Search

MALWARE ANALYSIS – PART 1

Hey Guys Good Afternoon, back again with another blog we will be doing Malware analysis in the upcoming blogs may be 4 blogs total.

Today we are going to take a look at how Malware analysis is going with the flow,

Today’s blog will be fully theoretical, I hope you will find it interesting, please don’t try to sleep in the middle, I will try to make this as short as possible without leaving much behind.

Malware:

Malfunctioning Software is named Malware analysis due to its malicious intent behavior over the computer networks and systems.

There are a lot of Malware pieces in circulation around the networking world and eagerly waiting for someone as prey might be to the one waiting with a listening portal.

Examples: – Viruses, Worms, Trojans, ransomware, Bot, Adware, Rootkit, Backdoors, Crypter.

I don’t want to explain all these here and make you get bored of these, if you really wanted to know then you can visit my previous blog post here

Ok let’s see how we are going to proceed when it comes to Malware analysis

There are 4 types of Malware analysis methods to be carried out while doing it:

They are,

  1. Static Analysis
  2. Dynamic Analysis
  3. Code Analysis
  4. Behavioral Analysis

STATIC ANALYSIS: – In this method, we will be analyzing the sample malwarebytes free without executing or running it, we will be analyzing the file in a static condition,

Objective: Extract as much of the Data like strings, PE headers, etc.

DYNAMIC ANALYSIS: – With this method, we will analyze the malware by executing and analyzing using a debugger like in  reverse engineering

Objective: To get to know how it does work, and how it proceeds with the files.

CODE ANALYSIS: – It is a process of Analysing or reverse-engineering the assembly code, it combines both the static and dynamic analysis types, and we can get a lot of information from this analysis.

BEHAVIOURAL ANALYSIS: In this, the process of analyzing and monitoring the malware bytes after execution, monitoring the process, registry entries of the malware, and network monitoring is also can be done to determine the workings of the malware.

Main Objectives:

  1. To exfiltrate useful indicators (Eg. Registry keys, file names)
  2. To Understand type
  3. To know How it communicates with the Attacker
  4. To know how it behaves

Today we will be learning how Static Analysis Flow works.

It is of total of 5 steps.

  1. Identifying File type
  2. Generating Hash
  3. Strings
  4. Packing & obfuscation
  5. PEHeaders

Why?

Identification of File type: To find which OS has been targeted( Windows, Linux, Mac), Architecture(32bit, 64bit), and format(.exe, .dll, etc).

Generating Hash:  Why do we need to generate a Hash, Hashing will give you a Unique ID for the Malware, so we can identify easily when it is obfuscated or not, we can use this to check if anyone has analyzed the malware before, and we can use VirusTotal.com to check for earlier analyzed ones

Strings: It will give the Idea of what the Malware is, What it can do, what its purpose etc.

Packing & Obfuscation: This technique is being used by the attackers to prevent Detection from the Anti-malware and analysing situations, So unpacking and deobfuscating can reveal a lot of additional info.

PEHeader: It will reveal a lot of information on the malware functionality from the Portable Executable Header Section.

What do we do?

 

STEP 1: FILE IDENTIFICATION

We will be looking for Target OS and architecture for which the malware is designed to Attack.

We will look for the Portable Executable (PE) whether it is .exe, .dll, etc.

We need to analyze the file signature to avoid false positives caused by using Double extensions like test.txt.exe, File signature exists on the file header.

File signatures for PE files are represented by hexadecimal values of 4D, 5A, or MZ in the first two bytes(0-1)

PE will be having a notice “This cannot be run in DOS mode”

TOOLS: HxD – Hex editor

               Exeinfo PE – Retrieves the Windows PE header info and packing info.

               PeStudio 

               CFF Explorer. – Architecture.

4D 5A indicates that it is a portable executable.

Remember: Malware should be always in a Zip file with password protection.

STEP 2: GENERATING HASH

It is the process of hashing the entire content of malware using different types of hashes like MD5, SHA1, and SHA-256, it will give a unique fingerprint for malware samples.

