eCMAP – Introduction to Malware Analysis – Part 1

• Hoxed
• 25 February 2024
• No Comments

My notes and summary regarding eCMAP certification – part1.

• Edmond Locard’s Exchange Principle “the perpetrator of a crime will bring something to the crime scene and will leave with something from it”

 

Malware: stands for Malicious Software, and it is any software used for malicious intents. the term is just an umbrella for malicious code or software.

 

Malware have one thing in common which is malicious activities, but each malware has a different goal: such as:

• Disrupting host system operations

• Stealing critical info

Getting unauthorized access

Espionage

Sending Spam

DDOS using the host system

paying ransom to attacker

 

Malware Analysis: it is the art of dissecting malware with objective of answering 3 main questions:

• How does it work
• How can we detect it
• How can we defeat it and eliminate the threat it creates.

 

Malware Analysis is an art because each analyst dissects malware differently.

 

Malware analysis is important because of many reasons:

• It allows us to know the nature of the malware and its goals
• What behavior and damage it causes
• How to detect such malware in system or in network communications
• what vulns it exploits
• who is the threat actor
• how to eliminate the threat

 

In this course, we will examine only unmanaged code mostly Windows EXE written in C or C++

 

Difference between Malware Analysis and Reverse Engineering?

Malware Analysis can include Reverse Engineering, but it does not mean that we cannot analyze malware without it. On the other hand, reverse engineering is the art of dissecting a product to discover how it is made (blueprint).

 

Basic Tools Can we use in malware analysis: (tools change, concept stay)

• File Format Analyzer
• System and Network Monitoring Tools
• Debugger and Disassembler
• Small gadgets: data converters, decrypters, editors, registry tools
• Virtualization environment to create contained env
• Good IDE in case of writing code

 

After finishing analyzing the malware, we can write a signature to detect same or similar malware samples running on different systems – those signatures we called Indicators of Compromise (IOC)

 

Types of Malware:

• Virus: Malware infects its target with help of use to copy and spread to other computers.
• Worm: similar to virus, but it spreads without user’s help
• Scareware: malware that uses social engineering skills to trick user downloading unwanted software or rogue security software which pretends to be Anti-virus
• Ransomware: Lock the system or encrypting user’s sensitive information and asks for money to decrypt/unlock
• Botnets: Group of systems infected with the same malware and those systems controlled by Command & Control server (C&C), usually used for DDOS, sending spam emails, etc.
• Trojan Horse: software acts as normal one, but it has malicious code with it. the user is tricked into installing it into the system.
• Spyware: spying malware used to eavesdrop and gathering info or damaging the host.
• Rootkit: malware hides its existence. Usually paired other malware to peroform malicious activities while evading detection
• Keyloggers: malware record everything you type on keyboard then send it to the attacker
• Logic Bomb: a code that stays dormant until it is triggered by some conditions that are met
• Backdoor/RAT: opens a port and establish a remote connection with the attacker to give access to attacker whenever he wants. Modularity in this type of malware where attackers adds more functionality to malware as needed
• Information Stealer: stealing information from the target to use in other attacks.
• Downloader: Type of malware that is paired with another malware to download and install the rest of malware or another component of it.
• Dropper: malware that has another malware executable embedded inside it
• Adware: malware gives unwanted ads to users

 

Malware Analysis Techniques:

Difference between Static and Dynamic Analysis:

• Static Analysis: dissecting the malware without running it. It can be divided into:

• • Basic: understanding file, file structure, functions being used, etc.

• • Advanced: understanding the malware based on low-level instructions being used – malware usually disassembled here.

• Dynamic Analysis: dissecting the malware by running it and monitoring its behavior. can be divided into:

• • Basic: running malware in contained env that has tools and monitor the behavior based on tools’ outputs

• • Advanced: if basic is not giving much, analyst has to run the malware using debugger so analyst has more control in its execution.

 

The final goal of MA is to provide answers to the three core questions mentioned above, we are not required to do any further steps that will not help answering those questions and wasting time, money, and effort.

 

Malware Samples:

Some links to get malware sample:

Free Resources:

• Thezoo resources: https://github.com/ytisf/theZoo, https://thezoo.morirt.com/
• https://www.malware-traffic-analysis.net/
• https://github.com/fabrimagic72/malware-samples
• http://www.tekdefense.com/downloads/malware-samples/
• https://awesomeopensource.com/project/InQuest/malware-samples
• https://contagiodump.blogspot.com/

Free, but needs registration or sample made available for public:

• https://virusshare.com/
• https://bazaar.abuse.ch/
• https://malshare.com/
• https://app.any.run/

• https://www.hybrid-analysis.com/

Commercial resources:

• https://app.any.run/
• https://www.hybrid-analysis.com/
• https://www.virustotal.com/gui/

 

Researchers who share their MA work online, usually put a link for the sample they analyzed. That is extra resource.

 

Acquisition Tools:

Tools could be categorized into:

Disk Imaging tools

Belkasoft Acquisition Tool: acquiring hard drives, mobiles, memory, cloud

Magnet Acquire: acquiring iOS, Android, and hard drives.

FTK Imager: acquiring hard drives and memory

Memory Acquisition tools

Dumpit: – for Windows

Memdump:

Belkasoft Ram Capturer, creates a memory dump with low footprint, it can work even if memory is protected by anti-debugging or anti-dumping tool, it includes 32 and 64 bit kernel drives, so it can run in privileged kernel mode

Magnet RAM Capture

Other tools:

KAPE (Kroll Artifact Parser and Extractor): high configurable triage program. It can collect files and process them with one or more programs. It also can show volume shadow copies. KAPE can read config files on the fly and based on their content, it collects and processes relevant files.

Rawcopy: cli tool used to copy files off NTFS volume by using low level disk reading method.

https://github.com/jschicht/RawCopy

EDR tools (have capability of extractions too)

GRR: framework for incident response focuses on remote live analysis

Osquery: Used to record network connections and process execution. it represents OS as a relational DB, where SQL tables define abstract concepts such as open network connections, running processes, etc.

Osquery is a cross-platoform

Osqueryd: is a daemon for distributed host monitoring with low footprint

Osqueryi: is an interactive console for SQL query

Velociraptor: unique open-source endpoint monitoring and digital forensics platform

used in IR and threat hunting of different OS in enterprise level.

can be used in real time threat hunting. It was generated from GRR.

It can collect data from known Windows artifacts such as event logs, prefetch, and registry.