We covered an introduction to malware analysis, covering aspects such as the definition of malware, malware campaigns, the types of malware analysis methods (dynamic and static analysis), and finally a practical example by solving the TryHackMe MAL: Malware Introductory room.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Intro to Malware Analysis

Malware is such a prevalent topic within Cybersecurity, and often an unfortunately recurring theme among global news today.

Not only is malware analysis a form of incident response, but it is also useful in understanding how the behaviours of malware variants result in their respective categorisation.

When analysing malware, it is important to consider the following:

  • Point of Entry (PoE), i.e. was it through spam that our e-mail filtering missed and the user opened the attachment? Let’s review our spam filters and train our users better for future prevention!
  • What are the indicators that malware has even been executed on a machine? Are there any files, processes, or perhaps any attempt of “un-ordinary” communication?
  • How does the malware perform? Does it attempt to infect other devices? Does it encrypt files or install anything like a backdoor / Remote Access Tool (RAT)?
  • Most importantly – can we ultimately prevent and/or detect further infection?!

Malware Attack Steps

  1. Delivery
  2. Execution
  3. Maintaining persistence (not always the case!)
  4. Propagation

These steps will generate lots of data, namely network traffic such as communication with hosts, and file system interaction such as reads, writes and modifications.

Static vs Dynamic Malware Analysis

Static Analysis

In brief, “Static Analysis” is used to gain a high-level abstraction of the sample – it can be fairly simple to decide whether a piece of code is “malicious” or not with this method alone (but not always; this will be discussed later…). At its core, this method analyses the sample in the state it presents itself, without executing the code.

Employing techniques such as signature analysis via checksums allows quick, efficient (albeit extremely brief) and safe analysis of malware.
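As an added example (not part of the TryHackMe room or this walkthrough), the following Python script performs the two static checks used later in the room: hashing a file so its checksum can be compared against a known-bad list (the way VirusTotal lookups work), and extracting printable strings the way the Sysinternals “strings” tool does. The sample bytes and the known-bad hash list are constructed for illustration, not real malware.

```python
import hashlib
import re

# Constructed stand-in for a file under analysis; a fake MZ header, the usual
# DOS-stub text, a hypothetical URL and a trailing short string. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\xffhttp://example.invalid/c2\x00"
    + b"\x01\x02d:h:\x00"
)

# Constructed known-bad list. In practice this would be a threat-intel feed or a
# VirusTotal lookup; the single entry here is just the MD5 of an empty file.
KNOWN_BAD_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}


def file_hashes(data: bytes) -> dict:
    """Return the checksums commonly used as file signatures for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_known_bad(data: bytes, bad_md5: set) -> bool:
    """Checksum signature match: is the sample's MD5 in the known-bad list?

    Comparison is case-insensitive because feeds mix upper- and lower-case hex.
    """
    return hashlib.md5(data).hexdigest() in {h.lower() for h in bad_md5}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the 'strings' tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_urls(strings_list: list) -> list:
    """Keep only strings that look like HTTP(S) URLs; a quick network indicator."""
    return [s for s in strings_list if re.search(r"https?://", s)]


if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    print("known bad:", is_known_bad(SAMPLE, KNOWN_BAD_MD5))
    found = extract_strings(SAMPLE)
    print("strings:", found)
    print("urls:", extract_urls(found))
```

A hash match is only as good as the list it is compared against: a single changed byte gives a different MD5, which is why strings and packer detection are still needed when the lookup comes back clean.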

Dynamic Analysis

This step is a lot more involved, and is where the abstraction of the sample is largely built upon. “Dynamic Analysis” essentially involves executing the sample and observing what happens. This of course is not safe. If the sample turns out to be “Ransomware” – you’ve now lost your files. If it is capable of propagating via traversing a network, nice…You’ve now just infected your Local Area Network (LAN).

Malware Packing

Packing is one form of obfuscation that malware authors employ to prevent the analysis of programs. There are both legitimate and malicious reasons why the author of a program might want to prevent the decompiling of their program.

For example, a legitimate reason is the protection of intellectual property! Whilst I’m one for open-source as much as the next person here – alas not every organisation has the same mindset…but let’s leave that aside.

By the same token, just because you write a program… why should everyone have the right to “copy” your project? This is one of the justifiable reasons for obfuscation – it is yours at the end of the day!

However, malware authors employ obfuscation techniques such as packing for the same reasons, but with the intent of preventing people like us from reversing it to understand its behaviours, and ultimately with the aim of achieving infection.

How packing works is out of scope for this room, but I hope to be able to delve into topics like these later on within THM, so that you can understand the theory behind the practical skills you’ll be using.

Room Answers | TryHackMe MAL: Malware Introductory

What is the famous example of a targeted attack-esque Malware that targeted Iran?
Stuxnet

What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?
Wannacry

Name the first essential step of a Malware Attack?

Delivery

Now name the second essential step of a Malware Attack?

Execution

What type of signature is used to classify remnants of infection on a host?

Host-Based Signatures

What is the name of the other classification of signature used after a Malware attack?

Network-Based Signatures


The MD5 Checksum of aws.exe 

D2778164EF643BA8F44CC202EC7EF157

The MD5 Checksum of Netlogo.exe

59CB421172A89E1E16C11A428326952C

The MD5 Checksum of vlc.exe

5416BE1B8B04B1681CB39CF0E2CAAD9F

Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Nay

Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Nay

Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Nay

What does PEiD propose 1DE9176AD682FF.dll being packed with?

Microsoft Visual C++ 6.0 DLL

What does PEiD propose AD29AA1B.bin being packed with?

Microsoft Visual C++ 6.0

What packer does PEiD report file “6F431F46547DB2628” to be packed with?

FSG 1.0 -> dulek/xt

What is the URL that is outputted after using “strings”?

practicalmalwareanalysis.com

How many unique “Imports” are there?

5

How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?

9

What is the MD5 Checksum of the file?

f5bd8e6dc6782ed4dfa62b8215bdc429

Does Virustotal report this file as malicious? (Yay/Nay)

Yay

Output the strings using Sysinternals “strings” tool.

What is the last string outputted?

d:h:

What is the output of PEiD when trying to detect what packer is used by the file?

Nothing Found

Video Walkthrough | TryHackMe MAL: Malware Introductory

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
