Introduction to Malware Analysis

To get you started, read https://digital-forensics.sans.org/media/malware-analysis-cheat-sheet.pdf


You’ll see multiple articles numbered “MA-X”, for example “MA-01 — Emerging Malware Analysis News/Intel”. I recommend reading them sequentially if you’re new; you can refer to the series as a handbook.

Malware analysis methodology

These are the questions you want to answer when analysing malware; essentially, they describe what you want to achieve by performing the analysis.

Does the file pose a threat to the org specifically? I.e. does it check for specific infrastructure, services or files that only the org’s users would hold?

What defences against this threat can we carve out from the analysis/reverse engineering of this malware?

What are the file’s capabilities?

What are the key functions of the file?

What can we extract that will support lessons learnt, threat hunting and future detection? I.e. IOCs, specific behaviour not seen before, etc.

What does the file reveal about the adversary? You want to attribute the attack to a group/actor: is there anything specific to an actor, i.e. certain coding methods, certain IPs/infrastructure used, certain TTPs used, etc.?
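A first pass at several of the questions above (capabilities, extractable IOCs, and whether the sample targets the org specifically) is a static triage of the file’s strings. The script below is an added example written for this article, not code from the original page or from any of the resources it lists. It runs a `strings`-style extraction over a constructed byte blob standing in for a sample, pulls out IPv4 addresses, URLs, domains and UNC paths as candidate IOCs, flags Windows API names commonly associated with process injection, and checks for references to org-specific hosts. The sample bytes, the `SUSPICIOUS_APIS` list, the TLD list and the `ORG_MARKERS` (ACME-FS01, acme.local) are all assumptions made for the demo; the 203.0.113.0/24 address is a documentation range, not real infrastructure.

```python
import hashlib
import re

# Constructed stand-in for a suspicious binary. Real use: open(path, "rb").read()
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    + b"\x7f\x00\xff"
    + b"http://203.0.113.45/update.php\x00"          # C2-looking URL (doc range)
    + b"203.0.113.45\x00"
    + b"cdn.example.net\x00"
    + b"\\\\ACME-FS01\\finance\\payroll.xlsx\x00"    # org-specific target path
    + b"build 999.1.1.1\x00"                           # looks like an IP, is not one
    + b"\x00" * 8
)

# Assumed indicators for the demo; tune these to the org and the sample.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
    "SetWindowsHookExA", "IsDebuggerPresent", "NtUnmapViewOfSection",
}
ORG_MARKERS = ["ACME-FS01", "acme.local"]

MIN_STRING_LEN = 6
STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
# Small TLD list on purpose: avoid matching DLL names and file extensions.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info)\b", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.-]+\\\S+")


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Printable-ASCII runs of at least min_len characters (like the `strings` tool)."""
    pattern = STRING_RE if min_len == MIN_STRING_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with octets outside 0-255 (e.g. build numbers)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def file_hashes(data: bytes) -> dict[str, str]:
    """Hashes to pivot on in threat intel and to record as IOCs."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Static first pass: hashes, strings, candidate IOCs, suspicious APIs, org targeting."""
    strs = extract_strings(data)
    iocs = {
        "ipv4": sorted({ip for s in strs for ip in IPV4_RE.findall(s) if valid_ipv4(ip)}),
        "url": sorted({u for s in strs for u in URL_RE.findall(s)}),
        "domain": sorted({d for s in strs for d in DOMAIN_RE.findall(s)}),
        "unc_path": sorted({p for s in strs for p in UNC_RE.findall(s)}),
    }
    apis = sorted({s for s in strs if s in SUSPICIOUS_APIS})
    # "Does it pose a threat to the org specifically?" - look for our own names in it.
    org_hits = sorted({s for s in strs if any(m.lower() in s.lower() for m in ORG_MARKERS)})
    return {
        "hashes": file_hashes(data),
        "strings": strs,
        "iocs": iocs,
        "suspicious_apis": apis,
        "org_specific": org_hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("hashes", "iocs", "suspicious_apis", "org_specific"):
        print(f"{key}: {report[key]}")
```

Treat the output as leads, not conclusions: a string being present does not mean the code path that uses it is reachable, packed or encrypted samples will show almost nothing until unpacked, and a clean `strings` run is itself a data point that pushes you towards dynamic analysis.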

Malware Analysis — 3 tips

1. Don’t overthink the sample

  • Try to get a general understanding of the malware rather than digging into, for example, why the attacker may have set up a function in a certain way.

2. Keep an open mind

  • Your samples will react differently in different environments, either because of configuration/compatibility or because the sample evades or detects the environment.
  • If static analysis isn’t working, try dynamic.

3. Malware will constantly evolve, so should your analysis techniques/tools

  • The techniques you employ will likely come from here as well as from well-known books/resources, so malware authors will be aware of them and aim to avoid/evade them. Try to apply what you learn to develop your own techniques.

People to watch, follow and listen to…

Watch: HackerSploit Malware Analysis Bootcamp

YouTube

Colin Hardy

MalwareAnalysisForHedgehogs

Kindred Security

CheerioLive

Danooct1 (His viewer made malware playlist is also quite funny to watch)

HackerSploit

SANS Digital Forensics and Incident Response

MalwareTech

Twitter

MalwareTech

Podcasts

Darknet Diaries

Cyber by Motherboard

Books

Introduction to Malware Analysis (Packt)

Practical Malware Analysis (No Starch Press)

Malware Data Science (No Starch Press)

Malware Unicorn Workshops RE101 and RE102: from 0 to reverse engineering crypto algorithms used by common malware samples. The first workshop presents a good workflow that is helpful during any malware analysis task. RE102 is a good hands-on tutorial and step-by-step guide to dissecting a piece of malware, and walks through some of the most common “anti-” techniques used by malware writers.

https://github.com/RPISEC/Malware: materials developed by RPISEC, including lectures, labs and projects. It uses ‘Practical Malware Analysis’ as its textbook, and also contains a list of further places to pick up more samples or challenges.

Some anti-virus companies put out “crackmes” as recruitment challenges; you can openly download these and try them even if you don’t want to apply: https://join.eset.com/en

FireEye Flare-On challenges: https://www.flare-on.com

Twitter: @mikecybersec