# Exam Cookbook
## General guide
### Static Analysis
- Upload to VirusTotal to see whether it is a known malware sample.
- Run yara on the executable:
```
yara -w -g PATH\TO\RULEFILE PATH\TO\EXECUTABLE
```
- Run pestudio and check:
  - indicators
  - sections
  - imports
- Identify packing with PEiD (section entropy > 6.5 suggests packed or encrypted data)
- Open the file in CFF Explorer to identify the packing mechanism
- If it is not packed, run strings with a minimum string length of 10 to cut noise (in the GUI: right click on the exe and change "Min Size" to 10; Sysinternals strings on the command line takes -n 10):
```
strings PATH\TO\EXECUTABLE
```
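The packing check above (section entropy above roughly 6.5) can be scripted so the whole section table is judged at once. The following is an added example, not code from the original cookbook: a standard-library-only Python script that walks the PE section table by hand (no pefile) and prints per-section Shannon entropy. The PE it scans by default (`SAMPLE_PE`) is constructed in memory, with a repetitive `.text` and a high-entropy `UPX1` section, so the script runs offline; the 6.5 threshold is the guide's heuristic, and the file name `pe_entropy.py` is assumed.

```python
"""Per-section Shannon entropy of a PE file: the packing heuristic from the guide.

Added example, not code from the original cookbook. Standard library only: the PE
headers are parsed by hand instead of with pefile, and the sample PE scanned
below (SAMPLE_PE) is constructed in memory so the script runs offline.
Usage on a real file:  python pe_entropy.py PATH\TO\EXECUTABLE
"""
import hashlib
import math
import struct
import sys

PACKED_THRESHOLD = 6.5  # the guide's heuristic: entropy above this suggests packed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) .. 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_size, entropy) for every entry in the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]          # offset of the PE signature
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = blob[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        yield name, raw_size, shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])


def packed_sections(blob: bytes, threshold: float = PACKED_THRESHOLD):
    """Names of non-empty sections whose entropy exceeds the threshold."""
    return [name for name, size, ent in pe_sections(blob) if size and ent > threshold]


def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE32 with the given (name, data) sections.
    Only the header fields the parser reads are meaningful; everything else is zero."""
    opt_size, e_lfanew, file_align = 0xE0, 0x40, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)      # PE32 magic, rest zeroed
    table, body = b"", b""
    for name, data in sections:
        raw_size = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 + len(body),
                             raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


def pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256), standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sample: a repetitive ".text" and a packed-looking "UPX1" section.
SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8B\xEC\x83\xEC\x10" * 700),
    ("UPX1", pseudo_random(4096)),
])


def report(blob: bytes) -> None:
    for name, size, ent in pe_sections(blob):
        flag = "  <-- likely packed" if size and ent > PACKED_THRESHOLD else ""
        print(f"{name:8s} {size:7d} bytes  entropy {ent:.2f}{flag}")


if __name__ == "__main__":
    report(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE)
```

Entropy is only a hint: a section holding compressed resources or a large embedded certificate also scores high, so combine the result with the section names and imports from pestudio before calling a sample packed.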
### Dynamic Analysis
- Run Process Hacker
- Take the 1st Regshot
- Start procmon and begin capturing
- Start the malware as Admin
- Wait until the malware has finished
- Stop the procmon capture
- Save the procmon capture as CSV first!
- Filter for "Operation" "is" "Process Create"
- Enable the Thread ID column
- Take the 2nd Regshot and compare the shots (create the diff)
  - Identify persistence in the Registry (e.g. Run keys)
- Process Hacker: identify any suspicious processes
  - Look into memory (RWX regions containing a PE header)
  - Look into modules (any suspicious DLL, e.g. one that is not verified?)
  - String analysis (Memory → Strings) with a filter (CyberChef regex, e.g. for IPs or domains)
- Run HollowsHunter
  - Identify process hollowing:
```
hollows_hunter.exe
```
  - Identify inline and IAT hooks:
```
hollows_hunter.exe /hooks /iat
```
- Run yara on the HollowsHunter output if something shows up:
```
yara -r -w -g PATH\TO\YaraRules PATH\TO\HollowsHunter\Directory
```
- Run Autoruns to identify persistence techniques
- Open the procmon capture in ProcDOT
  - Select the procmon file → press the three dots → select the malware process → hit Refresh
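The "Operation is Process Create" filter and the Registry persistence check above can also be run offline against the CSV you saved. The following is an added example, not code from the original cookbook: a Python script that reads a Procmon CSV export, rebuilds the process tree from the Process Create rows (Procmon writes the child as `PID: <n>, Command line: <cmd>` in the Detail column) and lists RegSetValue writes under Run/RunOnce keys. `SAMPLE_CSV` is constructed to mimic Procmon's default export columns, the PIDs and paths in it are invented, and the file name `procmon_tree.py` is assumed.

```python
"""Process tree and Run-key writes from a Procmon CSV export: the "Operation is
Process Create" filter from the guide, applied offline to the saved capture.

Added example, not code from the original cookbook. SAMPLE_CSV is constructed to
mimic Procmon's default export columns; the 'PID: <n>, Command line: <cmd>' Detail
format is the one Procmon writes for Process Create rows. On a real capture run:
python procmon_tree.py capture.csv <malware PID>
"""
import csv
import io
import re
import sys
from collections import defaultdict

DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed capture: explorer starts sample.exe, which sets a Run key, drops a
# file and spawns cmd -> schtasks plus a suspended-looking svchost.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","1234","Process Create","C:\\Users\\lab\\Desktop\\sample.exe","SUCCESS","PID: 4321, Command line: ""C:\\Users\\lab\\Desktop\\sample.exe"" "
"10:01:02.2000000 AM","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Length: 88, Data: C:\\Users\\lab\\AppData\\Roaming\\updater.exe"
"10:01:02.3000000 AM","sample.exe","4321","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 5000, Command line: cmd.exe /c schtasks /create /tn updater /tr C:\\Users\\lab\\AppData\\Roaming\\updater.exe /sc onlogon"
"10:01:02.4000000 AM","cmd.exe","5000","Process Create","C:\\Windows\\System32\\schtasks.exe","SUCCESS","PID: 5012, Command line: schtasks /create /tn updater /tr C:\\Users\\lab\\AppData\\Roaming\\updater.exe /sc onlogon"
"10:01:02.5000000 AM","sample.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","Offset: 0, Length: 45,056"
"10:01:03.0000000 AM","sample.exe","4321","Process Create","C:\\Windows\\System32\\svchost.exe","SUCCESS","PID: 5100, Command line: svchost.exe"
'''


def rows(csv_text):
    """Parse the export by column name, so the column order in the GUI does not matter."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(csv_text):
    """Map parent PID -> [(child PID, image path, command line)] from Process Create rows."""
    tree = defaultdict(list)
    for row in rows(csv_text):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if m:
            tree[int(row["PID"])].append((int(m.group(1)), row["Path"], m.group(2).strip()))
    return dict(tree)


def descendants(csv_text, root_pid):
    """PIDs spawned by root_pid, directly or transitively, breadth-first."""
    tree, out, queue = process_tree(csv_text), [], [root_pid]
    while queue:
        pid = queue.pop(0)
        for child, _, _ in tree.get(pid, []):
            out.append(child)
            queue.append(child)
    return out


def run_key_writes(csv_text):
    """(PID, registry path, detail) for RegSetValue rows under a Run/RunOnce key."""
    return [(int(r["PID"]), r["Path"], r["Detail"]) for r in rows(csv_text)
            if r["Operation"] == "RegSetValue" and RUN_KEY_RE.search(r["Path"])]


def print_tree(tree, pid, indent=0):
    for child, path, cmd in tree.get(pid, []):
        print("  " * indent + f"{child}  {path}  [{cmd}]")
        print_tree(tree, child, indent + 1)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    root = int(sys.argv[2]) if len(sys.argv) > 2 else 4321
    print(f"children of {root}:")
    print_tree(process_tree(text), root, 1)
    for pid, path, detail in run_key_writes(text):
        print(f"persistence: PID {pid} wrote {path} ({detail})")
```

Because the export is keyed by column name, enabling extra columns such as Thread ID in Procmon before exporting does not break the parser; the only requirement is that the capture is saved as CSV (not PML) as the checklist says.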
## Specific guides
### Inline hooking with IDA
1. HollowsHunter: find IAT and inline hooks
```
hollows_hunter.exe /hooks /iat 1 /imp 1
```
2. YARA on the HollowsHunter output directory; here we can detect the malware family
```
yara -r -w -g PATH\TO\YARA\RULE PATH\TO\OUTPUT\DIR
```
3. Show the hooked library functions from the HollowsHunter output
   - Open NUMBER.NAME-OF-DLL.dll.tag (the output directory has the process ID in its name)
   - Write down interesting functions, e.g. HttpSendRequestW in wininet.dll.tag
4. Attach to the process in IDA
   - Debugger → Attach → select the process (you know the process ID from HollowsHunter)
5. IDA analysis
   - Modules → search (CTRL + F) for your DLL name → find the function and double-click it → the hook shows up as a jump instruction at the function start → profit
   - Sometimes this is difficult because there are legitimate jumps too.
### API Monitor
- API Filter
  - Important: select Diagnostics and System Services (or whichever groups are relevant)
- Capture new process
  - Click on "Capture new process" and select the malware
  - Right click on a call → Exclude or Include → API Name
- Look for:
  - Process hollowing: CreateProcess, ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
  - Direct code injection: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
  - DLL injection: the same calls as direct code injection, except that the buffer written into the target is a DLL path and the remote thread starts at LoadLibrary; confirm in Process Hacker (Modules, ...)
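The API sequences above are ordered patterns, so they can be matched automatically against a call list exported from the monitor. The following is an added example, not code from the original cookbook: a Python classifier that folds A/W and Nt/Zw name variants onto the names used in the guide, checks each sequence as an in-order subsequence of the trace, and flags DLL injection when the WriteProcessMemory buffer is a DLL path. The traces it runs on are constructed by hand to look like API Monitor summaries (invented handles, PIDs and addresses), and the alias table and the DLL-path heuristic are this example's own assumptions.

```python
"""Classify an injection technique from an ordered API call trace, using the
API Monitor sequences listed in the guide.

Added example, not code from the original cookbook. The traces below are
constructed by hand to look like an API Monitor summary (API name plus a
shortened parameter string per call); the alias table that folds A/W and
Nt/Zw variants onto the guide's names and the DLL-path heuristic for DLL
injection are this example's own assumptions.
"""
import re

ALIASES = {
    "CreateProcessA": "CreateProcess", "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess",
    "NtUnmapViewOfSection": "ZwUnmapViewOfSection",
    "CreateRemoteThreadEx": "CreateRemoteThread", "NtCreateThreadEx": "CreateRemoteThread",
}

# Ordered API sequences from the guide; gaps between the calls are allowed.
SIGNATURES = {
    "process hollowing": ["CreateProcess", "ZwUnmapViewOfSection", "VirtualAllocEx",
                          "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
    "direct code injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                              "CreateRemoteThread"],
}

DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]*\.dll', re.IGNORECASE)


def normalize(api: str) -> str:
    return ALIASES.get(api, api)


def contains_in_order(calls, pattern) -> bool:
    """True if every name in pattern occurs in calls in that order (not necessarily adjacent)."""
    it = iter(calls)                       # one shared iterator: each match consumes the prefix
    return all(any(call == want for call in it) for want in pattern)


def classify(trace):
    """trace: [(api_name, params), ...] in call order. Returns the matching technique labels."""
    calls = [normalize(api) for api, _ in trace]
    findings = [label for label, pattern in SIGNATURES.items() if contains_in_order(calls, pattern)]
    # DLL injection uses the same calls as direct injection; the tell is that the buffer
    # written into the target is a DLL path (confirm afterwards in Process Hacker > Modules).
    if "direct code injection" in findings and any(
            normalize(api) == "WriteProcessMemory" and DLL_PATH_RE.search(params)
            for api, params in trace):
        findings.append("dll injection")
    return findings


# Constructed traces (not real captures).
HOLLOWING_TRACE = [
    ("CreateProcessW", 'lpApplicationName="C:\\Windows\\System32\\svchost.exe", dwCreationFlags=CREATE_SUSPENDED'),
    ("GetThreadContext", "hThread=0x1a4"),
    ("NtUnmapViewOfSection", "ProcessHandle=0x1a0, BaseAddress=0x00400000"),
    ("VirtualAllocEx", "hProcess=0x1a0, lpAddress=0x00400000, flProtect=PAGE_EXECUTE_READWRITE"),
    ("WriteProcessMemory", "hProcess=0x1a0, lpBuffer=<MZ...>, nSize=0x1c000"),
    ("SetThreadContext", "hThread=0x1a4"),
    ("ResumeThread", "hThread=0x1a4"),
]
DLL_INJECTION_TRACE = [
    ("OpenProcess", "dwDesiredAccess=PROCESS_ALL_ACCESS, dwProcessId=4321"),
    ("VirtualAllocEx", "hProcess=0x2b0, flProtect=PAGE_READWRITE"),
    ("WriteProcessMemory", 'hProcess=0x2b0, lpBuffer="C:\\Users\\lab\\AppData\\Roaming\\evil.dll"'),
    ("CreateRemoteThread", "hProcess=0x2b0, lpStartAddress=0x76e1a0c0"),
]
BENIGN_TRACE = [
    ("CreateProcessW", 'lpApplicationName="C:\\Windows\\System32\\notepad.exe"'),
    ("WaitForSingleObject", "hHandle=0x1a0"),
    ("CloseHandle", "hObject=0x1a0"),
]

if __name__ == "__main__":
    for name, trace in [("hollowing", HOLLOWING_TRACE), ("dll", DLL_INJECTION_TRACE), ("benign", BENIGN_TRACE)]:
        print(f"{name:10s} -> {classify(trace) or ['nothing matched']}")
```

The matcher deliberately allows unrelated calls between the pattern steps, because a real trace is full of them; what it does not do is tie the calls to one target handle, so when two injections interleave you still have to read the parameters by hand.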
### Run DLL
- Start the DLL with rundll32.exe (it calls the chosen export with rundll32's own argument convention, so an export with a different signature may crash or do nothing):
```
# run the export with ordinal 1
rundll32.exe <dll-path>,#1
# run a specific export -> find its name in CFF Explorer / Export Directory
rundll32.exe <dll-path>,<function-name>
```
## General guide (old oli)
1. What happens on execution?
   - Is it a standalone process, DLL injection, code injection, etc.?
   - A standalone process and code injection should be visible in Process Hacker
   - If nothing is visible, check API Monitor (see [filter.xml](_media/xml/filter.xml))
   - Why is the code suspicious?
   - Is the malware packed?
2. How is the malware persisted?
   - Autoruns
3. Static analysis
   - VirusTotal / tria.ge (should work in most cases)
   - Manually: extract the code from memory (Process Hacker) and analyse the dump with yara / string analysis
4. Dynamic analysis
   - Similar to the previous steps
   - What processes are created? (Process Monitor with PID filters and Operation filters)
   - Interesting operations
     - WriteFile
     - RegSetValue
     - Process Create
     - Process Start
   - Process Monitor export into ProcDOT
   - hollows_hunter
     - Check for hooks
   - Look up memory sections in IDA (?)