Malware Analysis

Summary

In this project, I delved into the foundational aspects of malware analysis, with a focus on the processes adopted by incident response teams.

I then reverse engineered multiple file types, analyzing native executables such as EXE and DLL alongside commonly abused formats like PowerShell scripts, JavaScript web shells, and Office documents. Although the work is primarily rooted in Windows, the principles transfer to other operating systems.

It is worth noting that the samples used for this analysis replicated authentic malware behaviour. They were non-destructive and purely instructional, but they were still examined in an isolated lab environment.

NOTE: this blog page is still under construction.

Key features

  1. Static properties analysis: inspected the malware without executing its code, gathering information such as file hashes, file type, and interesting strings – properties that offer early insight into the malware's likely behaviour.
  2. Dynamic analysis: ran the malware in a controlled environment to confirm the behaviours suspected from static analysis.
  3. Manual code reversing: used disassemblers and decompilers to inspect the sample's structure, functions, and logic.

Technologies used

For the most part, this hands-on lab relied on a range of tools provided by Flare-VM.

For static analysis:

  • HashCalc
  • Detect It Easy
  • Strings
  • PE-Bear

For dynamic analysis:

  • RegShot
  • Process Monitor
  • Wireshark
  • Fiddler
  • Autoruns

For manual code reversing:

  • x64dbg
  • IDA Pro
  • Ghidra

Preparation steps

Intro...

1) Configuring VM resources

  • Setting up a Windows VM
  • Setting up a REMnux VM

2) Installing necessary tools

  • Flare-VM
  • Guest tools
  • Microsoft Office
  • Adobe Acrobat Reader
  • Java Runtime Environment

Demo

Below are the steps taken in a series of exercises exploring different malware analysis techniques.

Static Analysis

Dynamic Analysis

Manual code Reversing

PowerShell scripts

JavaScripts

Macro-enabled documents

ELF file format

ASPX Webshell

JAR file

Conclusion

This series of tasks shows that malware analysis is a time-consuming and skill-intensive discipline. It requires a deep understanding of programming, assembly language, operating systems, and software architecture. In return, it offers the most in-depth insight into a malware sample, making it an invaluable technique in the analyst's toolkit.