Introduction

When doing an analysis or investigation on a malware, what is the important things to solve or to answer in analysing the malware?

This checklist may help us to determine what is the goal when we’re doing a malware analysis on a malware, so it can avoid us from reversing/analysing part of the malicious code that does not important to our investigation or maybe a rabbit hole.

Important findings

1. IOCs (Hash, domain, IP)
2. Commands
3. Dropped files
4. Network communication
5. Registry modify/add/delete
6. TTPs
7. Encryption/Decryption routines
8. Folder, file access
9. Malware Anti-analysis
10. Hardcoded values / strings
11. Common WinAPI
12. Shellcode
13. Encrypted strings

Flow of analysis

1. Retrieve samples
2. OSINT samples and reports
3. Automate analysis
4. Maldoc or Fileless analysis
5. Static analysis
6. Behavior analysis
7. Reverse engineering

Sample sources

1. From client
2. Internet
   • VirusTotal
   • MalwareBazaar
   • Github
   • Malshare
   • Any.run
3. Honeypot
4. Internal DB
5. DFIR activities

OSINT samples, reports, analysis

1. Hash lookup malwoverview
2. Hash lookup in VT
3. Analysis samples via VT
4. IOC network analysis and C2 Hunting
   • AbuseIPBD
   • Censys
   • Passive DNS via VT
   • Shodan
   • FOFA
   • Validin
   • URLhaus
   • urlscan.io
   • AlienVault
5. Github search
6. Google search
7. Twitter search

Automate and AV Analysis

Online Sandboxes

1. Any.Run
2. VirusTotal
3. Tri.age
4. Threatbook
5. AntiScan.me
6. FileScan
7. HybridAnalysis
8. Intezer
9. JoeSandbox
10. Metadefender

Local Sandboxes and AV scanner

1. CAPE
2. Saferwall
3. MultiAV

Note: Analyze all the findings and get the context of the malware before proceed reverse engineering.

Maldoc Analysis

Refer: Maldoc Cheatsheet

Fileless Analysis

1. Read the code
2. Beautify
3. Deobfuscate
   • PSUnveil
   • Manual
4. CMDWatcher
5. Refer Behavior analysis

Static Analysis

Behavior Analysis

Analysis consist of:

1. Process monitoring include command executed
2. Network monitoring
3. File system monitoring
4. Registry monitoring
5. Logging and detection
6. WinAPI monitoring

Behavior analysis Tools

Reverse Engineering

It’s really subjective while perform reverse engineering, and the approach might different with other people. This list is most of the activities I did when performing reverse engineering:

IDA pro

1. Find Main function
2. Strings reference
3. Decompile
4. Watch Graph View
5. Relabel function name
6. Insert comments
7. Focus on WinAPIs
8. Always research and refer API documentation
9. Research hardcoded strings
10. List function names
11. Pull Lumina
12. Ask ChatGPT if stuck
13. Run Flare CAPA Explorer plugin
14. Run IDAClu
15. Run IDA-names
16. Run FindCrypt
17. Run AntiVM
18. Run AntiDebugSeeker
19. Rebase segment based on debugger
20. Github/GitLab research on unique function
21. Search for unique hex value on the internet

x64Dbg

1. Debugging the malware with context
2. Breakpoint on interesting function
3. Breakpoint on unpack stuff, such as VirtualAlloc
4. Dump unpack stuff
5. Dump shellcode stuff
6. Watch return value of function
7. Enable ScyillaHide
8. Use graph view
9. Find strings reference
10. Use xAnalyzer
11. Setting the events to Break on what? The most important is “Entry Breakpoint”
12. Add Exception filters = 00000000-FFFFFFFF
13. Follow in dump, memory
14. Watch call stack
15. Watch Threads
16. Watch Handles
17. Use RunDLL32 command for DLL file instead of DLL loader by 32dbg
18. Supply parameter if the malware need param
19. Research WinAPI param and return value
20. Watch function input (param) and output (return value on EAX)
21. Disable ASLR
22. Self injection, use process hacker to dump the process instead of a memory region.

Using API hooking to analyze malware by breakpoint them blindly:

# Typically for unpacking
bp VirtualAlloc
bp VirtualProtect

# AntiDebug
bp IsDebuggerPresent

# Enum process
bp CreateToolhelp32Snapshot
bp Process32First
bp Process32Next

# Check file what file being written
bp CreateFileW
bp CreateFileA

# Execute unpacked code
bp CreateProcessInternalW
bp NtWriteVirtualMemory
bp NtResumeThread
bp CreateRemoteThread
bp CreateThread

# API Hashing
bp GetProcAddress
bp LoadLibraryA

# OR debug on any interesting API!

Assembly fastcall calling convention

# x86
push eax
push ebx
call function_name

# x64
mov rsp+value, eax
mov r9d, dword ptr [rsp+value]
mov r8d, dword ptr [rsp+value]
mov rdx, dword ptr [rsp+value]
mov rcx, dword ptr [rsp+value]
call function_name

