Cheatsheet: Windows Malware Analysis and Reversing


Introduction

When analysing or investigating a malware sample, what are the important questions to answer?

This checklist helps pin down the goal of the analysis, so that we avoid reversing parts of the malicious code that do not matter to the investigation or that turn out to be a rabbit hole.

How?

How does it download, start or execute?

  • Where did it come from?
  • How did it get there?
  • Which parent program dropped it?
  • How is it executed? Did a user run it? Did someone run it remotely?

Anti-analysis

Are any anti-analysis techniques implemented?

  • Anti Debugging
  • Anti Disassembly
  • Anti VM
  • Antivirus/EDR evasion
  • Packer
  • Cryptor
  • Sandbox evasion

Relate the analysis

Do any basic, automated or dynamic analysis results give us hints?

  • Basic analysis
    • strings
    • MultiAV result
    • ssdeep (comparing with other variant)
    • PE analysis
  • Dynamic analysis
    • Process
    • File system
    • Network
    • Registry
  • Sandbox analysis result
    • Static analysis result
    • Dynamic analysis result

Important things

What are we looking for?

  • IOCs
  • Commands
  • Dropped files
  • Domains / IP
  • Registry keys modified/added/deleted
  • Tactics, techniques and procedures (TTPs)
  • Encryption/Decryption routines
  • Folder and file access
  • Malware features
  • Hardcoded values / strings
  • Common WinAPI calls used for malicious actions
  • Shellcode
  • Encrypted data/blobs
  • Does the malware escalate privileges?

Malware features

What are some of the malware features?

  • Downloader
  • Launcher
  • Backdoor
    • Reverse Shell
    • RAT
    • Botnet
  • Credential stealer
    • Keylogger
    • Mimikatz-style credential dumping (LSASS)
  • Encrypt files
  • Command and control
  • Propagation
  • Exploit
  • Process manipulation
    • Process injection, etc.
  • Bypass UAC
  • Evade AV
  • Anti Forensic

Findings

What do the findings mean in terms of behaviour?

  • Does the domain really act as command and control?
  • Why does it encrypt a certain part?
  • Many more... validate your theory

Ask these kinds of questions while reversing the malware.

Persistence mechanism

Does it have a persistence mechanism?

  • Registry key
  • Scheduled tasks
  • Startup folder
  • Winlogon Registry Entries
  • Image file execution options
  • Accessibility programs
  • WMI event subscription persistence
  • AppInit_DLLs
  • DLL Search Order Hijacking
  • Service

Public research

  • Published APT malware analysis reports
  • Google
  • vx-underground
  • Compilation of Malware source code
  • Ask the communities

Ransomware 101:

  • Collect PC information
  • Determine which file extensions or directories need to be encrypted (blacklist or whitelist of extensions).
  • Find the target directories and files (with specific extensions); may include network shares.
  • Generate cryptographic keys
  • Encrypt files (overwrite in place or write a new file; if a new file is written, the original is deleted).
  • Append the ransomware extension to the encrypted file
  • Drop readme text file
  • Optional
    • Delete shadow copies
    • Work around Windows file locks (e.g. terminate processes holding target files open) to maximise the number of files encrypted
    • Change wallpaper
    • Connect to CnC
    • Enumerate network share
    • Exploit vulnerabilities
    • Create persistence
    • Stop services
    • Stop process

Microsoft CryptoAPI functions commonly used by ransomware

  • CryptAcquireContext = Acquire a handle to a Cryptographic Service Provider (CSP)
  • CryptImportKey = Import an embedded public key (PUBLICKEYBLOB) or a wrapped session key (SIMPLEBLOB)
  • CryptGenRandom OR rand OR GetTickCount etc. = Generate random bytes for an IV or key material
  • CryptGenKey = Generate a symmetric session key (e.g. CALG_AES_256) or an RSA key pair
  • CryptSetKeyParam = Alter aspects of a key's operation, e.g. KP_MODE (cipher mode) and KP_IV
  • CryptExportKey = Export the session key generated by CryptGenKey, usually as a SIMPLEBLOB wrapped with the imported public key so that only the attacker's private key can recover it
  • CryptEncrypt = Encrypt with a key handle (from CryptGenKey or CryptImportKey); the algorithm is bound to the key, CryptAcquireContext only selected the provider
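As an added example (not part of the original cheatsheet), the following Python decodes the CryptoAPI key blobs that ransomware passes to CryptImportKey and receives from CryptExportKey, and locates an embedded PUBLICKEYBLOB inside a dumped binary by its fixed header. The layouts (BLOBHEADER, RSAPUBKEY, SIMPLEBLOB, PLAINTEXTKEYBLOB) follow wincrypt.h; the sample binary and the 1024-bit modulus are constructed here and are not from any real sample.

```python
import struct

# bType values from the BLOBHEADER structure (wincrypt.h)
SIMPLEBLOB, PUBLICKEYBLOB, PRIVATEKEYBLOB, PLAINTEXTKEYBLOB = 0x01, 0x06, 0x07, 0x08
CUR_BLOB_VERSION = 0x02

# ALG_ID values (wincrypt.h); unknown IDs are reported as hex
ALG_NAMES = {
    0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN",
    0x6603: "CALG_3DES", 0x6801: "CALG_RC4",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
}
RSA1_MAGIC = 0x31415352  # "RSA1": public key blob
RSA2_MAGIC = 0x32415352  # "RSA2": private key blob


def parse_key_blob(blob: bytes) -> dict:
    """Decode a CryptoAPI key blob (the buffer given to CryptImportKey / returned by CryptExportKey)."""
    if len(blob) < 8:
        raise ValueError("too short for BLOBHEADER")
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if bversion != CUR_BLOB_VERSION:
        raise ValueError("unexpected blob version %d" % bversion)
    info = {"type": btype, "alg": ALG_NAMES.get(alg, hex(alg))}
    if btype in (PUBLICKEYBLOB, PRIVATEKEYBLOB):
        # BLOBHEADER is followed by RSAPUBKEY {magic, bitlen, pubexp} and the little-endian modulus
        magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
        if magic != (RSA1_MAGIC if btype == PUBLICKEYBLOB else RSA2_MAGIC):
            raise ValueError("bad RSAPUBKEY magic %#x" % magic)
        if bitlen % 8 or not 384 <= bitlen <= 16384 or len(blob) < 20 + bitlen // 8:
            raise ValueError("implausible or truncated RSA key")
        info.update(bitlen=bitlen, pubexp=pubexp,
                    modulus=int.from_bytes(blob[20:20 + bitlen // 8], "little"))
    elif btype == SIMPLEBLOB:
        # session key wrapped with a key-exchange key: ALG_ID of the wrapping key, then the ciphertext
        (kx_alg,) = struct.unpack_from("<I", blob, 8)
        info.update(kx_alg=ALG_NAMES.get(kx_alg, hex(kx_alg)), wrapped_key=blob[12:])
    elif btype == PLAINTEXTKEYBLOB:
        (keylen,) = struct.unpack_from("<I", blob, 8)
        info["key"] = blob[12:12 + keylen]
    else:
        info["payload"] = blob[8:]
    return info


def find_public_key_blobs(data: bytes) -> list:
    """Locate embedded PUBLICKEYBLOBs by their fixed 12-byte prefix (BLOBHEADER + 'RSA1')."""
    hits = []
    for alg in (0xA400, 0x2400):
        sig = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg) + b"RSA1"
        pos = data.find(sig)
        while pos != -1:
            try:
                hits.append((pos, parse_key_blob(data[pos:])))
            except ValueError:
                pass  # header-like bytes that do not form a sane blob
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def build_public_key_blob(modulus: int, pubexp: int = 65537, bitlen: int = 1024) -> bytes:
    """Lay out a PUBLICKEYBLOB exactly as CryptExportKey(..., PUBLICKEYBLOB, ...) would."""
    return (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0xA400)
            + struct.pack("<III", RSA1_MAGIC, bitlen, pubexp)
            + modulus.to_bytes(bitlen // 8, "little"))


# Constructed sample: a fake 1024-bit modulus embedded between padding, as it might sit in .data
SAMPLE_MODULUS = int.from_bytes(bytes(range(1, 129)), "little")
SAMPLE_BINARY = b"\x00" * 64 + build_public_key_blob(SAMPLE_MODULUS) + b"\xcc" * 32

if __name__ == "__main__":
    for off, info in find_public_key_blobs(SAMPLE_BINARY):
        print(f"{off:#x}: {info['alg']} {info['bitlen']}-bit e={info['pubexp']} n={info['modulus']:#x}")
```

Run it against a memory dump or the unpacked PE; a hit confirms the "embedded public key" half of the ransomware flow, and a SIMPLEBLOB written into the encrypted file (or ransom note) shows which key-exchange algorithm wrapped the session key.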

File encryption APIs

  • CreateFile = Open a file
  • SetFilePointer, SetFilePointerEx = Seek to the beginning or end of a file (e.g. to encrypt only the first N bytes or append a key footer)
  • ReadFile = Read the contents of the original file
  • WriteFile = Write the encrypted contents and key information
  • CloseHandle = Close the file handle
  • MoveFile / MoveFileEx = Rename the file to add the ransomware extension

Google

  • Example: Googling "GetAsyncKeyState + malware" returns many results about keylogger malware.
  • Search for malware development techniques that use a certain API:
    • https://0xpat.github.io/
    • https://cocomelonc.github.io/
    • https://www.ired.team/offensive-security/code-injection-process-injection
    • https://github.com/LordNoteworthy/al-khaser
    • https://github.com/topics/malware-development

WinAPI process injection list

  • DLL Injection:
    • OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ) and CreateRemoteThread( ), NtCreateThread( ), RtlCreateUserThread( )
  • PE Injection:
    • OpenThread( ), SuspendThread( ), VirtualAllocEx( ), WriteProcessMemory( ), SetThreadContext( ) and ResumeThread( ), NtResumeThread( )
  • Reflective Injection:
    • CreateFileMapping( ), MapViewOfFile( ), OpenProcess( ), memcpy( ) and NtMapViewOfSection( ), OpenProcess( ), CreateThread( ), NtQueueApcThread( ), CreateRemoteThread( ) or RtlCreateUserThread( )
  • APC Injection:
    • SleepEx( ), SignalObjectAndWait( ), MsgWaitForMultipleObjectsEx( ), WaitForMultipleObjectsEx( ), or WaitForSingleObjectEx( ), CreateToolhelp32Snapshot( ), Process32First( ), Process32Next( ), Thread32First( ), Thread32Next( ), QueueUserAPC( ) and KeInitializeApc( )
  • Hollowing or Process Replacement:
    • CreateProcess( ), NtQueryInformationProcess( ), GetModuleHandle( ), Zw/NtUnmapViewOfSection( ), VirtualAllocEx( ), WriteProcessMemory( ), GetThreadContext( ), SetThreadContext( ) and ResumeThread( )
  • AtomBombing:
    • GlobalGetAtomName( ) and NtQueueApcThread( ), NtSetContextThread( ), OpenThread( ), GlobalAddAtom( ), GlobalGetAtomName( ) and QueueUserAPC( )
  • Process Doppelgänging:
    • CreateTransaction( ), CreateFileTransacted( ), NtCreateSection( ), NtCreateProcessEx( ), NtQueryInformationProcess( ), NtCreateThreadEx( ) and RollbackTransaction( )
  • Hooking Injection:
    • LoadLibraryW( ), GetProcAddress( ), SetWindowsHookEx( ) and PostThreadMessage( )
  • Extra Window Memory Injection:
    • FindWindowA( ), GetWindowThreadProcessId( ), OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ), SetWindowLongPtrA( ) and SendNotifyMessage( )
  • PROPagate injection:
    • FindWindow( ), FindWindowEx( ), GetProp( ), GetWindowThreadProcessId( ), OpenProcess( ), ReadProcessMemory( ), VirtualAllocEx( ), WriteProcessMemory( ), SetProp( ) and PostMessage( )

WinAPI Anti-debug

  • IsDebuggerPresent()
  • CheckRemoteDebuggerPresent()
  • NtQueryInformationProcess()
  • OutputDebugString()
  • BeingDebugged flag in the PEB
  • ProcessHeap Flags / ForceFlags fields (differ when the process was started under a debugger)
  • NtGlobalFlag in the PEB
  • LookupPrivilegeValue() with the SeDebugPrivilege argument
  • BlockInput()

WinAPI used for unpacking

Interesting API breakpoints for unpacking:

  • CreateProcessInternalW( )
  • VirtualAlloc( ) or VirtualAllocEx( )
  • VirtualProtect( ) or ZwProtectVirtualMemory( )
  • WriteProcessMemory( ) or NtWriteProcessMemory( )
  • ResumeThread( ) or NtResumeThread( )
  • CryptDecrypt( ) or RtlDecompressBuffer( )
  • NtCreateSection( ) + MapViewOfSection( ) or ZwMapViewOfSection( )
  • UnmapViewOfSection( ) or ZwUnmapViewOfSection( )
  • NtWriteVirtualMemory( )
  • NtReadVirtualMemory( )

Unpacking: what a loader does

Before the loader (or the unpacking stub) can run the unpacked binary, it has to (ref: FOR710):

  • Confirm the file is a Windows executable
  • Resolve critical APIs
  • Map the executable into memory
  • Load imported DLLs
  • Resolve imported functions
  • Apply relocations, if necessary
  • Update section permissions, if necessary
  • Identify the entry point (EP) for execution
  • Execute code beginning at the EP
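The first and last of those steps (confirm it is a PE, find the entry point) are also what an analyst does by hand when checking whether a dump is a sane, unpacked executable. The Python below is an added example, not code from the cheatsheet or from FOR710: it walks the DOS, COFF, optional and section headers, maps the entry point RVA to a section and a file offset, and flags the packer signs a loader would trip over (entry point in a writable or non-standard section, executable sections with no bytes on disk). The minimal PE32 it parses is constructed in the block.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
DIR_BASERELOC = 5  # index of the base-relocation data directory


def parse_pe(data: bytes) -> dict:
    """Walk the headers the way a loader does and flag entry-point oddities typical of packed files."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    if pe32plus:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dirs = opt + (112 if pe32plus else 96)    # data directories start after the fixed part
    _reloc_rva, reloc_size = struct.unpack_from("<II", data, dirs + DIR_BASERELOC * 8)

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})

    ep_sec = next((s for s in sections if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    hints = []
    if ep_sec is None:
        hints.append("entry point outside every section")
    else:
        if not ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hints.append("entry point section is not executable")
        if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
            hints.append("entry point section is writable (self-modifying stub?)")
        if ep_sec["name"] not in (".text", "CODE"):
            hints.append("entry point in non-standard section %r" % ep_sec["name"])
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["rawsize"] == 0 and s["vsize"]:
            hints.append("%s: executable but has no raw data (filled at runtime)" % s["name"])

    ep_off = None  # file offset of the EP, only meaningful if its section has bytes on disk
    if ep_sec and ep_sec["rawsize"] and entry - ep_sec["va"] < ep_sec["rawsize"]:
        ep_off = entry - ep_sec["va"] + ep_sec["rawptr"]
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": pe32plus,
            "image_base": image_base, "entry_rva": entry, "entry_file_offset": ep_off,
            "entry_section": ep_sec["name"] if ep_sec else None,
            "aslr": bool(dll_chars & 0x40), "has_relocations": reloc_size > 0,
            "sections": sections, "hints": hints}


def _section(name, va, vsize, rawsize, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample_pe(entry_rva=0x1000) -> bytes:
    """Constructed minimal PE32: a .text with real bytes plus an RWX .packed section that is empty on disk."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)      # x86, 2 sections, 224-byte opt hdr
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x10000, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x12000, 0x200, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data dirs
    secs = (_section(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
            + _section(b".packed", 0x2000, 0x10000, 0, 0, 0xE0000060))
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    text = b"\x55\x8B\xEC\x33\xC0\x5D\xC3".ljust(0x200, b"\xCC")        # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    return headers + text


if __name__ == "__main__":
    for ep in (0x1000, 0x2000):
        r = parse_pe(build_sample_pe(ep))
        print(hex(ep), r["entry_section"], r["entry_file_offset"], r["hints"])
```

The same walk, pointed at a process dump instead of a file, tells you whether the "unpacked" image is ready to be rebuilt: an entry point that lands in a section with no raw data means you dumped too early.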

Shellcode common opcodes (ref: FOR710)

  • FC: This translates to the instruction CLD (clear direction flag)
  • EB: This is the opcode for a relative jump instruction.
  • E8: This is the opcode for a CALL instruction.
  • 55 8B EC: This translates to the instructions push ebp and mov ebp,esp, commonly seen at the beginning of a function (i.e., the function prologue) in x86.
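Those bytes are only meaningful in context: E8 appears in any binary, but a CLD immediately followed by a CALL, or a CALL $+5 followed by a POP (the GetPC trick), is what position-independent shellcode looks like. The scanner below is an added example, not code from the cheatsheet or FOR710; it reports these patterns with their resolved targets and gives a verdict. The x86 and x64 stub bytes and the GetPC snippet are constructed test inputs (the x86 one is the well-known opening of a Metasploit-style stager, padded with NOPs so the call target lies inside the buffer).

```python
def scan_shellcode(buf: bytes) -> list:
    """Return (offset, description) for opcode patterns that characterise position-independent shellcode."""
    n = len(buf)
    findings = []
    for i, b in enumerate(buf):
        if b == 0xFC:                                                 # cld
            nxt = buf[i + 1:i + 6]
            if nxt[:1] == b"\xE8":
                findings.append((i, "cld; call rel32 (x86 MSF-style stub)"))
            elif nxt == b"\x48\x83\xE4\xF0\xE8":
                findings.append((i, "cld; and rsp,-16; call rel32 (x64 MSF-style stub)"))
        elif b == 0xE8 and i + 5 <= n:                                # call rel32
            rel = int.from_bytes(buf[i + 1:i + 5], "little", signed=True)
            target = i + 5 + rel
            if rel == 0 and i + 5 < n and 0x58 <= buf[i + 5] <= 0x5F:  # call $+5; pop r32
                findings.append((i, "call $+5; pop reg (GetPC)"))
            elif 0 <= target < n:
                findings.append((i, "call rel32 -> %#x (inside buffer)" % target))
        elif b == 0xEB and i + 2 <= n:                                # jmp rel8
            rel = int.from_bytes(buf[i + 1:i + 2], "little", signed=True)
            target = i + 2 + rel
            if rel == -2:
                findings.append((i, "jmp $ (EB FE, spin loop often used to attach a debugger)"))
            elif 0 <= target < n:
                findings.append((i, "jmp short -> %#x (inside buffer)" % target))
        elif b == 0x55 and buf[i + 1:i + 3] == b"\x8B\xEC":            # push ebp; mov ebp, esp
            findings.append((i, "x86 function prologue"))
    return findings


def looks_like_shellcode(buf: bytes) -> bool:
    """Heuristic verdict: a stub prefix or a GetPC idiom is strong evidence; bare calls/jumps are not."""
    return any("stub" in d or "GetPC" in d for _, d in scan_shellcode(buf))


# Constructed inputs: opening bytes of an x86 stager stub (cld; call block_api; pushad; mov ebp,esp; ...),
# an x64 stub prefix, and a GetPC sequence, each NOP-padded so relative targets stay in range.
SAMPLE_X86 = bytes.fromhex(
    "fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ff"
    "ac3c617c022c20c1cf0d01c7e2f252578b5210").ljust(0x100, b"\x90")
SAMPLE_X64 = bytes.fromhex("fc4883e4f0e8c0000000").ljust(0x100, b"\x90")
SAMPLE_GETPC = bytes.fromhex("e8000000005b")

if __name__ == "__main__":
    for label, blob in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64), ("getpc", SAMPLE_GETPC)):
        print(label, looks_like_shellcode(blob), scan_shellcode(blob))
```

Point it at a buffer carved from a document macro, a registry value or a VirtualAlloc'd region from a dump; the offset of the stub hit is where to set the instruction pointer when emulating or debugging it.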

Building an effective YARA rule

  • Static file characteristics (pestats.py).
  • Embedded strings (PeStudio, strings64.exe, pecompare.py).
  • Code analysis results (Ghidra).
  • Binary comparison results (Ghidra, BinDiff).
  • Use https://github.com/Neo23x0/yarGen, then review and improve the generated rule.
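What yarGen automates is the selection step: keep the strings that every variant shares, drop the ones any PE has, rank the rest, and combine them with a file-type check and an opcode pattern so that no single feature carries the rule. The Python below is an added example in that spirit (not yarGen's code and not from the cheatsheet): the two "variants" and the generic-string denylist are constructed here, and the hex pattern is the MSF stub prefix from the opcode list above.

```python
import re

# Strings present in nearly every PE; constructed denylist, in practice built from a goodware corpus
GENERIC = {
    "kernel32.dll", "user32.dll", "advapi32.dll", "msvcrt.dll", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "ExitProcess", "!This program cannot be run in DOS mode.", ".text", ".rdata", ".data",
}
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> set:
    """ASCII and UTF-16LE printable runs of at least six characters (what strings/PeStudio would show)."""
    out = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    out |= {m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)}
    return out


def score(s: str) -> int:
    """Prefer long strings carrying paths, URLs, parameters or digits; penalise plain words."""
    pts = len(s)
    pts += 10 * sum(c in s for c in ("\\", "/", ":", ".", "?", "="))
    pts += 5 if any(ch.isdigit() for ch in s) else 0
    pts -= 15 if re.fullmatch(r"[A-Za-z ]+", s) else 0
    return pts


def candidate_strings(samples, limit=10) -> list:
    """Strings shared by every variant, minus generic ones, best-scored first."""
    shared = set.intersection(*(extract_strings(s) for s in samples))
    return sorted((s for s in shared if s not in GENERIC), key=lambda s: (-score(s), s))[:limit]


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, samples, opcodes=(), min_match=3, max_size="2MB") -> str:
    """Emit a draft rule: PE check, size cap, N of the shared strings, and any of the opcode patterns."""
    strs = candidate_strings(samples)
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "draft generated from shared variant strings; review before deploying"',
             "    strings:"]
    for i, s in enumerate(strs):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    for i, op in enumerate(opcodes):
        lines.append(f"        $op{i} = {{ {op} }}")
    cond = ["uint16(0) == 0x5A4D", f"filesize < {max_size}"]
    if strs:
        cond.append(f"{min(min_match, len(strs))} of ($s*)")
    if opcodes:
        cond.append("1 of ($op*)")
    lines += ["    condition:", "        " + " and ".join(cond), "}"]
    return "\n".join(lines)


# Constructed "variants": same path, C2 URI and wide mutex name; different build strings and imports
_COMMON = (b"MZ\x90\x00" + b"!This program cannot be run in DOS mode." + b"\x00" * 8
           + b"kernel32.dll\x00")
_SHARED = (b"C:\\Users\\Public\\svchost_upd.exe\x00" + b"/gate.php?id=\x00" + b"\x00"
           + "WinlogonSvcMutex_2019".encode("utf-16le") + b"\x00\x00")
SAMPLE_A = _COMMON + b"GetProcAddress\x00" + _SHARED + b"Build 0x13 debug\x00"
SAMPLE_B = _COMMON + b"LoadLibraryA\x00" + _SHARED + b"Release build\x00"

if __name__ == "__main__":
    print(build_rule("Win_Sample_Family", [SAMPLE_A, SAMPLE_B], opcodes=["FC E8 ?? ?? ?? ?? 60 89 E5"]))
```

Treat the output as the starting point the cheatsheet describes: test it against a goodware set, drop any string that fires there, and tighten the opcode pattern from the Ghidra/BinDiff results.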

Golang resources

  • https://pkg.go.dev/ -> look up Go standard library and goroutine-related functions here

JS

  1. Extract JS
  2. Create HTML