Malware Analysis Techniques

Malware Analysis Techniques

by Dylan Barker
Released June 2021
Publisher(s): Packt Publishing
ISBN: 9781839212277

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Analyze malicious samples, write reports, and use industry-standard methodologies to confidently triage and analyze adversarial software and malware

Key Features

  • Investigate, detect, and respond to various types of malware threat
  • Understand how to use what you've learned as an analyst to produce actionable IOCs and reporting
  • Explore complete solutions, detailed walkthroughs, and case studies of real-world malware samples

Book Description

Malicious software poses a threat to every enterprise globally. Its growth is costing businesses millions of dollars due to currency theft as a result of ransomware and lost productivity. With this book, you'll learn how to quickly triage, identify, attribute, and remediate threats using proven analysis techniques.

Malware Analysis Techniques begins with an overview of the nature of malware, the current threat landscape, and its impact on businesses. Once you've covered the basics of malware, you'll move on to discover more about the technical nature of malicious software, including static characteristics and dynamic attack methods within the MITRE ATT&CK framework. You'll also find out how to perform practical malware analysis by applying all that you've learned to attribute the malware to a specific threat and weaponize the adversary's indicators of compromise (IOCs) and methodology against them to prevent them from attacking. Finally, you'll get to grips with common tooling utilized by professional malware analysts and understand the basics of reverse engineering with the NSA's Ghidra platform.

By the end of this malware analysis book, you'll be able to perform in-depth static and dynamic analysis and automate key tasks for improved defense against attacks.

What you will learn

  • Discover how to maintain a safe analysis environment for malware samples
  • Get to grips with static and dynamic analysis techniques for collecting IOCs
  • Reverse-engineer and debug malware to understand its purpose
  • Develop a well-polished workflow for malware analysis
  • Understand when and where to implement automation to react quickly to threats
  • Perform malware analysis tasks such as code analysis and API inspection

Who this book is for

This book is for incident response professionals, malware analysts, and researchers who want to sharpen their skillset or are looking for a reference for common static and dynamic analysis techniques. Beginners will also find this book useful to get started with learning about malware analysis. Basic knowledge of command-line interfaces, familiarity with Windows and Unix-like filesystems and registries, and experience in scripting languages such as PowerShell, Python, or Ruby will assist with understanding the concepts covered.

