Checklist: Windows Malware Analysis


Introduction

When analysing or investigating malware, what are the important questions to solve or answer?

This checklist may help us determine the goal of a malware analysis, so that we avoid reversing or analysing parts of the malicious code that are not important to our investigation, or that turn out to be a rabbit hole.

How?

How was it downloaded, started or executed?

  • Where did it come from?
  • How did it get there?
  • Which parent program dropped it?
  • How was it executed? Did a user run it? Did someone run it remotely?

Anti thingy

Are any anti-analysis techniques implemented?

  • Anti Debugging
  • Anti Disassembly
  • Anti VM
  • Antivirus/EDR evasion
  • Packer
  • Cryptor
  • Sandbox evasion

Relate the analysis

Are there any basic, automated or dynamic analysis results that can give us hints?

  • Basic analysis
    • strings
    • MultiAV result
    • ssdeep (comparing with other variant)
    • PE analysis
  • Dynamic analysis
    • Process
    • File system
    • Network
    • Registry
  • Sandbox analysis result
    • Static analysis result
    • Dynamic analysis result

Important things

What are the things we are looking for?

  • IOCs
  • Commands
  • Dropped files
  • Domains / IP
  • Registry modify/add/delete
  • Tactics, techniques and procedures (TTPs)
  • Encryption/Decryption routines
  • Folder, file access
  • Malware features
  • Hardcoded values / strings
  • Common WinAPI used for malicious action
  • Shellcode
  • Encrypted things
  • Does the malware perform privilege escalation?

Malware features

What are some of the malware features?

  • Downloader
  • Launcher
  • Backdoor
    • Reverse Shell
    • RAT
    • Botnet
  • Credential stealer
    • Keylogger
    • Mimikatz thingy
  • Encrypt file
  • Command and control
  • Propagation
  • Exploit
  • Process manipulation
    • Process injection etc.
  • Bypass UAC
  • Evade AV
  • Anti Forensic

Findings

What is the meaning of the behaviour in the findings?

  • Does the domain really perform command and control?
  • Why does it encrypt a certain part?
  • Many more... validate your theory.

So ask these types of questions when reversing the malware.

Persistence mechanism

Does it have a persistence mechanism?

  • Registry key
  • Scheduled tasks
  • Startup folder
  • Winlogon Registry Entries
  • Image file execution options
  • Accessibility programs
  • WMI persistence
  • AppInit_DLLs
  • DLL Search Order Hijacking
  • Service

Public research

  • APT’s malware analysis
  • Google
  • vx-underground
  • Compilation of Malware source code
  • Ask the communities

Ransomware 101:

  • Collect PC information
  • Determine which file extensions or directories need to be encrypted (blacklist or whitelist of extensions).
  • Find directories and files (with specific extensions). May include network shares.
  • Generate cryptography key
  • Encrypt files (overwrite the original or create a new one). If it creates a new one, it deletes the original file.
  • Append the ransomware extension to the encrypted file
  • Drop readme text file
  • Optional
    • Delete shadow copy
    • Disable Windows file locks to maximize the number of files encrypted
    • Change wallpaper
    • Connect to CnC
    • Enumerate network share
    • Exploit vulnerabilities
    • Create persistence
    • Stop services
    • Stop process
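The steps above describe the behaviour from the ransomware's side; the following is an added example (not part of the original checklist) of what the defender-side counterpart looks like: detection logic for three of those steps (shadow copy deletion, mass renames that append one new extension, and the same ransom note dropped into many directories) run over event lines. The `timestamp|event type|key=value|...` format and every sample line are constructed for this demo; the same logic would sit on top of Sysmon, EDR or ProcMon output in practice.

```python
"""Behavioural detection for the ransomware steps listed above.

Added example, not part of the original checklist. Event format and sample
lines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Step "Delete shadow copy": the command lines that do it.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def parse_event(line: str) -> dict:
    """Parse one 'ts|type|k=v|k=v' line into a dict with a datetime 'ts'."""
    ts, kind, *kv = line.split("|")
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "type": kind, **fields}


def analyse(lines, rename_threshold=5, window_s=60, note_dirs=3) -> list:
    """Return a list of alert dicts; each has a 'rule' and the offending 'pid'."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []

    # 1. Shadow copy deletion ("Delete shadow copy")
    for e in events:
        if e["type"] == "ProcessCreate" and SHADOW_DELETE.search(e.get("cmdline", "")):
            alerts.append({"rule": "shadow-copy-deletion", "pid": e["pid"],
                           "detail": e["cmdline"]})

    # 2. Mass rename appending one extension ("Encrypt files" + "Append the
    #    ransomware extension"): >= rename_threshold renames by one pid to the
    #    same appended extension inside a sliding window of window_s seconds.
    renames = defaultdict(list)
    for e in events:
        if e["type"] == "FileRename" and e["new"].startswith(e["old"] + "."):
            renames[(e["pid"], e["new"][len(e["old"]):])].append(e["ts"])
    for (pid, ext), times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= rename_threshold:
                alerts.append({"rule": "mass-rename", "pid": pid,
                               "extension": ext, "count": len(times)})
                break

    # 3. Same file name created in many directories ("Drop readme text file")
    notes = defaultdict(set)
    for e in events:
        if e["type"] == "FileCreate":
            directory, _, name = e["path"].rpartition("\\")
            notes[(e["pid"], name.lower())].add(directory)
    for (pid, name), dirs in notes.items():
        if len(dirs) >= note_dirs:
            alerts.append({"rule": "ransom-note", "pid": pid, "name": name,
                           "directories": len(dirs)})
    return alerts


SAMPLE_LOG = [  # constructed for the demo; pid 900 is benign noise
    r"2024-05-01T10:00:00|ProcessCreate|pid=4120|image=C:\Users\bob\AppData\Local\Temp\update.exe|cmdline=update.exe",
    r"2024-05-01T10:00:02|ProcessCreate|pid=4188|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe delete shadows /all /quiet",
    r"2024-05-01T10:00:05|FileRename|pid=4120|old=C:\Users\bob\Documents\q1.xlsx|new=C:\Users\bob\Documents\q1.xlsx.locked",
    r"2024-05-01T10:00:05|FileRename|pid=4120|old=C:\Users\bob\Documents\notes.docx|new=C:\Users\bob\Documents\notes.docx.locked",
    r"2024-05-01T10:00:06|FileRename|pid=4120|old=C:\Users\bob\Pictures\cat.jpg|new=C:\Users\bob\Pictures\cat.jpg.locked",
    r"2024-05-01T10:00:06|FileRename|pid=4120|old=C:\Users\bob\Desktop\todo.txt|new=C:\Users\bob\Desktop\todo.txt.locked",
    r"2024-05-01T10:00:07|FileRename|pid=4120|old=C:\Users\bob\Desktop\budget.xlsx|new=C:\Users\bob\Desktop\budget.xlsx.locked",
    r"2024-05-01T10:00:09|FileCreate|pid=4120|path=C:\Users\bob\Documents\README_RESTORE.txt",
    r"2024-05-01T10:00:10|FileCreate|pid=4120|path=C:\Users\bob\Pictures\README_RESTORE.txt",
    r"2024-05-01T10:00:11|FileCreate|pid=4120|path=C:\Users\bob\Desktop\README_RESTORE.txt",
    r"2024-05-01T10:05:00|FileRename|pid=900|old=C:\tmp\a.txt|new=C:\tmp\a.txt.bak",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The rename rule keys on pid plus appended extension rather than on a known extension list, because the extension changes per ransomware family; the thresholds are deliberately parameters, since a backup tool doing a single `.bak` rename (pid 900 above) must not fire.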

Google

  • For example, googling “GetAsyncKeyState + malware” gives a number of results about keylogger malware.
  • Search for malware development techniques that use a certain API
    • https://0xpat.github.io/
    • https://cocomelonc.github.io/
    • https://www.ired.team/offensive-security/code-injection-process-injection
    • https://github.com/LordNoteworthy/al-khaser
    • https://github.com/topics/malware-development

WinAPI process injection list

  • DLL Injection:
    • OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ) and CreateRemoteThread( ), NtCreateThread( ), RtlCreateUserThread( )
  • PE Injection:
    • OpenThread( ), SuspendThread( ), VirtualAllocEx( ), WriteProcessMemory( ), SetThreadContext( ) and ResumeThread( ), NtResumeThread( )
  • Reflective Injection:
    • CreateFileMapping( ), Nt/MapViewOfFile( ), OpenProcess( ), memcpy( ) and Nt/MapViewOfSection( ), OpenProcess( ), CreateThread( ), NtQueueApcThread( ), CreateRemoteThread( ) or RtlCreateUserThread( )
  • APC Injection:
    • SleepEx( ), SignalObjectAndWait( ), MsgWaitForMultipleObjectsEx( ), WaitForMultipleObjectsEx( ), or WaitForSingleObjectEx( ), CreateToolhelp32Snapshot( ), Process32First( ), Process32Next( ), Thread32First( ), Thread32Next( ), QueueUserAPC( ) and KeInitializeAPC( )
  • Hollowing or Process Replacement:
    • CreateProcess( ), NtQueryInformationProcess( ), GetModuleHandle( ), Zw/NtUnmapViewOfSection( ), VirtualAllocEx( ), WriteProcessMemory( ), GetThreadContext( ), SetThreadContext( ) and ResumeThread( )
  • AtomBombing:
    • GlobalGetAtomName( ) and NtQueueApcThread( ), NtSetContextThread( ), OpenThread( ), GlobalAddAtom( ), GlobalGetAtomName( ) and QueueUserAPC( )
  • Process Doppelgänging:
    • CreateTransaction( ), CreateFileTransacted( ), NtCreateSection( ), NtCreateProcessEx( ), NtQueryInformationProcess( ), NtCreateThreadEx( ) and RollbackTransaction( )
  • Hooking Injection:
    • LoadLibraryW( ), GetProcAddress( ), SetWindowsHookEx( ) and PostThreadMessage( )
  • Extra Windows Memory Injection:
    • FindWindowA( ), GetWindowThreadProcessId( ), OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ), SetWindowLongPtrA( ) and SendNotifyMessage( )
  • PROPagate injection:
    • FindWindow( ), FindWindowEx( ), GetProp( ), GetWindowThreadProcessId( ), OpenProcess( ), ReadProcessMemory( ), VirtualAllocEx( ), WriteProcessMemory( ), SetProp( ) and PostMessage( )

WinAPI Anti-debug

  • IsDebuggerPresent()
  • CheckRemoteDebuggerPresent()
  • NtQueryInformationProcess()
  • OutputDebugString()
  • BeingDebugged flag in the PEB
  • Check ProcessHeap flags
  • NtGlobalFlag in the PEB
  • LookupPrivilegeValue() with argument SeDebugPrivilege
  • BlockInput()
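As an added example (not part of the original checklist) that serves both the process injection list and the anti-debug list above: a small triage routine that takes a sample's imported API names and reports which injection technique API sets are substantially present, plus any anti-debug APIs. The technique table is transcribed from the lists on this page; the sample import list is constructed for the demo. In practice the names would come from `pefile` (`pe.DIRECTORY_ENTRY_IMPORT`) or from an x64dbg or API Monitor trace.

```python
"""Import-table triage against the injection and anti-debug API lists above.

Added example, not part of the original checklist; SAMPLE_IMPORTS is constructed.
"""
import re

# One entry per technique, as listed on this page. canon() strips Nt/Zw
# prefixes and A/W suffixes, so "UnmapViewOfSection" covers both Nt and Zw.
INJECTION_APIS = {
    "DLL injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                      "CreateRemoteThread", "CreateThread", "RtlCreateUserThread"},
    "PE injection": {"OpenThread", "SuspendThread", "VirtualAllocEx",
                     "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
    "APC injection": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                      "Thread32First", "Thread32Next", "QueueUserAPC", "QueueApcThread"},
    "Process hollowing": {"CreateProcess", "QueryInformationProcess", "GetModuleHandle",
                          "UnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
                          "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "Process Doppelgänging": {"CreateTransaction", "CreateFileTransacted", "CreateSection",
                              "CreateProcessEx", "QueryInformationProcess",
                              "CreateThreadEx", "RollbackTransaction"},
    "Hooking injection": {"LoadLibrary", "GetProcAddress", "SetWindowsHookEx",
                          "PostThreadMessage"},
}

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "QueryInformationProcess", "OutputDebugString", "BlockInput"}

_PREFIX = re.compile(r"^(Nt|Zw)(?=[A-Z])")
# Trailing A/W only when preceded by a lowercase letter: CreateProcessW ->
# CreateProcess, SetWindowsHookExA -> SetWindowsHookEx, VirtualAllocEx untouched.
_SUFFIX = re.compile(r"(?<=[a-z])[AW]$")


def canon(name: str) -> str:
    """Normalise an API name by dropping the Nt/Zw prefix and the A/W suffix."""
    return _SUFFIX.sub("", _PREFIX.sub("", name))


def triage(imports, min_hits=3, min_ratio=0.5) -> dict:
    """Report techniques whose API set is substantially present in `imports`.

    min_hits stops ubiquitous pairs such as LoadLibrary + GetProcAddress from
    flagging a technique on their own; min_ratio requires most of the set.
    """
    found = {canon(n) for n in imports}
    injection = {}
    for technique, apis in INJECTION_APIS.items():
        matched = sorted(found & apis)
        ratio = len(matched) / len(apis)
        if len(matched) >= min_hits and ratio >= min_ratio:
            injection[technique] = {"ratio": round(ratio, 2), "matched": matched}
    return {"injection": injection, "anti_debug": sorted(found & ANTI_DEBUG_APIS)}


SAMPLE_IMPORTS = [  # constructed: looks like a hollowing loader with one anti-debug check
    "CreateProcessW", "NtQueryInformationProcess", "GetModuleHandleA",
    "ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread",
    "IsDebuggerPresent", "GetAsyncKeyState", "LoadLibraryW", "GetProcAddress",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IMPORTS), indent=2))
```

The same sample also scores on PE injection because the two techniques share four APIs; an import-table match narrows the candidates for the debugger session, it does not settle the technique, so the ratio is printed rather than a yes/no. Imports resolved at runtime through GetProcAddress will not appear in the table at all, which is exactly why the page suggests breakpoints on the APIs themselves.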

WinAPI used for unpacking

Interesting API breakpoints for unpacking:

  • CreateProcessInternalW( )
  • VirtualAlloc( ) or VirtualAllocEx( )
  • VirtualProtect( ) or ZwProtectVirtualMemory( )
  • WriteProcessMemory( ) or NtWriteProcessMemory( )
  • ResumeThread( ) or NtResumeThread( )
  • CryptDecrypt( ) or RtlDecompressBuffer( )
  • NtCreateSection( ) + MapViewOfSection( ) or ZwMapViewOfSection( )
  • UnmapViewOfSection( ) or ZwUnmapViewOfSection( )
  • NtWriteVirtualMemory( )
  • NtReadVirtualMemory( )
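Once one of these breakpoints has fired (typically VirtualAlloc followed by WriteProcessMemory or NtWriteVirtualMemory) the next step is to dump the written buffer and find the unpacked image inside it. The following is an added example, not part of the original checklist, of a carver that locates every plausible PE header in a raw dump and summarises it; the sample dump is constructed from a synthetic header and a decoy `MZ`, not from a real binary.

```python
"""Carve PE images out of a raw memory dump taken after an unpacking breakpoint.

Added example, not part of the original checklist. SAMPLE_DUMP is constructed.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def _nt_header_offset(buf: bytes, pos: int):
    """Validate the DOS header at pos; return the NT header offset or None."""
    if pos + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    nt = pos + e_lfanew
    # e_lfanew must be sane and the signature + 20-byte file header must fit
    if not (0x40 <= e_lfanew <= 0x400) or nt + 24 > len(buf):
        return None
    return nt if buf[nt:nt + 4] == IMAGE_NT_SIGNATURE else None


def carve_pe(buf: bytes) -> list:
    """Return one dict per 'MZ' whose e_lfanew points at a valid NT header."""
    hits = []
    pos = buf.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        nt = _nt_header_offset(buf, pos)
        if nt is not None:
            # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
            # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
            machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = \
                struct.unpack_from("<HHIIIHH", buf, nt + 4)
            opt = nt + 24  # start of IMAGE_OPTIONAL_HEADER
            hit = {"offset": pos, "machine": MACHINES.get(machine, hex(machine)),
                   "sections": nsec, "is_dll": bool(chars & IMAGE_FILE_DLL),
                   "format": None, "size_of_image": None}
            # Magic (+0) and SizeOfImage (+56) sit at the same offsets in PE32 and PE32+
            if opt_size >= 60 and opt + 60 <= len(buf):
                magic = struct.unpack_from("<H", buf, opt)[0]
                hit["format"] = OPT_MAGIC.get(magic, hex(magic))
                hit["size_of_image"] = struct.unpack_from("<I", buf, opt + 56)[0]
            hits.append(hit)
        pos = buf.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def build_sample_header(machine=0x8664, is_dll=False, size_of_image=0x5000) -> bytes:
    """Construct a minimal PE32+ header (DOS header + NT headers) for the demo.

    Constructed data: enough for carve_pe to parse, not a loadable image.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    opt = bytearray(240)  # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, len(opt), chars)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


# Constructed dump: padding, a decoy "MZ" with no NT header, the synthetic
# image at offset 0x304, then filler bytes.
SAMPLE_DUMP = (b"\x00" * 0x200 + b"MZ\x90\x00" + b"\x00" * 0x100
               + build_sample_header(is_dll=True) + b"\xcc" * 0x300)

if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_DUMP):
        print(hit)
```

The decoy shows why the e_lfanew check matters: memory dumps are full of stray `MZ` byte pairs, and only the ones whose DOS header points at a real `PE\0\0` signature are worth slicing out (from `offset`, ideally `size_of_image` bytes when the region was mapped) and handing to the PE tools listed under Tools.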

Useful unpacking tool

Helpful references

Some references that may help us in analysing malware:

  • Anti techniques list
  • Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book.
  • Examples of commands used by Attackers
  • Common Windows API in Analyzing and Reversing Windows Malware. MalAPI.
  • File extensions used by attackers. Filesec
  • Fileless and Script. LOLBAS
  • Anti technique Map. Unprotect Project

Tools

Personally, all the tools in FLARE VM and REMnux are more than enough. Refer to this awesome slide deck by @ochsenmeier that lists all the important tools for malware analysis investigation.

My must-have tool:

  • IDA Pro
  • x64dbg
  • DIE
  • DnSpy
  • Wireshark
  • ProcMon
  • Ghidra
  • Cyberchef
  • Python
  • API monitor
  • HxD

Winitor files and tools for Malware Analysis: Link

Remnux tools list: Link