Hello folks, I hope you are in good health in this lockdown. During my day-to-day work I invest time in reverse engineering, coding and some malware analysis, so I thought I would share this information, which may help.
Malware analysis and research are a critical process for an organization that wants to track down threats and the malicious actors whose main intention is to damage the organization's reputation and finances. This also applies to government organizations, which face targeted attacks such as APTs (Advanced Persistent Threats).
In general, an attack can be a combination of vulnerabilities, exploits and malware. Security companies produce antivirus products, IDS, IPS, sandboxes and EDR products to track down those threats and protect organizations. An antivirus product combines signature-based and behavioral detection, sometimes with a sandbox as well, and the detections are written by security researchers to block these attack attempts.
A malware researcher generally uses both static and dynamic analysis of a malware sample, and the findings are later turned into detections in the security product. In this article we will discuss the top malware analysis tools that researchers use in their day-to-day analysis.
Static Analysis Tools:
Static analysis tools give an overall idea of a malware sample, which the researcher can then use to guide a deeper investigation. Malware can be a binary, a document or another format.
Hashing is a method that identifies a malware sample uniquely; the hash is a sort of fingerprint. MD5 is still commonly used by researchers to look a sample up and check whether it is already known and which family it has been attributed to, although SHA-256 is now the preferred hash for sharing, since MD5 collisions are practical and two different files can carry the same MD5. One tool is HashCalc, shown below.
The hash can be shared with another analyst, or used to check whether the sample is already known malware that has been identified on the internet. Below we can see that the same hash has already been flagged as malicious by antivirus engines.
There are other tools like WinMD5 and various command-line tools for hashing. The Strings utility gives a basic idea of what the malware is doing or trying to do, by listing the readable strings in the binary: for example, that the malware is trying to establish a connection to a botnet, or is sending repeated ping requests to a domain.
As we can see, using the FLOSS tool we extracted the strings, and the highlighted strings are HTTP and SoapURI. This indicates that the malware is trying to connect to a URL or domain. FLOSS also recovers strings that are decoded at runtime or built on the stack, which a plain strings utility misses.
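As an added example (not from the original post), the Python script below does what HashCalc and FLOSS/strings do in the screenshots above: it hashes a sample with MD5, SHA-1 and SHA-256, pulls out printable ASCII and UTF-16LE strings, and tags the ones that suggest network activity, loader APIs or command execution. The byte blob `SAMPLE`, the hostname c2.example and the IP address 198.51.100.23 are constructed stand-ins, not a real malware sample, and the indicator categories are my own choice.

```python
"""Hash, string extraction and indicator triage for a sample (added example)."""
import hashlib
import re

# Constructed stand-in for a malware sample (NOT a real file): a fake header,
# two API names, a UTF-16LE URL (as .NET and Delphi binaries store them),
# a command line, a protocol keyword and some junk bytes.
SAMPLE = (b"MZ\x90\x00\x03" + b"\x00" * 10
          + b"GetProcAddress\x00LoadLibraryA\x00\x17\x9a\x02"
          + "http://c2.example/gate.php".encode("utf-16le") + b"\x00\x00"
          + b"cmd.exe /c ping -n 5 198.51.100.23\x00SOAPAction\x00\xff\xfe\x01")


def file_hashes(data: bytes) -> dict:
    """MD5 for legacy lookups; SHA-1 and SHA-256 for sharing (most services key on SHA-256)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs plus UTF-16LE runs, like `strings` and `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


# Indicator categories chosen for this example; extend to taste.
INDICATORS = [
    ("url", re.compile(r"https?://\S+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("command", re.compile(r"\b(?:cmd\.exe|powershell|ping|wscript)\b", re.I)),
    ("protocol", re.compile(r"SOAP|HTTP|FTP|SMTP", re.I)),
    ("loader_api", re.compile(r"^(?:GetProcAddress|LoadLibrary[AW]?|VirtualAlloc|"
                              r"WriteProcessMemory|CreateRemoteThread)$")),
]


def classify(strings: list) -> list:
    """Tag strings that hint at what the sample does; returns (category, string) pairs."""
    return [(cat, s) for s in strings for cat, rx in INDICATORS if rx.search(s)]


def triage(data: bytes) -> dict:
    """One-shot static triage report: hashes, every string, and the interesting ones."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "strings": strings, "indicators": classify(strings)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, digest in report["hashes"].items():
        print(f"{name:7} {digest}")
    for cat, s in report["indicators"]:
        print(f"[{cat:10}] {s}")
```

On a real file, replace `SAMPLE` with `open(path, "rb").read()`. The UTF-16LE pass matters in practice: a plain ASCII `strings` run shows nothing for a URL stored as wide characters, which is exactly the kind of string a .NET sample keeps.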
Packing Detection Tools:
There are tools which identify whether a file or malware sample is packed. Packed files are a subset of obfuscated programs and complicate analysis; in general a packed file does not contain many readable strings.
Packed or obfuscated files often rely on GetProcAddress and LoadLibrary to resolve the APIs they need only after the real payload has been unpacked in memory, which is why their import table is tiny. Tools such as DIE (Detect It Easy), PEiD and many others help to detect packed files.
As we can see, the program above is not packed and is compiled with .NET, so an analyst can go further with a .NET decompiler and debugger such as dnSpy.
A similar tool, DIE, can be used as shown below.
From an analyst's point of view, a packed file has a small import section, a high entropy value (greater than 7 bits per byte, where 8 is the maximum) in the packed section, and a small wrapper stub that unpacks the actual malware in memory. While analyzing such a binary, the analyst will find the entry point and the unpacking code in a section other than .text (for example a data section or a packer-named one), and the packed payload will look like junk or unreadable data.
Since the file is packed, it is necessary to unpack the malware to make further investigation easier. For UPX-packed files the UPX utility itself can restore the original (`upx -d sample.exe`), but UPX is a very popular and well-known packer, and nowadays malware authors use more complex or custom packers that have no off-the-shelf unpacker.
The Portable Executable (PE) file format is used by Windows executables, object code, and DLLs. The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code. Nearly every file with executable code that is loaded by Windows is in the PE file format, though some legacy file formats do appear on rare occasion in malware.
CFF Explorer gives details such as that the file is a .NET assembly and that it has a .NET directory along with the strings and resource directories.
It also shows the file's characteristics, such as whether it is PE32 or PE32+ and which machine type it targets.
It lists the different sections of the file and the size of each section on disk and in memory. Keep an eye on the highlighted message below.
Using Dependency Walker, we can see how many libraries the binary imports and which functions it imports from each, by ordinal or by function name.
Executables can import functions by ordinal instead of by name. When a function is imported by ordinal, its name never appears in the original executable, so it is harder for an analyst to figure out which function is being used. When malware imports a function by ordinal, you can find out which function is being imported by looking the ordinal up in the export table of the DLL that provides it. Ordinals are only stable within a given DLL build, so resolve them against the same version of the DLL the sample was written for.
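The checks described in the packing section (entropy above 7, a tiny import table, a packer-named section) and the PE details that CFF Explorer and Dependency Walker display (machine type, PE32 versus PE32+, section sizes, imports by name versus by ordinal) can all be reproduced from the raw headers. The Python below is an added example, not part of the original article or of any tool it mentions; it parses the PE structures by hand with `struct` so it needs no third-party module. `build_sample_pe()` constructs a small fake PE32 image for the demonstration: the section names, the `KERNEL32.dll` imports and ordinal 0x123 are made up for the example and do not come from any real sample. On a real file, call `parse_pe(open(path, "rb").read())`.

```python
"""Hand-rolled PE32/PE32+ walker: machine, sections with entropy, imports by name
and by ordinal, and the packing heuristics from the text (added example)."""
import hashlib
import math
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rva_to_offset(sections: list, rva: int) -> int:
    """Translate a relative virtual address into a file offset via the section table."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return rva - s["rva"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                   # optional header follows the COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B      # magic 0x10B = PE32, 0x20B = PE32+
    # Data directories start 96 bytes into a PE32 optional header (112 for PE32+); entry 1 is imports.
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):                                           # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize, "rva": rva,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "entropy": entropy(data[raw_ptr:raw_ptr + raw_size])})
    imports = {}
    desc = rva_to_offset(sections, import_rva) if import_rva else None
    thunk_fmt, thunk_len, ord_bit = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if not (oft or name_rva or ft):
            break                                                   # all-zero descriptor ends the table
        funcs, t = [], rva_to_offset(sections, oft or ft)
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, t)[0]
            if thunk == 0:
                break
            if thunk & ord_bit:                                     # import by ordinal: no name stored in the file
                funcs.append(f"ordinal #{thunk & 0xFFFF}")
            else:                                                   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(cstr(data, rva_to_offset(sections, thunk) + 2))
            t += thunk_len
        imports[cstr(data, rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": pe32plus,
            "sections": sections, "imports": imports}


def packing_indicators(info: dict) -> list:
    """Heuristics from the article: entropy > 7, a tiny import table, packer section names."""
    hits = [f"section {s['name']} entropy {s['entropy']:.2f} > 7" for s in info["sections"] if s["entropy"] > 7]
    hits += [f"section name {s['name']} suggests UPX" for s in info["sections"] if s["name"].upper().startswith("UPX")]
    nfuncs = sum(len(v) for v in info["imports"].values())
    if nfuncs < 5:
        hits.append(f"only {nfuncs} imported functions (rest likely resolved at runtime via GetProcAddress)")
    return hits


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo, not real malware: a low-entropy .text, an import
    table mixing by-name and by-ordinal thunks, and a high-entropy section named UPX1."""
    rd_rva = 0x2000                                                 # .rdata holds the import table
    thunks = struct.pack("<4I", rd_rva + 86, rd_rva + 104, 0x80000000 | 0x123, 0)
    rdata = bytearray(0x200)
    struct.pack_into("<5I", rdata, 0, rd_rva + 40, 0, 0, rd_rva + 72, rd_rva + 56)  # one descriptor + zero terminator
    rdata[40:56] = thunks; rdata[56:72] = thunks                    # OriginalFirstThunk / FirstThunk arrays
    rdata[72:85] = b"KERNEL32.dll\0"
    rdata[86:103] = b"\0\0GetProcAddress\0"; rdata[104:119] = b"\0\0LoadLibraryA\0"
    text = bytes(range(16)) * 32                                    # 16 equiprobable byte values: entropy 4.0
    seed, upx = b"seed", b""
    while len(upx) < 0x1000:                                        # deterministic pseudo-random filler
        seed = hashlib.sha256(seed).digest(); upx += seed
    secs = [(b".text", 0x1000, 0x200, text), (b".rdata", rd_rva, 0x400, bytes(rdata)), (b"UPX1", 0x3000, 0x600, upx)]
    img = bytearray(0x1600)
    img[:2] = b"MZ"; struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew: PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections, PE32 opt hdr size
    struct.pack_into("<H", img, 0x98, 0x10B)                        # optional header magic: PE32
    struct.pack_into("<II", img, 0x98 + 96 + 8, rd_rva, 40)         # import directory RVA and size
    for i, (name, rva, raw, body) in enumerate(secs):
        struct.pack_into("<8sIIII", img, 0x98 + 224 + 40 * i, name, len(body), rva, len(body), raw)
        img[raw:raw + len(body)] = body
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], "PE32+" if info["pe32plus"] else "PE32", info["imports"])
    print("\n".join(packing_indicators(info)))
```

The by-ordinal entry comes out as `ordinal #291`, which is all the file itself can tell you; turning it into a function name needs the export table of that specific `KERNEL32.dll` build, which this script deliberately does not attempt. Real-world caveat: section entropy is a heuristic, so a legitimately compressed resource or an embedded certificate can also push a section above 7.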