book

Malware Analysis Techniques

by Dylan Barker

June 2021

Intermediate to advanced

282 pages

5h 18m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesDownload the color imagesConventions usedGet in touchReviews
Technical requirementsSetting up VirtualBox with Windows 10Downloading and verifying VirtualBoxInstalling Windows 10Installing the FLARE VM packageIsolating your environmentMaintenance and snapshottingSummary
Technical requirementsThe basics – hashingHashing algorithmsObtaining file hashesAvoiding rediscovery of the wheelLeveraging VirusTotalGetting fuzzyPicking up the piecesMalware serotypingCollecting stringsChallengesChallenge 1Challenge 2SummaryFurther reading
Technical requirementsDetonating your malwareMonitoring for processesNetwork IOC collectionDiscovering enumeration by the enemyDomain checksSystem enumerationNetwork enumerationCase study – DharmaDiscovering persistence mechanismsRun keysScheduled tasksMalicious shortcuts and start up foldersService installationUncovering common techniquesFinal word on persistenceUsing PowerShell for triagePersistence identificationRegistry keysService installationScheduled tasksLess common persistence mechanismsChecking user logonsLocating secondary stagesExamining NTFS (NT File System) alternate data streamsChallengeSummary
Technical requirementsUsing HybridAnalysisUsing Any.RunInstalling and using Cuckoo SandboxCuckoo installation – prerequisitesInstalling VirtualBoxCuckoo and VMCloakDefining our VMConfiguring CuckooNetwork configurationCuckoo web UIRunning your first analysis in CuckooShortcomings of automated analysis toolsChallengeSummary
Technical requirementsDissecting the PE file formatThe DOS headerPE file headerOptional headerSection tableThe Import Address TableExamining packed files and packersDetecting packersUnpacking samplesUtilizing NSA's Ghidra for static analysisSetting up a project in GhidraChallengeSummaryFurther reading
Technical requirementsMonitoring malicious processesRegshotProcess ExplorerProcess MonitorGetting away with itNetwork-based deceptionFakeNet-NGApateDNSHiding in plain sightTypes of process injectionDetecting process injectionCase study – TrickBotChallengeSummary

Technical requirementsLeveraging API calls to understand malicious capabilitiesx86 assembly primerIdentifying anti-analysis techniquesExamining binaries in Ghidra for anti-analysis techniquesOther analysis checksTackling packed samplesRecognizing packed malwareManually unpacking malwareChallengeSummary
Technical requirementsIdentifying obfuscation techniquesString encodingString concatenationString replacementOther methodologiesDeobfuscating malicious VBS scriptsUtilizing VbsEditUsing WScript.EchoDeobfuscating malicious PowerShell scriptsCompressionOther methods within PowerShellEmotet obfuscationA word on obfuscation and de-obfuscation toolsInvoke-Obfuscation and PSDecodeJavaScript obfuscation and JSDetoxOther languagesChallengesSummary
Technical requirementsHashing preventionBlocking hash execution with Group PolicyOther methodologiesBehavioral preventionBinary and shell-based blockingNetwork-based behaviorsNetwork IOCs – blocking at the perimeterCommon tooling for IOC-based blockingChallengeSummary
Technical requirementsUnderstanding MITRE's ATT&CK frameworkTactics – building a kill chainCase study: AndromedaInitial accessExecutionPersistenceDefense evasionCommand and ControlUtilizing MITRE ATT&CK for C-level reportingReporting considerationsChallengeSummaryFurther reading
Chapter 2 – Static Analysis – Techniques and ToolingChallenge 1Challenge 2Chapter 3 – Dynamic Analysis – Techniques and ToolingChapter 4 – A Word on Automated Sandboxing Chapter 5 – Advanced Static Analysis – Out of the White NoiseChapter 6 – Advanced Dynamic Analysis – Looking at ExplosionsChapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue PillChapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the TubeChapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for DefenseChapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CKSummary
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Malware Analysis Techniques

Chapter 11: Challenge Solutions

Chapter 2 – Static Analysis – Techniques and Tooling

The challenges in Chapter 2 cover the basic static analysis of binaries. The answers are as follows:

Challenge 1

The SHA256 sum of the sample is B6D7E579A24EFC09C2DBA13CA906227 90866E017A3311C1809C5041E91B7A930.
The ssdeep of the sample is 3072:C5OLkQW8JS0k0wcBalDIs3hlAp5+hQQE89X3Qo+PgaE3:CsWnGYlAp5+hR9sYaE.
Utilizing what we've learned from static cryptographic hashes, we can utilize OSINT sources such as VirusTotal to learn that this sample corresponds with the SolarMarker family of malware.

Challenge 2

For this challenge, you could locate the kill-switch domain for WannaCry just by utilizing the strings utility! The domain you should have uncovered was ...