- Learn the fundamentals of analysing malware samples without relying on automated sandbox scanners.
- Learn and understand typical malware behaviour and its importance in the incident investigation pipeline.
Key Malware Behaviours
Before touching the malware sample for this task, we need to briefly introduce common malware behaviours to have a good perspective on what to expect in handling malware samples.
A prominent word in cybersecurity, malware is software created to harm a computer or an entire network. Threat actors develop malware to achieve specific goals, such as infiltrating networks, breaching sensitive data, or disrupting operational services.
Inspect enough malware samples in the wild and a typical pattern emerges, which makes analysing the next sample easier with experience. Knowing these common behaviours tells us what to look for on the defensive side, such as:
- Network connections — Malware tends to establish external network connections, internal connections, or both. External connections give the operator remote access or let the sample download staged payloads from the threat actor's infrastructure. Internal connections enable lateral movement, a technique used to extend access to other hosts or applications within the network.
- Registry key modifications — Malware typically uses registry keys to establish persistence, a technique threat actors use to discreetly maintain long-term access to a system despite disruptions such as reboots. A good example is the Registry Run Keys (under HKCU for the current user, or HKLM for every user), which cause a binary to be executed automatically each time a user logs in.
- File manipulations — Malware also tends to download additional files (one of the common reasons it establishes network connections) or create new files needed for its successful execution.
With this knowledge, we know what behaviour to expect from a sample during an investigation.
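The three behaviour classes above are exactly what an analyst pulls out of a Process Monitor capture during dynamic analysis. The script below is an added example (not part of the original write-up or of the task's own tooling) that reads a Procmon CSV export and buckets events into network connections, Run-key persistence and file creation. The log lines are constructed for this illustration: "sample.exe", the hosts, timestamps and PIDs are made up, and only the column layout and operation names ("CreateFile", "RegSetValue", "TCP Connect") follow what Procmon actually writes.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (same columns Procmon writes via
# File > Save > CSV). "sample.exe" is a hypothetical process name, and every
# path, key, host, PID and timestamp below is made up for this illustration.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:15:01.0010","sample.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"09:15:01.0020","sample.exe","4120","CreateFile","C:\Users\Administrator\test.jpg","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"09:15:01.0030","sample.exe","4120","CreateFile","C:\Users\Administrator\wishes.bat","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"09:15:01.0040","sample.exe","4120","RegSetValue","HKCU\Software\Sample\Config","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"09:15:01.0050","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wishes","SUCCESS","Type: REG_SZ, Length: 180, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat"
"09:15:02.0100","sample.exe","4120","TCP Connect","SANDBOX-PC:49811 -> downloads.example:80","SUCCESS","Length: 0, mss: 1460"
"09:15:02.5000","sample.exe","4120","TCP Connect","SANDBOX-PC:49812 -> telemetry.example:443","SUCCESS","Length: 0, mss: 1460"
"09:15:03.0000","sample.exe","4120","TCP Connect","SANDBOX-PC:49813 -> downloads.example:80","ACCESS DENIED","Length: 0, mss: 1460"
'''

# Run / RunOnce keys: ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def parse_events(text: str) -> list:
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def remote_host(path: str) -> str:
    # Procmon renders network paths as "local:port -> remote:port";
    # rsplit on the last colon so a port is stripped but a hostname survives.
    remote = path.split(" -> ")[-1]
    return remote.rsplit(":", 1)[0]


def summarise(text: str) -> dict:
    """Bucket events into the three behaviour classes discussed above."""
    hosts, persistence, created = set(), [], set()
    for ev in parse_events(text):
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        # A refused connection is still an indicator: record network attempts
        # regardless of Result, but only count writes that actually succeeded.
        if op in NETWORK_OPS:
            hosts.add(remote_host(path))
            continue
        if ev["Result"] != "SUCCESS":
            continue
        if op == "RegSetValue" and RUN_KEY_RE.search(path):
            m = re.search(r"Data: (.*)$", detail)
            persistence.append((path, m.group(1) if m else ""))
        elif op == "CreateFile" and "OpenResult: Created" in detail:
            # "Created" distinguishes a dropped file from the many DLL opens.
            created.add(path)
    return {
        "network": sorted(hosts),
        "persistence": persistence,
        "files_created": sorted(created),
    }


if __name__ == "__main__":
    for category, items in summarise(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run against a real export, filter Procmon to the sample's PID first; otherwise the summary fills with noise from every other process on the sandbox. Dropping a file into the Start Menu\Programs\Startup folder is the same ATT&CK technique as a Run key and is worth a matching check on the CreateFile path.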
Dangers of Analysing Malware Samples
WARNING: Handling a malware sample is dangerous. Always consider precautions while analysing it.
Here are some helpful tips when handling live malware:
- Always assume that a malware sample will infect your device; executing it is therefore not the first, and never the only, step in analysing it.
- Only run the malware sample in a controlled environment that prevents compromise of any asset outside that environment.
- It is always recommended to have your own sandbox, which lets you execute malware samples without worrying about collateral damage.
A sandbox is a controlled test environment that mimics a legitimate end-user working environment. It gives analysts a safe place to execute malware samples and learn their behaviour. Lastly, having a sandbox ready stops analysts from running malware samples on their own workstations, which is highly dangerous and impractical given the possibility of unwanted impact.
In a typical setup, sandboxes also provide automated analysis that Security Analysts can use to determine whether a binary from a set of malware samples requires further manual investigation.
For this task, you may start the attached FlareVM instance by clicking on the Start Machine button. This VM will serve as your sandbox. However, do not expect this machine to provide an automated analysis since we will assist Forensic McBlue in conducting manual analysis.
Note: If the VM is not visible, use the blue Show Split View button at the top-right of the page.
You may use the following credentials for alternative access via Remote Desktop (RDP):
Static and Dynamic Analysis
The previous section covered the prerequisites for handling malware safely. Now, let's have a quick refresher on the two methods of malware analysis.
Static Analysis is a way of analysing a malware sample without executing the code. This method mainly focuses on profiling the binary from its readable information, such as its properties, program flow and strings. Because the sample is never executed, this method sometimes yields insufficient information (a packed binary, for instance, shows little more than the packer's stub), which is why we resort to Dynamic Analysis.
Meanwhile, Dynamic Analysis mainly focuses on understanding the malware by executing it in a safe environment, such as a sandbox. By doing this, you see the malware live in action, its exact behaviour, and how it infects the environment.
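The static checks mentioned above (architecture, packer, compiler, strings) come straight from the PE headers and the printable runs in the file, and are worth understanding without a GUI tool. The script below is an added example, not code from the original write-up or from the task's own tooling: it parses the COFF header and section table by hand, detects UPX from its section names, guesses the compiler from leftover runtime symbols, and extracts URLs from the strings. Because no real sample can ship with the page, it builds a constructed, non-executable PE skeleton to run against; the x64 machine value, the UPX0/UPX1 section names and the Nim symbol names are the real ones, but "downloads.example" and "@main.nim" are made up.

```python
import re
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)", 0xAA64: "64-bit (ARM64)"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def build_sample_pe() -> bytes:
    """Constructed stand-in for a sample: a minimal PE skeleton, not a real binary.

    DOS header, PE signature, a COFF header for x64 with two sections named
    UPX0/UPX1, and a few trailing strings of the kind a UPX-packed, Nim-compiled
    binary leaves behind. Nothing here is executable.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header immediately follows
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 in this toy), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x0022)
    # IMAGE_SECTION_HEADER is 40 bytes; only the 8-byte Name matters here.
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in (b"UPX0", b"UPX1"))
    tail = b"\0".join([b"UPX!", b"@main.nim", b"NimMainInner",
                       b"http://downloads.example/test.jpg", b"wishes.bat"])
    return bytes(dos) + b"PE\0\0" + coff + sections + b"\0" * 8 + tail + b"\0"


def pe_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    off = struct.unpack_from("<I", data, 60)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return off


def architecture(data: bytes) -> str:
    machine = struct.unpack_from("<H", data, pe_header_offset(data) + 4)[0]
    return MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine)


def section_names(data: bytes) -> list:
    off = pe_header_offset(data)
    num_sections = struct.unpack_from("<H", data, off + 6)[0]
    size_opt = struct.unpack_from("<H", data, off + 20)[0]
    table = off + 24 + size_opt  # 4-byte signature + 20-byte COFF header + optional header
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]


def packer(data: bytes) -> str:
    # UPX renames sections to UPX0/UPX1 and leaves a "UPX!" marker. A custom
    # packer can trivially rename them, so treat this as a hint, not proof.
    if any(n.startswith("UPX") for n in section_names(data)) or b"UPX!" in data:
        return "upx"
    return "none detected"


def strings(data: bytes) -> list:
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def compiler(strs: list) -> str:
    # Nim leaves its runtime entry points (NimMain*) and source names (*.nim) in the binary.
    if any(s.startswith("NimMain") or s.endswith(".nim") for s in strs):
        return "nim"
    return "unknown"


def urls(strs: list) -> list:
    return sorted({s for s in strs if s.startswith(("http://", "https://"))})


def triage(data: bytes) -> dict:
    strs = strings(data)
    return {"architecture": architecture(data), "packer": packer(data),
            "compiler": compiler(strs), "urls": urls(strs)}


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print("%-12s %s" % (key, value))
```

On a real UPX-packed sample the strings pass mostly sees the packer's stub, so once `packer()` reports upx, unpack a copy (`upx -d`) and run the string and URL checks again on the unpacked file; the compiler hint and any download URL usually only appear then.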
1. What is the architecture of the malware sample? (32-bit/64-bit)
   Answer: 64-bit
2. What is the packer used in the malware sample? (format: lowercase)
   Answer: upx
3. What is the compiler used to build the malware sample? (format: lowercase)
   Answer: nim
4. How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
   Answer: 2
5. What is the registry key abused by the malware?
   Answer: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
6. What is the value written on the registry key based on the previous question?
   Answer: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
7. What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
   Answer: test.jpg,wishes.bat
8. What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
9. Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
Follow me on Medium and stay tuned for more write-ups.