Introduction
When doing an analysis or investigation of a malware sample, what are the important things to solve or answer?
This checklist helps us determine the goal of a malware analysis, so that we avoid reversing or analysing parts of the malicious code that are not important to the investigation, or that turn out to be a rabbit hole.
Important findings
- IOCs (Hash, domain, IP)
- Commands
- Dropped files
- Network communication
- Registry modify/add/delete
- TTPs
- Encryption/Decryption routines
- Folder, file access
- Malware Anti-analysis
- Hardcoded values / strings
- Common WinAPI
- Shellcode
- Encrypted strings
Flow of analysis
- Retrieve samples
- OSINT samples and reports
- Automate analysis
- Maldoc or Fileless analysis
- Static analysis
- Behavior analysis
- Reverse engineering
Sample sources
- From client
- Internet
- VirusTotal
- MalwareBazaar
- Github
- Malshare
- Any.run
- Honeypot
- Internal DB
- DFIR activities
OSINT samples, reports, analysis
- Hash lookups
- VirusTotal
- Any.Run
- Tri.age
- s.threatbook.com
- HybridAnalysis
- JoeSandbox
- Metadefender
- ti.qianxin.com
- Take a look at the analysis results
- IOC network analysis and C2 Hunting
- AbuseIPDB
- Censys
- Passive DNS via VT
- Shodan
- FOFA
- Validin
- URLhaus
- urlscan.io
- AlienVault
- threatbook.io
- Github search
- Google search
- Twitter search
Automate and AV Analysis
Online Sandboxes
- Any.Run
- VirusTotal
- Tri.age
- Threatbook
- AntiScan.me
- FileScan
- HybridAnalysis
- Intezer
- JoeSandbox
- Metadefender
Local Sandboxes and AV scanner
- CAPE
- Saferwall
- MultiAV
Note: Analyze all the findings and get the context of the malware before proceeding to reverse engineering.
Maldoc Analysis
Refer: Maldoc Cheatsheet
Fileless Analysis
- Read the code
- Beautify
- Deobfuscate
- CMDWatcher
- Refer Behavior analysis
Static Analysis
| Tool | Description |
|---|---|
| file | Determines the file type of a file. |
| TRiD | File identification tool using a database of file signatures. |
| Exiftool | Tool for reading, writing, and editing metadata in various file types. |
| DIE (Detect It Easy) | Detects and identifies the packer, compiler, and other characteristics of executable files. |
| EXEinfoPE | Analyzes and detects various properties of PE (Portable Executable) files. |
| PEStudio | Analyzes PE files to identify anomalies, suspicious patterns, and potential malware indicators. |
| PEBear | Analyzes PE files and extracts information about their structure, sections, imports, and more. |
| CAPA | Analyzes malware behavior and identifies code patterns using static analysis techniques. |
| Floss | Extracts strings from malware samples and analyzes their behavior. |
| strings -a | Extracts printable strings from binary files, including malware samples. |
| xorsearch | Searches for XOR-encoded strings in binary files. |
| base64dump | Decodes and extracts base64-encoded strings from binary files. |
| Resource Hacker | Views, modifies, adds, and deletes resources in Windows executables. |
| SSDeep | Fuzzy hashing that helps classify and group malware samples by similarities in their content. |
Behavior Analysis
Analysis consists of:
- Process monitoring, including the commands executed
- Network monitoring
- File system monitoring
- Registry monitoring
- Logging and detection
- WinAPI monitoring
| All-in-One | Process Monitoring | Network Monitoring | File System Monitoring | Registry Monitoring |
|---|---|---|---|---|
| ProcMon | Process Hacker | ProcessHacker | ProcMon | Regshot |
| SysAnalyzer | Process Explorer | TCPView | ProcDot | DiffView |
| | CMDWatcher | FakeNet | DirWatch | |
| | ProcWatch | Wireshark | DiffView | |
| | HollowsHunter | Fiddler | | |
| | PECapture | TCPDump | | |
| | WriteProcessMemory | | | |
| | Moneta | | | |
| Logging and Detection | API Monitoring |
|---|---|
| Sysmon | APIMonitor |
| Powershell | APILogger |
| Aurora Nextron | TinyTracer |
| EDR | |
Reverse Engineering
Reverse engineering is really subjective, and the approach may differ from other people's. This list covers most of the activities I do when performing reverse engineering:
IDA pro
- Find the Main function
- Strings reference
- Decompile
- Watch Graph View
- Relabel function name
- Insert comments
- Focus on WinAPIs
- Always research and refer API documentation
- Research hardcoded strings
- List function names
- Pull Lumina
- Ask ChatGPT if stuck
- Run Flare CAPA Explorer plugin
- Run IDAClu
- Run IDA-names
- Run FindCrypt
- Run AntiVM
- Run AntiDebugSeeker
- Rebase segment based on debugger
- Github/GitLab research on unique function
- Search for unique hex value on the internet
x64Dbg
- Debugging the malware with context
- Breakpoint on interesting function
- Breakpoint on unpack stuff, such as VirtualAlloc
- Dump unpack stuff
- Dump shellcode stuff
- Watch return value of function
- Enable ScyllaHide
- Use graph view
- Find strings reference
- Use xAnalyzer
- Set the debugger's events to break on what matters; the most important is “Entry Breakpoint”
- Add Exception filters = 00000000-FFFFFFFF
- Follow in dump, memory
- Watch call stack
- Watch Threads
- Watch Handles
- Use the rundll32 command for DLL files instead of the DLL loader shipped with x32dbg/x64dbg
- Supply parameters if the malware needs them
- Research WinAPI param and return value
- Watch function input (param) and output (return value on EAX)
- Disable ASLR
- Self injection, use process hacker to dump the process instead of a memory region.
Using breakpoints on commonly abused APIs to analyze malware without full context (typed into the x64dbg command line):
```
# Typically for unpacking
bp VirtualAlloc
bp VirtualProtect
# Anti-debug
bp IsDebuggerPresent
# Enumerate processes
bp CreateToolhelp32Snapshot
bp Process32First
bp Process32Next
# Check which files are being created or written
bp CreateFileW
bp CreateFileA
# Execute unpacked code
bp CreateProcessInternalW
bp NtWriteVirtualMemory
bp NtResumeThread
bp CreateRemoteThread
bp CreateThread
# API hashing / dynamic API resolution
bp GetProcAddress
bp LoadLibraryA
# ...or break on any other interesting API!
```
Assembly fastcall calling convention
```asm
; x86: arguments are pushed onto the stack (right to left) before the call
push eax
push ebx
call function_name

; x64 (Microsoft x64 fastcall): the first four integer arguments travel in
; rcx, rdx, r8, r9; any further arguments are placed on the stack
mov dword ptr [rsp+value], eax       ; 5th argument, stored on the stack
mov r9d, dword ptr [rsp+value]       ; 4th argument
mov r8d, dword ptr [rsp+value]       ; 3rd argument
mov rdx, qword ptr [rsp+value]       ; 2nd argument
mov rcx, qword ptr [rsp+value]       ; 1st argument
call function_name
```
Abnormal prologue
```asm
; Fake return: push a target address and "return" into it
push 0xAddress
ret
push 0xAddressShellcode
ret

; Unexpected jump: the address is staged in a register, then reached via push/ret
mov ecx, 0xAddressShellcode
jmp 0xAddress
push ecx
ret

; Suspicious jump: indirect jump through a register
mov ecx, 0xAddress
jmp ecx
```
WinAPI in Malware
Usage of API is not necessarily a malware behavior. We need to analyze:
- Context of the usage
- Parameters supplied to the API
- Sets of API used in sequence
Common operations
| File operations | Registry operations | Processes and Threads | Windows Services | Mutexes |
|---|---|---|---|---|
| CreateFile | RegCreateKey | CreateProcess | OpenSCManager | CreateMutex |
| WriteFile | RegDeleteKey | ExitProcess | CreateService | OpenMutex |
| ReadFile | RegSetValue | CreateRemoteThread | OpenService | |
| SetFilePointer | RegOpenKey | CreateThread | ChangeServiceConfig2W | |
| DeleteFile | RegGetValue | GetThreadContext | StartService | |
| CloseFile | | SetThreadContext | | |
| MoveFile | | TerminateProcess | | |
| GetTempPath | | CreateProcessInternalW | | |
| | | ShellExecute | | |
| | | WinExec | | |
| | | ResumeThread | | |
Keylogging
| WinAPI Function | Description |
|---|---|
| SetWindowsHookEx | Installs a hook procedure that monitors key presses. |
| GetAsyncKeyState | Retrieves the current state of the specified virtual key. |
| GetKeyState | Retrieves the status of the specified virtual key. |
| GetKeyboardState | Retrieves the status of all virtual keys. |
| GetForegroundWindow | Retrieves a handle to the foreground window. |
| GetWindowText | Retrieves the text of the specified window’s title bar. |
| GetKeyNameText | Retrieves the text description of a key. |
| GetKeyboardLayout | Retrieves the active input locale identifier (formerly called the keyboard layout). |
Backdoor connection
| WinAPI Function | Description |
|---|---|
| WSAStartup | Initiates the use of the Winsock DLL by a process. |
| socket | Creates a socket that is bound to a specific transport service provider. |
| bind | Associates a local address with a socket. |
| listen | Places a socket in a state where it is listening for an incoming connection. |
| accept | Accepts a connection on a socket. |
| connect | Attempts to make a connection to another socket. |
| send | Sends data on a connected socket. |
| recv | Receives data from a connected socket. |
| read | Reads data from a file descriptor. |
| write | Writes data to a file descriptor. |
| shutdown | Disables sends or receives on a socket. |
| closesocket | Closes an existing socket. |
| WSACleanup | Terminates use of the Winsock DLL. |
| InternetOpen | Initializes an application’s use of the WinINet functions. |
| InternetConnect | Initiates a connection to the specified URL. |
| InternetOpenUrl | Opens a URL on the internet. |
| InternetReadFile | Reads data from a handle opened by the InternetOpenUrl or InternetConnect function. |
| InternetCloseHandle | Closes a single Internet handle. |
| WinHttpOpen | Initializes the use of WinHTTP functions. |
| WinHttpConnect | Connects to an HTTP server. |
| WinHttpOpenRequest | Initializes an HTTP request handle. |
| WinHttpSendRequest | Sends the specified request to the HTTP server. |
| WinHttpReceiveResponse | Waits to receive the response to the HTTP request. |
| WinHttpQueryDataAvailable | Retrieves the amount of data available to be read by a specified request. |
| WinHttpReadData | Reads data from a specified request. |
| WinHttpCloseHandle | Closes an open handle. |
Process Injection APIs
| DLL Injection | PE Injection | Reflective Injection |
|---|---|---|
| OpenProcess | OpenThread | CreateFileMapping |
| VirtualAllocEx | SuspendThread | Nt/MapViewOfFile |
| WriteProcessMemory | VirtualAllocEx | memcpy |
| CreateRemoteThread | WriteProcessMemory | Nt/MapViewOfSection |
| NtCreateThread | SetThreadContext | CreateThread |
| RtlCreateUserThread | ResumeThread | NtQueueApcThread |
| | NtResumeThread | CreateRemoteThread |
| | | RtlCreateUserThread |

| APC Injection | Hollowing/Process Replacement | AtomBombing |
|---|---|---|
| SleepEx | CreateProcess | GlobalGetAtomName |
| SignalObjectAndWait | NtQueryProcessInformation | NtQueueApcThread |
| MsgWaitForMultipleObjectsEx | Zw/NtUnmapViewOfSection | GlobalAddAtom |
| WaitForMultipleObjectsEx | VirtualAllocEx | GlobalGetAtomName |
| WaitForSingleObjectEx | WriteProcessMemory | QueueUserAPC |
| Process32First | GetModuleHandle | |
| Process32Next | WriteProcessMemory | |
| Thread32First | GetThreadContext | |
| Thread32Next | ResumeThread | |
| QueueUserAPC | | |

| Process Doppelgänging | Hooking Injection | Propagate Injection | Extra Windows Memory Injection |
|---|---|---|---|
| CreateTransaction | LoadLibraryW | FindWindow | FindWindowsA |
| CreateFileTransaction | GetProcAddress | FindWindowEx | GetWindowThreadProcessId |
| NtCreateSection | SetWindowsHookEx | GetProp | OpenProcess |
| NtCreateProcessEx | PostThreadMessage | OpenProcess | VirtualAllocEx |
| NtQueryInformationProcess | | GetProp | WriteProcessMemory |
| NtCreateThreadEx | | SendNotify | SetWindowLongPtrA |
| RollbackTransaction | | VirtualAllocEx | ReadProcessMemory |
| | | WriteProcessMemory | |
| | | SetProp | |
| | | PostMessage | |
Process Hooking
| WinAPI Function | Description |
|---|---|
| SetWindowsHookEx | Installs an application-defined hook procedure into a hook chain. |
| UnhookWindowsHookEx | Removes a hook procedure installed in a hook chain by the SetWindowsHookEx function. |
| GetWindowLongPtr | Retrieves information about the specified window. |
| SetWindowLongPtr | Changes an attribute of the specified window. |
| CallNextHookEx | Passes the hook information to the next hook procedure in the current hook chain. |
| WinAPI Function | Description |
|---|---|
| LoadResource | Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory. |
| FindResource | Determines the location of a resource with the specified type and name in the specified module. |
| SizeofResource | Retrieves the size, in bytes, of the specified resource. |
| LockResource | Retrieves a pointer to the specified resource in memory. |
| EnumResourceTypes | Enumerates all resource types within a binary module. |
| EnumResourceNames | Enumerates all resource names of a specified type within a binary module. |
| EnumResourceLanguages | Enumerates all the language identifiers for the resources of a specified type within a binary module. |
Enumeration
| WinAPI Function | Description |
|---|---|
| EnumProcesses | Enumerates all processes currently running on the system. |
| EnumProcessModules | Enumerates all modules (DLLs) loaded into a specified process. |
| CreateToolhelp32Snapshot | Creates a snapshot of the system, including all processes, threads, and modules. |
| Process32First | Retrieves information about the first process encountered in a system snapshot taken with CreateToolhelp32Snapshot. |
| Process32Next | Retrieves information about the next process encountered in a system snapshot taken with CreateToolhelp32Snapshot. |
| Module32First | Retrieves information about the first module associated with a process in a system snapshot taken with CreateToolhelp32Snapshot. |
| Module32Next | Retrieves information about the next module associated with a process in a system snapshot taken with CreateToolhelp32Snapshot. |
| EnumWindows | Enumerates all top-level windows on the screen by passing the handle to each window, in turn, to an application-defined callback function. |
| FindWindow | Retrieves the handle to the top-level window whose class name and window name match the specified strings. |
| FindWindowEx | Retrieves the handle to a window whose class name and window name match the specified strings. The function searches child windows, beginning with the one following the specified child window. |
| EnumDesktopWindows | Enumerates all top-level windows associated with the specified desktop. |
| RegEnumKey | Enumerates the subkeys of the specified open registry key. |
| RegEnumValue | Enumerates the values for the specified open registry key. |
| NetShareEnum | Retrieves information about all shared resources on a server. |
| NetServerEnum | Retrieves information about all servers of the specified type that are visible in a domain or workgroup. |
Unpacking API
| Unpacking API | Description |
|---|---|
| CreateProcessInternalW | Creates a new process for unpacking the packed executable. |
| VirtualAlloc or VirtualAllocEx | Allocates memory for the unpacked code and data. |
| VirtualProtect or ZwProtectVirtualMemory | Changes the protection of a region of memory, often used for code injection. |
| WriteProcessMemory or NtWriteProcessMemory | Writes data to the memory of another process. |
| ResumeThread or NtResumeThread | Resumes the execution of a suspended thread. |
| CryptDecrypt or RtlDecompressBuffer | Decrypts or decompresses packed data. |
| NtCreateSection + MapViewOfSection or ZwMapViewOfSection | Creates a section object and maps a view of a section into the address space of a process. |
| UnmapViewOfSection or ZwUnmapViewOfSection | Unmaps a mapped view of a section from the address space of a process. |
| NtWriteVirtualMemory | Writes data to the memory of a specified process. |
| NtReadVirtualMemory | Reads data from the memory of a specified process. |
| NtMapViewOfSection | Maps a view of a section of a file into the address space of a process. |
Anti-debug
| Anti-debug | Description |
|---|---|
| IsDebuggerPresent | Checks if the current process is being debugged. |
| CheckRemoteDebuggerPresent | Checks if a remote process is being debugged. |
| NtQueryInformationProcess | Retrieves information about a process, including debug flags. |
| OutputDebugString | Sends a string to the debugger for display. |
| BeingDebugged in PEB | Checks if the process is being debugged by inspecting the Process Environment Block (PEB). |
| Check ProcessHeap flag | Checks the Process Heap flags for signs of a debugger. |
| NtGlobalFlag | Retrieves the global debug flag for the current process. |
| LookupPrivilegeValue | Retrieves the locally unique identifier (LUID) for a privilege. |
| BlockInput | Blocks keyboard and mouse input to the system. |
WinAPI research
- Refer to MalAPI, a site covering common Windows APIs used in analyzing and reversing Windows malware.
- Googling “GetAsyncKeyState + malware” will return many results about keylogger malware.
- Refer to both undocumented and documented WinAPIs.
- Search for the malware development techniques that use the API in question.
Anti Analysis
Unpacking stuff
Detecting packed malware
- Signatures: Using tools such as PEID
- Strings: Lack of strings in the malware
- Imports: Lack of imports functions
- Sections: Weird section names such as UPX
- Entropy: Higher entropy indicates data in the malware is encrypted
- Raw/Virtual sizes: A large difference between raw and virtual size indicates packing
Methods to unpack
- Statically: Reverse engineering the entire unpacking routine. Useless.
- Dynamically: Using a debugger and putting breakpoints on common unpacking functions such as VirtualAlloc, VirtualProtect, etc.
- Automated: Unpac.me, pe-sieve, mal_unpack, sandboxes.
Fixing dumped PE from memory
- Section alignment
  - Use a hex editor to adjust the file by checking the section headers and repairing them
- Unmapping
  - All current addresses are memory-based (virtual), not file-based
  - Make the Raw Address the same as the Virtual Address
  - Fix the Raw Size (the difference between this section's Raw Address and the next section's)
  - Fix the Virtual Size by copying the fixed Raw Size
- Rebase address
  - Edit the Image Base to the base address the PE had when it was dumped
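The unmapping and rebasing steps above, as an added example that is not part of the original page: it rewrites the section headers of a memory dump (Raw Address = Virtual Address, Raw Size from the next section, Virtual Size copied) and sets ImageBase, using only the standard library. The sample image is constructed inline; making FileAlignment equal to SectionAlignment is an extra step the loader needs once raw offsets equal RVAs.

```python
"""Repair a PE dumped from memory: raw offsets/sizes follow the in-memory
layout, and ImageBase is set to the address the module had when dumped."""
import struct

SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR_FMT)


def _nt_offsets(buf):
    """Return (optional_header_off, section_table_off, n_sections, is_pe32plus)."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if bytes(buf[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    size_opt = struct.unpack_from("<H", buf, coff + 16)[0]
    opt = coff + 20
    return opt, opt + size_opt, n_sections, struct.unpack_from("<H", buf, opt)[0] == 0x20B


def image_base(data):
    opt, _, _, plus = _nt_offsets(data)
    return struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]


def parse_sections(data):
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    _, sec, n, _ = _nt_offsets(data)
    rows = []
    for i in range(n):
        f = struct.unpack_from(SECTION_HDR_FMT, data, sec + SECTION_HDR_LEN * i)
        rows.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))
    return rows


def fix_dumped_pe(data, dump_base):
    buf = bytearray(data)
    opt, sec, n, plus = _nt_offsets(buf)
    # Rebase: ImageBase becomes the base address observed when dumping.
    struct.pack_into("<Q" if plus else "<I", buf, opt + (24 if plus else 28), dump_base)
    # Raw offsets will equal RVAs, so FileAlignment must match SectionAlignment
    # (an extra step beyond the page's list; the loader rejects the file otherwise).
    struct.pack_into("<I", buf, opt + 36, struct.unpack_from("<I", buf, opt + 32)[0])
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    vas = [struct.unpack_from("<I", buf, sec + SECTION_HDR_LEN * i + 12)[0] for i in range(n)]
    for i, va in enumerate(vas):
        off = sec + SECTION_HDR_LEN * i
        # Raw Size = next section's address minus this one's (last: up to SizeOfImage);
        # Virtual Size copies the fixed Raw Size; Raw Address = Virtual Address.
        raw_size = (vas[i + 1] if i + 1 < n else size_of_image) - va
        struct.pack_into("<III", buf, off + 8, raw_size, va, raw_size)
        struct.pack_into("<I", buf, off + 20, va)
    return bytes(buf)


def build_sample_dump():
    """Constructed 32-bit image laid out as in memory (headers at 0, sections at
    their RVAs) whose section headers still carry the on-disk raw values."""
    section_align, file_align, size_of_image = 0x1000, 0x200, 0x3000
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # link-time ImageBase
    struct.pack_into("<II", opt, 32, section_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)     # SizeOfImage, SizeOfHeaders
    secs = struct.pack(SECTION_HDR_FMT, b".text", 0xF00, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR_FMT, b".data", 0x800, 0x2000, 0xA00, 0x1400,
                        0, 0, 0, 0, 0xC0000040)
    image = bytearray(size_of_image)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    image[:len(hdr)] = hdr
    image[0x1000:0x1004] = b"\x55\x8b\xec\xc3"                 # push ebp; mov ebp,esp; ret
    return bytes(image)
```

Run `fix_dumped_pe(open("dump.bin", "rb").read(), base)` on a real dump and write the result out; the import table still needs rebuilding (e.g. with Scylla) before the file will run.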
Before the unpacked executable executes (ref: FOR710)
Numerous initialization activities must take place to prepare an executable for actual execution. These are the key activities needed to load an executable after unpacking:
- Confirm the file is a Windows executable
- Resolve critical APIs
- Map the executable into memory
- Load imported DLLs
- Resolve imported functions
- Apply relocations, if necessary
- Update section permissions, if necessary
- Identify the entry point (EP) for execution
- Execute code beginning at the EP
PEB Walk
The Process Environment Block (PEB) is a data structure in memory that contains information about the running process, including:
- Loaded modules
- If the process is being debugged
- Process parameters (e.g., current directory or command line)
Shellcode accesses the PEB to:
- Enumerate DLLs loaded in memory
- Access each DLL’s exported functions
- Resolve Windows API addresses
In a disassembler, you’ll see the code perform these instructions to retrieve the PEB address:
```asm
MOV EAX, DWORD PTR FS:[30h]
```
or
```asm
PUSH 30h
POP EBX
MOV EAX, FS:[EBX]
```
| PEB Walking | Description |
|---|---|
| ZwQueryInformationProcess | Retrieves information about a specified process, such as its Process Environment Block (PEB). |
| NtQueryInformationProcess | Retrieves information about a specified process, such as its Process Environment Block (PEB). |
| NtReadVirtualMemory | Reads data from the memory of a specified process, often used to access the PEB. |
| NtQuerySystemInformation | Retrieves information about the system, such as the list of loaded modules and their base addresses. |
API Hashing
- Shellcode often passes a precalculated hash to a function to resolve APIs.
- This function:
  - Iterates over all modules loaded by the process.
  - For each module, the module name (e.g., kernel32.dll) is hashed.
  - For each exported function in the module, the function name is hashed.
  - The combined hash (i.e., the addition of the module name hash and function name hash) is compared against the hash passed to the function.
  - If there is a match, the code resolves the address of the function so it can be called; if there is no match, it moves to the next loaded module and repeats the process.
| API Hashing | Description |
|---|---|
| LoadLibraryA | Loads a dynamic-link library (DLL) into the address space of the calling process. |
| GetProcAddress | Retrieves the address of an exported function or variable from a specified DLL. |
| LdrGetProcedureAddress | Retrieves the address of an exported function or variable through the native loader (Ldr) API. |
| GetModuleHandleA | Retrieves a handle to the specified module (DLL or executable file). |
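The analyst's side of the scheme described above, as an added example that is not part of the original page: it reproduces the common ROR13 variant (module name upper-cased as UTF-16 with its null terminator, export name as null-terminated ASCII, the two hashes added) and builds a lookup table so hashes pulled from a sample can be resolved to names. The export list is a constructed subset; the choice of ROR13 is an assumption that has to be checked against the sample's own hash loop.

```python
"""Resolve "module hash + function hash" API hashes (ROR13 variant) to names."""

MASK = 0xFFFFFFFF


def ror32(value, bits):
    return ((value >> bits) | (value << (32 - bits))) & MASK


def hash_bytes(data, bits=13):
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & MASK
    return h


def module_hash(module, bits=13):
    # The loader stores BaseDllName in the PEB as UTF-16; the resolver upper-cases
    # it and walks the terminating null as well, so the same bytes are hashed here.
    return hash_bytes((module.upper() + "\0").encode("utf-16-le"), bits)


def function_hash(function, bits=13):
    # Export names come from the export table as null-terminated, case-sensitive ASCII.
    return hash_bytes((function + "\0").encode("ascii"), bits)


def api_hash(module, function, bits=13):
    return (module_hash(module, bits) + function_hash(function, bits)) & MASK


def build_lookup(exports, bits=13):
    """exports: {module: [export names]} -> {hash: 'module!function'}.
    For real work, feed it every export of the DLLs on the analysis VM."""
    table = {}
    for module, names in exports.items():
        mh = module_hash(module, bits)
        for name in names:
            table[(mh + function_hash(name, bits)) & MASK] = f"{module}!{name}"
    return table


def resolve(hashes, table):
    """Map hashes found in a sample to names; anything unknown stays flagged."""
    return [(h, table.get(h, "unresolved")) for h in hashes]


# Constructed subset of exports, enough to exercise the resolver.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateThread", "ExitProcess", "WinExec"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    for h, name in resolve([api_hash("kernel32.dll", "LoadLibraryA"), 0x12345678], table):
        print(f"{h:08x} -> {name}")
```

If none of the sample's hashes resolve, the rotation count, the case handling or the null-terminator treatment differs from this variant; adjust `bits` and the encoding to match the loop seen in the disassembly.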
Ransomware
Ransomware flow 101:
- Collect PC information
- Determine which file extensions or directories need to be encrypted (extension blacklist or whitelist).
- Get or find directories and files (with specific extensions). May include network shares.
- Generate cryptographic keys
- Encrypt files (overwrite, or create a new file). If creating a new one, it deletes the original file.
- Append the ransomware extension to the encrypted file
- Drop a readme text file
- Optional
  - Delete shadow copies
  - Disable Windows file locking to maximize the number of files ransomed
  - Change wallpaper
  - Connect to CnC (Command and Control server)
  - Enumerate network shares
  - Exploit vulnerabilities
  - Create persistence
  - Stop services
  - Stop processes
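An added example, not part of the original page: a triage pass over a ProcMon CSV export that looks for the flow above from the behavior-monitoring side, i.e. files renamed with an appended extension, originals deleted after a new file was written, and a note dropped. The CSV lines and the note-name keywords are constructed; thresholds are assumptions to tune per case.

```python
"""Flag ransomware-style file activity in a ProcMon CSV export."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in ProcMon's CSV export layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","enc.exe","4120","CreateFile","C:\Users\a\Docs\q1.xlsx","SUCCESS","Desired Access: Generic Read/Write"
"10:01:02.110","enc.exe","4120","ReadFile","C:\Users\a\Docs\q1.xlsx","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.120","enc.exe","4120","WriteFile","C:\Users\a\Docs\q1.xlsx","SUCCESS","Offset: 0, Length: 65,552"
"10:01:02.130","enc.exe","4120","SetRenameInformationFile","C:\Users\a\Docs\q1.xlsx","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\a\Docs\q1.xlsx.lock3d"
"10:01:02.300","enc.exe","4120","SetRenameInformationFile","C:\Users\a\Docs\plan.docx","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\a\Docs\plan.docx.lock3d"
"10:01:02.500","enc.exe","4120","CreateFile","C:\Users\a\Docs\photo.jpg.lock3d","SUCCESS","Desired Access: Generic Write"
"10:01:02.510","enc.exe","4120","SetDispositionInformationFile","C:\Users\a\Docs\photo.jpg","SUCCESS","Delete: True"
"10:01:03.000","enc.exe","4120","CreateFile","C:\Users\a\Docs\README_RESTORE_FILES.txt","SUCCESS","Desired Access: Generic Write"
"10:01:05.000","notepad.exe","2200","SetRenameInformationFile","C:\Users\a\notes.txt","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\a\notes.bak"
'''

# Constructed keyword list for ransom-note file names.
NOTE_RE = re.compile(r"readme|restore|recover|decrypt|how[_ -]?to", re.I)


def _appended_suffix(old, new):
    """Return the extension appended to `old` to get `new`, or None."""
    if len(new) > len(old) and new.lower().startswith(old.lower()):
        return new[len(old):].lower()
    return None


def triage(csv_text, min_files=3):
    procs = defaultdict(lambda: {"proc": "", "exts": defaultdict(int),
                                 "deleted": [], "created": [], "notes": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = procs[row["PID"]]
        rec["proc"] = row["Process Name"]
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "SetRenameInformationFile":            # in-place encrypt, then rename
            suffix = _appended_suffix(path, detail.split("FileName: ", 1)[-1])
            if suffix:
                rec["exts"][suffix] += 1
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            rec["deleted"].append(path)                 # original removed
        elif op == "CreateFile" and "Generic Write" in detail:
            rec["created"].append(path)                 # new file written
            if NOTE_RE.search(path.rsplit("\\", 1)[-1]):
                rec["notes"].append(path)
    findings = []
    for pid, rec in procs.items():
        for old in rec["deleted"]:                      # create-new-then-delete variant
            for new in rec["created"]:
                suffix = _appended_suffix(old, new)
                if suffix:
                    rec["exts"][suffix] += 1
        if not rec["exts"]:
            continue
        ext, count = max(rec["exts"].items(), key=lambda kv: kv[1])
        if count >= min_files:
            findings.append({"pid": pid, "process": rec["proc"], "extension": ext,
                             "files": count, "deleted_originals": len(rec["deleted"]),
                             "ransom_notes": rec["notes"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f)
```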
Common CryptoAPI encryption
| CryptoAPI Function | Description |
|---|---|
| CryptAcquireContext | Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations. |
| CryptImportKey | Imports an embedded public key into the cryptographic context for use in encryption. |
| CryptGenRandom | Generates random bytes suitable for cryptographic purposes, typically used for initialization vectors (IVs). |
| rand | Generates pseudo-random bytes, often used for generating IVs as an alternative to CryptGenRandom. |
| GetTickCount | Retrieves the number of milliseconds that have elapsed since the system was started, sometimes used for generating IVs. |
| CryptGenKey | Generates a symmetric key for use in cryptographic operations such as encryption and decryption. |
| CryptSetKeyParam | Modifies various aspects of a cryptographic key, such as the key’s operation mode or parameters. |
| CryptExportKey | Exports a cryptographic key, often used for sharing public keys generated by CryptGenKey. |
| CryptEncrypt | Encrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext. |
| CryptDestroyKey | Destroys the cryptographic key by freeing its resources. |
| CryptDeriveKey | Derives a key from a specified hash value or password. |
| CryptDecrypt | Decrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext. |
| CryptReleaseContext | Releases the handle to a cryptographic service provider (CSP) obtained from CryptAcquireContext. |
File encryption APIs
| File Encryption APIs | Description |
|---|---|
| CreateFile | Opens or creates a file for reading, writing, or both. |
| SetFilePointer | Moves the file pointer within a file to a specified location. |
| SetFilePointerEx | Extended version of SetFilePointer with support for large files. |
| WriteFile | Writes data to a file, typically used for writing encrypted content and key information. |
| ReadFile | Reads data from a file, usually used for reading the original file contents. |
| CloseFile | Closes the file handle, releasing system resources. |
| MoveFile | Renames or moves a file, often used to update file extensions after encryption. |
Common algorithm of data
Besides reading the APIs, knowing the patterns of the algorithm and a little bit of Google searching may contribute to the findings. Alternatively, we can use tools such as the CAPA scanner or KANAL.
Encryption
Common symmetric algorithms
- AES
- RC4
- Serpent
- Blowfish
Common Asymmetric algorithms
- RSA
| CryptoAPI Function | Description |
|---|---|
| CryptAcquireContext | Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations. Required to use CryptoAPI. |
| CryptEncrypt | Encrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext. |
| CryptDeriveKey | Derives a key from a specified hash value or password. The Algid parameter is crucial. |
| CryptDecrypt | Decrypts data using the specified cryptographic key and algorithm obtained from CryptImportKey and CryptAcquireContext. |
Hashing
- MD5 hashing
- SHA hashing
- CRC hashing
| API Function | Description |
|---|---|
| CryptAcquireContext | Acquires a handle to a Cryptographic Service Provider (CSP) for cryptographic operations. Required to use CryptoAPI. |
| CryptCreateHash | Initiates the hashing of a stream of data. The Algid parameter is crucial. |
Compression
- APLib Compression
- LZNT Compression
- LZMA Compression
| API Function | Description |
|---|---|
| RtlCompressBuffer | Compresses a given buffer of data. |
| RtlDecompressBuffer | Decompresses a given buffer of compressed data. |
Shellcode
- Shellcode is a sequence of bytes that represents assembly instructions.
- Often allocated by VirtualAlloc.
- Hunt for the NOP (0x90) sled, which designates its likely beginning, and the 00 byte values that designate its likely end.
- To load DLLs and resolve API function names, shellcode often seeks kernel32.dll for LoadLibrary and GetProcAddress.
- Shellcode looks for the Process Environment Block (PEB) to locate kernel32.dll in the memory of the exploited application.
Shellcode common opcodes
| Opcode | Description |
|---|---|
| FC | This translates to the instruction CLD (clear direction flag). |
| EB | This is the opcode for a relative jump instruction. |
| E8 | This is the opcode for a CALL instruction. |
| 55 8B EC | This translates to the instructions push ebp and mov ebp,esp, commonly seen at the beginning of a function (i.e., the function prologue) in x86. |
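An added scanner, not part of the original page, that puts the opcode table and the PEB Walk instructions to work on a raw blob: it reports NOP sleds, a leading CLD, E8 calls and EB jumps whose targets land inside the buffer (filtering out random bytes), the fs:[30h] / gs:[60h] PEB-access encodings, x86 prologues, and the trailing-null region. The sample blob is constructed; the x64 gs:[60h] form is an addition beyond the x86 forms shown on the page.

```python
"""Heuristic scanner for shellcode markers in a raw byte blob."""
import re
import struct

# PEB-access encodings: the x86 fs:[30h] forms from the PEB Walk section and the
# x64 gs:[60h] form; the byte class matches any destination register.
PEB_PATTERNS = [
    (re.compile(rb"\x64\xa1\x30\x00\x00\x00"), "mov eax, fs:[30h]"),
    (re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),
     "mov r32, fs:[30h]"),
    (re.compile(rb"\x6a\x30\x5b\x64\x8b\x03"), "push 30h; pop ebx; mov eax, fs:[ebx]"),
    (re.compile(rb"\x65\x48\x8b[\x04\x0c\x14\x1c\x24\x2c\x34\x3c]\x25\x60\x00\x00\x00"),
     "mov r64, gs:[60h]"),
]
PROLOGUE = re.compile(rb"\x55\x8b\xec")          # push ebp; mov ebp, esp


def find_nop_sleds(data, min_len=4):
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]


def find_branches(data):
    """E8 rel32 calls and EB rel8 jumps whose target lies inside the buffer."""
    calls, jumps, n = [], [], len(data)
    for off in range(n):
        op = data[off]
        if op == 0xE8 and off + 5 <= n:
            tgt = off + 5 + struct.unpack_from("<i", data, off + 1)[0]
            if 0 <= tgt < n:
                calls.append((off, tgt))
        elif op == 0xEB and off + 2 <= n:
            tgt = off + 2 + struct.unpack_from("<b", data, off + 1)[0]
            if 0 <= tgt < n:
                jumps.append((off, tgt))
    return calls, jumps


def trailing_null_offset(data, min_len=4):
    m = re.search(rb"\x00{%d,}\Z" % min_len, data)
    return m.start() if m else None


def scan_shellcode(data):
    first = next((i for i, b in enumerate(data) if b != 0x90), None)
    calls, jumps = find_branches(data)
    return {
        "nop_sleds": find_nop_sleds(data),
        "cld_first": first is not None and data[first] == 0xFC,   # CLD after the sled
        "calls": calls,
        "short_jumps": jumps,
        "peb_access": sorted((m.start(), name)
                             for rx, name in PEB_PATTERNS for m in rx.finditer(data)),
        "prologues": [m.start() for m in PROLOGUE.finditer(data)],
        "trailing_nulls_at": trailing_null_offset(data),
    }


# Constructed blob: sled, cld, a call over the PEB fetch, a prologue, jmp $, padding.
SAMPLE = (b"\x90" * 6
          + b"\xfc"
          + b"\xe8\x06\x00\x00\x00"          # call +6 -> lands on the prologue
          + b"\x6a\x30\x5b\x64\x8b\x03"      # push 30h; pop ebx; mov eax, fs:[ebx]
          + b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
          + b"\xeb\xfe"                      # jmp $
          + b"\x00" * 4)

if __name__ == "__main__":
    for key, value in scan_shellcode(SAMPLE).items():
        print(f"{key}: {value}")
```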
Rebase shellcode address
Formula:
Base Address of image - Entry point of Shellcode
Execution
- shellcode2exe.py, then perform reversing in a debugger/disassembler or behavior analysis.
- jmp2it
- shellcode_launcher
Disassemble
- IDA Pro. Press C to convert undefined data to code
- Ghidra. Choose the right compiler for the language option
- x64Dbg. Step through the code in the debugger
Emulate
- xorsearch with the parameters -W -d 3, to spot shellcode patterns in binary files.
Other languages
.NET
- Use DnSpy
- Go to Entry Point
- Find Reference
- Use Module Breakpoint
- Watch Local variables
- Show in memory, dump in memory
- de4dot to decode encoded strings
- NETReactorSlayer to deobfuscate
Golang resources
Rust
JS
Deobfuscation using browser
- Extract the JS
- Create an HTML wrapper:
```html
<html>
<script>
var x = eval(suspicious_js_code); // suspicious_js_code: the extracted JS
alert(x);
</script>
</html>
```
- Open the JS in the browser
- Open dev tools > Sources
- Set a breakpoint on the “alert(x)” line
- Reload the page and observe the output
Manual deobfuscation
- Beautify the code
- Remove variables that are only used once
- Replace complicated values with readable values
- Rename variables
- Apply the steps above by hand and add some code to debug the JS, such as document.write(interesting_var), or add a new line of code to call the interesting function interesting_function()
VB
AutoIT
Powershell fileless
- Use psunveil. Refer: https://www.kahusecurity.com/posts/introducing_psunveil.html
- Enable logging. Refer: https://fareedfauzi.github.io/2021/02/06/LemonDuck-Powershell.html#bonus-tips
Building an effective YARA
- Static file characteristics (pestats.py).
- Embedded strings (PeStudio, strings64.exe, pecompare.py).
- Code analysis results (Ghidra).
- Binary comparison results (Ghidra, BinDiff).
- Use https://github.com/Neo23x0/yarGen and review/improve the rule.
Personally, all the tools in Flare-vm and Remnux are more than enough.
Helpful references
Some references that can help in analyzing malware:
- Anti technique Map: Provides a map of anti-analysis techniques used by malware.
- MalAPI: Resource detailing common Windows APIs used in analyzing and reversing Windows malware.
- Filesec: Resource listing file extensions commonly used by attackers.
- LOLBAS: Information on fileless and script-based techniques used by malware, known as Living Off the Land Binaries and Scripts.
- APT’s malware analysis reports: Reports and analyses of malware associated with Advanced Persistent Threat (APT) groups.
- Google: Using search engines for additional information and research.
- vx-underground: Underground forum and resource for malware research and analysis.
- Compilation of malware source code: Collection of malware source code for study and analysis.
- Ask the communities: Engaging with online communities and forums dedicated to malware analysis for assistance and collaboration.
- “Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book”