Basic malware analysis
- 2. Monnappa
Member of SecurityXploded
Info Security Investigator @ Cisco
Focus on Threat Intelligence
Reverse Engineering, Malware Analysis, Memory Forensics
Email: monnappa22@gmail.com
Twitter: @monnappa22
Blog: http://malware-unplugged.blogspot.in
Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
- 3. Why Malware Analysis?
Types of Malware Analysis
Static Analysis
Dynamic Analysis
Memory Analysis
Demo
www.SecurityXploded.com
- 4. To determine:
the nature and purpose of the malware
Interaction with the file system
Interaction with the registry
Interaction with the network
Identifiable patterns
- 5. Static Analysis
- Analyzing without executing the malware
Dynamic Analysis
- Analyzing by executing the malware
Memory Analysis
- Analyzing the RAM for artifacts
- 6. Static Analysis
Steps:
Determine the file type
tools: file utility (built in on Unix; on Windows install a port, e.g. the one shipped with UnxUtils or Cygwin)
Determine the cryptographic hash
tools: md5sum utility on Unix and Windows (part of UnxUtils for Windows); record SHA-256 as well, since MD5 collisions are practical
Strings search
tools: strings utility on Unix and Windows, BinText
File obfuscation (packers, cryptors and binders) detection
tools: PEiD, RDG Packer Detector
Submission to online antivirus scanners (VirusTotal, Jotti, Team Cymru)
tools: browser, or the VirusTotal public API
Determine the imports
tools: PEview, Dependency Walker
Disassembly
tools: IDA Pro, OllyDbg
- 7. Dynamic Analysis
Involves executing the malware in a controlled, isolated environment (a lab VM with no path to production) to determine its behaviour
Steps:
Determine the file system activity
tools: Process Monitor, CaptureBAT
Determine the process activity
tools: Process Explorer, Process Monitor, CaptureBAT
Determine the network activity
tools: Wireshark
Determine the registry activity
tools: Regmon, Process Monitor, CaptureBAT
- 8. Memory Analysis
Finding and extracting artifacts from the computer's RAM
Determine the process activity
Determine the network connections
Determine hidden artifacts
Determine the registry activity
Tools:
Volatility (Advanced Memory Forensics Framework)
Advantages:
helps in rootkit detection (hidden processes and hooks are visible in memory even when the live system lies)
helps in unpacking (the unpacked code has to be present in memory to run)
- 19. The results below show the process, registry and file system activity after executing the malware (edd94.exe). explorer.exe also performs a lot of activity, which indicates that the malware injected code into explorer.exe.
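To turn the dynamic-analysis steps listed on slide 7 into something repeatable, and to make the slide 19 observation (explorer.exe suddenly busy after the sample ran) a check rather than an eyeball judgement, here is an added example that is not from the slides or from SecurityXploded: a Python script that summarises a Process Monitor CSV export per process and activity class, pulls out Run-key persistence and dropped executables, and flags trusted system processes that start writing files or talking on the network. The CSV rows are constructed to imitate Procmon's export columns, not a real capture; the operation-to-class table and the baseline list of trusted process names are my assumptions, and the sample name edd94.exe is reused from slide 19.

```python
import csv
import io
import sys
from collections import Counter, defaultdict

# Constructed Procmon-style CSV export (imitating Procmon's default export columns),
# not a real capture: a dropper writes a copy of itself, sets a Run key, and
# explorer.exe then starts doing file and network work it has no reason to do.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","edd94.exe","1234","Process Start","","SUCCESS","Parent PID: 560"
"10:01:02.2","edd94.exe","1234","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS",""
"10:01:02.3","edd94.exe","1234","CreateFile","C:\\Windows\\System32\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.4","edd94.exe","1234","WriteFile","C:\\Windows\\System32\\svchost32.exe","SUCCESS","Length: 65536"
"10:01:02.5","edd94.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32","SUCCESS","Type: REG_SZ, Data: C:\\Windows\\System32\\svchost32.exe"
"10:01:02.6","edd94.exe","1234","Thread Create","","SUCCESS","Thread ID: 2020"
"10:01:02.7","explorer.exe","1500","Thread Create","","SUCCESS","Thread ID: 2021"
"10:01:03.0","explorer.exe","1500","TCP Connect","lab-pc:49152 -> 203.0.113.5:80","SUCCESS",""
"10:01:03.1","explorer.exe","1500","TCP Send","lab-pc:49152 -> 203.0.113.5:80","SUCCESS","Length: 310"
"10:01:03.2","explorer.exe","1500","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\log.dat","SUCCESS","Desired Access: Generic Write"
"10:01:03.3","explorer.exe","1500","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\log.dat","SUCCESS","Length: 1024"
"10:01:03.4","svchost.exe","800","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Start","SUCCESS","Type: REG_DWORD, Data: 2"
"""

# Assumed mapping of Procmon operation names to the four activity classes on slide 7.
# Registry and file reads are left out on purpose: they are mostly noise.
CATEGORIES = {
    "filesystem": {"CreateFile", "WriteFile", "SetDispositionInformationFile",
                   "SetRenameInformationFile"},
    "registry": {"RegCreateKey", "RegSetValue", "RegDeleteValue", "RegDeleteKey"},
    "process": {"Process Start", "Process Create", "Thread Create", "Load Image"},
    "network": {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"},
}
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumed baseline of trusted processes that should stay quiet while the sample runs.
TRUSTED = ("explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe")

def categorize(operation: str):
    for category, ops in CATEGORIES.items():
        if operation in ops:
            return category
    return None

def summarize(csv_text: str) -> dict:
    """Count activity per process and class; collect persistence, drops and connections."""
    per_process = defaultdict(Counter)
    persistence, dropped, network = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, op, path = row["Process Name"], row["Operation"], row["Path"]
        category = categorize(op)
        if category is None:
            continue
        per_process[proc][category] += 1
        if op == "RegSetValue" and any(m in path.lower() for m in RUN_KEY_MARKERS):
            persistence.append((proc, path))
        if op == "WriteFile" and path.lower().endswith((".exe", ".dll", ".sys")):
            dropped.append((proc, path))
        if category == "network":
            network.append((proc, path))
    return {"per_process": {p: dict(c) for p, c in per_process.items()},
            "persistence": persistence, "dropped": dropped, "network": network}

def injection_suspects(summary: dict) -> list:
    """Trusted processes that write files or touch the network after the sample ran:
    candidates for code injection, the pattern slide 19 points out for explorer.exe."""
    return sorted(p for p, cats in summary["per_process"].items()
                  if p in TRUSTED and (cats.get("filesystem") or cats.get("network")))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    report = summarize(text)
    for proc, cats in report["per_process"].items():
        print(f"{proc}: {cats}")
    print("persistence:", report["persistence"])
    print("dropped executables:", report["dropped"])
    print("injection suspects:", injection_suspects(report))
```

Filter the Procmon capture to the time window of the detonation before exporting, otherwise background activity of the trusted processes will trigger the injection heuristic; confirming the injection itself is a memory-analysis job (Volatility's malfind and thread listings), not something a Procmon log can prove on its own.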