Introduction to Malware Analysis (in English)

Introduction

This article is a brief summary of malware analysis, written partly as a note to myself.
It may be a little too beginner-oriented.
Abuse of anything described here is strictly prohibited.

Who am I?

I'm a humble engineer.

Expected readers

  • Those who are new to malware analysis and want to try it
  • others

What is the purpose of malware analysis in the first place?

The goal is to support the investigation during incident response (IR): you need to know how the malware actually behaves.

What should be prepared

The first thing to do is prepare an environment for analyzing malware specimens.
A dedicated environment for running the sample is required, and as a rule it should be an offline one, such as a dedicated VM.
However, some malware does not work without an Internet connection, so I think you should prepare several environments.
*The basic reason for not connecting to the Internet is that your provider may take issue with the traffic.
It is also a good idea to get into the habit of searching for and investigating malware information based on what a sandbox reports.
In targeted attacks the specimens are tuned for the target organization, so they are often not found by a VirusTotal hash search or similar; I therefore think it is a good habit to work out the malware's characteristics from the specimen yourself.
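As an added example (not part of the original post), here is a small Python triage script for the surface-level checks described above: it computes the hashes you would look up on VirusTotal or Hybrid Analysis and pulls a few characteristics (MZ/PE header, entropy, embedded strings and URLs) out of the specimen itself, without ever executing it. The input bytes are a constructed stand-in, not a real sample.

```python
import hashlib, math, re, struct
from collections import Counter

# Constructed stand-in for a specimen (not malware): a minimal MZ/PE header
# skeleton followed by a few embedded strings, enough to exercise the triage.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at offset 0x3c -> 64
    + b"PE\x00\x00" + b"\x00" * 20
    + b"http://example.invalid/update.bin\x00"
    + b"C:\\Users\\Public\\run.exe\x00"
    + b"\xff" * 40
)

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of 6+ printable ASCII bytes
URL_RE = re.compile(rb"https?://[\w./?=&%-]+")   # crude URL matcher

def hashes(data: bytes) -> dict:
    """Hashes to look up on VirusTotal / Hybrid Analysis before running anything."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8 hint at packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_pe(data: bytes) -> bool:
    """True if an MZ header is present and e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(data: bytes) -> dict:
    """Surface-level report: identity (hashes), shape (size, entropy, PE?) and clues (strings, URLs)."""
    return {
        "hashes": hashes(data),
        "size": len(data),
        "entropy": round(entropy(data), 3),
        "is_pe": is_pe(data),
        "strings": [s.decode("ascii") for s in PRINTABLE_RE.findall(data)],
        "urls": [u.decode("ascii") for u in URL_RE.findall(data)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():  # only reads the bytes, never runs them
        print(f"{key}: {value}")
```

To use it on a real specimen inside the analysis VM, read the file with `open(path, "rb").read()` and pass the bytes to `triage()`; the resulting hashes are what you would search for on VirusTotal or Hybrid Analysis.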

Example of malware dynamic analysis environment

Although it is only a rough example, I will describe an example environment for malware analysis.

localhost: physical machine (OS can be anything)
VM(1): Environment for running malware samples (OS changes according to sample type)
VM(2): Attacker's pseudo server (Any OS is fine here as well)

Take snapshots of VM(1) and VM(2) so that they can be rolled back.

For VMware, the paid version, VMware Workstation, is recommended.

For details on building the environment, see "How to create a hacking lab" (that guide appears to use VirtualBox).

Malware analysis environment construction and frequently used tools

Windows:

(1) Various tools

Sysinternals

You may find the following tools useful.

  • Process Explorer
  • Process Monitor
  • TCPView
  • Autoruns

(2) Packet capture tool

Wireshark

(3) Disassemblers (reverse-engineering suites)

Ghidra

IDA Pro

(4) It is convenient to be able to use Linux commands (for example, WSL)

(5) Binary editor

(6) Debugger (if necessary)

OllyDbg

x64dbg

(7) Decompiler (if necessary)

dnSpy (for .NET)

(8) RetDec

The IDA and Ghidra decompilers can also be used.

Linux:

Kali Linux

  • gdb
  • Ghidra
  • Wireshark, etc.

In addition, install tools such as Python as appropriate.

A Linux version of Process Monitor (ProcMon) has also been released.

Frequently used sites

VirusTotal and Hybrid Analysis are very useful for surface-level analysis.

VirusTotal

MITRE ATT&CK

Hybrid Analysis

Shodan

ANY.RUN

URLhaus

Lastly

Since the analysis approach changes from sample to sample, there is no single "do this" method, but I think studying the general theory is still worthwhile.
