# Malware Analysis Fundamentals * Malware: code that is used to perform malicious actions. #### Malware Analysis Goals * Assess the nature of malware threats * Determine the scope of the indicdent * Eradicate malicious artifacts * Strengthen your ability to handle malware incidents * Stages of malware analysis techniques increase in complexity * Most Complex: * Manual Code Reversing * Interactive Behavior analysis * Static Properties analysis * Fully automated analysis ### Static Properties Analysis * **Static properties** are also called metadata * Entails examining the strings embedded into the file * Overall file structure * Header data * Does not include running the actual file * Automated and static analysis allow an analyst to justify allocating additional time to taking a closer look at the specimen ### Interaction with other Infosec Professions **Input to REM staff** * Verbal reports * Suspicious files * File system image * Memory image * Network Logs * Anomaly observations * **Output from REM staff** * What malware does * How to identify it * Attackers profile * IR recommendations * Reports and IOCs * Malware trends #### What to include in a malware analysis report * Determine how detailed and formal the output of your malware analysis needs to be * If a formal report is needed: * **Summary of the analysis:** Key takeaways the reader should get from the report regarding the specimens nature, origin, capabilities, and other relevant characteristics * **Identification:** The type of file, its name, size, and hashes, malware name, and current antivirus detection capabilities * **Characteristics:** The specimens capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker * **Dependencies:** Files and network resources related to the specimens functionality such as supported OS version and required initialization files, custom DLLs, executables, URLs, and scripts * **Behavioral and code analysis findings:** Overview of the analysts behavioral, as well as static and dynamic code analysis observations * **Supporting Figures:** Logs, screenshots, string excerpts, function listings, and other exhibits that support the investigators findings * **Incident recommendations:** Indicators for detecting the specimen on other systems and networks, and possible for eradication steps **Templates** * * [Malware\_Analysis\_Template.docx](https://github.com/jtaubs1/Reverse-Engineering-Malware/files/8701238/Malware_Analysis_Template.docx) ### Open Source Malware Research * **Malware data repositories:** VT, #totalhash * **Multi-engine antivirus scanners:** VT, MetaDefender, VirSCAN, AVCaesar * **File Reputation:** Malware Hash Registry, Hashsets, Windindex * **Automated sandboxes:** Any.run, CAPE, Intezer Analye, Hybrid Analysis * **Website investigation:** vURL, Quttera, urlscan.io * **Other threat intelligence:** Shodan, Open Threat Exchange, RiskIQ Community Edition #### Dont use your normal internet connection when interacting with sites outside your lab during the investigation * Tor is a reasonable option, but adversaries can track exit nodes * Commercial VPN services can work * Set up your own VPN in the cloud * Remember to check for DNS leakage in the case the adversary is checking authoritative DNS server logs for malicious domains * You could also deploy a transient lab in a public cloud * **Note:** Check for DNS leakage #### Self Defending Malware * Malware might include self defending capabilities * Detect virtualization, monitoring, analysis tools * Detect or confuse code analysis tools such as debuggers or disassemblers * **If it detects its being analyzed it might** * Terminate itself * Put itself to sleep * Interfere with analysis tools * Exhibit different characteristics * **There are ways to deal with malware that detects analysis tools** * Could use physical system * Clone a clean parition with Clonezilla, FOG, and dd * Store the clean copy away from the system you are infecting * At the end of the analysis restore the infected partition with the clean copy * Can also restore the clean image over the network with PXE booting * **Instructions** * **The Lab should include tools that can examine the sample statically and dynamically** * **Static Properties Analysis** - PeStudio, strings, CFF Explorer, peframe, Detect It Easy, etc * **Behavioral Analysis** - Process Hacker, Process Monitor, RegShot, Wireshark, fakedns, etc * **Code Analysis** - Ghidra, x64db/x32db, OllyDumpEx, runsc, Scylla, etc ### Static Properties Analysis * See [brbbot-analysis.md](https://github.com/jtaubs1/Reverse-Engineering-Malware/blob/main/malware/day1/brbbot-analysis.md) * **EXE Info Download** - * **Remnux Static Properties Tools** - ### Behavioral Analysis * See [brbbot-analysis.md](https://github.com/jtaubs1/Reverse-Engineering-Malware/blob/main/malware/day1/brbbot-analysis.md) * **Process Hacker** - Replaces built-in Task Manager similar to Microsofts Process Explorer * **Process Monitor** - Records interactions of processes with the registry, file system, and other processes. * **RegShot** - Highlights changes to the file system and the registry * **ProcDOT** - Visulaizes Process Monitor logs for easier analysis [https://procdot.com](https://procdot.com/) * **Wireshark** - Sniffs the network and captures packets * **TCPLogView** - "monitors" the open TCP connections on your system #### fakedns * It can redirect the traffic from the infected host to an additional vm you control * Resolves all hostname queries to the IP address of your REMnux VM * Use `nslookup example.com` to test that it is working --> should point to REMnux ### Code Analysis Essentials * **IDA** - A popular disassembler * **Windbg** - a powerful free windows debugger from MSFT * **Cutter** - an open source toolkit code analysis installed on REMnux [https://cutter.re](https://cutter.re/) * **Binary Ninja** - a commercial disassembler that is especially strong for automated analysis tasks [https://binary.ninja](https://binary.ninja/) * **Hopper** - A commercial disassembler and decompiler that runs on OS X and Linux [https://hopperapp.com](https://hopperapp.com/) * **Analysts employ several code analysis approaches when reverse engineering malicious software** * **Dissassembling** - Involves translating binary machine level instructions to human readable assembly language code * **Decompiling** - Involves going a step further to generate an approximation of the original programs source code * Dynamic code level