Abnormal prologue

# Fake return
push 0xAddress
ret

push 0xAddressShellcode
ret

# Unexpected Jump
mov ecx, 0xAddressShellcode
jmp 0xAddress

push ecx
ret

# Suspicious jump
mov ecx, 0xAddress
jmp ecx

WinAPI in Malware

Usage of API is not necessarily a malware behavior. We need to analyze:

1. Context of the usage
2. Parameters supplied to the API
3. Sets of API used in sequence

Common operations

Keylogging

Backdoor connection

Process Injection APIs

Process Hooking

Resource related

Enumeration

Unpacking API

Anti-debug

WinAPI research

• Refer this web, common Windows API in analyzing and reversing Windows malware. MalAPI.
• Google “GetAsyncKeyState + malware” will give numbers of results about keylogger malware.
• Refer undocumented and documented WinAPIs
  • undocumented.ntinternals.net
  • learn.microsoft.com
• Search for malware development technique that used the certain API
  • 0xpat.github.io
  • cocomelonc.github.io
  • www.ired.team
  • github.com
  • malware-development

Anti Analysis

Unpacking stuff

Unpacking tools

• Your favourite debugger
• pe_unmapper
• pe-sieve
• hollows_hunter
• mal_unpack
• unpac
• pe-trimmer
• scylla plugin x32dbg
• ollydump plugin in x32dbg
• Process hacker > memory tab > interesting regions/base addresses (RWX) > save memory

Fixing dumped PE from memory

1. Section alignment
   • Using hex editor to adjust the file by checking the sections header and repair it
2. Unmapping
   • All the current address is based on memory
   • Make Raw Address same as Virtual Address
   • Fix Raw Size (Raw Addr section above - Raw Addr section below)
   • Fix Virtual Size by copy the fixed Raw size
3. Rebase address
   • Edit Image Base based on the base address when dumping the PE

Before unpacked executable execute (ref: FOR710)

Numerous initialization activities must take place to prepare an executable for actual execution. This is the key activities to load an executable after unpacking:

• Confirm the file is a Windows executable
• Resolve critical APIs
• Map the executable into memory
• Load imported DLLs
• Resolve imported functions
• Apply relocations, if necessary
• Update section permissions, if necessary
• Identify the entry point (EP) for execution
• Execute code beginning at the EP

PEB Walk

The Process Environment Block (PEB) is a data structure in memory that contains information about the running process, including:

• Loaded modules
• If the process is being debugged
• Process parameters (e.g., current directory or command line)

Shellcode accesses the PEB to:

1. Enumerate DLLs loaded in memory
2. Access each DLL’s exported functions
3. Resolve Windows API addresses

In disassembler, you’ll see the code will perform this instrucitons to retrieve the PEB address:

MOV EAX, DWORD PTR FS:[30h]

or

PUSH 30h
POP EBX
MOV EAX, FS:[EBX]

API Hashing

• Shellcode often passes a precalculated hash to a function to resolve APIs.
• This function:
  1. Iterates over all modules loaded by the process.
  2. For each module, the module name (e.g., kernel32.dll) is hashed.
  3. For each exported function in the module, the function name is hashed.
  4. The combined hash (i.e., the addition of the module name hash and function name hash) is compared against the hash passed to the function.
  5. If there is a match, the code resolves the address of the function so it can be called; if there is no match, it moves to the next loaded module and repeats the process.

Ransomware

Ransomware flow 101:

1. Collect PC information
2. Determine which file extension or directories need to be encrypted. Blacklist or whitelist extension.
3. Get or find directories and files (with specific extension). May include net share.
4. Generate cryptography key
5. Encrypt files (overwrite or create new one). If creating a new one, it will delete the original file.
6. Append the ransomware extension to the encrypted file
7. Drop readme text file
8. Optional
   • Delete shadow copy
   • Disable Windows lock file to maximize ransom file
   • Change wallpaper
   • Connect to CnC (Command and Control server)
   • Enumerate network share
   • Exploit vulnerabilities
   • Create persistence
   • Stop services
   • Stop process

Common CryptoAPI encryption

File encryption APIs

Common algorithm of data

Despite reading the API, knowing the pattern of the algoritm and little bit of Google search may contribute the findings. Or we can use tool such as CAPA scanner or KANAL.

Encryption

Common symmetric algorithms

1. AES
2. RC4
3. Serphent
4. Blowfish

Common Asymmetric algorithms

1. RSA

Hashing

1. MD5 hashing
2. SHA hashing
3. CRC hashing

Compression

1. APLib Compression
2. LZNT Compression
3. LZMA Compression

Shellcode

• Shellcode is a sequence of bytes that represents assembly instructions.
• Often allocates by VirtualAlloc
• Hunt for the NOP (0x90) sled which designates its likely beginning, and the 00 byte values designate its likely end.
• To load DLLs and resolve API function names, shellcode often seeks kernel32.dll for LoadLibrary and GetProcAddress.
• Shellcode looks for the Process Environment Block (PEB) to locate kernel32.dll in memory of the exploited application.

