book

Malware Analysis Techniques

by Dylan Barker

June 2021

Intermediate to advanced

282 pages

5h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchReviews
Technical requirementsSetting up VirtualBox with Windows 10Downloading and verifying VirtualBoxInstalling Windows 10Installing the FLARE VM packageIsolating your environmentMaintenance and snapshottingSummary
Technical requirementsThe basics – hashingHashing algorithmsObtaining file hashesAvoiding rediscovery of the wheelLeveraging VirusTotalGetting fuzzyPicking up the piecesMalware serotypingCollecting stringsChallengesChallenge 1Challenge 2SummaryFurther reading
Technical requirementsDetonating your malwareMonitoring for processesNetwork IOC collectionDiscovering enumeration by the enemyDomain checksSystem enumerationNetwork enumerationCase study – DharmaDiscovering persistence mechanismsRun keysScheduled tasksMalicious shortcuts and start up foldersService installationUncovering common techniquesFinal word on persistenceUsing PowerShell for triagePersistence identificationRegistry keysService installationScheduled tasksLess common persistence mechanismsChecking user logonsLocating secondary stagesExamining NTFS (NT File System) alternate data streamsChallengeSummary
Technical requirementsUsing HybridAnalysisUsing Any.RunInstalling and using Cuckoo SandboxCuckoo installation – prerequisitesInstalling VirtualBoxCuckoo and VMCloakDefining our VMConfiguring CuckooNetwork configurationCuckoo web UIRunning your first analysis in CuckooShortcomings of automated analysis toolsChallengeSummary
Technical requirementsDissecting the PE file formatThe DOS headerPE file headerOptional headerSection tableThe Import Address TableExamining packed files and packersDetecting packersUnpacking samplesUtilizing NSA's Ghidra for static analysisSetting up a project in GhidraChallengeSummaryFurther reading
Technical requirementsMonitoring malicious processesRegshotProcess ExplorerProcess MonitorGetting away with itNetwork-based deceptionFakeNet-NGApateDNSHiding in plain sightTypes of process injectionDetecting process injectionCase study – TrickBotChallengeSummary

Technical requirementsLeveraging API calls to understand malicious capabilitiesx86 assembly primerIdentifying anti-analysis techniquesExamining binaries in Ghidra for anti-analysis techniquesOther analysis checksTackling packed samplesRecognizing packed malwareManually unpacking malwareChallengeSummary
Technical requirementsIdentifying obfuscation techniquesString encodingString concatenationString replacementOther methodologiesDeobfuscating malicious VBS scriptsUtilizing VbsEditUsing WScript.EchoDeobfuscating malicious PowerShell scriptsCompressionOther methods within PowerShellEmotet obfuscationA word on obfuscation and de-obfuscation toolsInvoke-Obfuscation and PSDecodeJavaScript obfuscation and JSDetoxOther languagesChallengesSummary
Technical requirementsHashing preventionBlocking hash execution with Group PolicyOther methodologiesBehavioral preventionBinary and shell-based blockingNetwork-based behaviorsNetwork IOCs – blocking at the perimeterCommon tooling for IOC-based blockingChallengeSummary
Technical requirementsUnderstanding MITRE's ATT&CK frameworkTactics – building a kill chainCase study: AndromedaInitial accessExecutionPersistenceDefense evasionCommand and ControlUtilizing MITRE ATT&CK for C-level reportingReporting considerationsChallengeSummaryFurther reading
Chapter 2 – Static Analysis – Techniques and ToolingChallenge 1Challenge 2Chapter 3 – Dynamic Analysis – Techniques and ToolingChapter 4 – A Word on Automated Sandboxing Chapter 5 – Advanced Static Analysis – Out of the White NoiseChapter 6 – Advanced Dynamic Analysis – Looking at ExplosionsChapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue PillChapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the TubeChapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for DefenseChapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CKSummary
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Malware Analysis Techniques

Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

In every previous chapter of this book, we've looked at analyzing malware from both static and dynamic perspectives. The entire point of the analysis of adversarial software is to gather intelligence on an adversary's operations and find the fingerprints they may leave on a network, machine, or file.

However, simply gathering the information is not enough if we do not endeavor to make use of information our hard-fought analysis has uncovered. While, as analysts, we may not often be responsible for the implementation of these defenses, having the knowledge of how they may be implemented may assist us with knowing what will be of value to uncover during our analysis.

Let's take ...