Malware Analysis

This document discusses analyzing malware through static and dynamic analysis. Static analysis techniques include scanning files with antivirus software, analyzing file headers and strings, and searching for known packers or obfuscation. Dynamic analysis involves running malware in a sandboxed environment and monitoring processes, files, registry, and network activity to observe the malware's behavior. Process monitoring, file monitoring, registry monitoring, and network packet capture tools help analyze the malware's interactions and effects.

Uploaded by Josue Ouattara


Malware Basics: Static and Dynamic Analysis

Intro

What is Malware?
- Malware is a malicious program or piece of software that is inserted into
a system with the intention of compromising the CIA triad (Confidentiality,
Integrity, Availability).

Types of Malware:
- Virus: malicious code inserted into a program or data file (it needs a
host file to spread).
- Trojan: disguised as a legitimate file but is something else; the
attacker embeds malicious code in a legitimate-looking file.
- Worm: self-replicating program that spreads over the network on its own.
- Backdoor: opens a channel for C&C (command and control) instructions,
e.g. a RAT (remote access tool/trojan).
- Ransomware: malicious program that encrypts the victim's files and
demands payment to decrypt them.
- APT (Advanced Persistent Threat): a well-resourced, often state-sponsored
group; its malware is built to remain undetected for an extended period.

EX:
- Rootkits: designed to hide the existence of certain processes (and files,
drivers, connections) from normal methods of detection, in order to enable
continued access to a computer. EX: Flame, Stuxnet
- Bootkits: rootkit + boot. Rootkits whose first point of control is the
boot process, so the malicious code is executed before the OS itself boots.
- PUPs (Potentially Unwanted Programs): programs that do nothing useful,
usually bundled with other, useful software.
- PUPs are not strictly malware because you agreed to install them.
_________________________________________________

Steps for malware analysis:

Analysis is divided into two techniques, static and dynamic. Simply put,
static analysis means finding out what a malware sample is without
running it; dynamic analysis means running the malware and observing
its behavior.

___________________________________________
Note: to do dynamic analysis you need a safe, isolated environment in
which to run the malware, so that your own device is not infected.
So we set up a VM to act as a sandbox (take a snapshot before each run,
and keep it off the host network unless traffic is deliberately captured).

Basic Static analysis

To do static analysis you follow these steps:

1. Anti-virus scanning
2. Hash scanning
3. Extract strings
4. Analyze PE header
5. Detect packers

_____________________

1. Anti-virus Scanning
- Antivirus detects based on signatures, heuristics, behavior or ML
- Antivirus action: quarantine or delete
- Scanning can be offline (install any vendor's AV) or online, e.g. by
searching the sample's hash on VirusTotal (uploading the file itself
makes it visible to third parties, so prefer a hash lookup first).

2. Hash Scanning

- Hash: converts data of any length into a fixed-length value.
EX: MD5, SHA-256
- With the hash you can search for the file's reputation (VirusTotal,
vendor databases) without sharing the file
- To generate hashes use a hash tool such as QuickHash, or PEstudio
3. Extract Strings

- Extract strings from the file without running it, searching for file
names, URLs, IPs, commands and embedded files.
- Strings come in two types: ASCII and Unicode (UTF-16LE on Windows)

- We can extract them with many tools such as strings.exe (Sysinternals),
FLOSS (which also decodes obfuscated strings) and PEstudio
- In PEstudio, drag and drop the file.

- Click the strings tab to look at all strings

- You can also use a hex editor such as HxD to look at strings in context
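Steps 2 and 3 in one script, as an added example that is not part of the original notes: it computes the digests you would look up on VirusTotal, pulls ASCII and UTF-16LE strings the way strings.exe/FLOSS do, and sorts them into URL / IP / path / command buckets. The SAMPLE bytes are a constructed stand-in for a file (not real malware), and the indicator regexes are my own choices for the example, not any tool's.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a suspicious file: an MZ stub, an ASCII URL, a
# UTF-16LE path, some binary noise and a command line. Made-up test data,
# not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.invalid/update.php\x00\x00"
    + "C:\\Users\\victim\\config.dat".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(0, 256, 7)) * 3
    + b"cmd.exe /c del %TEMP%\\a.tmp\x00"
)

# Assumed indicator patterns (chosen for this example, not taken from a tool).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "path": re.compile(r"\b[A-Za-z]:\\[^\s\"'<>]+"),
    "command": re.compile(r"\b(?:cmd\.exe|powershell|rundll32|regsvr32|schtasks|vssadmin)\b", re.I),
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """Step 2: digests to look up on VirusTotal or a vendor database
    instead of uploading the file itself."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> Tuple[List[str], List[str]]:
    """Step 3: printable ASCII runs and UTF-16LE ('Unicode') runs of at
    least min_len characters, the same two classes strings.exe reports."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.decode("ascii") for m in ascii_re.findall(data)]
    wide_strings = [m.decode("utf-16-le") for m in wide_re.findall(data)]
    return ascii_strings, wide_strings


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings into the indicator types worth a second look."""
    hits: Dict[str, List[str]] = {kind: [] for kind in INDICATOR_PATTERNS}
    for s in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(s):
                hits[kind].append(s)
    return hits


def triage(data: bytes, min_len: int = 4) -> dict:
    """Hashes plus string counts and indicators for one file image."""
    ascii_strings, wide_strings = extract_strings(data, min_len)
    return {
        "hashes": file_hashes(data),
        "ascii_count": len(ascii_strings),
        "unicode_count": len(wide_strings),
        "indicators": classify_strings(ascii_strings + wide_strings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for algo, digest in report["hashes"].items():
        print(f"{algo}: {digest}")
    print(f"{report['ascii_count']} ASCII and {report['unicode_count']} Unicode strings")
    for kind, values in report["indicators"].items():
        for value in values:
            print(f"  [{kind}] {value}")
```

The noise bytes in SAMPLE produce a few junk "strings" too, which is exactly what you see on a real binary: a short minimum length finds more indicators but also more garbage, so start at 4 and raise it if the list is unreadable. Run it on a real file with `triage(open(path, "rb").read())`.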
4. Analyze PE header
- PE (Portable Executable) is the file format of Windows executables: a data
structure that contains the information the Windows loader needs to map
and run the executable code.

- Most Windows malware arrives as a PE file (.exe, .dll, .sys)

- Basic structure of a PE file:

- DOS MZ header: 64 bytes. Its last field (e_lfanew, at offset 0x3C)
holds the file offset of the PE header
- DOS stub
- PE header (NT headers): signature, file header and optional header
describing how the file is loaded and where execution starts
- Section table and sections

- PE header contains:
- Signature: "PE\0\0" -> 50 45 00 00
- File header: number of sections, time stamp (compile time, which can
be faked), characteristics (EXE vs DLL, 32- or 64-bit)
- Optional header: address of entry point, image base, size of image
- We can analyze the PE header with
PEstudio:
open PEstudio -> drop your file
look at the DOS header to find e_lfanew (the end of the DOS header)
the Optional header contains the Address of entry point
->(normal PE.txt)
look at the section headers and the Data Directory
- Data Directory:
an array of 16 entries; the two most important for analysis are the
import table and the export table
● Import table: contains the functions the malware imports from
Windows libraries (the imports tell you what the sample is able to do)
● Common libraries:
● user32.dll -> user interface components
● gdi32.dll -> display and manipulate graphics
● wsock32.dll / ws2_32.dll -> high and low level networking
functions
● Export table: functions a DLL exports

________________
Note: naming conventions for Windows API functions:
name ending with A -> ASCII string version (e.g. CreateFileA)
name ending with W -> wide-char (Unicode) string version (e.g. CreateFileW)
name ending with Ex -> extended/updated version of the function

_____________________
- PE sections: hold the executable code, data and resources that the
headers describe.

- Every section has a unique name:

- .text: contains the executable code
- .data: stores global data accessed throughout the program
- .rsrc: stores resources (icons, dialogs, embedded files) or anything else
5. Packed and obfuscated malware:
● Packed malware: the real payload is compressed or encrypted inside a
small loader stub that unpacks it in memory at run time
● Note: packed malware shows few readable strings and high-entropy sections
● Tools to identify a packed file and the packer used:
■ PEiD
■ Exeinfo PE
■ DIE (Detect It Easy)
● Then search for a tool to unpack it, such as RL!depacker or AspackDie
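Steps 4 and 5 in one script, as an added example that is not from the original notes: it follows e_lfanew from the DOS header to the "PE\0\0" signature, reads the file header, the optional header (entry point, image base, size of image) and the section table, and then applies the same packer heuristics PEiD/DIE use: which section holds the entry point, per-section entropy, and packer-style section names. Because real samples cannot ship on the page, build_sample_pe() constructs a minimal 32-bit PE with an assumed "UPX1"-named high-entropy section that will not actually run.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe() -> bytes:
    """Constructed PE32 image: a plain .text section plus a high-entropy section
    (named UPX1 by assumption) that owns the entry point, i.e. a packed layout."""
    text_data = b"\x55\x8b\xec\xc3" * 1024          # 4 KiB, entropy exactly 2.0
    packed_data = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                           for i in range(128))     # 4 KiB of pseudo-random bytes
    sections = [  # (name, virtual address, raw bytes, characteristics)
        (b".text", 0x1000, text_data, 0x60000020),   # CODE | EXECUTE | READ
        (b"UPX1", 0x2000, packed_data, 0xE0000040),  # DATA | EXECUTE | READ | WRITE
    ]
    size_of_headers = 0x200
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F5E1000, 0, 0, 224, 0x0102)
    optional = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, len(text_data), len(packed_data), 0,
                           0x2010, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # entry 0x2010
    optional += struct.pack("<HHHHHHI", 6, 0, 0, 0, 6, 0, 0)
    optional += struct.pack("<IIIHH", 0x3000, size_of_headers, 0, 3, 0x8140)
    optional += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    optional += b"\x00" * 128                        # 16 empty data directories
    raw_ptr, section_table, body = size_of_headers, b"", b""
    for name, va, data, chars in sections:
        section_table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data),
                                     raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    headers = dos_header + b"PE\x00\x00" + file_header + optional + section_table
    return headers.ljust(size_of_headers, b"\x00") + body


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> file/optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE\\0\\0 signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                               # optional header follows the 20-byte file header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                              # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    sections, table = [], opt + opt_size
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         sec_chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3),
                         "executable": bool(sec_chars & 0x20000000)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    indicators = []
    if entry_section not in (".text", "CODE"):
        indicators.append(f"entry point {entry:#x} lies in section {entry_section!r}, not .text")
    for s in sections:
        if s["entropy"] > 7.0:
            indicators.append(f"section {s['name']} has entropy {s['entropy']} (compressed/encrypted?)")
        if s["name"].upper().startswith("UPX"):
            indicators.append(f"section name {s['name']} matches a known packer")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            indicators.append(f"section {s['name']} has no raw data but {s['vsize']:#x} virtual bytes")
    return {"machine": machine, "num_sections": nsec, "is_dll": bool(chars & 0x2000),
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "entry_point": entry, "image_base": image_base, "size_of_image": size_of_image,
            "entry_section": entry_section, "sections": sections, "indicators": indicators}


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at a real file with `parse_pe(open(path, "rb").read())`. The indicators are heuristics, not proof: a legitimately signed installer also carries a high-entropy section, and a malware author can rename sections, so treat the output as what PEstudio's Indicators tab is, a list of things to check next.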
______________________

Note: when using PEstudio, look at the Indicators section to see
why PEstudio suspects this file is malware.
Basic Dynamic analysis

Dynamic analysis has two techniques:

I. Monitoring the malware's interaction with the environment:
1. Process
2. File system
3. Registry
4. Network
II. Examining the system after the malware has executed
__________________________________

To do dynamic analysis we need a sandbox

We can use an online sandbox like any.run or an offline sandbox like
Cuckoo Sandbox
But sandboxes have disadvantages:
● Sandbox evasion techniques: the malware checks the number of desktop
icons, system uptime, mouse interaction or VM artifacts, and stays
dormant if it thinks it is being analyzed
● Delayed execution: a common technique in which the malware sleeps
past the sandbox's analysis timeout before doing anything malicious

_____________________________

Note:
we can run a malicious file by double-clicking it if it is an .exe, but how
do we run a non-.exe file?
First check its type and its exported functions with PEstudio or CFF Explorer
Then, if it is a .dll, open CMD and run it with rundll32, naming the export
(or its ordinal) you want to call:
rundll32.exe <file.dll>,<ExportedFunction>
rundll32.exe <file.dll>,#1
1.Process monitoring

➔ The simplest way to see process activity is to open Task Manager
➔ But the more useful method is Process Hacker / Process Explorer
A useful option in Process Explorer is Verify Image Signatures, which
helps spot whether a process image is signed by a known publisher (an
unsigned or oddly named process is a red flag; a valid signature alone
does not prove a process is clean)

_____________________________
- Malware configured to run during system boot or at login (persistence)
- To detect such malware we use the Autoruns tool
- Startup entries can live in the Startup folder, the Registry (Run/RunOnce
keys, services) and other locations such as scheduled tasks
- Autoruns scans all of them to detect it

-Red: suspicious (unsigned / no publisher) -Yellow: file not found -White: not suspicious


__________________________

- Windows API
A set of functions documented by Microsoft that allows software to
interact with the operating system
- Malware writers use the Windows API, and we use the Process Monitor
(ProcMon) tool to see the resulting activity
- When you run Process Monitor, reduce background noise (e.g. SearchIndexer,
Explorer.exe, svchost.exe) with exclude filters
- We can add filters to focus on each process of interest (Process Name is
the sample, or Parent PID is the sample's PID)
- ProcMon groups its events into classes (process, file system, registry,
network, profiling); toggle the classes you need

______________________________
Note: to visualize the (process / file system / registry / network) activity
we can use the ProcDOT tool.
- install ProcDOT
- install Graphviz (dot.exe) and point ProcDOT at it
- save all events from ProcMon as .csv, without the Sequence Number column
and with the Thread ID column included
- then choose the launcher process
2. File System activity

Why does malware access the file system?

- Read:
- read its own config file
- read and steal the user's data and machine information

- Write:
- write its config file
- encrypt files (ransomware)

- Delete:
- delete the user's files or delete itself
- delete the original file after encryption (ransomware)

We can detect all this activity using ProcMon,
or NirSoft's FileActivityWatch,
or NirSoft's FolderChangesView

Note: some malware or ransomware closes ProcMon after launch, but you can
bypass this by renaming the ProcMon executable
3. Registry Changes

Registry: a collection of databases of configuration settings for the
operating system

- The malware could read about:
- the OS
- the user
- the language
- PC uptime
- installed programs
- enabled services
- enabled/disabled Windows options

- The malware could write:
- its configuration
- enable/disable some options
- enable/disable some services
- a Run key or other autostart entry (persistence)

To monitor registry changes we use:
- ProcMon
- Regshot (snapshot before and after, then compare)
- NirSoft's RegistryChangesView
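The ProcMon filtering described under the Windows API note, the file-system section and the registry section, as one added example that is not part of the original notes: it reads a ProcMon CSV export, drops the usual noise processes, and flags the events an analyst would pull out by hand (a RegSetValue under an autostart key, a child process, an outbound connection, a delete, a write into the user profile). PROCMON_CSV is a constructed export with made-up events, and "sample.exe" is an assumed name for the sample under test; the noise list and key list are my choices, not ProcMon's.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed ProcMon CSV export (File > Save, CSV, default columns).
# The events are made up to show the patterns being filtered; "sample.exe"
# is an assumed name for the sample under test.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","SearchIndexer.exe","1234","ReadFile","C:\Users\victim\Documents\notes.txt","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.5","sample.exe","5520","WriteFile","C:\Users\victim\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:01:02.7","sample.exe","5520","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\victim\AppData\Roaming\svchost.exe"
"10:01:02.8","svchost.exe","1088","RegQueryValue","HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname","SUCCESS","Type: REG_SZ, Length: 20, Data: VICTIM-PC"
"10:01:03.0","sample.exe","5520","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4412, Command line: cmd.exe /c vssadmin delete shadows /all /quiet"
"10:01:03.4","sample.exe","5520","TCP Connect","VICTIM-PC:49712 -> 203.0.113.5:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65535, rcvwinscale: 8, sndwinscale: 8"
"10:01:03.9","sample.exe","5520","SetDispositionInformationFile","C:\Users\victim\Documents\report.docx","SUCCESS","Delete: True"
"10:01:04.0","Explorer.exe","3344","QueryDirectory","C:\Users\victim\Desktop","SUCCESS","Filter: *"
'''

# Processes that flood a capture on an idle VM (assumed list; extend per image).
NOISE_PROCESSES = {"searchindexer.exe", "explorer.exe", "svchost.exe",
                   "procmon.exe", "procmon64.exe", "dllhost.exe"}
# Registry locations that give a program a start at boot or logon (lower-case substrings).
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                  "\\winlogon\\shell", "\\winlogon\\userinit",
                  "\\currentcontrolset\\services\\")
USER_DIRS = ("c:\\users\\",)


def classify_event(row: Dict[str, str]) -> Optional[str]:
    """Map one ProcMon row to the behaviour it evidences, or None if routine."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    lower_path = path.lower()
    if op == "RegSetValue" and any(key in lower_path for key in AUTOSTART_KEYS):
        return "persistence"
    if op == "Process Create":
        return "child-process"
    if op in ("TCP Connect", "TCP Send", "UDP Send"):
        return "network"
    if op in ("SetDispositionInformationFile", "SetDispositionInformationEx") \
            and "delete: true" in detail.lower():
        return "file-delete"
    if op == "WriteFile" and lower_path.startswith(USER_DIRS):
        return "file-write"
    return None


def triage_procmon(csv_text: str) -> dict:
    """Drop noise processes, then keep only the rows that tell a story."""
    total = kept = 0
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if row["Process Name"].lower() in NOISE_PROCESSES:
            continue
        kept += 1
        kind = classify_event(row)
        if kind:
            findings.append({"kind": kind, "process": row["Process Name"], "pid": row["PID"],
                             "path": row["Path"], "detail": row["Detail"]})
    return {"events_total": total, "events_kept": kept, "findings": findings}


if __name__ == "__main__":
    result = triage_procmon(PROCMON_CSV)
    print(f"{result['events_kept']} of {result['events_total']} events kept after noise filter")
    for f in result["findings"]:
        print(f"[{f['kind']:13}] {f['process']} ({f['pid']}) {f['path']}  {f['detail']}")
```

On the constructed capture this reduces eight rows to five findings that read as a timeline: drop a copy into AppData, register it under HKCU\...\Run, spawn cmd.exe to delete shadow copies, call out to 203.0.113.5:443, then delete a document. Note that the persistent copy is named svchost.exe, which is exactly why the noise list must match on the real svchost's behaviour (PID, path) on a real capture and not only on the name; here the sample's own writes are attributed to sample.exe so the name filter is safe.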
4. Monitor Network Traffic

Why does malware need a network connection?

- Download:
- download second-stage malware or update itself
- ads (adware)
- pay-per-install
- DDoS (receive targets and instructions)

- Upload:
- exfiltrate data from the victim
- send the encryption key to the server

- Lateral movement:
- to infect other machines in the same network

*We capture network traffic using Wireshark

Note:
- nslookup: Windows command line tool to translate a domain name into an IP
- FakeNet-NG: answers the malware's connections with fake services and saves
all traffic in a pcap file

Run Wireshark and FakeNet-NG, then run the malware file

- In the normal case we begin analysis from the DNS query, but in some
cases the malware uses a hard-coded IP
- While capturing, the malware may close Wireshark or ransomware may
encrypt the pcap file
- So we can redirect the sandbox's traffic to another VM such as REMnux
(or another sinkhole) and capture there
