My notes and summary regarding the eCMAP certification, part 1.
Malware: stands for Malicious Software, and it is any software used for malicious intent. The term is just an umbrella for malicious code or software.
All malware has one thing in common, malicious activity, but each piece of malware has a different goal, such as:
Malware Analysis: it is the art of dissecting malware with the objective of answering 3 main questions:
Malware analysis is an art because each analyst dissects malware differently.
Malware analysis is important for many reasons:
In this course, we will examine only unmanaged code, mostly Windows EXEs written in C or C++.
Difference between Malware Analysis and Reverse Engineering?
Malware analysis can include reverse engineering, but that does not mean we cannot analyze malware without it. Reverse engineering, on the other hand, is the art of dissecting a product to discover how it is made (its blueprint).
Basic tools we can use in malware analysis (tools change, concepts stay):
After we finish analyzing the malware, we can write a signature to detect the same or similar malware samples running on different systems. Those signatures are called Indicators of Compromise (IOCs).
Types of Malware:
Malware Analysis Techniques:
Difference between Static and Dynamic Analysis:
The final goal of MA is to provide answers to the three core questions mentioned above; we are not required to do any further steps that will not help answer those questions and would only waste time, money, and effort.
Malware Samples:
Some links to get malware sample:
Free Resources:
Free, but needs registration or sample made available for public:
Commercial resources:
Researchers who share their MA work online usually include a link to the sample they analyzed. That is an extra resource.
Acquisition Tools:
Tools could be categorized into:
Disk Imaging tools
Belkasoft Acquisition Tool: acquires hard drives, mobile devices, memory, and cloud data.
Magnet Acquire: acquires iOS and Android devices, and hard drives.
FTK Imager: acquires hard drives and memory.
Memory Acquisition tools
DumpIt: for Windows
Memdump:
Belkasoft RAM Capturer: creates a memory dump with a low footprint. It can work even if memory is protected by an anti-debugging or anti-dumping tool, and it includes 32- and 64-bit kernel drivers, so it can run in privileged kernel mode.
Magnet RAM Capture
Other tools:
KAPE (Kroll Artifact Parser and Extractor): a highly configurable triage program. It can collect files and process them with one or more programs, and it can also show volume shadow copies. KAPE reads config files on the fly and, based on their content, collects and processes the relevant files.
RawCopy: a CLI tool used to copy files off an NTFS volume using a low-level disk reading method.
https://github.com/jschicht/RawCopy
EDR tools (which have extraction capabilities too):
GRR: an incident response framework focused on remote live analysis.
Osquery: used to record network connections and process execution. It represents the OS as a relational DB, where SQL tables define abstract concepts such as open network connections, running processes, etc.
Osquery is cross-platform.
osqueryd: a daemon for distributed host monitoring with a low footprint.
osqueryi: an interactive console for SQL queries.
Velociraptor: a unique open-source endpoint monitoring and digital forensics platform.
It is used in IR and threat hunting across different OSes at the enterprise level.
It can be used in real-time threat hunting. It originated from GRR.
It can collect data from known Windows artifacts such as event logs, prefetch, and the registry.
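A few osqueryi queries showing the "OS as a relational DB" idea in practice for IR triage, added here as an example and not part of the original notes or the osquery project. Table and column names follow the standard osquery schema; the path patterns and process names in the WHERE clauses are assumptions to adapt to your environment.

```sql
-- Added example: osqueryi triage queries (assumed to run on a host where
-- osquery is installed; tables: processes, process_open_sockets,
-- listening_ports, users, hash).

-- 1. Every process with a non-local remote connection, the user it runs as,
--    and the SHA-256 of its binary. This is the data you compare against the
--    IOCs written after analysing a sample.
SELECT
  p.pid, p.name, p.path, p.cmdline,
  u.username,
  s.local_address, s.local_port,
  s.remote_address, s.remote_port,
  h.sha256
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN hash  AS h ON h.path = p.path
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY p.pid;

-- 2. Listening ports whose owning binary lives in a user-writable location
--    (constructed patterns; adjust per OS and policy).
SELECT l.port, l.protocol, l.address, p.pid, p.name, p.path
FROM listening_ports AS l
JOIN processes AS p USING (pid)
WHERE l.port != 0
  AND (p.path LIKE '%\Users\%' OR p.path LIKE '/tmp/%' OR p.path LIKE '/home/%');

-- 3. Parent/child view: shells whose parent is not one of the usual launchers
--    (constructed allow-list; extend it for your baseline).
SELECT c.pid, c.name AS child, c.cmdline,
       pp.pid AS ppid, pp.name AS parent, pp.path AS parent_path
FROM processes AS c
JOIN processes AS pp ON pp.pid = c.parent
WHERE c.name IN ('cmd.exe', 'powershell.exe', 'sh', 'bash')
  AND pp.name NOT IN ('explorer.exe', 'services.exe', 'sshd', 'login');
```

The same statements can be scheduled in osqueryd's configuration so the results are logged continuously instead of queried interactively.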