We covered the second part of malware static analysis. We went through analyzing strings, hashes and signatures. This was part of TryHackMe Basic Static Analysis room.
Basic precautions for malware analysis:
Before analyzing malware, one must understand that malware is often destructive. This means that when malware is being analyzed, there is a high chance of damaging the environment in which it is being analyzed. This damage can be permanent, and it might take more effort to get rid of this damage than the effort made to analyze the malware. Therefore, creating a lab setup that can withstand the destructive nature of malware is necessary.
A lab setup for malware analysis requires the ability to save the state of a machine (snapshot) and revert to that state whenever required. The machine is thus prepared with all the required tools installed, and its state is saved. After analyzing the malware in that machine, it is restored to its clean state with all the tools installed. This activity ensures that each malware is analyzed in an otherwise clean environment, and after analysis, the machine can be reverted without any sustained damage.
Virtual Machines provide an ideal medium for malware analysis. Some famous software used for creating and using Virtual Machines includes Oracle VirtualBox and VMWare Workstation. These applications can create snapshots and revert to them whenever required, making them well-suited for our malware analysis pursuit. In short, the following steps portray the usage of Virtual Machines for malware analysis.
- Created a fresh Virtual Machine with a new OS install
- Set up the machine by installing all the required analysis tools in it
- Take a snapshot of the machine
- Copy/Download malware samples inside the VM and analyze it
- Revert the machine to the snapshot after the analysis completes
Following these steps ensures that your VM is not contaminated with remnants of previous malware samples when analyzing new malware. It also ensures that you don’t have to install your tools again and again for each analysis. Selecting the tools to install in your malware analysis VM can also be hectic. One can use one of the freely available malware analysis VMs with pre-installed tools to ease this task. Let’s review some common malware analysis VMs most popular among security researchers.
The FLARE VM is a Windows-based VM well-suited for malware analysis created by Mandiant (Previously FireEye). It contains some of the community’s favorite malware analysis tools. Furthermore, it is also customizable, i.e., you can install any of your own tools to the VM. FLARE VM is compatible with Windows 7 and Windows 10. For a list of tools already installed in the VM and installation steps, you can visit the GitHub page or the Mandiant blog for the VM. Since it is a Windows-based VM, it can perform dynamic analysis of Windows-based malware.
An instance of FLARE VM is attached to this room for performing practical tasks. Please click the Start Machine button on the top-right corner of this task to start the machine before proceeding to the next task. The attached VM has a directory named mal on the Desktop, which contains malware samples that we would be analyzing for this room.
REMnux stands for Reverse Engineering Malware Linux. It is a Linux-based malware analysis distribution created by Lenny Zeltser in 2010. Later on, more people joined the team to improve upon the distribution. Like the FLARE VM, it includes some of the most popular reverse engineering and malware analysis tools pre-installed. It helps the analysts save time that would otherwise be spent in identifying, searching for, and installing the required tools. Details like installation and documentation can be found on GitHub or the website for distribution. Being a Linux-based distribution, it cannot be used to perform dynamic analysis of Windows-based malware. REMnux was previously used in the Intro to Malware Analysis room and will also be used in the upcoming rooms.
Does the sample have to capability to suspend or resume a thread? Answer with Y for yes and N for no.
What MBC behavior is observed against the MBC Objective ‘Anti-Static Analysis’?
At what address is the function that has the capability ‘Check HTTP Status Code’?
What does this dll do?