Malware Analysis

Build a Sandbox

Before analyzing malware, it’s recommended to build a sandbox for malware analysis. Below are useful tools for building such an environment.

• FLARE VM

  It is a collection of software installations scripts for Windows systems to maintain a reverse engineering environment on a virtual machine.

• REMnux

  A Linux toolkit for malware analysis.

• ANY.RUN

  An interactive online malware sandbox.

• Hybrid Analysis

  A free online malware analysis.

Get Information About Malware

First off, we get the hash of the malware.

# Linux
md5sum example
sha256sum example

# PowerShell
Get-FileHash -Algorithm MD5 example.exe
Get-FileHash -Algorithm SHA256 example.exe

We can use the hash for finding details of malware, so copy the output hash.

Google Search

We can search the information about malware by searching the hash.

In search form, input the hash value as below.

"47BA62CE119F28A55F90243A4DD8D324"

Now access to websites listed the search result.

VirusTotal

VirusTotal analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community. To search the information about suspicious files, first get the hash in our terminal.

MalwareBazaar in Abuse.ch

MalwareBazaar also analyses suspicious files.

We can input the hash in Browse Database as below.

md5:47BA62CE119F28A55F90243A4DD8D324

Resource Hacker

Resource Hacker is a resource extraction utility and resource compiler for Windows.

By opening a malware file, we can retrieve detail information about the file in “Version Info”.

CAPA

capa detects capabilities in executable files.

capa example.exe
# -vv: All feature match details
capa -vv example.exe

Strings

We can find specific text contained in the malware.

# Linux
strings example | grep "text_here"

# PowerShell
strings example.exe | findstr "text_here"

Reverse Engineering

Ghidra

Ghidra is a reverse engineering software.

PE-bear

PE-bear is a multi-platform reversing tool for PE files.

Analysis Tools

• Pithus

  An open-source mobile threat Intelligence platform.

Softwares

• Process Hacker

  It monitors system resources, debug software and detect malware.

• ProcDOT

  ProcDOT is a visual malware analysis tool. To investigate logs, in Monitoring Logs, open a log file (.csv) in Procmon and open a dump file in WinDump. Then click “Refresh”. Executable files and PID listed.

Programs

• Yara

  The pattern matching swiss knife for malware researchers.

  • Automation Tools

    • Loki

      # Update first, then will add `signature-base` directory
      python ~/Loki/loki.py --update
      
      # Run
      python ~/Loki/loki.py -p ./suspicious_files_dir
      
      # Run & output a log file
      python loki.py -p ./suspicious_files_dir -l log.txt

    • yarGen

      # Update first
      python ~/yarGen/yarGen.py --update
      
      # Generate Yara ruls for specific file
      python ~/yarGen/yarGen.py -m ./suspicious_files_dir --excludegood -o ./suspicious_files_dir/rule.yar
      
      # Check if the file flagged
      yara ./suspicious_files_dir/rule.yar ./suspicious_files_dir/somefile.php
      
      # If flagged, copy this ruls to Loki's signature yara directory
      cp ./suspicious_files_dir/rule.yar ~/Loki/signature-base/yara
      
      # Then run Loki
      # ...

  • Manual

    • Find Files Matches Rules

      yara rule.yar ./somedir
      # Print only number of matches
      yara -c rule.yar ./somedir
      # Print only not satisfied rules 
      yara -n rule.yar ./somedir
      # Print metadata
      yara -m rule.yar ./somedir

    • Create Rules

      Create "rule.yar".

      rule rule_name {
          meta:
              author = "pentester"
              description = "test rule"
              created = "6/20/2022 00:00"
          strings:
              $hello = "Hello"
              $text_file = ".txt"
          condition:
              $hello and $text_file
      }

Attack with Malware

Programs

• Reptile

  LKM Linux rootkit.