analysis sometimes called **debugging** involves examining the code while running the program * Static code level analysis involves using a **disassembler** or **decompiler** to examine the code without actually executing it * **Emulating** the execution of the code uses specialized tools to preview the key actions the specimen will take when it runs * **Emulate the execution of a program to preview its capabilities** * Emulators don't replace disassemblers and debuggers but they can * Provide and overview of the capabilities * Suggest code areas worth analyzing more e.g. functions * Emulators are especially useful for examining API-level activity * Emulators are confused by unfamiliar instructions of API calls * Examples of emulators are `speakeasy` and `capa` ### speakeasy ``` run_speakeasy.py -t brbbot.exe -o speakeasy.json 2> speakeasy.txt ``` * Parse .json output with `jq` ``` jq ".entry_points[].apis[].api_name" speakeasy.json | more ``` * * `-o` directs `speakeasy` to save its output using the json format * The script sends the rest of its output to stderr * Load the output into vscode ``` code speakeasy.txt ``` * Look into interesting API calls as that can feed `ghidra` or `x64/32db` analysis later ### Capa * * Capa is not good for packed samples * Capa automatically identifies the specimens capabilities that malware analysts typically want to see * Maps observed capabilities to ATT\&CK and MBC frameworks for additional insight * * ``` capa brbbot.exe | more ``` * use `-vv` with capa for additional insights * will display the name of the corresponding API call and the location in the code that invoked that function * example will see `InternetReadFile` at `0x140001840` --> will be a great place to set a breakpoint as malware often uses that for C2 ### x64/32db * First pay attention to the handle when a sample is loaded into the debugger * ```
``` * Here the current module that is being analyzed is `ntdll.dll`, which is a Windows DLL that has been imported by the malware * This is not code written by the malware author. * We are only interested in analyzing code that has been written by the malware author * Select `Debug --> Run` to get to the `Main()` function of the sample. * Confirm it is the the `Entrypoint` of the malware by examining the thread which should have changed * ```
``` **Step Over/Into** \-
* Understanding `Step Over and Step Into`. * If you reach a `call` instruction you now have to decide if you want to `step over` or `step into` * If you step into you will move to the new function, see the instructions executed and then return back to where you left off * If you step over the function will still execute, you however will not see the instructions executed by that function #### Shortcuts: ``` Run - F9 Run until selection - F4 Pause - F12 Restart - Ctrl+F2 Step Into - F7 Step Over F8 Run to user code - Alt+F9 Go to your current position - Shift + 8 ``` **Commands:** ``` SetBPX ReadFile --> Sets a breakpoint on API Call Readfile bp ReadFile --> Shortcut for above command ``` * Note API calls are case sensitive * `RIP` on x64 is register that contains the address for the current instruction * `EIP` on x86 is the register that contains the address for the current instruction * **Registers** are special locations in the CPU that are very efficient at storing small amounts as data #### Note About Breakpoints in x64/32db * When you set a BP on an API call and execute until selection / Run it will drop you down to the API call * We want to see the code implemented by the developer called `user code` * To accomplish this we want to allow the API call to finish executing and pause once it reaches `user code` * To do this, once you hit your BP click on the `DeBug menu --> run to user code` or `Alt+F9` #### Process Injection * Always look for `VirtualAlloc` as this is where the malware is allocating space for the new process. * When you `Run` and hit the breakpoint ensure you check the `Thread` that is running at the top bar * If the malware is not going to take a `jmp` hit the enter key to force it to `jmp` * Example: you would want it to take the bottom `jmp` * ```
``` * When dealing with `VirtualAlloc` you want to set a `bp` on the ret (end of the function) * When you hit the `bp` on the `ret` value `step into or over` will work * The goal is to get the `EIP` to point to `VirtualAlloc` * By checking the parameters that are being passed after the space in memory has been allocated we can see if the unpacked malware is being stored in these parameters which are highlighted below. * ```
``` * `Right-clicking on [esp+28]` and then selecting `Follow in Dump` will display the contents of this parameter. Using the option `Selected Address` or `Address: ESP+28` will provide the same outcome. * ```
``` * What we are now looking for is the header of an executable file. * Windows is always `4D 5A` in hexadecimal, this is `MZ` in ASCII. ### API Monitor * Allows you to execute a program and "spy" on the API calls made * Can also attach to a running process, but there is a chance you will miss the relevant API calls * * Will display what parameters were passed to the external function and what data was returned by the function ### Cyberchef * Free open source tool to help decode, de-obfuscate, and even decrypt the data you might encounter during an investigation * ### InetSim * InetSim can emulate many protocols from the server side of the connection * Can emulate HTTP, HTTPS, SMTP, FTP, POP3, TFTP, IRC and more * Can tweak the config by editing `/etc/inetsim/inetsim.conf` * InetSim files used by its emulators in `/var/lib/inetsim` * Saved detailed log files in `/var/log/inetsim` * Use it in conjunction with fakedns or enable its built-in DNS emulator by editing `inetsim.conf` * Free copy [https://inetsim.org](https://inetsim.org/) * Post infection look at `/var/log/inetsim/service.log` ### Fidder * Can also observe the client side connection with Fiddler * Proxy-like debugging capabilities are also useful when assessing web applications * If you do not have web services active you can use the autoresponder to generate HTTP HTTPs responses * Fiddlers HTTPS settings must be configured to `Capture HTTPS Connects, Decrypt HTTPS traffic Ignore Server certificate errors` * Access those options from `Tools --> Options` * * Can auto generate responses to HTTP HTTPs requests, to enable you need to go to the `Autoresponder` tab and ebale the checkbox called `Enable rules`