book

Malware Analysis Techniques

by Dylan Barker

June 2021

Intermediate to advanced

282 pages

5h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchReviews
Technical requirementsSetting up VirtualBox with Windows 10Downloading and verifying VirtualBoxInstalling Windows 10Installing the FLARE VM packageIsolating your environmentMaintenance and snapshottingSummary
Technical requirementsThe basics – hashingHashing algorithmsObtaining file hashesAvoiding rediscovery of the wheelLeveraging VirusTotalGetting fuzzyPicking up the piecesMalware serotypingCollecting stringsChallengesChallenge 1Challenge 2SummaryFurther reading
Technical requirementsDetonating your malwareMonitoring for processesNetwork IOC collectionDiscovering enumeration by the enemyDomain checksSystem enumerationNetwork enumerationCase study – DharmaDiscovering persistence mechanismsRun keysScheduled tasksMalicious shortcuts and start up foldersService installationUncovering common techniquesFinal word on persistenceUsing PowerShell for triagePersistence identificationRegistry keysService installationScheduled tasksLess common persistence mechanismsChecking user logonsLocating secondary stagesExamining NTFS (NT File System) alternate data streamsChallengeSummary
Technical requirementsUsing HybridAnalysisUsing Any.RunInstalling and using Cuckoo SandboxCuckoo installation – prerequisitesInstalling VirtualBoxCuckoo and VMCloakDefining our VMConfiguring CuckooNetwork configurationCuckoo web UIRunning your first analysis in CuckooShortcomings of automated analysis toolsChallengeSummary
Technical requirementsDissecting the PE file formatThe DOS headerPE file headerOptional headerSection tableThe Import Address TableExamining packed files and packersDetecting packersUnpacking samplesUtilizing NSA's Ghidra for static analysisSetting up a project in GhidraChallengeSummaryFurther reading
Technical requirementsMonitoring malicious processesRegshotProcess ExplorerProcess MonitorGetting away with itNetwork-based deceptionFakeNet-NGApateDNSHiding in plain sightTypes of process injectionDetecting process injectionCase study – TrickBotChallengeSummary

Technical requirementsLeveraging API calls to understand malicious capabilitiesx86 assembly primerIdentifying anti-analysis techniquesExamining binaries in Ghidra for anti-analysis techniquesOther analysis checksTackling packed samplesRecognizing packed malwareManually unpacking malwareChallengeSummary
Technical requirementsIdentifying obfuscation techniquesString encodingString concatenationString replacementOther methodologiesDeobfuscating malicious VBS scriptsUtilizing VbsEditUsing WScript.EchoDeobfuscating malicious PowerShell scriptsCompressionOther methods within PowerShellEmotet obfuscationA word on obfuscation and de-obfuscation toolsInvoke-Obfuscation and PSDecodeJavaScript obfuscation and JSDetoxOther languagesChallengesSummary
Technical requirementsHashing preventionBlocking hash execution with Group PolicyOther methodologiesBehavioral preventionBinary and shell-based blockingNetwork-based behaviorsNetwork IOCs – blocking at the perimeterCommon tooling for IOC-based blockingChallengeSummary
Technical requirementsUnderstanding MITRE's ATT&CK frameworkTactics – building a kill chainCase study: AndromedaInitial accessExecutionPersistenceDefense evasionCommand and ControlUtilizing MITRE ATT&CK for C-level reportingReporting considerationsChallengeSummaryFurther reading
Chapter 2 – Static Analysis – Techniques and ToolingChallenge 1Challenge 2Chapter 3 – Dynamic Analysis – Techniques and ToolingChapter 4 – A Word on Automated Sandboxing Chapter 5 – Advanced Static Analysis – Out of the White NoiseChapter 6 – Advanced Dynamic Analysis – Looking at ExplosionsChapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue PillChapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the TubeChapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for DefenseChapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CKSummary
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Malware Analysis Techniques

Chapter 1: Creating and Maintaining your Detonation Environment

Malware can be slippery, difficult to dissect, and prone to escapism. As malware analysts, however, we frequently find ourselves in a position where it's necessary to be able to both examine the binaries and samples we come across, as well as actively run the samples and observe their behavior in a semi-live environment. Observing how the malware behaves within a real-world OS informs us as analysts how to better defend and remediate infections of the same kind we come across.

Such needs present several challenges:

How do we execute and study malicious code while ensuring our real environments remain safe and we do not assist the malware authors in propagating their code?
What ...