book

Malware Analysis Techniques

by Dylan Barker

June 2021

Intermediate to advanced

282 pages

5h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchReviews
Technical requirementsSetting up VirtualBox with Windows 10Downloading and verifying VirtualBoxInstalling Windows 10Installing the FLARE VM packageIsolating your environmentMaintenance and snapshottingSummary
Technical requirementsThe basics – hashingHashing algorithmsObtaining file hashesAvoiding rediscovery of the wheelLeveraging VirusTotalGetting fuzzyPicking up the piecesMalware serotypingCollecting stringsChallengesChallenge 1Challenge 2SummaryFurther reading
Technical requirementsDetonating your malwareMonitoring for processesNetwork IOC collectionDiscovering enumeration by the enemyDomain checksSystem enumerationNetwork enumerationCase study – DharmaDiscovering persistence mechanismsRun keysScheduled tasksMalicious shortcuts and start up foldersService installationUncovering common techniquesFinal word on persistenceUsing PowerShell for triagePersistence identificationRegistry keysService installationScheduled tasksLess common persistence mechanismsChecking user logonsLocating secondary stagesExamining NTFS (NT File System) alternate data streamsChallengeSummary
Technical requirementsUsing HybridAnalysisUsing Any.RunInstalling and using Cuckoo SandboxCuckoo installation – prerequisitesInstalling VirtualBoxCuckoo and VMCloakDefining our VMConfiguring CuckooNetwork configurationCuckoo web UIRunning your first analysis in CuckooShortcomings of automated analysis toolsChallengeSummary
Technical requirementsDissecting the PE file formatThe DOS headerPE file headerOptional headerSection tableThe Import Address TableExamining packed files and packersDetecting packersUnpacking samplesUtilizing NSA's Ghidra for static analysisSetting up a project in GhidraChallengeSummaryFurther reading
Technical requirementsMonitoring malicious processesRegshotProcess ExplorerProcess MonitorGetting away with itNetwork-based deceptionFakeNet-NGApateDNSHiding in plain sightTypes of process injectionDetecting process injectionCase study – TrickBotChallengeSummary

Technical requirementsLeveraging API calls to understand malicious capabilitiesx86 assembly primerIdentifying anti-analysis techniquesExamining binaries in Ghidra for anti-analysis techniquesOther analysis checksTackling packed samplesRecognizing packed malwareManually unpacking malwareChallengeSummary
Technical requirementsIdentifying obfuscation techniquesString encodingString concatenationString replacementOther methodologiesDeobfuscating malicious VBS scriptsUtilizing VbsEditUsing WScript.EchoDeobfuscating malicious PowerShell scriptsCompressionOther methods within PowerShellEmotet obfuscationA word on obfuscation and de-obfuscation toolsInvoke-Obfuscation and PSDecodeJavaScript obfuscation and JSDetoxOther languagesChallengesSummary
Technical requirementsHashing preventionBlocking hash execution with Group PolicyOther methodologiesBehavioral preventionBinary and shell-based blockingNetwork-based behaviorsNetwork IOCs – blocking at the perimeterCommon tooling for IOC-based blockingChallengeSummary
Technical requirementsUnderstanding MITRE's ATT&CK frameworkTactics – building a kill chainCase study: AndromedaInitial accessExecutionPersistenceDefense evasionCommand and ControlUtilizing MITRE ATT&CK for C-level reportingReporting considerationsChallengeSummaryFurther reading
Chapter 2 – Static Analysis – Techniques and ToolingChallenge 1Challenge 2Chapter 3 – Dynamic Analysis – Techniques and ToolingChapter 4 – A Word on Automated Sandboxing Chapter 5 – Advanced Static Analysis – Out of the White NoiseChapter 6 – Advanced Dynamic Analysis – Looking at ExplosionsChapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue PillChapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the TubeChapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for DefenseChapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CKSummary
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Malware Analysis Techniques

Chapter 3: Dynamic Analysis – Techniques and Tooling

Now that we have covered static analysis – the art of obtaining intelligence from a piece of malware without execution – it's time to study the antithesis of this approach.

We will utilize the most powerful tool in our arsenal as malware analysts; executing the malware and watching for the behaviors that the software exhibits, as well as what techniques the adversary is utilizing to achieve their goals. Knowing and understanding this may allow our counterparts in security operations to build better defense mechanisms to prevent further incidents, making this an incredibly important technique.

Additionally, we'll take a look at how we may automate some of these tasks in order to make the most ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781839212277Supplemental Content

Malware Analysis Techniques

by Dylan Barker

Chapter 3: Dynamic Analysis – Techniques and Tooling

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Practical Malware Analysis

Learning Malware Analysis

Advanced Malware Analysis

Advanced Malware Analysis

Publisher Resources

Chapter 3: Dynamic Analysis – Techniques and Tooling

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Practical Malware Analysis

Learning Malware Analysis

Advanced Malware Analysis

Advanced Malware Analysis

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.