
Exam Cookbook

links: MAI MOC - Index


General guide

Static Analysis

  1. Upload to VirusTotal to see if it is known malware.
  2. Run YARA on the executable:
yara -w -g PATH\TO\RULEFILE PATH\TO\EXECUTABLE
  3. Run pestudio and check:
    1. Indicators
    2. Sections
    3. Imports
  4. Identify packing with PEiD (section entropy > 6.5 suggests packed or encrypted code)
  5. Open the file in CFF Explorer to identify the packing mechanism
  6. If it is not packed, run strings (GUI: right click on the exe and change "Min Size" to 10; on the command line -n sets the minimum length):
strings -n 10 PATH\TO\EXECUTABLE

Dynamic Analysis

  1. Run Process Hacker
  2. Make 1st Regshot
  3. Start procmon and begin the capture
  4. Start the malware as Admin
    1. Wait until the malware has finished
  5. Stop procmon capture
    1. Save procmon capture as CSV first!
    2. Filter for "Operation" "is" "Process Create"
    3. Activate ThreadID column
  6. Make 2nd Regshot and create diff
    1. Compare shots
    2. Identify persistence in Registry
  7. Process Hacker: Identify any suspicious processes
    1. Look into memory (RWX regions containing a PE header)
    2. Look into modules (any suspicious DLL, e.g. not verified or loaded from an unusual path)
    3. String analysis (Memory -> Strings) with a filter (CyberChef regex, e.g. for IPs or domains)
  8. Run HollowsHunter

Identify process hollowing:

hollows_hunter.exe

Identify inline and IAT hooks:

hollows_hunter.exe /hooks /iat
  9. Run YARA on the HollowsHunter output if something shows up:
yara -r -w -g PATH\TO\YaraRules PATH\TO\HollowsHunter\Directory
  10. Run Autoruns to identify persistence techniques
  11. Open the procmon capture (the CSV export) in ProcDOT
    1. Select the procmon file -> press the three dots -> select the malware process -> hit refresh

Specific guides

Inline hooking with IDA

  1. Run HollowsHunter to find IAT and inline hooks:
hollows_hunter.exe /hooks /iat 1 /imp 1
  2. Run YARA on the HollowsHunter output directory; this is where the malware family can be identified:
yara -r -w -g PATH\TO\YARA\RULE PATH\TO\OUTPUT\DIR
  3. Show the hooked library functions from the HollowsHunter output
    1. The output directory for a process has the process ID in its name
    2. Open NUMBER.NAME-OF-DLL.dll.tag
    3. Write down interesting functions, e.g. HttpSendRequestW in wininet.dll.tag
  4. Attach to the process in IDA: Debugger -> Attach -> select the process (the PID is known from the HollowsHunter output)
  5. IDA analysis: Modules -> search (CTRL + F) for the DLL name -> search for the function and double-click it -> look at the jump instruction at the function start -> profit

Sometimes this is difficult because there are legitimate jumps as well; compare the bytes with the DLL on disk and check whether the jump target lies outside the module.
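The "legitimate jump" problem from the step above, as an added example (my code, not part of the notes, HollowsHunter or IDA): given the first bytes of a function as seen in the debugger and the same bytes from the DLL on disk, it decodes the common x64 hook trampolines (`jmp rel32`, `mov rax, imm64; jmp rax`, `push imm32; ret`), resolves where the jump lands, and flags the function only if the prologue was rewritten and the target leaves the owning module. The module map, addresses, prologue bytes and the hooked functions are all constructed for the example.

```python
import struct

# Constructed module map (name -> (base, size)). Addresses are made up for this example.
MODULES = {
    "wininet.dll": (0x7FFB20000000, 0x200000),
    "kernel32.dll": (0x7FFB22000000, 0xC0000),
}


def module_of(addr: int, modules: dict):
    """Name of the module whose mapped range contains addr, or None (unbacked memory)."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def decode_trampoline(addr: int, code: bytes):
    """Recognise the common hook trampolines at the start of a function located at addr.
    Returns (kind, target) or None when the bytes do not start with a jump."""
    if len(code) >= 5 and code[0] == 0xE9:  # jmp rel32: target = end of the 5-byte jmp + rel32
        (rel,) = struct.unpack_from("<i", code, 1)
        return "jmp rel32", addr + 5 + rel
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax, imm64 ; jmp rax
        (target,) = struct.unpack_from("<Q", code, 2)
        return "mov rax / jmp rax", target
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret (32-bit targets)
        (target,) = struct.unpack_from("<I", code, 1)
        return "push / ret", target
    return None


def check_function(name: str, addr: int, in_memory: bytes, on_disk: bytes, modules: dict = MODULES) -> dict:
    """Compare the live prologue with the on-disk copy and resolve where any jump lands."""
    owner = module_of(addr, modules)
    hook = decode_trampoline(addr, in_memory)
    target_module = module_of(hook[1], modules) if hook else None
    changed = in_memory != on_disk  # the bytes differ from the file on disk
    return {
        "function": name,
        "changed": changed,
        "hook": hook[0] if hook else None,
        "target": hook[1] if hook else None,
        "target_module": target_module,
        # A jump alone is not proof: compilers emit tail jumps inside the same module.
        # Flag it only when the prologue was rewritten AND the jump leaves the module.
        "suspicious": changed and hook is not None and target_module != owner,
    }


def jmp_rel32(addr: int, target: int) -> bytes:
    """Encode 'jmp rel32' at addr to target (used to build the sample prologues)."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))


# ---- constructed sample: what the .tag file points at and what IDA shows at the address ----
WININET, KERNEL32 = MODULES["wininet.dll"][0], MODULES["kernel32.dll"][0]
TRAMPOLINE = 0x7FFB1FFF0000  # RWX region just below wininet.dll, mapped by the hooking code
SAMPLE = [
    # (name, address, first bytes seen in the debugger, first bytes of the DLL on disk)
    ("HttpSendRequestW", WININET + 0x4A3F0,
     jmp_rel32(WININET + 0x4A3F0, TRAMPOLINE) + b"\x48\x89\x74\x24\x10\x57",
     b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57"),
    # legitimate jmp: identical on disk and it stays inside wininet.dll
    ("InternetOpenW", WININET + 0x12340,
     jmp_rel32(WININET + 0x12340, WININET + 0x80000) + b"\xCC\xCC\xCC",
     jmp_rel32(WININET + 0x12340, WININET + 0x80000) + b"\xCC\xCC\xCC"),
    ("CreateProcessW", KERNEL32 + 0x1E5A0,
     b"\x48\xB8" + struct.pack("<Q", 0x1F4A0B30000) + b"\xFF\xE0",
     b"\x4C\x8B\xDC\x53\x56\x57\x41\x54\x41\x55\x41\x56"),
]


def scan(sample=SAMPLE, modules: dict = MODULES) -> dict:
    return {name: check_function(name, addr, mem, disk, modules) for name, addr, mem, disk in sample}


if __name__ == "__main__":
    for name, r in scan().items():
        status = "HOOKED" if r["suspicious"] else "ok"
        tgt = f" -> {r['target']:#x} ({r['target_module'] or 'unbacked memory'})" if r["hook"] else ""
        print(f"{name:<18} {status:<6} {r['hook'] or 'no jump'}{tgt}")
```

The on-disk bytes come from the same DLL version that is loaded (a different patch level also changes prologues), and a target inside another legitimate module (e.g. an export forwarder) still deserves a look; the point is that "starts with jmp" by itself is not the signal.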

API Monitor

  1. API Filter
    • Important: select Diagnostics and System Services, or whichever API groups are relevant
  2. Capture new process
    • Click on "Capture new process" and select the malware
    • Right click on a call -> Exclude or Include -> API Name
  3. Look for:
    • Process hollowing: CreateProcess (with CREATE_SUSPENDED), ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread
    • Direct code injection: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
    • DLL injection: the same calls as direct code injection, but the written buffer is a DLL path and the remote thread starts at LoadLibrary; confirm in Process Hacker (Modules, ...)
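The three call patterns above turned into detection logic, as an added example (mine, not part of the notes or of API Monitor): it groups a trace by calling PID, folds the Nt*/Zw* and A/W variants together, checks each process for the hollowing or injection sequence in order (other calls may sit in between), and separates DLL injection from shellcode injection by what was written. The trace format is a simplification constructed for the example, not API Monitor's export format; PIDs, buffers and the resolved thread start symbol are made up.

```python
# Injection-technique classifier over an API Monitor style call trace.
# Trace entries are dicts: {"pid": calling PID, "api": name, plus the arguments the rules use}.

HOLLOWING = ["CreateProcess", "ZwUnmapViewOfSection", "VirtualAllocEx",
             "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
INJECTION = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit that hollowing relies on

# API Monitor lists Nt*/Zw* and A/W variants as separate functions; fold them together.
_SUFFIXED = {"CreateProcess", "CreateProcessInternal", "LoadLibrary", "LoadLibraryEx", "GetModuleHandle"}


def canonical(api: str) -> str:
    if api.startswith("Nt"):
        api = "Zw" + api[2:]
    if api and api[-1] in "AW" and api[:-1] in _SUFFIXED:
        api = api[:-1]
    return api


def _in_order(pattern: list, names: list) -> bool:
    """True if every name in pattern appears in names in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def classify_process(calls: list):
    """Return the injection technique seen in one process's calls, or None."""
    names = [canonical(c["api"]) for c in calls]
    suspended = any(canonical(c["api"]) == "CreateProcess"
                    and c.get("flags", 0) & CREATE_SUSPENDED for c in calls)
    if suspended and _in_order(HOLLOWING, names):
        return "process hollowing"
    if _in_order(INJECTION, names):
        # Same call sequence for DLL and shellcode injection; the difference is what was
        # written and where the thread starts (then confirm in Process Hacker > Modules).
        wrote_dll_path = any(c["api"] == "WriteProcessMemory"
                             and c.get("buffer", b"").rstrip(b"\0").lower().endswith(b".dll")
                             for c in calls)
        starts_loadlib = any(c["api"] == "CreateRemoteThread"
                             and canonical(c.get("start", "").split(".")[-1]) == "LoadLibrary"
                             for c in calls)
        return "DLL injection" if wrote_dll_path or starts_loadlib else "direct code injection"
    return None


def classify_trace(trace: list) -> dict:
    """Group the trace by calling PID and report every process that shows a technique."""
    by_pid = {}
    for call in trace:
        by_pid.setdefault(call["pid"], []).append(call)
    verdicts = {pid: classify_process(calls) for pid, calls in by_pid.items()}
    return {pid: v for pid, v in verdicts.items() if v}


# Constructed sample trace (PIDs, buffers and addresses are made up).
SAMPLE_TRACE = [
    # PID 4120 hollows a suspended svchost.exe
    {"pid": 4120, "api": "CreateProcessW", "flags": CREATE_SUSPENDED},
    {"pid": 4120, "api": "NtGetContextThread"},
    {"pid": 4120, "api": "NtUnmapViewOfSection"},
    {"pid": 4120, "api": "VirtualAllocEx"},
    {"pid": 4120, "api": "WriteProcessMemory", "buffer": b"MZ\x90\x00"},
    {"pid": 4120, "api": "SetThreadContext"},
    {"pid": 4120, "api": "ResumeThread"},
    # PID 5300 injects a DLL: the written buffer is a path, the thread starts at LoadLibraryA
    {"pid": 5300, "api": "OpenProcess"},
    {"pid": 5300, "api": "VirtualAllocEx"},
    {"pid": 5300, "api": "WriteProcessMemory", "buffer": b"C:\\Users\\Public\\upd.dll\x00"},
    {"pid": 5300, "api": "CreateRemoteThread", "start": "KERNEL32.LoadLibraryA"},
    # PID 6016 writes raw shellcode and runs it
    {"pid": 6016, "api": "OpenProcess"},
    {"pid": 6016, "api": "VirtualAllocEx"},
    {"pid": 6016, "api": "WriteProcessMemory", "buffer": b"\xfc\x48\x83\xe4\xf0"},
    {"pid": 6016, "api": "CreateRemoteThread", "start": "0x1f4a0b30000"},
    # PID 1188 is a benign launcher: CreateProcess without CREATE_SUSPENDED, no injection
    {"pid": 1188, "api": "CreateProcessW", "flags": 0},
    {"pid": 1188, "api": "WaitForSingleObject"},
]

if __name__ == "__main__":
    for pid, verdict in classify_trace(SAMPLE_TRACE).items():
        print(f"PID {pid}: {verdict}")
```

The CREATE_SUSPENDED check is what keeps an ordinary launcher that happens to call WriteProcessMemory later from being reported as hollowing; the ordered-subsequence match tolerates the extra calls (NtGetContextThread, error handling) that a real trace contains between the interesting ones.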

Run DLL

  • Start the DLL with rundll32.exe (note: DllMain runs as soon as the DLL is loaded, before the named export is called)
# run the export with ordinal 1
rundll32.exe <dll-path>,#1

# run a specific export by name -> find the names in CFF Explorer / Export Directory
rundll32.exe <dll-path>,<function-name>

General guide (old oli)

1. What happens on execution?
    - Is it a standalone process, DLL injection, code injection, etc.?
    - A standalone process and code injection should be visible in Process Hacker
    - If nothing is visible, check API Monitor (see [filter.xml](_media/xml/filter.xml))
    - Why is the code suspicious?
    - Is the malware packed?

2. How is the malware persisted?
    - Autoruns

3. Static analysis
    - Virustotal / tria.ge (Should work in most cases)
    - Manually
        Extract code from memory (process hacker) and analyse the dump with yara / string analysis

4. Dynamic analysis
    - Similar to previous steps
    - What processes are created? (Process Monitor with PID filters and Operation filters)
        - Interesting operations
            - Write File
            - RegSetValue
            - Process Create
            - Process Start
    - Process Monitor export into ProcDOT
    - HollowsHunter
        - Check for hooks
        - Look up memory sections in IDA (?)
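The procmon part of the dynamic analysis (save the capture as CSV, filter on Operation, find the created processes and the registry persistence) and the Process Monitor step of this older guide, as one added example (my code, not part of the notes, Procmon or Regshot): it parses a CSV export, builds the malware's process tree by following "Process Create" events, applies the Operation filter from the notes to that tree, and reports RegSetValue writes into common autostart keys. The sample rows are constructed; they assume Procmon's default export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and the "PID: n, Command line: ..." and "Data: ..." wording in the Detail column, and the PIDs and paths are made up.

```python
import csv
import io
import re

# Operations the notes single out as interesting, as Procmon names them.
INTERESTING = {"Process Create", "Process Start", "WriteFile", "RegSetValue"}

# Registry locations commonly used for autostart persistence (HKCU and HKLM variants).
PERSISTENCE_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|Explorer\\Shell Folders)\\|"
    r"\\CurrentControlSet\\Services\\|\\Winlogon\\(Shell|Userinit)\b",
    re.IGNORECASE,
)

# Constructed sample in the layout of a Procmon CSV export (default columns).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","malware.exe","4120","Process Start","","SUCCESS","Parent PID: 3088, Command line: ""C:\Users\lab\Desktop\malware.exe"""
"10:01:02.2000000 AM","Explorer.EXE","3088","RegQueryValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ"
"10:01:03.0100000 AM","malware.exe","4120","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.0500000 AM","malware.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:03.1000000 AM","malware.exe","4120","Process Create","C:\Windows\System32\svchost.exe","SUCCESS","PID: 5212, Command line: C:\Windows\System32\svchost.exe"
"10:01:03.1200000 AM","svchost.exe","5212","Process Start","","SUCCESS","Parent PID: 4120, Command line: C:\Windows\System32\svchost.exe"
"10:01:04.0000000 AM","svchost.exe","5212","WriteFile","C:\Users\lab\AppData\Local\Temp\stage2.bin","SUCCESS","Offset: 0, Length: 12,288"
"10:01:05.0000000 AM","chrome.exe","2222","WriteFile","C:\Users\lab\AppData\Local\Google\Chrome\User Data\Default\Cookies","SUCCESS","Offset: 0, Length: 4,096"
'''


def parse_procmon_csv(text: str) -> list:
    """Rows of a Procmon CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def child_pid(event: dict):
    """PID of the process created by a 'Process Create' event, taken from its Detail column."""
    m = re.match(r"PID:\s*(\d+)", event["Detail"])
    return int(m.group(1)) if m else None


def process_tree(events: list, root_pid: int) -> set:
    """Root PID plus every PID reached through Process Create events (Procmon's PID filter set)."""
    pids = {root_pid}
    changed = True
    while changed:  # repeat until no new children appear, in case rows are not chronological
        changed = False
        for ev in events:
            if ev["Operation"] == "Process Create" and int(ev["PID"]) in pids:
                child = child_pid(ev)
                if child is not None and child not in pids:
                    pids.add(child)
                    changed = True
    return pids


def interesting_events(events: list, pids: set) -> list:
    """The Operation filter from the notes, applied to the malware's process tree."""
    return [ev for ev in events
            if int(ev["PID"]) in pids and ev["Operation"] in INTERESTING]


def persistence_hits(events: list, pids: set) -> list:
    """RegSetValue writes into known autostart locations: (pid, path, data)."""
    hits = []
    for ev in events:
        if (ev["Operation"] == "RegSetValue" and int(ev["PID"]) in pids
                and PERSISTENCE_KEYS.search(ev["Path"])):
            m = re.search(r"Data:\s*(.*)$", ev["Detail"])
            hits.append((int(ev["PID"]), ev["Path"], m.group(1) if m else ""))
    return hits


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    tree = process_tree(events, 4120)
    print("process tree:", sorted(tree))
    for ev in interesting_events(events, tree):
        print(f"{ev['Process Name']}({ev['PID']}) {ev['Operation']:<14} {ev['Path']}  {ev['Detail']}")
    for pid, path, data in persistence_hits(events, tree):
        print(f"PERSISTENCE pid={pid} {path} -> {data}")
```

This complements the Regshot diff rather than replacing it: Regshot shows the end state of the registry, while the procmon rows show which process wrote the value and when, and the process-tree filter keeps unrelated writers (here chrome.exe) out of the result.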