Instead of using names using of Hash to identify and to use in analyzing the sites to search for previous analysis.

TOOLS: HashMyFiles, HashCalc

STEP 3: STRINGS

In this step, we will be extracting strings from the sample malware we are analyzing, and extracting readable characters and words from the malware.

Strings can give us valuable information in ASCII and UNICODE formats.

We can get File Names, URLs, IP Addresses, and Registry keys.

It will give a glimpse of what malware can do. Strings can give us valuable information.

Strings come in both CLI tools and also in GUI interface tools.

STEP 4: PACKAGING AND OBFUSCATION

Compressing and archiving is done to avoid detection and used to compress the content of the malware, Attackers will be using packers to obfuscate the content of the malware, so it will be difficult to analyze the strings.

TOOLS: UPx, EXEinfoPE

Packed and unpacked files differ only in size and hashes.

STEP 5: PE HEADER

 It contains the information that OS requires to run the executable, It gives more info about the functionality of malware and how the Malwarebytes free interacts with OS, It contains libraries that the executable requires to be loaded (dll). It contains information that specifies when the execution begins.

If we need to know about the PEHeader then we need to look for the PE Header structure and Sections

PE HEADER STRUCTURE

MZ Header/DOS Header Executable Binary
DOS stub Prints a message (Program cannot run in DOS mode)
PE File Heder(Signature) Define exe as PE
Image optional Header Important info like subsystem and entry point
Section Table How to load the executable into memory
Sections Executable sections of code and data

PE SECTIONS

.code/.text Executable code
.data Stores data(R/W)
.rdata Stores data (Read only)
.idata Stores import data
.edata Stores export data
.rsc Stores resources(strings and icons)

What info?

We will be looking for some crucial information here in the PE header, i.e Compiler stamp     –    When and where the malware was compiled

Sub System  –  What subsystem is being used by Malware like GUI or CLI

Sections     –  Is the executable packed, Are any inconsistent permissions

Libraries and Imports – what libraries and imports are being used, and what information do they give us about the functionality of malware?

Import file will be having Socket information

TOOLS: PeSTUDIO

Resources Section  – The attacker can utilize the resource section to store malicious files and payloads, droppers and configuration files, etc. Some Malwarebytes has a resources section, some don’t.

Strings    –   Strings block will list all the strings available in the Sample.

The above-said tools are preinstalled with FlareVM which we will see how to merge with the sandboxing environment in the upcoming blog, if you see this after some days obviously you can do that blog by clicking here.

Finally!

TWIST with Malware classification and Identification;

We were using  Hashing technique to identify Samples earlier but a small change in content and code will change the whole hash of the file, Attackers add Random Strings(Garbage text) with the code so it will be no use of it to identify it for further investigation,  So there comes YARA to play in it.

I know it’s getting lengthy, so let me stop here so we can learn about YARA RULES in the next blog,

That’s it for Today guys, See you at the next one.

Bye Bye!

Greeting Everyone!

Hope Everything Is going Well Today in this Blog we will discuss 10 Common Burpsuite Extensions that You Need Before Start Your Testing   We will Explore How these Common Extension Help You In Your Testing phase If You Doing Web Penetration Testing Or Bugbounty.

What is Burpsuite Extensions?

Burp Extension Automate Our Testing phase easily with Some Known Script . burp Extension which customize Burp’s  Functionality in different ways, such as modifying HTTP requests and responses, customizing the UI, adding custom Scanner checks, and accessing key runtime information, including the Proxy history, Target site map, and Scanner issues.

Top 10 Common Burpsuite Extensions That Open Source –

  • Active scanner ++
  • Param-miner
  • Collaborator Everywhere
  • Logger ++
  • Authorize
  • Retire.js
  • JSON Beautifier
  • XSS Validator
  •   backslash-powered-scanner

Active Scanner ++ :

Active scanner ++ is a Commonly Used Burp Extension Which Helps Us with Different Security Issue Against Our Targeted Website Such As SSTI, Host header Injection,  cache poisoning, DNS rebinding, XML input handling ETC.