Shellcode common opcodes

Rebase shellcode address

Formula: Base Address of image - Entry point of Shellcode

Tools

Execution

• shellcode2exe.py. Then, perform reversing in debugger/disassembler or behavior analysis.
• jmp2it
• shellcode_launcer

Disassemble

• IDA Pro. Press C to convert undefined data to code
• Ghidra. Choose the right compiler for the language option
• x64Dbg. Go through the code in debugger

Emulate

• scdbg
• speakeasy

Helpful tools

• xorsearch with param -W -d 3 = To spot shellcode patterns in binary files.

Other languages

.NET

• Use DnSpy
  • Go to Entry Point
  • Find Reference
  • Use Module Breakpoint
  • Watch Local variables
  • Show in memory, dump in memory
• De4dot for decode encoded strings
• NETReactorSlayer for deobfuscate

Golang resources

• pkg.go.dev
• SentineLabs/AlphaGolang
• strazzere/golang_loader_assist
• goretk/gore

Rust

• Rust docs

JS

Deobfuscation using browser

1. Extract JS
2. Create HTML

<html>
<script>
var x = eval(Susp JS code);
alert(x);
<script>
</html>

1. Open JS in Browser
2. Open dev tools > Sources
3. BP “alert(x)” line
4. Reload page and observe the output

Manual deobfucation

1. Beautify the code
2. Remove variables that is only used once
3. Replace complicated values with readble values
4. Rename variables names
5. Manual deobfuscation using above steps and add some codes to debug the JS, such as document.write(interesting_var) or add new line of code to call the interesting function interesting_function()

VB

• Use VBDecompiler

AutoIT

• Use Exe2Aut

Powershell fileless

• Use psunveil. Refer: https://www.kahusecurity.com/posts/introducing_psunveil.html
• Enable logging. Refer: https://fareedfauzi.github.io/2021/02/06/LemonDuck-Powershell.html#bonus-tips

Building an effective YARA

• Static file characteristics (pestats.py).
• Embedded strings (PeStudio, strings64.exe, pecompare.py).
• Code analysis results (Ghidra).
• Binary comparison results (Ghidra, BinDiff).
• Use https://github.com/Neo23x0/yarGen and review/improve the rule.

Reversing APK

Checklist

1. Run in the Emulator (Android studio / Memu / etc.) to evaluate behavior
2. Extract url using apkurlgrep or apkleaks
3. Use burpsuite to intercept http(s) communication
4. Decompile and analysis using JADX / Bytecode viewer / GDA
   • Check BaseInfo in GDA
   • Read AndroidManifest. Focus on Activity, Permission, Services and Receiver
   • Read Malscan in GDA to verify malicious function
   • Check AllUris to extract suspicious url
   • Perform analysis on the entry and main function
5. Dynamic analysis using Frida
6. Utilized framework such as RMS or MobFS

Dangerous permission

READ_CALENDAR
WRITE_CALENDAR
READ_CALL_LOG
WRITE_CALL_LOG
PROCESS_OUTGOING_CALLS
CAMERA
READ_CONTACTS
WRITE_CONTACTS
GET_ACCOUNTS
ACCESS_FINE_LOCATION
ACCESS_COARSE_LOCATION
RECORD_AUDIO
READ_PHONE_STATE
READ_PHONE_NUMBERS
CALL_PHONE
ANSWER_PHONE_CALLS
ADD_VOICEMAIL
USE_SIP
BODY_SENSORS
SEND_SMS
RECEIVE_SMS
READ_SMS
RECEIVE_WAP_PUSH
RECEIVE_MMS
READ_EXTERNAL_STORAGE
WRITE_EXTERNAL_STORAGE

Tools

Personally, all tools in Flare-vm and Remnux is more than enough.

• Winitor files and tools for Malware Analysis
• Remnux tools list
• Flare vm tools list

Helpful references

Some references that can help in analyzing malware:

1. Anti technique Map: Provides a map of anti-analysis techniques used by malware.
2. MalAPI: Resource detailing common Windows APIs used in analyzing and reversing Windows malware.
3. Filesec: Resource listing file extensions commonly used by attackers.
4. LOLBAS: Information on fileless and script-based techniques used by malware, known as Living Off the Land Binaries and Scripts.
5. APT’s malware analysis reports: Reports and analyses of malware associated with Advanced Persistent Threat (APT) groups.
6. Google: Using search engines for additional information and research.
7. vx-underground: Underground forum and resource for malware research and analysis.
8. Compilation of malware source code: Collection of malware source code for study and analysis.
9. Ask the communities: Engaging with online communities and forums dedicated to malware analysis for assistance and collaboration.
10. “Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book”