Table of contents

  1. Malware Analysis Techniques
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Reviews
  6. Section 1: Basic Techniques
  7. Chapter 1: Creating and Maintaining your Detonation Environment
    1. Technical requirements
    2. Setting up VirtualBox with Windows 10
      1. Downloading and verifying VirtualBox
      2. Installing Windows 10
    3. Installing the FLARE VM package
    4. Isolating your environment
    5. Maintenance and snapshotting
    6. Summary
  8. Chapter 2: Static Analysis – Techniques and Tooling
    1. Technical requirements
    2. The basics – hashing
      1. Hashing algorithms
      2. Obtaining file hashes
    3. Avoiding rediscovery of the wheel
      1. Leveraging VirusTotal
    4. Getting fuzzy
    5. Picking up the pieces
      1. Malware serotyping
      2. Collecting strings
    6. Challenges
      1. Challenge 1
      2. Challenge 2
    7. Summary
    8. Further reading
  9. Chapter 3: Dynamic Analysis – Techniques and Tooling
    1. Technical requirements
    2. Detonating your malware
      1. Monitoring for processes
      2. Network IOC collection
    3. Discovering enumeration by the enemy
      1. Domain checks
      2. System enumeration
      3. Network enumeration
    4. Case study – Dharma
    5. Discovering persistence mechanisms
      1. Run keys
      2. Scheduled tasks
      3. Malicious shortcuts and start up folders
      4. Service installation
      5. Uncovering common techniques
      6. Final word on persistence
    6. Using PowerShell for triage
    7. Persistence identification
      1. Registry keys
      2. Service installation
      3. Scheduled tasks
      4. Less common persistence mechanisms
    8. Checking user logons
    9. Locating secondary stages
    10. Examining NTFS (NT File System) alternate data streams
    11. Challenge
    12. Summary
  10. Chapter 4: A Word on Automated Sandboxing
    1. Technical requirements
    2. Using HybridAnalysis
    3. Using Any.Run
    4. Installing and using Cuckoo Sandbox
      1. Cuckoo installation – prerequisites
      2. Installing VirtualBox
      3. Cuckoo and VMCloak
      4. Defining our VM
      5. Configuring Cuckoo
      6. Network configuration
      7. Cuckoo web UI
      8. Running your first analysis in Cuckoo
    5. Shortcomings of automated analysis tools
    6. Challenge
    7. Summary
  11. Section 2: Debugging and Anti-Analysis – Going Deep
  12. Chapter 5: Advanced Static Analysis – Out of the White Noise
    1. Technical requirements
    2. Dissecting the PE file format
      1. The DOS header
      2. PE file header
      3. Optional header
      4. Section table
      5. The Import Address Table
    3. Examining packed files and packers
      1. Detecting packers
      2. Unpacking samples
    4. Utilizing NSA's Ghidra for static analysis
      1. Setting up a project in Ghidra
    5. Challenge
    6. Summary
    7. Further reading
  13. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions
    1. Technical requirements
    2. Monitoring malicious processes
      1. Regshot
      2. Process Explorer
      3. Process Monitor
      4. Getting away with it
    3. Network-based deception
      1. FakeNet-NG
      2. ApateDNS
    4. Hiding in plain sight
      1. Types of process injection
      2. Detecting process injection
    5. Case study – TrickBot
    6. Challenge
    7. Summary
  14. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
    1. Technical requirements
    2. Leveraging API calls to understand malicious capabilities
      1. x86 assembly primer
    3. Identifying anti-analysis techniques
      1. Examining binaries in Ghidra for anti-analysis techniques
      2. Other analysis checks
    4. Tackling packed samples
      1. Recognizing packed malware
      2. Manually unpacking malware
    5. Challenge
    6. Summary
  15. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube
    1. Technical requirements
    2. Identifying obfuscation techniques
      1. String encoding
      2. String concatenation
      3. String replacement
      4. Other methodologies
    3. Deobfuscating malicious VBS scripts
      1. Utilizing VbsEdit
      2. Using WScript.Echo
    4. Deobfuscating malicious PowerShell scripts
      1. Compression
      2. Other methods within PowerShell
      3. Emotet obfuscation
    5. A word on obfuscation and de-obfuscation tools
      1. Invoke-Obfuscation and PSDecode
      2. JavaScript obfuscation and JSDetox
      3. Other languages
    6. Challenges
    7. Summary
  16. Section 3: Reporting and Weaponizing Your Findings
  17. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense
    1. Technical requirements
    2. Hashing prevention
      1. Blocking hash execution with Group Policy
      2. Other methodologies
    3. Behavioral prevention
      1. Binary and shell-based blocking
      2. Network-based behaviors
    4. Network IOCs – blocking at the perimeter
    5. Common tooling for IOC-based blocking
    6. Challenge
    7. Summary
  18. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK
    1. Technical requirements
    2. Understanding MITRE's ATT&CK framework
      1. Tactics – building a kill chain
    3. Case study: Andromeda
      1. Initial access
      2. Execution
      3. Persistence
      4. Defense evasion
      5. Command and Control
    4. Utilizing MITRE ATT&CK for C-level reporting
      1. Reporting considerations
    5. Challenge
    6. Summary
    7. Further reading
  19. Section 4: Challenge Solutions
  20. Chapter 11: Challenge Solutions
    1. Chapter 2 – Static Analysis – Techniques and Tooling
      1. Challenge 1
      2. Challenge 2
    2. Chapter 3 – Dynamic Analysis – Techniques and Tooling
    3. Chapter 4 – A Word on Automated Sandboxing
    4. Chapter 5 – Advanced Static Analysis – Out of the White Noise
    5. Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions
    6. Chapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
    7. Chapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the Tube
    8. Chapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for Defense
    9. Chapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CK
    10. Summary
    11. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Leave a review - let other readers know what you think

Product information

  • Title: Malware Analysis Techniques
  • Author(s): Dylan Barker
  • Release date: June 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781839212277