Extension On Github: https://github.com/PortSwigger/active-scan-plus-plus

Param-miner :

Param-miner is an Awesome extension That Helps A Tester To Validate issues with hidden parameters, and unlinked parameters. It’s particularly useful for finding web cache-poisoning vulnerabilities.

Tutorials Found: https://github.com/PortSwigger/param-miner

Collaborator Everywhere :

Collaborator Everywhere This I recommend To Use if You’re Looking For Blind SSRF Types Of Security Issue By adding Unique Headers On request designed to reveal backend systems by causing pingbacks to Burp Collaborator. This We can Defile as Out of band Response From Server. This Extension Also helps to find Blind SQLI, Command Injection, etc.

For Tutorial And More info Found Here: https://portswigger.net/burp/documentation/collaborator

Logger ++ :

Logger++ is a multithreaded logging extension for Burp Suite which help a tester to filter highlight interesting entries or filter logs to only those that match the filter.  A built-in grep tool allows the logs to be searched to locate entries that match a specified pattern and extract the values of the capture groups.

For More Information Found Here: https://github.com/PortSwigger/logger-plus-plus

Authorize:

Autorize Is an Extension Based On finding Authorization Issue Against Our Targeted Website  This is one of the time-consuming tasks we can make it automate in a web application penetration test phase as it helps us to Find out Authorization Related Issue, IDOR Insecure Direct access control. This Help Us to validate issues based On the extension of the cookies of a low-privileged user and navigate the website with a high-privileged user.  

More Information Found here: https://portswigger.net/bappstore/f9bbac8c4acf4aefa4d7dc92a991af2f

Retire.js :

Retire.js  this tool We  Have a Browser Extension Based Or Burp Extension Also

Retire.js  It helps us to extract all JS Files from Our Targeted Website  This helps us to validate all js libraries based On vulnerable Versions We can easily Verify Which JS Library They Are using and we can easily validate security issues According to Library Version.

Information Or Extension Details Found here: https://github.com/retirejs/retire.js/

JSON Beautifier:

This extension helps Us to read Json and js files In a good manner  It is difficult for a web application security tester to analyze the JS files which are compressed to increase the loading speed. This extension helps us to verify Resources based On JSON or JS

More Information Found Here: https://github.com/PortSwigger/json-js-beautifier

XSS  validator :

XSS Validator Is Burp Extension That help us to validate XSS cross Site Scripting Related Security loopholes Against Our targeted Website using different regex value  This extension sends a Response  to the server based on Phantom.js and/or Slimer.js

backslash-powered-scanner

This extension Is based On a Burp Active Scanner which commonly validates Known and unknown classes of Server Side Injection  Security issue.

It Test For Issues Such As:

  • Detect JSON Injection and escalate into RCE where possible
  • Detect Server-Side HTTP Parameter Pollution
  • Support brute-forcing backend parameter names
  • Improve evidence clarity and reduce false positives
  • Find vulnerabilities with subtler evidence
  • Detect escape sequence injection
  • Improve LFI detection

For More Information Can be Found:  https://github.com/PortSwigger/backslash-powered-scanner

For Installation Extension: https://portswigger.net/support/how-to-install-an-extension-in-burp-suite

You must Need Jython Before Installation Extensions: https://www.jython.org/download

Conclusion:

In today’s blog We discussed How to implement Your  Web Application Penetration Testing Phase Using Different Common extensions Which Help us to Validate Different Security loopholes Against Our Targeted Website. We Discuss Common Extensions Which You Easily Configured On Your Domain.

Thanks For Reading……. See You In Another Blog!

Stick With Our Blog: https://securiumsolutions.com/blog/

Author: Pallab Jyoti Borah | VAPT Analyst

Table of Contents

Social Media
Facebook
Twitter
WhatsApp
LinkedIn