book

Malware Analysis Techniques

by Dylan Barker

June 2021

Intermediate to advanced

282 pages

5h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchReviews
Technical requirementsSetting up VirtualBox with Windows 10Downloading and verifying VirtualBoxInstalling Windows 10Installing the FLARE VM packageIsolating your environmentMaintenance and snapshottingSummary
Technical requirementsThe basics – hashingHashing algorithmsObtaining file hashesAvoiding rediscovery of the wheelLeveraging VirusTotalGetting fuzzyPicking up the piecesMalware serotypingCollecting stringsChallengesChallenge 1Challenge 2SummaryFurther reading
Technical requirementsDetonating your malwareMonitoring for processesNetwork IOC collectionDiscovering enumeration by the enemyDomain checksSystem enumerationNetwork enumerationCase study – DharmaDiscovering persistence mechanismsRun keysScheduled tasksMalicious shortcuts and start up foldersService installationUncovering common techniquesFinal word on persistenceUsing PowerShell for triagePersistence identificationRegistry keysService installationScheduled tasksLess common persistence mechanismsChecking user logonsLocating secondary stagesExamining NTFS (NT File System) alternate data streamsChallengeSummary
Technical requirementsUsing HybridAnalysisUsing Any.RunInstalling and using Cuckoo SandboxCuckoo installation – prerequisitesInstalling VirtualBoxCuckoo and VMCloakDefining our VMConfiguring CuckooNetwork configurationCuckoo web UIRunning your first analysis in CuckooShortcomings of automated analysis toolsChallengeSummary
Technical requirementsDissecting the PE file formatThe DOS headerPE file headerOptional headerSection tableThe Import Address TableExamining packed files and packersDetecting packersUnpacking samplesUtilizing NSA's Ghidra for static analysisSetting up a project in GhidraChallengeSummaryFurther reading
Technical requirementsMonitoring malicious processesRegshotProcess ExplorerProcess MonitorGetting away with itNetwork-based deceptionFakeNet-NGApateDNSHiding in plain sightTypes of process injectionDetecting process injectionCase study – TrickBotChallengeSummary

Technical requirementsLeveraging API calls to understand malicious capabilitiesx86 assembly primerIdentifying anti-analysis techniquesExamining binaries in Ghidra for anti-analysis techniquesOther analysis checksTackling packed samplesRecognizing packed malwareManually unpacking malwareChallengeSummary
Technical requirementsIdentifying obfuscation techniquesString encodingString concatenationString replacementOther methodologiesDeobfuscating malicious VBS scriptsUtilizing VbsEditUsing WScript.EchoDeobfuscating malicious PowerShell scriptsCompressionOther methods within PowerShellEmotet obfuscationA word on obfuscation and de-obfuscation toolsInvoke-Obfuscation and PSDecodeJavaScript obfuscation and JSDetoxOther languagesChallengesSummary
Technical requirementsHashing preventionBlocking hash execution with Group PolicyOther methodologiesBehavioral preventionBinary and shell-based blockingNetwork-based behaviorsNetwork IOCs – blocking at the perimeterCommon tooling for IOC-based blockingChallengeSummary
Technical requirementsUnderstanding MITRE's ATT&CK frameworkTactics – building a kill chainCase study: AndromedaInitial accessExecutionPersistenceDefense evasionCommand and ControlUtilizing MITRE ATT&CK for C-level reportingReporting considerationsChallengeSummaryFurther reading
Chapter 2 – Static Analysis – Techniques and ToolingChallenge 1Challenge 2Chapter 3 – Dynamic Analysis – Techniques and ToolingChapter 4 – A Word on Automated Sandboxing Chapter 5 – Advanced Static Analysis – Out of the White NoiseChapter 6 – Advanced Dynamic Analysis – Looking at ExplosionsChapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue PillChapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the TubeChapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for DefenseChapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CKSummary
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Malware Analysis Techniques

Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

In action movies, it's often the case that when the hero walks away from an exploding object, they don't even bother to look back to see the destruction it is causing. Unfortunately for malware analysts, we don't tend to be quite as cool as action heroes, and our job requires that we closely observe the destruction being caused.

To this point, we've mostly worked with the static gathering of metadata on files from an advanced perspective. In this chapter, we'll begin executing our malware and observing the behaviors. This will allow an analyst to validate the data they have recovered from static analysis, as well as uncover Tools, Techniques, and Procedures (TTPs) that may not be apparent ...