We covered an overview of malware analysis, starting with basic static analysis, moving through advanced static analysis techniques such as reverse engineering, and finishing with dynamic analysis. The focus of this tutorial was the methodology an analyst should follow when reverse engineering a binary sample. Things to look for during this phase are strings, Windows API calls, exports and DLLs, function calls and execution flow. We covered a few samples and analyzed them using the popular disassembler Ghidra, and also solved a practical scenario from the TryHackMe Advanced Static Analysis room, which is part of the SOC Level 2 track.
Please watch the video at the bottom for a full, detailed explanation of the walkthrough.
Computer Forensics Study Notes
Creating an environment for malware analysis
A lab setup for malware analysis requires the ability to save the state of a machine (a snapshot) and revert to that state whenever required. The machine is prepared with all the required tools installed, and its state is saved. After a sample has been analyzed in that machine, it is restored to its clean state with all the tools still installed. This ensures that each sample is analyzed in an otherwise clean environment, and that after analysis the machine can be reverted without any lasting damage.
Following these steps ensures that your VM is not contaminated with remnants of previous malware samples when analyzing new malware. It also ensures that you don’t have to install your tools again and again for each analysis.
Static Malware Analysis
Static analysis means examining the file without executing it. In static analysis we aim to extract the following details:
1- File extension
2- Hash
3- IOCs (IPs, domains, hostnames, hashes)
4- Useful strings
5- Imports and exports (API calls)
6- Sections (.text, .rsrc, .data)
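As an added example (not part of these notes or the TryHackMe room), the Python script below pulls most of the items in the list above out of a PE file without running it: file hashes, the section table with per-section entropy and permissions, the entry point as a Ghidra-style virtual address, printable strings, API names that appear among those strings, and IP/URL IOCs. The bytes it parses are a constructed, non-functional PE32 stub built inline so the script runs offline; the SUSPICIOUS_APIS list and the 7.0 entropy threshold used for the packing hint are my own choices, not anything the room specifies.

```python
import hashlib
import math
import re
import struct

# APIs worth a closer look when seen among strings or imports (my own short list).
SUSPICIOUS_APIS = {"CreateProcessA", "CreateProcessW", "WriteProcessMemory", "VirtualAllocEx",
                   "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread", "CreateRemoteThread"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")

def build_sample_pe():
    """Constructed test data: a minimal PE32 image that is not a runnable program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew: "PE\0\0" lives at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, two sections
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0x200, 0x200, 0,      # PE32 optional header
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200).ljust(0xE0, b"\0")
    sec = "<8sIIIIIIHHI"
    text = struct.pack(sec, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(sec, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + stub + b"PE\0\0" + coff + opt + text + data).ljust(0x200, b"\0")
    text_raw = (b"\x55\x89\xe5" + b"\x90" * 13).ljust(0x200, b"\0")              # prologue + NOPs
    data_raw = (b"Hello World\0kernel32.dll\0WriteProcessMemory\0"                 # constructed strings
                b"192.0.2.10\0http://example.invalid/c2\0").ljust(0x200, b"\0")   # and IOCs
    return headers + text_raw + data_raw

def shannon_entropy(buf):
    """Bits per byte; compressed or encrypted (packed) data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data):
    """Read the DOS, COFF, optional and section headers (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    if magic == 0x20B:                                           # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:                                                        # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize,
                         "raw_offset": rptr, "raw_size": rsize,
                         "executable": bool(flags & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
                         "writable": bool(flags & 0x80000000),     # IMAGE_SCN_MEM_WRITE
                         "entropy": shannon_entropy(data[rptr:rptr + rsize])})
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base,
            "entry_point_rva": entry, "sections": sections}

def section_containing_rva(info, rva):
    for s in info["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s["name"]
    return None

def extract_strings(data, min_len=4):
    """Printable ASCII runs, the same idea as the `strings` tool or Ghidra's Search for Strings."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_iocs(strings):
    iocs = {"ipv4": [], "url": []}
    for s in strings:
        iocs["url"] += URL.findall(s)
        iocs["ipv4"] += [ip for ip in IPV4.findall(s) if all(int(o) <= 255 for o in ip.split("."))]
    return iocs

def file_hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def triage(data):
    """Static summary of one sample: the items from the list above, plus a packing hint."""
    info = parse_pe(data)
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "machine": "x86" if info["machine"] == 0x14C else hex(info["machine"]),
        "entry_point": f"{info['image_base'] + info['entry_point_rva']:08x}",   # Ghidra-style VA
        "entry_section": section_containing_rva(info, info["entry_point_rva"]),
        "sections": [(s["name"], round(s["entropy"], 2), s["executable"], s["writable"])
                     for s in info["sections"]],
        "suspicious_apis": sorted(set(strings) & SUSPICIOUS_APIS),
        "iocs": find_iocs(strings),
        "packed_hint": any(s["executable"] and s["entropy"] > 7.0 for s in info["sections"]),
    }

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Replace `build_sample_pe()` with `open(path, "rb").read()` to run it on a real file. The entry point is printed as image base plus RVA, so it matches the addresses Ghidra shows; an entry point outside `.text`, or an executable section with entropy close to 8, is the usual first sign that the sample is packed and that the imports and strings you see are the unpacker's, not the payload's.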
Advanced Static Analysis & Reverse Engineering
Advanced static analysis aims to uncover hidden or obfuscated code and functionality within the malware. This involves more advanced techniques for analyzing the malware's code, such as de-obfuscation and code emulation. To perform advanced static analysis, disassemblers such as IDA Pro, Binary Ninja, and radare2 are commonly used.
- Identify the entry point of the malware and the system calls it makes.
- Identify the malware’s code sections and analyze them using available tools such as debuggers and hex editors.
- Analyze the malware’s control flow graph to identify its execution path.
- Trace the malware’s dynamic behavior by analyzing the system calls it makes during execution.
- Use the above information to understand the malware’s evasion techniques and the potential damage it can cause.
Ghidra for malware analysis
Ghidra is a software reverse engineering tool that allows users to analyze compiled code to understand its functionality. It is designed to help analysts and developers understand how the software works by providing a platform to decompile, disassemble, and debug binaries.
Installation
Make sure Java is installed:
sudo apt update
sudo apt install default-jre
sudo apt install default-jdk
Then download Ghidra from the link below:
https://www.github.com/NationalSecurityAgency/ghidra/releases
Uncompress the zipped file and give the launcher script execute permission (the file name is case-sensitive):
chmod +x ghidraRun
Run Ghidra:
./ghidraRun
Room Answers | TryHackMe Advanced Static Analysis
Does advanced static analysis require executing the malware in a controlled environment? (yay/nay)
nay
How many function calls are present in the Exports section?
1
What is the only API call found in the User32.dll under the Imports section?
MessageBoxA
How many times can the “Hello World” string be found with the Search for Strings utility?
1
What is the virtual address of the CALL function that displays “Hello World” in a message box?
004073d7
What value gets printed by the while loop in the while-loop.exe program?
ITs_Fun_to_Learn_at_THM
How many times will the while loop run until the condition is met?
4
Examine while-loop.exe in Ghidra. What is the virtual address of the instruction that CALLS to print out the sentence “That’s the end of while loop ..”?
00401543
In the if-else.exe program, examine the strings and complete the sentence “This program demonstrates………..”
This program demonstrates if-else statement
What is the virtual address of the CALL to the main function in the if-else.exe program?
00401509
When a process is created in suspended state, which hexadecimal value is assigned to the dwCreationFlags parameter?
0x00000004
Which API is used to write malicious code to the allocated memory during process hollowing?
WriteProcessMemory()
What is the MD5 hash of the benign.exe sample?
e60a461b80467a4b1187ae2081f8ca24
How many API calls are returned if we search for the term ‘Create’ in the Symbol Tree section?
2
What is the first virtual address where the CreateProcessA function is called?
0040108f
Which process is being created in suspended state by using the CreateProcessA API call?
iexplore.exe
What is the first virtual address where the CreateFileA function is called?
004010f0
What is the suspicious process being injected into the victim process?
evil.exe
Based on the Function Graph, what is the virtual address of the code block that will be executed if the program doesn’t find the suspicious process?
00401101
Which API call is found in the import functions used to unmap the process’s memory?
NtUnmapViewOfSection
How many calls to the WriteProcessMemory function are found in the code? (.text section)
2
What is the full path of the suspicious process shown in the strings?
C:\Users\THM-Attacker\Desktop\Injectors\evil.exe
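The last group of questions follows the process hollowing sequence the room walks through: a process created with dwCreationFlags = 0x00000004 (CREATE_SUSPENDED), NtUnmapViewOfSection to unmap its image, WriteProcessMemory to write into it, and ResumeThread. The script below is an added example, not part of these notes, the room or Ghidra, showing how an analyst can check for those indicators statically: it scans a Ghidra-style listing for CreateProcessA calls, recovers the stdcall arguments from the PUSH instructions before each call to see whether the dwCreationFlags immediate has CREATE_SUSPENDED set, counts WriteProcessMemory calls, and matches the import list against the steps of the technique. The listing, its addresses and the import list are constructed for the example; the step table (HOLLOWING_STEPS) and the score are my own.

```python
import re

CREATE_SUSPENDED = 0x00000004     # dwCreationFlags bit for CreateProcess* (documented value)
CREATEPROCESSA_NARGS = 10         # CreateProcessA takes ten stdcall arguments
CREATEPROCESSA_FLAGS_ARG = 6      # dwCreationFlags is the sixth parameter

# Steps of process hollowing and the APIs that implement each (my own table, defender's view).
HOLLOWING_STEPS = {
    "create_suspended": ("CreateProcessA", "CreateProcessW"),
    "unmap_target": ("NtUnmapViewOfSection", "ZwUnmapViewOfSection"),
    "allocate_in_target": ("VirtualAllocEx",),
    "write_payload": ("WriteProcessMemory",),
    "redirect_entry": ("SetThreadContext", "Wow64SetThreadContext"),
    "resume": ("ResumeThread",),
}

# Constructed import list, as it would appear in Ghidra's Imports / Symbol Tree (not a real sample).
IMPORTS = ["CreateFileA", "CreateProcessA", "MessageBoxA", "NtUnmapViewOfSection", "ReadFile",
           "ResumeThread", "SetThreadContext", "VirtualAllocEx", "WriteProcessMemory"]

# Constructed Ghidra-style listing (addresses and operands made up for this example).
LISTING = """
00401200  PUSH   dword ptr [EBP + -0x38]    ; lpProcessInformation (arg 10)
00401203  PUSH   dword ptr [EBP + -0x7c]    ; lpStartupInfo
00401206  PUSH   0x0                        ; lpCurrentDirectory
00401208  PUSH   0x0                        ; lpEnvironment
0040120a  PUSH   0x4                        ; dwCreationFlags = CREATE_SUSPENDED
0040120c  PUSH   0x0                        ; bInheritHandles
0040120e  PUSH   0x0                        ; lpThreadAttributes
00401210  PUSH   0x0                        ; lpProcessAttributes
00401212  PUSH   0x0                        ; lpCommandLine
00401214  PUSH   dword ptr [EBP + -0x10]    ; lpApplicationName (arg 1)
00401217  CALL   dword ptr [->KERNEL32.DLL::CreateProcessA]
0040121d  PUSH   dword ptr [EBP + -0x40]    ; BaseAddress
00401220  PUSH   dword ptr [EBP + -0x38]    ; ProcessHandle
00401223  CALL   dword ptr [->NTDLL.DLL::NtUnmapViewOfSection]
00401229  PUSH   0x0
0040122b  PUSH   dword ptr [EBP + -0x44]
0040122e  PUSH   dword ptr [EBP + -0x48]
00401231  PUSH   dword ptr [EBP + -0x40]
00401234  PUSH   dword ptr [EBP + -0x38]
00401237  CALL   dword ptr [->KERNEL32.DLL::WriteProcessMemory]
0040123d  PUSH   0x0
0040123f  PUSH   dword ptr [EBP + -0x4c]
00401242  PUSH   dword ptr [EBP + -0x50]
00401245  PUSH   dword ptr [EBP + -0x54]
00401248  PUSH   dword ptr [EBP + -0x38]
0040124b  CALL   dword ptr [->KERNEL32.DLL::WriteProcessMemory]
00401251  PUSH   dword ptr [EBP + -0x34]    ; hThread
00401254  CALL   dword ptr [->KERNEL32.DLL::ResumeThread]
"""

LINE = re.compile(r"^([0-9a-fA-F]{8})\s+(\S+)\s*(.*?)\s*(?:;.*)?$")
IMM = re.compile(r"^0x([0-9a-fA-F]+)$")

def parse_listing(text):
    """Turn listing lines into (address, mnemonic, operands) tuples; comments are dropped."""
    insns = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            addr, mnem, ops = m.groups()
            insns.append((addr.lower(), mnem.upper(), ops))
    return insns

def call_target(ops):
    """'dword ptr [->KERNEL32.DLL::CreateProcessA]' -> 'CreateProcessA'."""
    m = re.search(r"::(\w+)", ops) or re.search(r"(\w+)\]?$", ops)
    return m.group(1) if m else None

def find_calls(insns, api):
    return [i for i, (_, mnem, ops) in enumerate(insns)
            if mnem == "CALL" and call_target(ops) == api]

def stdcall_args(insns, call_index, nargs):
    """Recover stdcall arguments by walking back over the PUSHes before a CALL.
    Args are pushed right-to-left, so the PUSH nearest the CALL is parameter 1.
    Result is indexed by parameter position; None marks a non-immediate operand."""
    args = []
    i = call_index - 1
    while i >= 0 and len(args) < nargs:
        _, mnem, ops = insns[i]
        if mnem in ("CALL", "RET", "JMP"):
            break                                  # reached the previous call's setup
        if mnem == "PUSH":
            m = IMM.match(ops)
            args.append(int(m.group(1), 16) if m else None)
        i -= 1
    return args

def suspended_creates(insns):
    """Addresses of CreateProcessA calls whose dwCreationFlags immediate has CREATE_SUSPENDED set."""
    hits = []
    for i in find_calls(insns, "CreateProcessA"):
        args = stdcall_args(insns, i, CREATEPROCESSA_NARGS)
        flags = args[CREATEPROCESSA_FLAGS_ARG - 1] if len(args) >= CREATEPROCESSA_FLAGS_ARG else None
        if flags is not None and flags & CREATE_SUSPENDED:
            hits.append(insns[i][0])
    return hits

def hollowing_indicators(imports, insns):
    """Match imports against HOLLOWING_STEPS and confirm the suspended create in the code."""
    steps = {step: sorted(set(apis) & set(imports)) for step, apis in HOLLOWING_STEPS.items()}
    report = {
        "imported_steps": {k: v for k, v in steps.items() if v},
        "suspended_create_at": suspended_creates(insns),
        "write_process_memory_calls": len(find_calls(insns, "WriteProcessMemory")),
    }
    report["score"] = len(report["imported_steps"]) + (1 if report["suspended_create_at"] else 0)
    return report

if __name__ == "__main__":
    print(hollowing_indicators(IMPORTS, parse_listing(LISTING)))
```

The argument recovery only understands immediates pushed directly before the call; when the compiler builds dwCreationFlags in a register first, `stdcall_args` reports None for that slot and the analyst has to read the value in Ghidra's decompiler instead. Imports alone are weak evidence (a debugger legitimately imports WriteProcessMemory and SetThreadContext), which is why the score only counts the suspended create once it is confirmed in the code.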
Video Walkthrough | TryHackMe Advanced static analysis