
Malware analysis

0ut3r Space 2019-08-15 2021-03-26


guides
flare vm, malware, malware analysis

Analysis of malware, viruses and other kinds of harmful programs and scripts is
quite complicated and requires a lot of knowledge. To properly understand how a
program works, what it connects to and what damage it can do, it helps to know
programming (preferably several languages rather than just one) and to have a good
understanding of how computer networks are built and operate.

Malware

Reverse engineering is often used to analyze such a program. It is the process of
examining a product (a device or a computer program) to determine exactly how it
works, as well as how and at what cost it was made, usually in order to obtain the
information necessary to construct a counterpart.

For example, we can decompile the program, obtaining partial program code, so that
we know exactly how it works. We can also analyze the running program itself, its
processes and its network connections using additional tools.

When analyzing a malicious program, we must be extremely careful not to
accidentally infect ourselves during the analysis. Everyone who wants to start the
adventure with the analysis of this type of program should build their own virtual
environment, separated from the network (or operating in a separate, specially
prepared network), in an isolated environment built only for the purposes of
analysis.

There are programs on the market called sandboxes. They run a program in a sandbox,
i.e. an isolated environment that simulates the real environment of a potential
victim, which allows for safe analysis. Most of these programs are paid and, due to
the cost, only available to large corporations.

Nowadays malicious software has evolved to such an extent that it not only tries
to detect and bypass anti-virus software but also checks whether it is running on a
virtual machine or in a sandbox. Sometimes it launches its malicious functions with
a delay and sometimes it deactivates completely, acting like an ordinary harmless
application so as not to attract attention.

Although analysis requires a lot of knowledge and skill, nothing prevents you
from starting with simple examples and free tools.

Below I describe a few tools and pages that will help you take the first steps
in this difficult field.

Types of malware analysis

Static - also called static code analysis, is a process of software debugging
without executing the code or program. In other words, it examines the malware
without examining the code or executing the program. The techniques of static
malware analysis can be implemented on various representations of a program. The
techniques and tools instantaneously discover whether a file is of malicious intent
or not. Then the information on its functionality and other technical indicators
help create its simple signatures.

Dynamic - the dynamic analysis runs malware to examine its behavior, learn its
functionality and recognize technical indicators. When all these details are
obtained, they are used in the detection signatures. The technical indicators
exposed may comprise IP addresses, domain names, file path locations, additional
files and registry keys found on the network or computer.

These definitions are taken from the Comodo blog.
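To make the static side of that definition concrete, here is an added example written for this article (it is not code from the page or from any of the tools listed below). It performs a first static triage of a file image without executing anything: it hashes the bytes, carves printable ASCII and UTF-16LE strings the way strings(1) does, and sorts those strings into the kinds of technical indicators named above (URLs, IP addresses, registry keys, file paths, notable API names). The sample bytes, the 198.51.100.23 address and the list of APIs worth a second look are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a file read from disk: a DOS-stub-like prefix,
# a few ASCII strings, one UTF-16LE (wide) string and some filler bytes.
# The URL, address and paths are made up for this example (198.51.100.23
# is a TEST-NET-2 documentation address).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x01\x02\x03"
    + b"http://198.51.100.23/update.php\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe\x7f\x80" * 4
    + b"kernel32.dll\x00CreateRemoteThread\x00"
)

# Small, constructed list of imports that deserve a closer look when they
# show up in an unknown binary (injection, debugger checks, downloading).
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "IsDebuggerPresent", "URLDownloadToFileA", "WinExec",
}

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_\w+|SOFTWARE)\\[\w\\ ]+", re.IGNORECASE),
    "path": re.compile(r"[a-z]:\\[^\s\"'<>]+", re.IGNORECASE),
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole image: the identifiers used to look a
    sample up in online scanners and sample repositories."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Carve runs of printable ASCII and of UTF-16LE text of at least
    min_len characters, like strings(1) does."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def classify_strings(strings: list) -> dict:
    """Bucket strings into the indicator types an analyst reports."""
    hits = {kind: [] for kind in IOC_PATTERNS}
    hits["api"] = []
    for s in strings:
        for kind, pattern in IOC_PATTERNS.items():
            hits[kind].extend(m.group() for m in pattern.finditer(s))
        if s in SUSPICIOUS_APIS:
            hits["api"].append(s)
    return hits


def static_triage(data: bytes) -> dict:
    """Everything a first static pass yields, without running the sample."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "strings": strings,
            "iocs": classify_strings(strings)}


if __name__ == "__main__":
    report = static_triage(SAMPLE)
    print("sha256:", report["hashes"]["sha256"])
    for kind, values in report["iocs"].items():
        for value in values:
            print(f"{kind:9} {value}")
```

Run it on a real file by replacing SAMPLE with the file's bytes; the hashes are what you would paste into VirusTotal or a sample repository, and the indicator buckets are the first things to pivot on in the URL, IP and domain services listed later in this article.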


Test environment

The first question is where to start, because it is hard to say how to properly
configure your own test environment. It is therefore worth starting with a ready-
made environment with a set of tools, so that in the future you can build your own,
tailored to your needs. Ready solutions let you see how industry professionals
do it, what tools they use and how they approach the topic. Just as Kali Linux is a
ready environment for pentesters, flare-vm is a ready environment for malware
analysts. Check the official article to get more information about it. Download
it, install it and play with the tools that you will find there. There are tool
categories such as Debuggers, Decompilers, Delphi, Developer Tools, Android Tools,
Disassemblers, Flash, Forensic, Hex Editors, Java, Networking, Office, PDF, PE,
Pentest, Text Editors, Visual Basic, .net, Python and modules, Web and other useful
utilities.

Once you have worked with it for some time, you can create your own virtual machine
and install only the tools you like.

Desktop sandboxes

Below are some paid and free sandboxes.

Sandboxie - runs your programs in an isolated space which prevents them from making
permanent changes to other programs and data in your computer.

Firejail - is a SUID security sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf.

SHADE Sandbox - is an alternative for antivirus and a tool for virtualization. It
locally virtualizes applications (i.e. internet browsers) and locks all incoming
internet files and possible viruses in its safe virtual environment.

PyREbox - is a Python scriptable Reverse Engineering sandbox. It is based on QEMU,
and its goal is to aid reverse engineering by providing dynamic analysis and
debugging capabilities from a different perspective.

FAME - is a recursive acronym meaning "FAME Automates Malware Evaluation". It is
meant to facilitate analysis of malicious files, leveraging as much knowledge as
possible in order to speed up and automate end-to-end analysis.

Online sandboxes

You can find several free, online sandboxes. Remember, however, that if you want to
scan and analyze a private file, by uploading it to an online scanner you share it
to the owners of the service or even publicly. Hence, you should not upload
sensitive data there, especially company data.

CAPE Sandbox - malware configuration and payload extraction.

Hybrid Analysis - free malware analysis service for the community that detects and
analyzes unknown threats using a unique Hybrid Analysis technology.

AnyRun - Interactive online malware analysis service for dynamic and static
research of most types of threats using any environments. Replaces a set of tools
for research.

Sandbox Anlyz - online malware sandbox.

Opswat Metadefender - malware/IP/URL/hash/CVE/domain analysis and sandbox.

JoeSandbox - detects and analyzes potentially malicious files and URLs on Windows,
Android, Mac OS, Linux and iOS for suspicious activities. It performs deep malware
analysis and generates comprehensive and detailed analysis reports.

Self-hosted sandbox

Personally, I know only one free solution that can be self-hosted: Cuckoo Sandbox.
Cuckoo Sandbox is the leading open source automated malware analysis system and it
is available on most popular platforms.

Online antivirus and malware analyzers

Antivirus-like online services are also useful for analyzing files: they scan a
given file with many different anti-virus engines and provide more detail than a
single product would.

AVCaesar - is a malware analysis engine and repository. Your suspicious files can
be analyzed by a set of antivirus engines.

VirusTotal - analyze suspicious files and URLs to detect types of malware, and
automatically share them with the security community.

NoDistribute - similar to VirusTotal but does not distribute scan results. For your
own privacy and the privacy of your files, you may not want to share the contents
of your files with the antivirus companies.

AntiScan - similar to VirusTotal but does not distribute scan results.

Malwares - is a malware analysis engine.

URL analysis

Nowadays not only files can be harmful, but also entire pages or scripts contained
in them. Therefore, it is also worth using sandboxes for URLs. Not only VirusTotal
mentioned earlier has such a function.

URLhaus - is a project from abuse.ch with the goal of sharing malicious URLs that
are being used for malware distribution.

URLscan - a sandbox for the web.

MetaDefender - trust no file, trust no device. Analyze IP, HASH, CVE, URL.

URLVoid - service helps you detect potentially malicious websites.

Zulu by Zscaler - Zulu is a dynamic risk scoring engine for web based content.

Cyren URL - Cyren URL Category Check.


Online Network and decoding tools

IPVoid - offers a vast range of IP address tools to discover details about IP
addresses: IP blacklist check, whois lookup, DNS lookup, ping and more.

MXToolbox - everything you need to analyze any IOCs.

CyberChef - a simple, intuitive web app for analysing and decoding data without
having to deal with complex tools or programming languages. CyberChef encourages
both technical and non-technical people to explore data formats, encryption and
compression.

IP, domain and mail

Phishtank - phishing analysis.

Isitphishing - phishing analysis.

Domaintools Whois - WHOIS online.

Robtex IP Lookup - IP lookup.

AbuseIPDB - Check the report history of any IP address to see if anyone else has
reported malicious activities.

Cyren IP - Cyren IP Reputation Check

Message header analyzer - analyze message headers.


Threat intelligence

Pulsedive - sweet spot between enriched intelligence and technical information.

ThreatMiner - data mining for threat intelligence.

Talos - Talos Threat Source is a regular intelligence update from Cisco Talos,
highlighting the biggest threats each week and other security news.

IBM X-Force Exchange - Research, Collaborate and Act on threat intelligence.


Desktop tools

These are just a few of the thousands you can use. You have to start somewhere.

Automated malware analysis

Spybot File Analyzer - FileAlyzer shows basic file content, a standard hex viewer
and a wide range of customized displays for interpreted complex file structures
that help you understand the purpose of a file.

Hex editors

wxHexEditor - a free cross platform hex editor.


Disassembler and debugger

IDA Pro - the IDA Disassembler and Debugger is an interactive, programmable,
extensible, multi-processor disassembler hosted on Windows, Linux or Mac OS X. IDA
has become the de facto standard for the analysis of hostile code, vulnerability
research and commercial off-the-shelf validation.

Ghidra - a software reverse engineering (SRE) suite of tools developed by NSA's
Research Directorate in support of the Cybersecurity mission.

OllyDbg - is a 32-bit assembler-level analysing debugger for Windows.

Memory dumper

Scylla - imports reconstruction.

OllyDumpEx - this plugin is a process memory dumper for OllyDbg and Immunity
Debugger.

Process and registry

RegShot - is an open-source (LGPL) registry compare utility that allows you to
quickly take a snapshot of your registry and then compare it with a second one,
taken after making system changes or installing a new software product.

Process Explorer - advanced process explorer.

Process Monitor - advanced process monitor.

ProcDOT - a way of visual malware analysis.

Process Hacker - powerful, multi-purpose tool that helps you monitor system
resources, debug software and detect malware.

Noriben - Noriben is a Python-based script that works in conjunction with
Sysinternals Procmon to automatically collect, analyze and report on runtime
indicators of malware. In a nutshell, it allows you to run an application, hit a
keypress, and get a simple text report of the sample's activities.

Autoruns - this utility, which has the most comprehensive knowledge of
auto-starting locations of any startup monitor, shows you what programs are
configured to run during system bootup or login, and when you start various
built-in Windows applications like Internet Explorer, Explorer and media players.
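To show what the Noriben approach boils down to, here is an added example written for this article (it is my code, not Noriben's or Procmon's). It reads a Procmon CSV export, follows the sample's process tree through the child PIDs that "Process Create" events report, and reduces the capture to the runtime indicators an analyst wants in the report: spawned processes, files written, registry values set (with writes to Run-key style locations, the ones Autoruns enumerates, called out as persistence) and outbound connections. The CSV rows are constructed for the example; only the column order follows Procmon's default CSV export.

```python
import csv
import io
import re

# Constructed Procmon-style CSV export (made up for this example, not a real
# capture). The column order is that of Procmon's default CSV export. Here
# "sample.exe" drops and starts svc.exe, registers it under the Run key, and
# the child calls out to 198.51.100.23 (a TEST-NET-2 documentation address);
# the svchost.exe row is unrelated background noise that must be filtered.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\\Users\\Public\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\\Users\\Public\\svc.exe","SUCCESS","Offset: 0, Length: 65536"
"10:01:02.3","sample.exe","4120","Process Create","C:\\Users\\Public\\svc.exe","SUCCESS","PID: 4188, Command line: C:\\Users\\Public\\svc.exe"
"10:01:02.4","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\\Users\\Public\\svc.exe"
"10:01:02.5","sample.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:03.0","svc.exe","4188","TCP Connect","host-a:49712 -> 198.51.100.23:443","SUCCESS","Length: 0"
"10:01:03.1","svchost.exe","912","RegQueryValue","HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters","SUCCESS","Type: REG_DWORD"
"10:01:03.2","sample.exe","4120","CreateFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Desired Access: Read Data"
"""

CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")

# Registry locations whose modification usually means the sample wants to
# survive a reboot (the same places Autoruns enumerates).
PERSISTENCE_KEYS = (
    "\\currentversion\\run", "\\currentversion\\runonce",
    "\\currentcontrolset\\services\\", "\\winlogon\\",
)

NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def parse_procmon_csv(text: str) -> list:
    """Rows as dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def build_report(rows: list, sample_name: str) -> dict:
    """Follow the sample and its children through the capture and collect
    the runtime indicators worth reporting."""
    tracked = {int(r["PID"]) for r in rows
               if r["Process Name"].lower() == sample_name.lower()}
    report = {"processes": [], "file_writes": [], "registry_writes": [],
              "persistence": [], "network": []}
    for row in rows:  # capture order: a child's rows come after its creation
        if int(row["PID"]) not in tracked:
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "Process Create":
            m = CHILD_PID_RE.search(detail)
            child = int(m.group(1)) if m else None
            if child is not None:
                tracked.add(child)
            report["processes"].append((child, path))
        elif op == "WriteFile" or (op == "CreateFile" and "Write" in detail):
            if path not in report["file_writes"]:
                report["file_writes"].append(path)
        elif op == "RegSetValue":
            report["registry_writes"].append(path)
            if any(key in path.lower() for key in PERSISTENCE_KEYS):
                report["persistence"].append(path)
        elif op in NETWORK_OPS:
            remote = path.split(" -> ")[-1]
            if remote not in report["network"]:
                report["network"].append(remote)
    return report


def format_report(report: dict) -> str:
    """Noriben-style plain-text summary."""
    lines = []
    for section, items in report.items():
        lines.append(f"[{section}]")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_procmon_csv(PROCMON_CSV)
    print(format_report(build_report(rows, "sample.exe")))
```

With a real capture you would export from Procmon (File > Save, CSV) and pass the file's text in; Noriben additionally strips known-good system noise with whitelists, which this example replaces with the simpler "only the sample's process tree" filter.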

Packer identifier

Detect It Easy (DiE) - is a packer identifier.

Exe info PE - packer and compressor detector / unpack info / internal exe tools.

Peframe - peframe is an open source tool to perform static analysis on Portable
Executable malware and generic suspicious files. It can help malware researchers
detect packers, XOR, digital signatures, mutexes, anti-debug and anti-virtual-
machine tricks, suspicious sections and functions, macros and much more
information about the suspicious files.
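Packer identifiers combine signature matching with an entropy check: compressed or encrypted payloads look like random bytes, so an image whose bulk is near-random is probably packed and needs unpacking before any further static analysis makes sense. The following is an added example written for this article (not code from DiE, Exe info PE or peframe) that computes Shannon entropy over fixed windows of a file image and turns that into a packed/not-packed verdict. The two sample images, and the SHA-256 chain standing in for a compressed payload, are constructed for the example; real identifiers do this per PE section rather than per fixed window.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024) -> list:
    """(offset, entropy) for consecutive windows: the same picture a packer
    identifier draws per section or as an entropy graph."""
    return [(off, round(shannon_entropy(data[off:off + window]), 2))
            for off in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = 1024,
                 threshold: float = 7.0, fraction: float = 0.5) -> bool:
    """Heuristic: if at least `fraction` of the windows are near-random
    (entropy >= threshold) the image is probably compressed or encrypted."""
    profile = entropy_profile(data, window)
    if not profile:
        return False
    high = sum(1 for _, e in profile if e >= threshold)
    return high / len(profile) >= fraction


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (a SHA-256 chain) standing in for a
    compressed or encrypted payload; constructed for the example."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed images: repeated plain text (roughly what the code and data of
# an unpacked binary look like to this measure) versus a small stub followed
# by near-random bytes (what a packed binary looks like).
PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 25)[:1024]
PACKED = PLAIN[:256] + pseudo_random(4096 - 256)


if __name__ == "__main__":
    for name, image in (("plain", PLAIN), ("packed", PACKED)):
        print(name, entropy_profile(image), "packed?", looks_packed(image))
```

The threshold of 7.0 bits per byte is a common rule of thumb; legitimate resources such as embedded images or certificates are also high-entropy, which is why real identifiers pair the measurement with packer signatures and section-name checks.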

Decode obfuscated strings

Flare-Floss - uses advanced static analysis techniques to automatically deobfuscate
strings from malware binaries.

XORSearch - XORSearch is a program to search for a given string in an XOR, ROL, ROT
or SHIFT encoded binary file.

Balbuzard - malware analysis tools to extract patterns of interest and crack
obfuscation such as XOR.
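To show what a tool like XORSearch actually does, here is an added example (not XORSearch's or Balbuzard's code): it brute-forces every single-byte XOR key and every ROL amount over a file image, reports where a chosen string appears under each transform, and decodes the region at a hit. ROT and SHIFT encodings are left out. The sample bytes, the hidden URL (using a TEST-NET-2 address), the hidden registry path and the key 0x5A are constructed for the example.

```python
def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key for b in data)


def rol_bytes(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits` (0..7)."""
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def ror_bytes(data: bytes, bits: int) -> bytes:
    """Rotate right, i.e. the inverse of rol_bytes with the same amount."""
    return rol_bytes(data, (8 - bits) % 8)


def search_encoded(data: bytes, needle: bytes) -> list:
    """Try every XOR key and every ROL amount and report where `needle`
    shows up, as (encoding, key, offset). XOR key 0 means the string is
    present in clear."""
    hits = []
    candidates = [("xor", k, xor_bytes(data, k)) for k in range(256)]
    candidates += [("rol", n, rol_bytes(data, n)) for n in range(1, 8)]
    for encoding, key, decoded in candidates:
        off = decoded.find(needle)
        while off != -1:
            hits.append((encoding, key, off))
            off = decoded.find(needle, off + 1)
    return hits


def decode_hit(data: bytes, hit: tuple, length: int) -> bytes:
    """Recover `length` bytes at a reported hit with the same transform, to
    read the rest of the string around the match."""
    encoding, key, off = hit
    chunk = data[off:off + length]
    return xor_bytes(chunk, key) if encoding == "xor" else rol_bytes(chunk, key)


# Constructed sample: a URL hidden with single-byte XOR (key 0x5A) and a
# registry path hidden with a 3-bit right rotation, between filler bytes.
URL = b"http://198.51.100.23/gate.php"
REG = b"CurrentVersion\\Run"
SAMPLE = (b"\x00" * 16 + xor_bytes(URL, 0x5A) + b"\x90" * 8
          + ror_bytes(REG, 3) + b"\xff" * 8)


if __name__ == "__main__":
    for needle in (b"http://", b"CurrentVersion"):
        for hit in search_encoded(SAMPLE, needle):
            print(needle, hit, decode_hit(SAMPLE, hit, 32))
```

The useful needles are the ones malware rarely avoids: "http://", "This program", "kernel32", "\Run" and similar; a hit with a non-zero key is also a strong hint that the same key decodes the rest of that region, which is what the decode step shows.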

Virtual Machines

Flare VM - a fully customizable, Windows-based security distribution for malware
analysis, incident response, penetration testing, etc.

REMnux - is a Linux toolkit for reverse-engineering and analyzing malicious
software. REMnux provides a curated collection of free tools created by the
community. Analysts can use it to investigate malware without having to find,
install and configure the tools.

Malware samples

Sooner or later you will want to practice your skills on real samples. Once you
know the tools, you will have to test them, and it's best to use examples from
everyday life. There are two nice repositories of malware on GitHub. The first one
is Malware Sample Library and the second Malware Samples. By searching GitHub you
will surely find more equally interesting examples that will give you the
necessary experience.

More malware samples and virus signatures are also available on websites like:

Das Malwerk - malware samples.

MalShare - a free malware repository providing researchers access to samples,
malicious feeds and YARA results.

PacketTotal Malware Archive - search for URL, IP, file hash.

ViruSign - virus signatures, to make antivirus more efficient and, of course, to
benefit the users with a better detection rate.

Malware sources

Some examples of malware source code to analyze.

Parat (Python based RAT) - https://github.com/micle-fm/Parat
Ammyy Admin v3 source code - https://github.com/Coldzer0/Ammyy-v3
EvilOSX (Python, post-exploitation macOSX Remote Administration Tool) -
https://github.com/Marten4n6/EvilOSX
Reptile (LKM Linux rootkit) - https://github.com/f0rb1dd3n/Reptile
iMessagesBackdoor (AppleScript handler that can be set to execute shell
commands) - https://github.com/checkyfuntime/iMessagesBackdoor
Diamorphine (LKM rootkit for Linux Kernels 2.6.x/3.x/4.x) -
https://github.com/m0nad/Diamorphine
Ransomware - https://github.com/mauri870/ransomware
win.rokkaku (fileless Windows keylogger that exfils over the DNS protocol) -
https://github.com/0ren/win.rokkaku
Jellyfish (GPU rootkit) - https://github.com/x0r1/jellyfish
Jellucuda (Windows GPU Rat) - https://github.com/x0r1/WIN_JELLY
Demon (GPU keylogger) - https://github.com/x0r1/Demon
Cypher - https://github.com/NullArray/Cypher
vlany (Linux LD_PRELOAD rootkit) - https://github.com/mempodippy/vlany
cub3 - https://github.com/mempodippy/cub3
Linux.Mirai Source Code - https://github.com/jgamblin/Mirai-Source-Code
Win32.Stolich - https://github.com/empinel/Win32.Stolich
Capcom Rootkit - https://github.com/FuzzySecurity/Capcom-Rootkit
TinyNuke aka Nukebot aka Nuclear Bot - https://github.com/aainz/TinyNuke
Alina Spark (PoS Trojan) -
https://github.com/fdiskyou/malware/tree/master/Alina
Bleeding Life 2 (Exploit Pack) -
https://github.com/fdiskyou/malware/tree/master/BleedingLife2/Bleeding%20Life%20v2
Carberp Botnet -
https://github.com/fdiskyou/malware/tree/master/Carberp%20Botnet
Crimepack 3.1.3 (Exploit Pack) -
https://github.com/fdiskyou/malware/tree/master/Crimepack3.1.3
Dendroid (Android Trojan) -
https://github.com/fdiskyou/malware/tree/master/Dendroid
Dexter v2 (PoS Trojan) - https://github.com/fdiskyou/malware/tree/master/Dexter
Fancy Bear, APT28, Sofacy (Gmail C2C), Python Trojan -
https://github.com/fdiskyou/malware/tree/master/FancyBear
GMBot (Android Trojan) - https://github.com/fdiskyou/malware/tree/master/GMBot
Gozi-ISFB (Banking Trojan) -
https://github.com/fdiskyou/malware/tree/master/Gozi-ISFB
Grum (Spam Bot) - https://github.com/fdiskyou/malware/tree/master/Grum
Hidden Tear (Ransomware) -
https://github.com/fdiskyou/malware/tree/master/Hidden-tear
KINS (Banking Trojan) - https://github.com/fdiskyou/malware/tree/master/KINS
Pony 2.0 (Stealer) - https://github.com/fdiskyou/malware/tree/master/Pony
PowerLoader (Botnet) -
https://github.com/fdiskyou/malware/tree/master/PowerLoader
RIG Front-end (Exploit Kit) -
https://github.com/fdiskyou/malware/tree/master/RIG
Rovnix (Bootkit) - https://github.com/fdiskyou/malware/tree/master/Rovnix
Tinba (Tiny ASM Banking Trojan) -
https://github.com/fdiskyou/malware/tree/master/Tinba
ZeroAccess (Toolkit for ZeroAccess/Sirefef v3) -
https://github.com/fdiskyou/malware/tree/master/ZeroAccess
Zeus (Banking Trojan) - https://github.com/fdiskyou/malware/tree/master/Zeus
Trochilus - https://github.com/5loyd/trochilus

EICAR test file

This article is also an occasion to mention a harmless test sample that may
interest people who want to test the security and effectiveness of anti-virus
programs.

The EICAR test file is a computer file that was developed by the European Institute
for Computer Antivirus Research (EICAR) and the Computer Antivirus Research
Organization (CARO) to test the response of computer antivirus (AV) programs.
Instead of using real malware, which could cause real damage, this test file allows
people to test anti-virus software without having to use a real computer virus.

You can download EICAR and use it for free. On the download page there is also a
more detailed description.
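As an added example (written for this article, not EICAR's own code), the script below keeps the test string in memory, checks a candidate file against EICAR's published rules for what counts as the test file (the 68-byte string first, at most 128 bytes in total, only whitespace after the string), and builds the same four forms EICAR distributes (plain, with a trailing newline, zipped, double-zipped) so you can see which of them a scanner catches, for example whether it looks inside archives. Nothing is written to disk; the two digests are the well-known ones for the exact 68-byte file.

```python
import hashlib
import io
import zipfile

# The 68-byte EICAR test string as published by EICAR: a valid DOS program
# that only prints a message, harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Well-known digests of the exact 68-byte file (no trailing newline); these
# are the values scanners and sandboxes report for it.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

ALLOWED_TRAILER = b" \t\r\n\x1a"   # the only bytes EICAR permits after the string


def digests(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha256")}


def is_eicar(data: bytes) -> bool:
    """EICAR's own rules: the first 68 bytes are exactly the string, the whole
    file is at most 128 bytes, and anything after the string is whitespace
    (space, tab, CR, LF or CTRL-Z)."""
    if not 68 <= len(data) <= 128:
        return False
    if data[:68] != EICAR:
        return False
    return all(b in ALLOWED_TRAILER for b in data[68:])


def make_test_variants() -> dict:
    """In-memory forms of the test file used to exercise a scanner: bare,
    with a trailing newline, zipped once and zipped twice. File names mirror
    the ones EICAR distributes; nothing is written to disk here."""
    def zipped(name: str, payload: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    eicar_zip = zipped("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.com.txt": EICAR + b"\n",
        "eicar_com.zip": eicar_zip,
        "eicarcom2.zip": zipped("eicar_com.zip", eicar_zip),
    }


def zip_members_matching(zip_bytes: bytes) -> list:
    """Names of members (one archive level deep) that are the EICAR file."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_eicar(zf.read(name))]


if __name__ == "__main__":
    for name, data in make_test_variants().items():
        print(f"{name:15} {len(data):4} bytes  eicar={is_eicar(data)}  "
              f"md5={digests(data)['md5']}")
```

If you do write the variants to disk to test a product, expect the on-access scanner to remove them immediately; that reaction, and whether it also happens for the zipped forms, is exactly the result the test is designed to give.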
