- Incident response
- Understand behaviours of variants of malware
This TryHackMe room covers information on Malware Analysis.
There are two types of malware campaigns:
- Targeted
- Mass Campaigns
An example of a famous targeted malware attack is the Stuxnet attack on Iran.
An example of a famous mass-campaign malware attack is the WannaCry ransomware attack, which used the EternalBlue exploit.
Process of a malware attack
- Delivery
- Execution
- Persistence (not always)
- Propagation (not always)
Fingerprints in malware
- Host-based signatures
  - e.g. Encryption
  - e.g. Additionally installed/packaged software
- Network-based signatures
  - e.g. Where has the malware contacted for BTC payments?
Static analysis: analysis of the code in the state in which the malware presents itself. Does not involve execution. Employs techniques like checksum analysis.
Dynamic analysis: much more involved. The sample is isolated, executed and observed. This is a dangerous process; ransomware could lock your files, and the sample could be capable of propagating across a network.
TryHackMe lists the following as the tools on the virtual machine used in the next task.
__/PE Tools__
- Dependency walker
- PeID
- PE Explorer
- PeView
- ResourceHacker
__/Disassembly__
- IDA Freeware
- WinDbg
__/Sysinternals Suite__
- ResourceHacker
__/Dynamic__ ...
Deploy the TryHackMe machine. Connect as you please. I'm going to use the Browser-based VM. The nature of the room is unnerving.
Navigate to the /Tasks folder on the VM desktop.
In /Task 7 there are 3 files.
- aws.exe
- NetLogo.exe
- vlc.exe
Each file has checksum values accessible by Right-Clicking -> Properties -> File Hashes.
Here we can see the Hash Values.
- aws.exe MD5: D2778164EF643BA8F44CC202EC7EF157
- NetLogo.exe MD5: 59CB421172A89E1E16C11A428326952C
- vlc.exe MD5: 5416BE1B8B04B1681CB39CF0E2CAAD9F
We can look these hashes up on VirusTotal to check whether the files are known to be malicious.
- aws.exe Undetected
- NetLogo.exe Undetected
- vlc.exe Undetected
The file extension does not denote the file type. Executable code could carry a JPG extension, for example.
The header hex value for executable code is always 4D 5A (the "MZ" magic bytes).
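The two checks above (hash the file so it can be looked up on VirusTotal, and trust the leading bytes rather than the extension) are easy to script. The following is an added example, not part of the TryHackMe room or its VM tooling; the magic-byte table, the expected-extension map and the sample files are constructed for the example, and the hashes are computed with Python's standard `hashlib`.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Well-known leading bytes ("magic"). Constructed table for this example; extend as needed.
MAGIC_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"MZ", "DOS/PE executable"),          # 4D 5A, as noted above
    (b"\x7fELF", "ELF executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
]

# Extensions that normally carry each content type (assumption for the mismatch check).
EXPECTED_EXTENSIONS: Dict[str, set] = {
    "DOS/PE executable": {".exe", ".dll", ".sys", ".scr", ".ocx"},
    "ELF executable": {"", ".so", ".elf"},
    "PNG image": {".png"},
    "JPEG image": {".jpg", ".jpeg"},
    "PDF document": {".pdf"},
    "ZIP archive (also DOCX/XLSX/JAR/APK)": {".zip", ".docx", ".xlsx", ".jar", ".apk"},
}


def identify(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 (upper-case, as the VM's File Hashes tab shows it) and SHA-256 for VirusTotal lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_sample(filename: str, data: bytes) -> Dict:
    """Report the detected type, whether the extension disagrees with it, and the hashes."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    mismatch = kind != "unknown" and ext not in EXPECTED_EXTENSIONS[kind]
    return {"name": filename, "type": kind, "extension": ext,
            "extension_mismatch": mismatch, **file_hashes(data)}


# Constructed sample contents: a fake PE stub and a fake PDF header (not real files).
PE_STUB = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."
SAMPLES = {
    "holiday_photo.jpg": PE_STUB,          # executable hiding behind an image extension
    "vlc.exe": PE_STUB,                    # extension and content agree
    "notes.pdf": b"%PDF-1.7\n%constructed\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check_sample(name, blob)
        flag = "  <-- extension does not match content" if r["extension_mismatch"] else ""
        print(f"{r['name']:<20} {r['type']:<22} MD5 {r['md5']}{flag}")
```

Run it as a script to get one line per sample; on a real file, read it in binary mode and pass the bytes to `check_sample`. The MD5 is kept for comparison with the VM's File Hashes tab, but the SHA-256 is the value to prefer when searching VirusTotal or sharing indicators, since MD5 collisions are practical.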
We can identify the compiler/packer using PeID.
In the folder /Task 8 there are two files: one ending in .dll and one ending in .bin.
Let's run them through PeID to determine their compilers and packers.
PeID is accessible from ~/Desktop/Tools/Static/PE Tools.
- .dll: Microsoft Visual C++ 6.0 DLL
- .bin: Microsoft Visual C++ 6.0 DLL
Packing is a form of obfuscation. It hinders analysis. Packers are used both for good and bad: for example, they can protect intellectual property, but they can also obfuscate malware.
On testing the /Task 10 file, the packer appears to be FSG 1.0 -> dulek/xt.
PeID has a large database of known packers. This makes it very useful.
When running the file in /Task 11, we get a similar output to the previous section.
IDA Freeware can disassemble software. It allows the user to read functions, imports and more. It's an advanced, multi-faceted tool not given justice here.
When analyzing an obfuscated file, strange behaviours can be observed. For example, a lack of imports.
When analyzing a non-obfuscated file, there tends to be a larger import count, and a longer, more-defined graph/flowchart of function calls.
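PeID finds packers by signature; a complementary heuristic that works even when no signature matches is per-section entropy, because compressed or encrypted section bodies look close to random (near 8 bits per byte) while ordinary compiler output does not. The following is an added example that is not part of the room or of PeID: a minimal PE section-table parser plus an entropy check over each section, run against two PE layouts constructed in memory for the example (the section names, the repeated x86 bytes and the 7.0 threshold are assumptions). The import-count indicator from the text is not implemented here; it would need an import-table parser on top of this.

```python
import hashlib
import math
import struct
from typing import Dict, Iterator, List, Tuple

# Rule-of-thumb threshold (assumption): normal code/data sections usually sit well below this,
# while compressed or encrypted sections approach the 8.0 maximum.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, raw bytes) per section: DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]         # COFF SizeOfOptionalHeader
    table = coff + 20 + opt_size                                    # section headers follow the optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]


def packing_report(data: bytes) -> Dict:
    """Entropy per section and a verdict on whether the file looks packed."""
    sections: List[Tuple[str, float]] = [(n, round(shannon_entropy(raw), 2)) for n, raw in pe_sections(data)]
    high = [n for n, e in sections if e >= PACKED_ENTROPY]
    return {"sections": sections, "high_entropy": high, "likely_packed": bool(high)}


# --- constructed test material (not real binaries) ---------------------------------------

def build_toy_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble just enough PE layout (no optional header, not runnable) to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a compressed section."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# push ebp; mov ebp,esp; sub esp,0x10; mov [ebp-4],1; mov eax,[ebp-4]; leave; ret (repeated)
X86_STUB = b"\x55\x89\xe5\x83\xec\x10\xc7\x45\xfc\x01\x00\x00\x00\x8b\x45\xfc\xc9\xc3" * 200
SAMPLE_PLAIN = build_toy_pe([(b".text", X86_STUB), (b".data", b"Hello, world! " * 200)])
SAMPLE_PACKED = build_toy_pe([(b"UPX0", b""), (b"UPX1", _pseudo_random(4096, b"constructed"))])

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packing_report(blob))
```

On a real sample, read the file in binary mode and pass the bytes to `packing_report`. A high-entropy section alone is not proof of packing (resource sections holding compressed images score high too), which is why it pairs well with PeID's signature match and the import-count observation above.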
strings allows us to read the printable strings in a file. It can give us a picture of the file.
A lot of text is produced, but we can pick out the URL practicalmalwareanalysis.com.
To analyze the number of imports in the file we can use PE Explorer.
Load the file, then hit the Import button in the top toolbar. This reveals 5 unique imports.
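To see why `strings` output is so noisy and how an analyst pulls indicators like the URL above out of it, here is an added example (not from the room and not the `strings` tool itself) that does the same job in Python: it collects printable runs of four or more characters, also catching UTF-16LE "wide" strings that the default `strings` run would miss, and then filters the result for domain-like values. The byte blob it scans is constructed for the example; only practicalmalwareanalysis.com and the final string d:h: echo values mentioned in this write-up.

```python
import re
from typing import Dict, List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs of at least min_len characters,
    covering ASCII and UTF-16LE ("wide") strings, sorted by file offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Tuple[int, str, str]] = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda t: t[0])
    return found


# Anything that looks like host.name or a URL; module names (.dll etc.) are split off separately.
DOMAIN_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
BINARY_EXT = (".dll", ".exe", ".sys", ".ocx")


def find_indicators(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Sort domain-like strings into network indicators and referenced Windows modules."""
    domains: List[str] = []
    modules: List[str] = []
    for _, _, text in strings:
        for hit in DOMAIN_LIKE.findall(text):
            (modules if hit.lower().endswith(BINARY_EXT) else domains).append(hit)
    return {"domains": domains, "modules": modules}


# Constructed blob: header junk, a DOS stub message, a domain, a wide-string module name, then "d:h:".
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\xff" * 5
    + b"practicalmalwareanalysis.com" + b"\x00" * 3
    + "kernel32.dll".encode("utf-16-le") + b"\x00" * 4
    + b"\x07\x08d:h:"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in found:
        print(f"{offset:#08x} {enc:<8} {text}")
    print(find_indicators(found))
```

The offset column is the detail that `strings` alone hides and that matters when you go back to IDA: it tells you where in the file (and so in which section) the string lives, which separates a real C2 hostname from text that merely sits in a resource or a help message.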
IDA is a file disassembler. It enables decompiling. Imports can also be pulled. It is similar to PE Explorer in many ways.
On running /Task 13/install.exe through IDA, we see 9 imports from the msi library.
This pulls together the previous sections.
Task 14/ComplexCalculator.exe is the target executable.
- What is the MD5 checksum? F5BD8E6DC6782ED4DFA62B8215BDC429
- Does VirusTotal report this file as malicious? Yes, CrowdStrike Falcon detects it.
- What is the last string outputted with strings? d:h: is the last.
- What is the output of PeID when trying to detect what packer is used by the file? Nothing found *