Checklist: Windows Malware Analysis

 

Introduction

When doing an analysis or investigation on a malware, what is the important things to solve or to answer in analysing the malware?

This checklist may help us to determine what is the goal when we’re doing a malware analysis on a malware, so it can avoid us from reversing/analysing part of the malicious code that does not important to our investigation or maybe a rabbit hole.

How?

How it downloads, starts or executes?

  • Where it come from
  • How it has to be there
  • Which parent program that drop it?
  • How it executes? User run it? Someone remotely run it?

Anti thingy

Is there any anti techniques implemented?

  • Anti Debugging
  • Anti Disassembly
  • Anti VM
  • Antivirus/EDR evasion
  • Packer
  • Cryptor
  • Sandbox evasion

Relate the analysis

Is there any basic, automated, dynamic analysis result that can give us any hints?

  • Basic analysis
    • strings
    • MultiAV result
    • ssdeep (comparing with other variant)
    • PE analysis
  • Dynamic analysis
    • Process
    • File system
    • Network
    • Registry
  • Sandbox analysis result
    • Static analysis result
    • Dynamic analysis result

Important things

What are the things we looking for?

  • IOCs
  • Commands
  • Dropped files
  • Domains / IP
  • Registry modify/add/delete
  • Techniques, Tactics and procedures
  • Encryption/Decryption routines
  • Folder, file access
  • Malware features
  • Hardcoded values / strings
  • Common WinAPI used for malicious action
  • Shellcode
  • Encrypted things
  • Is the malware has privilege escalation ?

Malware features

What are some of the malware features?

  • Downloader
  • Launcher
  • Backdoor
    • Reverse Shell
    • RAT
    • Botnet
  • Credential stealer
    • Keylogger
    • Mimikatz thingy
  • Encrypt file
  • Command and control
  • Propagation
  • Exploit
  • Process Manipulating
    • Process injection etc.
  • Bypass UAC
  • Evade AV
  • Anti Forensic

Findings

What is the behavior meaning of the findings?

  • Is the domain really does the command and control?
  • Why is it encrypt a certain part?
  • Many more.. validate your theory

So ask these type of question when reversing the malware.

Persistent mechanism

Does it have persistent mechanism?

  • Registry key
  • Scheduled tasks
  • Startup folder
  • Winlogon Registry Entries
  • Image file execution options
  • Accessibility programs
  • WMIC Persitent
  • AppInit_DLLs
  • DLL Search Order Hijacking
  • Service

Public reseach

  • APT’s malware analysis
  • Google
  • vx-underground
  • Compilation of Malware source code
  • Ask the communities

Ransomware 101:

  • Collect PC information
  • Determine which file extension or directories need to be encrypt. Blacklist or whitelist extension.
  • Get or find directories and files (with specific extension). May include net share.
  • Generate cryptography key
  • Encrypt files (overwrite or create new one). If create new one, it will delete the original file.
  • Append the ransomware extension to the encrypted file
  • Drop readme text file
  • Optional
    • Delete shadow copy
    • Disable windows lock file to maximize ransom file
    • Change wallpaper
    • Connect to CnC
    • Enumerate network share
    • Exploit vulnerabilities
    • Create persistence
    • Stop services
    • Stop process

Google

Example, Google “GetAsyncKeyState + malware” will give numbers of results about keylogger malware.

WinAPI process injection list

  • DLL Injection:
    • OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory and CreateRemoteThread, NtCreateThread( ), RtlCreateUserThread( )
  • PE Injection:
    • OpenThread( ), SuspendThread( ), VirtualAllocEx( ), WriteProcessMemory( ), SetThreatContext( ) and ResumeThread( ), NtResumeThread( )
  • Reflective Injection:
    • CreateFileMapping( ), Nt/MapViewOfFile( ), OpenProcess( ), memcpy( ) and Nt/MapViewOfSection( ), OpenProcess( ), CreateThread( ), NtQueueApcThread( ), CreateRemoteThread( ) or RtlCreateUserThread( )
  • APC Injection:
    • SleepEx( ), SignalObjectAndWait( ), MsgWaitForMultipleObjectsEx( ), WaitForMultipleObjectsEx( ), or WaitForSingleObjectEx( ), CreateToolhelp32Snapshot(), Process32First( ), Process32Next( ), Thread32First( ), Thread32Next( ), QueueUserAPC( ) and KeInitializeAPC( )
  • Hollowing or Process Replacement:
    • CreateProcess( ), NtQueryProcessInformation( ), GetModuleHandle( ), Zw/NtUnmapViewOfSection( ), VirtualAllocEx( ), WriteProcessMemory( ), GetThreadContext( ), SetThreadContext ( ) and ResumeThread( )
  • AtomBombing:
    • GlobalGetAtomName( ) and NtQueueApcThread( ), NtSetContextThread( ), OpenThread( ), GlobalAddAtom( ), GlobalGetAtomName( ) and QueueUserAPC( )
  • Process Doppelgänging:
    • CreateTransaction( ), CreateFileTransaction( ), NtCreateSection, NtCreateProcessEx( ), NtQueryInformationProcess( ), NtCreateThreadEx( ) and RollbackTransaction( )
  • Hooking Injection:
    • LoadLibraryW( ), GetProcAdress( ), SetWindowsHookEx( ) and PostThreadMessage( )
  • Extra Windows Memory Injection:
    • FindWindowsA( ), GetWindowThreadProcessId( ), OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ), SetWindowLongPtrA( ) and SendNotify( )
  • Propogate injection:
    • FindWindow( ), FindWindowEx( ), GetProp( ), GetWindowThreadProcessId( ), OpenProcess( ), ReadProcessMemory( ), VirtualAllocEx( ), WriteProcessMemory( ), SetProp( ) and PostMessage( )

WinAPI Anti-debug

  • IsDebuggerPresent()
  • CheckRemoteDebuggerPresent()
  • NtQueryInformationProcess()
  • OutputDebugString()
  • BeingDebuggeed in PEB
  • Check ProcessHeap flag
  • NtGlobalFlag()
  • LookupPrivilegeValue() with argument SeDebugPrivilege
  • BlockInput()

WinAPI used for unpacking

Interesting API breakpoint for unpacking stuff:

  • CreateProcessInternalW( )
  • VirtualAlloc( ) or VirtualAllocEx( )
  • VirtualProtect( ) or ZwProtectVirtualMemory( )
  • WriteProcessMemory( ) or NtWriteProcessMemory( )
  • ResumeThread( ) or NtResumeThread( )
  • CryptDecrypt( ) or RtlDecompressBuffer( )
  • NtCreateSection( ) + MapViewOfSection( ) or ZwMapViewOfSection( )
  • UnmapViewOfSection( ) or ZwUnmapViewOfSection( )
  • NtWriteVirtualMemory( )
  • NtReadVirtualMemory( )

Useful unpacking tool

Helpful references

Some references that can may help us in analysis a malware:

  • Anti techinques list
  • Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book.
  • Examples of commands used by Attackers
  • Common Windows API in Analyzing and Reversing Windows Malware. MalAPI.
  • File extensicons used by attacker. Filesec
  • Fileless and Script. LOLBAS
  • Anti technique Map. Unprotect Project

Tools

Personally, all tools in Flare-vm and Remnux is more than enough. Refer this awesome slide by @ochsenmeier that list all the important tools for malware analysis investigation.

My must-have tool:

  • IDA Pro
  • x64dbg
  • DIE
  • DnSpy
  • Wireshark
  • ProcMon
  • Ghidra
  • Cyberchef
  • Python
  • API monitor
  • HxD

Winitor files and tools for Malware Analysis: Link