What is Malware Analysis?
Malware analysis is a process analyzing the samples of malware family such as Trojan, virus, rootkits, ransomware, spyware in an isolated environment to understanding the infection, type, purpose, functionality by applying the various methods based on its behavior to understanding the motivation and applying the appropriate mitigation by creating rules and signature to prevent the users.
Malware analysis plays an essential role in avoiding and understanding cyber attacks. When incident response teams are brought into an an incident involving malware, the team will typically gather and analyze one or more samples in order to better understand the attacker’s capabilities and to help guide their investigation.
Type of Malwares:
|
Type |
What It Does |
Real-World Example |
|
disables victim's access to data until ransom is paid |
||
|
makes changes to files that are native to the OS |
Astaroth |
|
|
collects user activity data without their knowledge |
DarkHotel |
|
|
serves unwanted advertisements |
Fireball |
|
|
disguises itself as desirable code |
||
|
Worms |
spreads through a network by replicating itself |
Stuxnet |
|
gives hackers remote control of a victim's device |
Zacinlo |
|
|
Keyloggers |
monitors users' keystrokes |
Olympic Vision |
|
launches a broad flood of attacks |
Echobot |
|
|
infects mobile devices |
Triada |
How to perform Malware Analysis
There are various types of analysis and related malware analysis tools that mainly used to break down the malware.
- Static Malware Analysis
- Dynamic Malware Analysis
- Memory Forensics
- Web Domain Analysis
- Network interactions Analysis etc
Static Malware Analysis?
This procedure includes extraction and examination of different binary components and static behavioral inductions of an executable, for example, API headers, Referred DLLs, PE areas and all the more such assets without executing the samples.
Any deviation from the normal outcomes are recorded in the static investigation comes about and the decision given likewise. Static analysis is done without executing the malware whereas dynamic analysis was carried by executing the malware in a controlled environment.
1.Disassembly – Programs can be ported to new computer platforms, by compiling the source code in a different environment.
2.File Fingerprinting – network data loss prevention solutions for identifying and tracking data across a network
3.Virus Scanning -Virus scanning tools and instructions for malware & virus removal. Remove malware, viruses, spyware and other threats. ex: VirusTotal, Payload Security
4.Analyzing memory artifacts – During the time spent breaking down memory ancient rarities like[RAM dump, pagefile.sys, hiberfile.sys] the inspector can begin Identification of Rogue Process
5.Packer Detection – Packer Detection used to Detect packers, cryptors, Compilers, Packers Scrambler, Joiners, Installers.+ New Symbols+.
Static Malware analysis Tools
Ghidra and IDA : IDA Pro has been the go to SRE (Software Reverse Engineering) Suite for many years until Ghidra’s release in 2019. Since then Ghidra’s popularity has grown exponentially due to it being a free open-source tool that was developed and is still maintained by the NSA
Websites like : Hybrid-analysis, Virustotal.com
Other tools : Md5deep, PEiD, Exeinfo PE, RDG Packer,D4dot,PEview, WinDbg,Hxd
What is Dynamic Malware Analysis?
The dynamic analysis should always be an analyst’s first approach to discovering malware functionality. in dynamic analysis, will be building a virtual machine that will be used as a place to do malware analysis.
In addition, malware will be analyzed using malware sandbox and monitoring process of malware and analysis packets data made by malware.
Dynamic analysis tools:
Some common Dynamic analysis are Wireshark, Netcat, Procmon, Process Explorer, Process Monitor,Regshot, ApateDNS Procmon, Procdot, Regshot, , Process Hacker, PeStudio, Fiddler, Wireshark, Cuckoo Sand box, Ghidra.
After you have gather some data its time for analysis:
- Upload hash data/or file to site such virus total /anyrun / hybrid analysis to get info
- If IP or domain name available, check DB of known Adversaries.
- Use packet capture and traffic analysis, if external connection suspected by malware
- Obtain the malicious file analyze in sandbox to identify indicators.
- Use 'log s from SIEM and EDR to identify other infected endpoint.
- Take the identified endpoint of the network, do not power off
- Use data gathered to setup blocks for future attacks.
0 comments:
Post a Comment