.
Strings: They give an idea of what the malware is, what it can do, what its purpose is, etc.
Packing & Obfuscation: This technique is used by attackers to prevent detection by anti-malware and to hinder analysis, so unpacking and deobfuscating can reveal a lot of additional info.
PE Header: It reveals a lot of information about the malware’s functionality from the Portable Executable header section.
What do we do?
STEP 1: FILE IDENTIFICATION
We will be looking for the target OS and architecture the malware is designed to attack.
We will look at the Portable Executable (PE) to see whether it is an .exe, .dll, etc.
We need to analyse the file signature to avoid being fooled by double extensions like test.txt.exe; the file signature lives in the file header.
The file signature of a PE file is the hexadecimal value 4D 5A (ASCII “MZ”) in the first two bytes (offsets 0-1).
A PE file also carries the notice “This program cannot be run in DOS mode”.
TOOLS: HxD – Hex editor
Exeinfo PE – Retrieves the Windows PE header info and packing info.
CFF Explorer – Architecture.
4D 5A indicates that it is a portable executable.
Remember: Malware samples should always be kept in a password-protected zip file.
STEP 2 : GENERATING HASH
This is the process of hashing the entire content of the malware using different hash types like MD5, SHA1, SHA-256; it gives a unique fingerprint for the malware sample.
Instead of the file name, use the hash to identify the sample and to search analysis sites for previous analyses.
TOOLS: HashMyFiles, HashCalc
STEP 3: STRINGS
In this step we extract strings from the malware sample we are analysing, i.e. the readable characters and words inside the malware.
Strings can give us valuable information in both ASCII and UNICODE formats.
We can get file names, URLs, IP addresses, and registry keys.
It gives a glimpse of what the malware can do.
Strings tools come in both CLI and GUI form.
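Steps 2 and 3 as a small script, added here as an example and not code from the original blog: it hashes a sample, pulls out both ASCII and UTF-16LE (“Unicode”) runs the way a strings tool does, and buckets them into the file names, URLs, IP addresses and registry keys mentioned above. The sample bytes, the host c2.example.invalid and the indicator regexes are constructed for the demo.

```python
import hashlib
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs of 4+ chars (the usual strings default)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # the same characters encoded as UTF-16LE ("Unicode")
INDICATORS = {                                          # the string categories Step 3 lists
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"^(?:HKEY_|HKLM\\|HKCU\\|SOFTWARE\\|SYSTEM\\)", re.I),
    "filename": re.compile(r"\.(?:exe|dll|sys|bat|vbs|ps1)$", re.I),
}

def file_hashes(data: bytes) -> dict:
    """Step 2: MD5, SHA-1 and SHA-256 of the whole file, the IDs used to search VirusTotal and friends."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes) -> list[tuple[str, str]]:
    """Step 3: (encoding, text) for every ASCII and UTF-16LE run, in file order."""
    runs = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    runs += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(data)]
    return [(enc, text) for _, enc, text in sorted(runs)]

def classify(strings: list[tuple[str, str]]) -> dict:
    """Bucket the extracted strings into the indicator types worth pivoting on."""
    hits = {kind: [] for kind in INDICATORS}
    for _, text in strings:
        for kind, rx in INDICATORS.items():
            if rx.search(text):
                hits[kind].append(text)
    return hits

# Constructed stand-in for a sample: MZ magic, the DOS stub message and a few planted indicators
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$\x00"
          + b"http://c2.example.invalid/gate.php\x00" + b"10.0.0.7\x00\x00"
          + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
          + b"\x01\x02\x03" + b"payload.dll\x00")

if __name__ == "__main__":
    print(file_hashes(SAMPLE)["sha256"])
    for enc, text in extract_strings(SAMPLE):
        print(f"[{enc:5}] {text}")
    print(classify(extract_strings(SAMPLE)))
```

Note that a plain ASCII scan misses the registry path entirely because it is stored as UTF-16; that is why the blog's "ASCII and UNICODE" distinction matters.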
STEP 4: PACKING AND OBFUSCATION
Compressing and archiving is done to avoid detection and to shrink the content of the malware; attackers use packers to obfuscate the malware’s content, so it becomes difficult to analyse the strings.
TOOLS: UPX, Exeinfo PE
The packed and unpacked versions of a file differ only in size and hash.
STEP 5: PE HEADER
It contains the information the OS requires to run the executable. It gives more info about the malware’s functionality and how it interacts with the OS; it lists the libraries (DLLs) the executable requires to be loaded, and it specifies where execution begins.
To understand the PE header we need to look at the PE header structure and its sections.
PE HEADER STRUCTURE

| Part | Purpose |
|---|---|
| MZ Header / DOS Header | Marks the file as an executable binary |
| DOS stub | Prints a message (“This program cannot be run in DOS mode”) |
| PE File Header (Signature) | Defines the exe as a PE |
| Image Optional Header | Important info like subsystem and entry point |
| Section Table | How to load the executable into memory |
| Sections | Executable sections of code and data |
| .rdata | Stores read-only data |
| .idata | Stores import data |
| .edata | Stores export data |
| .rsrc | Stores resources (strings and icons) |
We will be looking for some crucial information here in the PE header:
- Compiler stamp – when the malware was compiled
- Sub System – which subsystem the malware uses, GUI or CLI
- Sections – is the executable packed, are there any inconsistent permissions
- Libraries and Imports – which libraries and imports are used, and what they tell us about the malware’s functionality. For example, socket functions in the import table point to network activity.
- Resources Section – attackers can use the resource section to store malicious files and payloads, droppers, configuration files, etc. Some malware has a resources section, some doesn’t.
- Strings – the strings block lists all the strings available in the sample.
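The Step 1 signature checks (MZ at offset 0, then the PE signature), the Step 5 header fields (machine, compile stamp, subsystem, sections) and the Step 4 packing hints in one hand-written parser, added here as an example and not code from the blog or from any of the tools it names. It reads the headers with struct at the documented offsets; the one-section PE32 image it parses is constructed in the block itself (its "UPX1" section is filled with uniform bytes so its entropy lands at exactly 8.0), and the entropy threshold of 7.0 is a rule of thumb, not a standard.

```python
import math
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
SUBSYSTEMS = {2: "GUI", 3: "CLI"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    n = len(buf) or 1
    probs = [buf.count(bytes([b])) / n for b in set(buf)]
    return -sum(p * math.log2(p) for p in probs)

def parse_pe(data: bytes) -> dict:
    """Step 1 signature checks, Step 5 header fields and Step 4 packing hints, read by hand."""
    if data[:2] != b"MZ":                                    # 4D 5A at offset 0
        raise ValueError("no MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header without a PE signature")
    coff = e_lfanew + 4                                      # COFF file header (20 bytes)
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # optional header
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections, hints = [], []
    for i in range(nsec):                                    # section table follows the optional header
        name, vsize, _, rawsize, rawptr, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode(errors="replace")
        ent = round(entropy(data[rawptr:rawptr + rawsize]), 2)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize, "entropy": ent})
        if ent > 7.0:
            hints.append(f"{name}: entropy {ent}, likely compressed or encrypted")
        if flags & SCN_WRITE and flags & SCN_EXECUTE:
            hints.append(f"{name}: writable and executable, typical of an unpacking stub's target")
    return {"machine": MACHINES.get(machine, hex(machine)), "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "sections": sections, "packing_hints": hints}

def build_sample(section_name: bytes, flags: int, payload: bytes) -> bytes:
    """Constructed minimal PE32 image with one section, for this demo only; not a real sample."""
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem = Windows GUI
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1700000000, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", section_name, 0x4000, 0x1000, len(payload), 0x200, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64: PE signature right after the DOS header
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + payload

PACKED = build_sample(b"UPX1", 0xE0000040, bytes((i * 239 + 13) % 256 for i in range(4096)))  # uniform bytes: entropy 8.0
```

Running parse_pe(PACKED) reports an x86 GUI binary compiled in November 2023 with a single writable and executable, maximum-entropy section, which is exactly the "is it packed, are the permissions inconsistent" signal the Sections bullet above asks for.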
The tools mentioned above come preinstalled with FlareVM; we will see how to merge it with the sandboxing environment in the upcoming blog. If you are reading this some days later, you can obviously reach that blog by clicking here.
TWIST with Malware classification and identification:
We were using the hashing technique to identify samples earlier, but a small change in the content or code changes the whole hash of the file. Attackers add random strings (garbage text) to the code, so the hash is of no use for identifying it in further investigation. That is where YARA comes into play.
I know it’s getting lengthy, so let me stop here and we can learn about YARA RULES in the next blog.
That’s it for today guys, see you in the next one.