Sunday, July 21, 2024

Cheat Sheet for Analyzing Malicious Software

This cheat sheet presents tips for analyzing and reverse-engineering malware. It outlines the steps for performing behavioral and code-level analysis of malicious software.

Overview of the Malware Analysis Process

  1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
  2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
  3. Examine static properties and meta-data of the specimen for triage and early theories.
  4. Perform behavioural analysis to examine the specimen’s interactions with its environment.
  5. Perform static code analysis to further understand the specimen’s inner-workings.
  6. Perform dynamic code analysis to understand the more difficult aspects of the code.
  7. If necessary, unpack the specimen.
  8. Perform memory forensics of the infected lab system to supplement the other findings.
  9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
  10. Document findings, save analysis artifacts and clean-up the laboratory for future analysis.

Behavioral Analysis

Ghidra for Static Code Analysis

Go to specific testinationg
Show references to selected instructionCtrl+Shift+f
Insert a comment;
Follow jump or callEnter
Return to previous locationAlt+Left
Go to next viewAlt+Right
Define data typet
Add a bookmarkCtrl+d
Text searchCtrl+Shift+e
Add or edit a labell
Disassemble selected valuesd

x64dbg/x32dbg for Dynamic Code Analysis

Run the codeF9
Step into/over instructionF7 / F8
Execute until selected instructionF4
Execute untill next returnCtrl+F9
Show previous/next executed instruction– / +
Return to previous view*
Go to specific expressionCtrl+g
Insert comment/label; / :
Show current function as a graphg
Find specific patternCtrl+b
Set software breakpoint on specific instructionSelect instruction » F2
Set software breakpoint on APIGo to Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassemblerh » Click on keyword
Assemble instruction in place of selected oneSelect instruction » Spacebar
Edit data in memory or instruction opcodeSelect data or instruction » Ctrl+e
Extract API call referencesRight-click in disassembler » Search for » Current module » Intermodular calls

Unpacking Malicious Code

  • Determine whether the specimen is packed by using Detect It EasyExeinfo PEBytehistpeframe, etc.
  • To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
  • For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
  • To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint.
  • Try setting a memory breakpoint on the stack in the unpacker’s beginning to catch it during cleanup.
  • To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
  • To intercept process injection set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
  • If cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
  • Rebuild imports and other aspects of the dumped file using Scylla, Imports FixerUIFpe_unmapper.
Recommended:  Open Source Intelligence What is it? and How Is it Used? (OSINT)

Bypassing Other Analysis Defenses

  • Decode obfuscated strings statically using FLARExorsearchBalbuzard, etc.
  • Decode data in a debugger by setting a breakpoint after the decoding function and examining results.
  • Conceal x64dbg/x32dbg via the ScyllaHide plugin.
  • To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
  • Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
  • If analyzing shellcode, use scdbg and jmp2it.
  • Disable ASLR via setdllcharacteristicsCFF Explorer.

credits: L Zeltser

Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates