Practical Malware Analysis Essentials For Incident Responders

The document discusses techniques for analyzing malware through static and dynamic analysis. Static analysis looks at file properties like hashes and strings to initially assess malware. Dynamic analysis observes how malware interacts with the system by launching monitoring tools and infecting a virtual machine. This reveals processes, network activity, and other indicators of compromise. Interactive analysis allows redirecting network traffic to further observe command and control communications and experiment with malware responses. The goal is to understand malware capabilities and learn details to help detect and respond to threats.

Uploaded by Sourav Debnath

Practical Malware Analysis Essentials for Incident Responders

Knowing how to examine malware helps you determine:

→ Does the file pose a threat to your organization?
→ What are the file's capabilities?
→ How to detect the malware on systems across the enterprise?
→ What does the file reveal about your adversary?


Static Properties Analysis

Look at static properties for an initial assessment:
- Hashes
- Packer identification
- Imports and exports
- Strings, etc.

Start determining as part of triage:
- Is it malware?
- How bad is it?
- How to detect it?

PeStudio extracts static properties and flags anomalies.
The lack of readable strings suggests a packer.
Another packer indicator: very few dependencies (imported libraries and functions).
Static analysis helps with the initial assessment and yields IOCs.
- The file being packed is unusual, but not in itself malicious.
- An indicator of compromise is a context-specific signature.
- We can use the file hash values to look up the file in malware data repositories such as VirusTotal and Hybrid Analysis.

This section covered these tools and concepts:
- PeStudio
- strings
- hash
- packer
- malware data repository
- triage
- IOC
- imports
- VirtualAlloc
Initial Behavior Analysis

Behavior analysis examines environment interactions.
- Execute malware in an isolated Windows lab system.
- Observe how it interacts with the file system, registry, and network.
- Interact with the malware to learn more about it.

It helps to have a Linux box in your lab.
- REMnux is a free Linux distro with lots of preinstalled malware analysis tools: REMnux.org

Mitigate the risks of malware escaping from your lab.
- Avoid production network connectivity.
- Dedicate a physical host to the lab.
- Restore the host if anything suspicious occurs.
- Keep up with patches to virtualization software.

Launch monitoring tools in the lab, then infect the Windows system.
- Process Hacker: observes running processes.
- Process Monitor: records local system interactions.
- Wireshark: records network activities.

The monitoring tools will start capturing the activities.
Infect the Windows box while the monitoring tools are active.
- Interact with the infected system a bit by launching programs and typing.
- Let the specimen run for at least 3-5 minutes, to give it a chance to act. Then kill the malicious process.
- Pause the monitoring tools when you're ready to begin examining the activities.
Process Hacker shows how the suspicious process runs.
Process Hacker can extract strings from the memory of the suspicious process.
Process Hacker also shows handles, including mutex names, which can serve as IOCs and infection markers.
Wireshark shows an attempt to connect to an external IP address on TCP port 80.
- The lab is isolated and has no active services yet, so the connection is not established.

Your analysis so far provides several IOCs.
- Hostname: total-updates.com
- IP address: 81.4.111.176
- Mutex: NUNDSA8301NSKAL
- URI: /scandisk/diskpart.php
- File: C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe

You can pivot around these data points to gather OSINT.
The attributes you discover can lead you to other people's analysis.

ProcDOT cleans up and visualizes Process Monitor data.
ProcDOT explains how the javaw.exe process appeared.
ProcDOT also shows that javaw.exe created and read an unusual file and defined an autostart registry key.
- Further analysis would indicate that the sskrnl file is encoded or encrypted.

What have you learned about the specimen so far?
- Copies itself to %APPDATA%\OracleJava\javaw.exe and runs from that location.
- Creates registry keys for persistence.
- Connects to 81.4.111.176.
- Creates an encoded "sskrnl" file.
- Other IOCs and theories.
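ProcDOT builds its picture from a Process Monitor export, and the same facts (the dropped copy, the child process, the autostart value, the outbound connection) can be pulled out of that export directly. The block below is an added example, not the slides' or ProcDOT's code. It assumes Process Monitor's default CSV column names; the log lines are constructed to resemble the behaviour described above (the Run value name, PIDs, timestamps and port formatting are invented, while the file path and the IP address are the ones the slides list).

```python
"""Triage a Process Monitor CSV export: process tree, drops, persistence, network.

Added example, not from the original slides. Assumes Procmon's default CSV columns:
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_PROCMON_CSV is constructed; it is not a real capture.
"""
import csv
import io
import re

SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","specimen.exe","1204","CreateFile","C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","specimen.exe","1204","WriteFile","C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:01:02.9","specimen.exe","1204","Process Create","C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe","SUCCESS","PID: 1388, Command line: C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe"
"10:01:03.4","javaw.exe","1388","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OracleJava","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\REM\AppData\Roaming\OracleJava\javaw.exe"
"10:01:04.0","javaw.exe","1388","CreateFile","C:\Users\REM\AppData\Roaming\OracleJava\sskrnl","SUCCESS","Desired Access: Generic Write"
"10:01:04.1","javaw.exe","1388","WriteFile","C:\Users\REM\AppData\Roaming\OracleJava\sskrnl","SUCCESS","Offset: 0, Length: 2,048"
"10:01:04.5","javaw.exe","1388","ReadFile","C:\Users\REM\AppData\Roaming\OracleJava\sskrnl","SUCCESS","Offset: 0, Length: 2,048"
"10:01:05.0","javaw.exe","1388","TCP Connect","REM-PC:49312 -> 81.4.111.176:80","SUCCESS","Length: 0"
"10:01:05.2","explorer.exe","812","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Users\REM\AppData\Local\OneDrive.exe"
'''

# Registry paths commonly used for autostart; non-exhaustive, extend for your environment.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\|\\CurrentVersion\\Winlogon\\", re.I
)
NETWORK_OPS = {"TCP Connect", "UDP Send"}


def parse_procmon_csv(text: str) -> list:
    """Rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def pids_of_interest(events: list, root_name: str) -> set:
    """PIDs of the root process plus every process it creates, transitively."""
    pids = {e["PID"] for e in events if e["Process Name"].lower() == root_name.lower()}
    changed = True
    while changed:  # re-scan until no new children turn up
        changed = False
        for e in events:
            if e["Operation"] == "Process Create" and e["PID"] in pids:
                m = re.search(r"PID:\s*(\d+)", e["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def extract_indicators(events: list, root_name: str) -> dict:
    """Successful events attributable to the specimen's process tree, grouped by indicator type."""
    pids = pids_of_interest(events, root_name)
    ind = {"pids": sorted(pids), "children": [], "dropped_files": [],
           "autostart_keys": [], "network": []}
    for e in events:
        if e["PID"] not in pids or e["Result"] != "SUCCESS":
            continue  # noise from other processes (explorer.exe above) is skipped
        op, path = e["Operation"], e["Path"]
        if op == "Process Create":
            ind["children"].append(path)
        elif op == "WriteFile" and path not in ind["dropped_files"]:
            ind["dropped_files"].append(path)
        elif op == "RegSetValue" and AUTOSTART_RE.search(path):
            ind["autostart_keys"].append(path)
        elif op in NETWORK_OPS:
            remote = path.split("->")[-1].strip()
            if remote not in ind["network"]:
                ind["network"].append(remote)
    return ind


if __name__ == "__main__":
    for key, value in extract_indicators(parse_procmon_csv(SAMPLE_PROCMON_CSV), "specimen.exe").items():
        print(f"{key}: {value}")
```

Following the process tree by PID rather than by image name matters here: the specimen's copy runs as javaw.exe, so name-based filtering would either miss the child or sweep in a legitimate Java process.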
Interactive Network Analysis

Give the specimen what it wants by redirecting the port 80 connection to a web server in your lab.
- What will happen if the specimen can connect to its web server?
- You can use iptables on Linux to intercept and redirect all internal traffic in your lab.
- The web server on that system will then accept the connection.

Launch the web server and run accept-all-ips on REMnux, start sniffing in Wireshark, then re-infect.
The specimen initiates the HTTP connection about a minute after launching.
- The specimen exfiltrates some data and reveals additional IOCs.

Now, Wireshark also displays an attempt to resolve the hostname total-updates.com.
Use fakedns on REMnux to redirect the query, re-infect, and observe the total-updates.com details in Wireshark.
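What fakedns does for the lab is answer every A query with the address of the REMnux box, so the specimen's DNS lookup resolves to the web server you control. The block below is an added example of that exchange, written with the standard library; it is not fakedns itself or code from the slides. The lab address 10.0.0.2 is an assumption, and the query packet is constructed inside the block so the round trip can be checked offline.

```python
"""Minimal fakedns-style responder: answer any A query with the lab web server's IP.

Added example, not fakedns or code from the slides. LAB_IP is an assumed address for
the REMnux host; serve() binds UDP/53 and needs root, the other functions do not.
"""
import socket
import struct

LAB_IP = "10.0.0.2"  # assumption: REMnux host running the lab web server


def parse_qname(packet: bytes, offset: int = 12):
    """Decode a label sequence; returns (dotted name, offset just past the terminator)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer; never expected in a query
            raise ValueError("compressed name in question")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_query(packet: bytes) -> dict:
    """Header plus the single question; rejects responses and multi-question packets."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(packet)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": packet[12:end + 4]}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed client query (RD set), used here to exercise the responder."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_response(packet: bytes, answer_ip: str = LAB_IP, ttl: int = 60) -> bytes:
    """Echo the question and append one A record; non-A queries get an empty NOERROR answer."""
    q = parse_query(packet)
    is_a = q["qtype"] == 1 and q["qclass"] == 1
    # flags 0x8180: QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1 if is_a else 0, 0, 0)
    if not is_a:
        return header + q["question"]
    # 0xC00C is a pointer back to the name at offset 12; TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + q["question"] + answer


def parse_answer(response: bytes):
    """Decode the first A record of a response; returns (queried name, dotted IP)."""
    name, end = parse_qname(response)
    off = end + 4  # skip QTYPE/QCLASS of the echoed question
    ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    if ptr != 0xC00C or rtype != 1 or rdlen != 4:
        raise ValueError("unexpected answer layout")
    return name, socket.inet_ntoa(response[off + 12:off + 16])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Blocking UDP loop: log each lookup (they are IOCs) and answer with LAB_IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, addr = sock.recvfrom(512)
            try:
                q = parse_query(data)
                print(f"{addr[0]} asked for {q['name']} (type {q['qtype']}) -> {LAB_IP}")
                sock.sendto(build_response(data), addr)
            except (ValueError, IndexError, struct.error) as exc:
                print(f"ignored malformed packet from {addr[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

The logged names are themselves evidence: a responder like this records every hostname the specimen tries to resolve, including ones that never showed up in static strings.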
You could experiment with sending C2 commands to the specimen.
- The attacker probably specifies the command in the HTTP response.
- The string "download and run", which you saw in the memory of the specimen's process, looks like a possible command.
- The attacker would likely specify the URL together with this command to specify what the malware should download and run.

You can use INetSim to supply the specimen with a runnable Windows executable to test your theory.
- Include the C2 instruction in the file INetSim will supply for default HTTP requests, directing the specimen to get an INetSim executable.

What have you discovered about the specimen using interactive network analysis?
- Confirmed that port 80 connections are HTTP.
- Confirmed the use of total-updates.com and /scandisk/diskpart.php.
- Spotted data exfiltration (username, computer name, other).
- Experimented with the C2 mechanism and partially validated a hypothesis regarding the "download and run" command.

Malware analysis skills contribute to incident response.
- Assess the threat level associated with adversaries' tools.
- Gather valuable data for threat hunting activities.
- Obtain details specific to your organization without relying on someone else's findings.
