
Malware Analysis: My Checklist

When analysing or investigating a piece of malware, what are the important questions we need to answer?

This checklist may help us determine the goal of a malware analysis, so that we avoid reversing or analysing parts of the malicious code that are not important to our investigation, or that turn out to be a rabbit hole.

  1. What was the initial access?
  2. How does it get downloaded, started or executed?
    • Where does it come from?
    • How did it get there?
    • Which parent program dropped it?
    • How does it execute? Did a user run it? Did someone run it remotely?
  3. Are any anti-analysis techniques implemented?
    • Anti Debugging
    • Anti Disassembly
    • Anti VM
    • Antivirus/EDR evasion
    • Packer
    • Cryptor
    • Sandbox evasion
  4. Is there any basic, automated or dynamic analysis result that can give us hints?
    • Basic analysis
      • strings
      • MultiAV result
      • ssdeep (comparing with other variant)
      • PE analysis
    • Dynamic analysis
      • Process
      • File system
      • Network
      • Registry
    • Sandbox analysis result
      • Static analysis result
      • Dynamic analysis result
  5. What are the things we are looking for?
    • IOCs
    • Commands
    • Dropped files
    • Domains / IPs
    • Registry keys modified/added/deleted
    • Tactics, techniques and procedures (TTPs)
    • Encryption/decryption routines
    • Folder and file access
    • Malware features
    • Hardcoded values / strings
    • Common WinAPI functions used for malicious actions
    • Shellcode
    • Encrypted data
  6. What are some of the malware's features?
    • Downloader
    • Launcher
    • Backdoor
      • Reverse shell
      • RAT
      • Botnet
    • Credential stealer
      • Keylogger
      • Mimikatz-style credential dumping
    • File encryption
    • Command and control
    • Propagation
    • Exploit
    • Process manipulation
      • Process injection, etc.
    • UAC bypass
    • AV evasion
    • Anti-forensics
  7. What is the meaning of the observed behaviour?
    • Does the domain really serve as command and control?
    • Why does it encrypt a certain part?
  8. Does it have a persistence mechanism?
    • Registry key
    • Scheduled tasks
    • Startup folder
    • Winlogon Registry Entries
    • Image file execution options
    • Accessibility programs
    • WMI persistence
    • AppInit_DLLs
    • DLL Search Order Hijacking
    • Service
  9. Does the malware perform privilege escalation?
  10. Public research
  11. Ask the community
  12. Which Windows API functions does it use, and how do they relate to malicious functionality?
    • For example, searching Google for “GetAsyncKeyState + malware” returns many results about keylogger malware.
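As an added example (not from the original post), the following Python triage helper ties items 4, 5 and 12 together: it pulls ASCII and UTF-16LE strings out of a file's raw bytes and maps well-known WinAPI names and string patterns onto the checklist categories above. The byte blob, the category table and the URL are constructed for illustration and do not come from a real sample.

```python
import re
from collections import defaultdict

# Constructed sample standing in for a PE file's raw bytes (not a real sample).
# Mixes ASCII strings, UTF-16LE strings and junk bytes, as real binaries do.
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"GetAsyncKeyState\x00" + b"\xff\xfe"
    + "WriteProcessMemory".encode("utf-16-le") + b"\x00\x00"
    + b"CreateRemoteThread\x00IsDebuggerPresent\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "http://example.invalid/gate.php".encode("utf-16-le")
    + b"\x00\x00\x7f" + b"ab\x00"  # "ab" is too short to count as a string
)

# Checklist categories (items 3, 5, 8, 12) mapped to API names. Constructed,
# non-exhaustive table; extend it from Appendix A of Practical Malware Analysis.
API_HINTS = {
    "anti-debugging": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "keylogger": {"GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW"},
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
}
PATTERN_HINTS = {
    "persistence (Run key)": re.compile(r"\\CurrentVersion\\Run", re.I),
    "network IOC": re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_strings(data, min_len=4):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_hits = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_hits = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_hits + wide_hits


def triage(data):
    """Map extracted strings onto checklist categories; returns {category: sorted hits}."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        for category, apis in API_HINTS.items():
            if s in apis:
                hits[category].add(s)
        for category, pattern in PATTERN_HINTS.items():
            if pattern.search(s):
                hits[category].add(s)
    return {k: sorted(v) for k, v in sorted(hits.items())}


if __name__ == "__main__":
    for category, found in triage(SAMPLE).items():
        print(f"{category}: {', '.join(found)}")
```

A hit here is only a hint for where to look next (item 7 still has to be answered); packed or encrypted samples will show few or none of these strings until unpacked.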

Some references that may help us in analysing a malware sample.

  1. Anti-techniques list
  2. Important Windows Functions: Appendix A (page 453) of the Practical Malware Analysis book.
  3. Examples of commands used by attackers
  4. Common Windows API in Analyzing and Reversing Windows Malware

Tools

Refer to this awesome slide deck by @ochsenmeier, which lists all the important tools for malware analysis investigations.


References

  1. Guys from the Malware Research Telegram Group
This post is licensed under CC BY 4.0 by the author.