
Malware Analysis: Checklist aka Cheatsheet? Maybe.

Introduction

When analysing or investigating a malware sample, what are the important questions to answer?

This checklist may help us to pin down the goal of the analysis before we start, so that we do not waste time reversing parts of the malicious code that are not important to the investigation, or that turn out to be a rabbit hole.

How was it downloaded, started or executed?

  • Where did it come from?
  • How did it get there?
  • Which parent program dropped it?
  • How does it execute? Did a user run it? Did someone run it remotely?

Are any anti-analysis techniques implemented?

  • Anti-debugging
  • Anti-disassembly
  • Anti-VM
  • Antivirus/EDR evasion
  • Packer
  • Crypter
  • Sandbox evasion

Is there any basic, automated or dynamic analysis result that can give us hints?

  • Basic (static) analysis
    • strings
    • Multi-AV results
    • ssdeep (fuzzy hash, to compare with other variants)
    • PE analysis
  • Dynamic analysis
    • Process
    • File system
    • Network
    • Registry
  • Sandbox analysis result
    • Static analysis result
    • Dynamic analysis result

What are we looking for?

  • IOCs
  • Commands
  • Dropped files
  • Domains / IPs
  • Registry keys modified/added/deleted
  • Tactics, techniques and procedures (TTPs)
  • Encryption/decryption routines
  • Folder and file access
  • Malware features
  • Hardcoded values / strings
  • Common Windows API calls used for malicious actions
  • Shellcode
  • Encrypted data
  • Does the malware perform privilege escalation?

What are some malware features?

  • Downloader
  • Launcher
  • Backdoor
    • Reverse shell
    • RAT
    • Botnet
  • Credential stealer
    • Keylogger
    • Mimikatz-style credential dumping
  • File encryption
  • Command and control
  • Propagation
  • Exploit
  • Process manipulation
    • Process injection, etc.
  • UAC bypass
  • AV evasion
  • Anti-forensics

What do the findings mean in terms of behaviour?

  • Does the domain really serve as command and control?
  • Why does it encrypt a certain part?

Does it have a persistence mechanism?

  • Registry Run keys
  • Scheduled tasks
  • Startup folder
  • Winlogon registry entries
  • Image File Execution Options
  • Accessibility programs
  • WMI event subscription
  • AppInit_DLLs
  • DLL search order hijacking
  • Services
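
As an added example (not part of the original post), here is the persistence checklist above turned into a triage script that runs over a Procmon-style CSV export: it flags successful write operations to the listed registry locations, the Startup folder, the scheduled-task store and the WMI repository, and ignores reads, since malware routinely queries a key before writing it. The CSV lines, process names and paths are constructed for the example. DLL search order hijacking has no single path to match and is left to manual review.

```python
import csv
import io
import re
from typing import Dict, List

# Persistence locations from the checklist, as regexes over the Path column.
# Several rules may hit the same event (IFEO on sethc.exe is also the
# accessibility-program trick), and each hit is reported separately.
PERSISTENCE_RULES = [
    ("Run key", r"\\CurrentVersion\\Run(Once|OnceEx|Services)?\\"),
    ("Winlogon", r"\\Winlogon\\(Userinit|Shell|Notify)"),
    ("IFEO debugger", r"\\Image File Execution Options\\[^\\]+\\Debugger$"),
    ("Accessibility program hijack",
     r"\\Image File Execution Options\\(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe\\"),
    ("Accessibility program hijack",
     r"\\System32\\(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe$"),
    ("AppInit_DLLs", r"\\Windows NT\\CurrentVersion\\Windows\\(Load)?AppInit_DLLs$"),
    ("Service", r"\\Services\\[^\\]+\\(ImagePath|ServiceDll|Start|Type|Parameters\\ServiceDll)$"),
    ("Startup folder", r"\\Start Menu\\Programs\\Startup\\"),
    ("Scheduled task", r"\\System32\\Tasks\\|\\Schedule\\TaskCache\\Tree\\"),
    ("WMI repository", r"\\wbem\\Repository\\"),
]
_COMPILED = [(label, re.compile(pat, re.I)) for label, pat in PERSISTENCE_RULES]

# Operations that change the location. Reads (RegQueryValue, ReadFile) are
# ignored. CreateFile is omitted too: without the Desired Access detail it
# cannot be told apart from a read.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "WriteFile", "SetRenameInformationFile"}

# Constructed Procmon-style export (not a real capture).
SAMPLE_LOG = """\
Time of Day,Process Name,PID,Operation,Path,Result
10:01:02.100,dropper.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS
10:01:02.105,dropper.exe,4120,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell,SUCCESS
10:01:02.110,dropper.exe,4120,RegSetValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger,SUCCESS
10:01:02.120,dropper.exe,4120,WriteFile,C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk,SUCCESS
10:01:02.130,dropper.exe,4120,RegSetValue,HKLM\\SYSTEM\\CurrentControlSet\\Services\\FakeSvc\\ImagePath,SUCCESS
10:01:02.140,dropper.exe,4120,RegSetValue,HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs,ACCESS DENIED
10:01:02.150,explorer.exe,1234,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs,SUCCESS
10:01:02.160,svchost.exe,900,WriteFile,C:\\Windows\\System32\\Tasks\\UpdaterTask,SUCCESS
"""


def find_persistence(procmon_csv: str) -> List[Dict[str, str]]:
    """Flag successful write operations to known persistence locations.

    Returns one hit per (event, technique). Note that scheduled-task files
    are written by the Schedule service inside svchost.exe, so the creating
    process must be recovered from the schtasks/COM caller, not this row.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        for label, rx in _COMPILED:
            if rx.search(row["Path"]):
                hits.append({"process": row["Process Name"], "pid": row["PID"],
                             "operation": row["Operation"], "path": row["Path"],
                             "technique": label})
    return hits


if __name__ == "__main__":
    for h in find_persistence(SAMPLE_LOG):
        print(f'{h["technique"]:30} {h["process"]}:{h["pid"]} {h["operation"]} {h["path"]}')
```

The ACCESS DENIED AppInit_DLLs write is still worth a look even though it is not flagged: a failed attempt tells you what the sample wanted to do and that it ran without the privilege to do it.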

Public research

Ransomware 101:

  • Collect PC information
  • Determine which file extensions or directories to encrypt (extension blacklist or whitelist)
  • Find directories and files (with specific extensions). May include network shares.
  • Generate cryptographic keys
  • Encrypt files (overwrite in place, or write a new file and delete the original)
  • Append the ransomware extension to the encrypted file
  • Drop a ransom note (readme text file)
  • Optional
    • Delete shadow copies
    • Work around Windows file locking (e.g., by terminating processes that hold files open) to maximize the number of files encrypted
    • Change the wallpaper
    • Connect to the C2
    • Enumerate network shares
    • Exploit vulnerabilities
    • Create persistence
    • Stop services
    • Stop processes
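
The routine above has an observable side in a sandbox run, and that is what the added detection example below looks for (it is not code from the original post or from the public research it summarises): one process renaming many files to `<original>.<same new extension>`, a note with a ransom-note-like name dropped into the affected directories, and a shadow copy deletion command. The event stream, process names and paths are constructed for the example; a Procmon or Sysmon export would be mapped onto the same `(process, op, path, detail)` shape first.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed event stream (not a real capture). 'rename' carries the new
# path in detail, 'exec' carries the command line, 'write' has no detail.
_VICTIMS = [
    r"C:\Users\bob\Documents\report.docx", r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Users\bob\Pictures\photo.jpg", r"\\fileserver\share\plan.pdf",
    r"\\fileserver\share\db.bak",
]
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = (
    [   # benign renames: Office save-via-temp and a browser download
        ("winword.exe", "rename", r"C:\Users\bob\Documents\~WRD0001.tmp",
         r"C:\Users\bob\Documents\report.docx"),
        ("chrome.exe", "rename", r"C:\Users\bob\Downloads\setup.exe.crdownload",
         r"C:\Users\bob\Downloads\setup.exe"),
    ]
    + [("svc.exe", "write", p, "") for p in _VICTIMS]            # encrypt in place
    + [("svc.exe", "rename", p, p + ".locked") for p in _VICTIMS]  # append extension
    + [
        ("svc.exe", "write", r"C:\Users\bob\Documents\README_TO_RESTORE.txt", ""),
        ("svc.exe", "write", r"\\fileserver\share\README_TO_RESTORE.txt", ""),
        ("svc.exe", "exec", r"C:\Windows\System32\vssadmin.exe",
         "vssadmin.exe delete shadows /all /quiet"),
    ]
)

# Ransom-note file names and the usual backup-destruction command lines.
NOTE_RE = re.compile(
    r"\\[^\\]*(readme|recover|restore|decrypt|how[_ -]?to|unlock)[^\\]*\.(txt|html?|hta)$", re.I)
SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"wbadmin(\.exe)?\s+delete\s+catalog|"
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)


def triage_events(events: List[Tuple[str, str, str, str]], min_files: int = 4) -> Dict:
    """Correlate the three observable steps of the routine per process.

    A backup tool renaming many files to *.bak produces the same rename
    pattern, so min_files alone is not a verdict; the verdict also needs a
    dropped note or shadow copy tampering from the same process.
    """
    appended: Dict[str, Counter] = defaultdict(Counter)  # process -> ext -> files
    note_dirs: Dict[str, set] = defaultdict(set)         # process -> dirs with a note
    shadow: List[Tuple[str, str]] = []
    for proc, op, path, detail in events:
        if op == "rename" and detail.startswith(path + "."):
            appended[proc][detail[len(path):]] += 1  # ".locked", dot included
        elif op == "write" and NOTE_RE.search(path):
            note_dirs[proc].add(path.rsplit("\\", 1)[0])
        elif op == "exec" and SHADOW_RE.search(detail):
            shadow.append((proc, detail))
    encryptors = {}
    for proc, exts in appended.items():
        ext, n = exts.most_common(1)[0]
        if n >= min_files:
            encryptors[proc] = {"extension": ext, "files": n,
                                "note_dirs": len(note_dirs[proc])}
    shadow_procs = {p for p, _ in shadow}
    corroborated = any(v["note_dirs"] > 0 or p in shadow_procs
                       for p, v in encryptors.items())
    return {"encryptors": encryptors, "shadow_copy_tampering": shadow,
            "verdict": bool(encryptors) and corroborated}


if __name__ == "__main__":
    print(triage_events(SAMPLE_EVENTS))
```

The appended extension and the note file name that fall out of this are the first two IOCs to pivot on (ssdeep and multi-AV hits on the sample, then the extension and note name across the public ransomware trackers) to identify the family.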

Windows API functions: what is their relation to malicious functionality?

  • For example, googling “GetAsyncKeyState + malware” returns numerous results about keylogger malware.

Windows API process injection list:

  • DLL Injection: OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ) and CreateRemoteThread( ) | NtCreateThread( ) | RtlCreateUserThread( )
  • PE Injection: OpenThread( ), SuspendThread( ), VirtualAllocEx( ), WriteProcessMemory( ), SetThreadContext( ) and ResumeThread( ) | NtResumeThread( )
  • Reflective Injection: CreateFileMapping( ), Nt/MapViewOfFile( ), OpenProcess( ), memcpy( ) and Nt/MapViewOfSection( ), OpenProcess( ), CreateThread( ), NtQueueApcThread( ), CreateRemoteThread( ) or RtlCreateUserThread( )
  • APC Injection: SleepEx( ), SignalObjectAndWait( ), MsgWaitForMultipleObjectsEx( ), WaitForMultipleObjectsEx( ), or WaitForSingleObjectEx( ), CreateToolhelp32Snapshot( ), Process32First( ), Process32Next( ), Thread32First( ), Thread32Next( ), QueueUserAPC( ) and KeInitializeApc( ) (kernel mode)
  • Hollowing or Process Replacement: CreateProcess( ), NtQueryInformationProcess( ), GetModuleHandle( ), Zw/NtUnmapViewOfSection( ), VirtualAllocEx( ), WriteProcessMemory( ), GetThreadContext( ), SetThreadContext( ) and ResumeThread( )
  • AtomBombing: GlobalGetAtomName( ) and NtQueueApcThread( ), NtSetContextThread( ), OpenThread( ), GlobalAddAtom( ), GlobalGetAtomName( ) and QueueUserAPC( )
  • Process Doppelgänging: CreateTransaction( ), CreateFileTransacted( ), NtCreateSection( ), NtCreateProcessEx( ), NtQueryInformationProcess( ), NtCreateThreadEx( ) and RollbackTransaction( )
  • Hooking Injection: LoadLibraryW( ), GetProcAddress( ), SetWindowsHookEx( ) and PostThreadMessage( )
  • Extra Window Memory Injection: FindWindowA( ), GetWindowThreadProcessId( ), OpenProcess( ), VirtualAllocEx( ), WriteProcessMemory( ), SetWindowLongPtrA( ) and SendNotifyMessage( )
  • PROPagate Injection: FindWindow( ), FindWindowEx( ), GetProp( ), GetWindowThreadProcessId( ), OpenProcess( ), ReadProcessMemory( ), VirtualAllocEx( ), WriteProcessMemory( ), SetProp( ) and PostMessage( )

Windows API anti-debug

  • IsDebuggerPresent( )
  • CheckRemoteDebuggerPresent( )
  • NtQueryInformationProcess( ) with ProcessDebugPort, ProcessDebugFlags or ProcessDebugObjectHandle
  • OutputDebugString( )
  • BeingDebugged flag in the PEB
  • ProcessHeap Flags / ForceFlags check
  • NtGlobalFlag in the PEB
  • LookupPrivilegeValue( ) with argument SeDebugPrivilege
  • BlockInput( )
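
The “API name + malware” lookup described above, and the injection and anti-debug lists, can be turned into a first-pass classifier over a sample's imports. The block below is an added example (not code from the original post): it normalises imported names (Zw* to Nt*, since they are the same exports, and the A/W suffix dropped) and scores each technique by the fraction of its characteristic API set that is present. The import list is a constructed, hypothetical IAT; the technique labels, the 0.5 threshold and the two-API “Keylogging” set (the page's GetAsyncKeyState example plus SetWindowsHookEx) are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Technique -> characteristic API set, transcribed from the lists above.
# Stored in normalised form: Zw* written as Nt*, no A/W suffixes.
TECHNIQUES: Dict[str, Set[str]] = {
    "DLL injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                      "CreateRemoteThread", "NtCreateThread", "RtlCreateUserThread"},
    "PE injection (thread hijacking)": {"OpenThread", "SuspendThread", "VirtualAllocEx",
                      "WriteProcessMemory", "SetThreadContext", "ResumeThread", "NtResumeThread"},
    "APC injection": {"QueueUserAPC", "NtQueueApcThread", "CreateToolhelp32Snapshot", "OpenThread",
                      "Process32First", "Process32Next", "Thread32First", "Thread32Next"},
    "Process hollowing": {"CreateProcess", "NtQueryInformationProcess", "GetModuleHandle",
                      "NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
                      "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "Reflective / section mapping injection": {"CreateFileMapping", "MapViewOfFile",
                      "NtCreateSection", "NtMapViewOfSection", "OpenProcess",
                      "CreateRemoteThread", "NtQueueApcThread"},
    "Process Doppelgänging": {"CreateTransaction", "CreateFileTransacted", "NtCreateSection",
                      "NtCreateProcessEx", "NtQueryInformationProcess", "NtCreateThreadEx",
                      "RollbackTransaction"},
    "Hook injection": {"LoadLibrary", "GetProcAddress", "SetWindowsHookEx", "PostThreadMessage"},
    "Extra window memory injection": {"FindWindow", "GetWindowThreadProcessId", "OpenProcess",
                      "VirtualAllocEx", "WriteProcessMemory", "SetWindowLongPtr", "SendNotifyMessage"},
    "PROPagate": {"FindWindow", "FindWindowEx", "GetProp", "SetProp", "GetWindowThreadProcessId",
                  "OpenProcess", "ReadProcessMemory", "VirtualAllocEx", "WriteProcessMemory",
                  "PostMessage"},
    "AtomBombing": {"GlobalAddAtom", "GlobalGetAtomName", "NtQueueApcThread", "NtSetContextThread",
                    "OpenThread", "QueueUserAPC"},
    "Anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                   "OutputDebugString", "BlockInput", "LookupPrivilegeValue"},
    "Keylogging": {"GetAsyncKeyState", "SetWindowsHookEx"},  # assumption for the example
}

# Constructed IAT of a hypothetical hollowing dropper (not a real sample).
SAMPLE_IMPORTS = [
    "CreateProcessW", "ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread", "NtQueryInformationProcess",
    "GetModuleHandleA", "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "ReadFile",
]

_SUFFIX = re.compile(r"(?<=[a-z])[AW]$")  # charset suffix after a lowercase letter


def normalize(name: str) -> str:
    """Collapse API name variants so ZwX/NtX and FooA/FooW/Foo all compare equal."""
    name = name.strip()
    if name.startswith("Zw"):
        name = "Nt" + name[2:]
    return _SUFFIX.sub("", name)


def score_imports(imports: Iterable[str], threshold: float = 0.5
                  ) -> List[Tuple[str, float, List[str]]]:
    """Score each technique by the fraction of its API set present in imports.

    Returns (technique, score, matched APIs) sorted best-first. For a packed
    sample run this on the imports or strings of the unpacked dump; the
    packed stub's IAT only shows LoadLibrary/GetProcAddress.
    """
    present = {normalize(n) for n in imports}
    results = []
    for technique, apis in TECHNIQUES.items():
        matched = sorted(apis & present)
        score = len(matched) / len(apis)
        if score >= threshold:
            results.append((technique, score, matched))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


if __name__ == "__main__":
    for technique, score, matched in score_imports(SAMPLE_IMPORTS):
        print(f"{score:.2f} {technique}: {', '.join(matched)}")
```

A high score is a lead, not a verdict: debuggers, AV engines and installers import most of these too, so the next step is to find the call site of the matched APIs and check what is being written and into which process.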

Interesting API breakpoints for unpacking

  • CreateProcessInternalW( )
  • VirtualAlloc( ) or VirtualAllocEx( )
  • VirtualProtect( ) or ZwProtectVirtualMemory( )
  • WriteProcessMemory( ) or NtWriteProcessMemory( )
  • ResumeThread( ) or NtResumeThread( )
  • CryptDecrypt( ) or RtlDecompressBuffer( )
  • NtCreateSection( ) + NtMapViewOfSection( ) or ZwMapViewOfSection( )
  • NtUnmapViewOfSection( ) or ZwUnmapViewOfSection( )
  • NtWriteVirtualMemory( )
  • NtReadVirtualMemory( )

Useful unpacking tools

  • Your favourite debugger
  • https://github.com/hasherezade/libpeconv/tree/master/pe_unmapper
  • https://github.com/hasherezade/pe-sieve
  • https://github.com/hasherezade/hollows_hunter
  • https://github.com/hasherezade/mal_unpack
  • Scylla plugin in x32dbg/x64dbg (dump and IAT rebuild)
  • OllyDumpEx plugin in x32dbg/x64dbg
  • Process Hacker > Memory tab > interesting regions/base addresses (RWX) > Save memory
  • https://www.unpac.me/#/

Helpful references

Some references that may help us in analysing a malware sample:

  1. Anti-techniques list
  2. Important Windows Functions, Appendix A, page 453, Practical Malware Analysis book.
  3. Examples of commands used by attackers
  4. Common Windows API in Analyzing and Reversing Windows Malware

Tools

Personally, the tools in FLARE VM and REMnux are more than enough.

Refer to this slide deck by @ochsenmeier, which lists the important tools for malware analysis and investigation.

A few pages from the slide deck (images not reproduced here).

References

  1. Members of the Malware Research Telegram group
  2. https://exploitreversing.com/author/exploitreversing/
This post is licensed under CC BY 4.0 by the author.