Slides Malware Analysis Incident Response SBC ENG 23

Malware Analysis for Incident Response
Ricardo J. Rodríguez
University of Zaragoza

Distributed under CC BY-NC-SA 4.0 license (© R.J. Rodríguez)


https://creativecommons.org/licenses/by-nc-sa/4.0/
Agenda
1. Introduction
2. Malware Analysis Methodology
3. Hands-On: Malware Analysis
4. Incident Response Integration
5. Hands-On: Malware Analysis Integrated into Incident Response
1. Introduction
Incident Response

• Incident response phases (NIST SP 800-61)


1. Preparation
• Preparedness for incident management
• Incident prevention
2. Detection and Analysis
• Attack vectors
• Indicators of incidents
• Sources of precursors and indicators
• Incident analysis, documentation, prioritization and notification
3. Containment, Eradication, and Recovery
4. Post-incident activity
1. Introduction
Incident Response

• Know what has happened, preserving all the information related to the incident
• Respond to the well-known 6 W's: what, who, why, how, when, and where
• Usual incident: presence of malicious software (malware)
• Various aspects of forensic analysis:
• Device forensics
• Digital drive (digital media)
• Memory
• Network forensics
1. Introduction
Malware

• Malicious software
• Software specially designed to do some kind of damage to a computer system
• Different types, depending on their functionality: keylogger, banker, ransomware, botnet, etc...
• They can have several functionalities at the same time
• Lifecycle
1. Initial compromise (social engineering attacks, watering hole, insiders, etc.)
2. Persistence
3. Communication with C&C servers
4. Lateral movement
5. Data exfiltration / malicious activity

More details: Uroz, D. & Rodríguez, R. J. Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics. Digital Investigation, 2019, 28, S95-S104, Elsevier. https://doi.org/10.1016/j.diin.2019.01.026
1. Introduction
Malware and Incident Response
• Identification and Classification:
• We need to understand the specific characteristics of the malware
• Behavior and Impact Analysis:
• How it spreads, communicates, and interacts with the compromised system/network
• Indicators of Compromise (IOCs):
• Valuable clues for detecting and mitigating the presence of the malware across the systems and networks
• They help identify affected assets, patterns of malicious activity, and potential entry points for future attacks
• Root Cause Analysis:
• How the malware entered the environment (phishing emails, malicious downloads, or other means)
• Mitigation and Remediation:
• Specific actions required to mitigate the impact of the malware and remove it from compromised systems
• Identify the necessary patches, security updates, or configuration changes needed to prevent further propagation and restore the
affected systems to a secure state
• Threat Intelligence and Information Sharing:
• Enhance collective defenses and improve incident response across the industry
1. Introduction
Importance of Malware Analysis in Incident Response

• Threat Understanding
• Understanding helps incident responders assess the severity of the threat, determine its potential impact
on affected systems, and make informed decisions
• Incident Triage and Prioritization:
• Malware analysis aids in the initial triage and prioritization of security incidents
• Categorize incidents based on their severity, potential for damage, and the level of risk they pose to critical
assets
• More efficient allocation of resources and the ability to prioritize the most critical incidents
• Indicators of Compromise (IOCs):
• Malware analysis helps identify and extract indicators of compromise (IOCs) associated with the malware
• File hashes, network signatures, behavior patterns, and other identifiable artifacts
• Crucial role in threat hunting, proactive defense, and future incident prevention
1. Introduction
Importance of Malware Analysis in Incident Response

• Incident Containment and Eradication:


• Insights into the techniques and mechanisms used by the malware to propagate and persist within the compromised environment
• Effective strategies for containing the incident, isolating affected systems or networks, and taking appropriate steps to eradicate the malware

• Post-Incident Analysis and Learning:

• Identify the entry point of the malware, determine the vulnerabilities or security gaps exploited, and gain insights into the attacker's tactics, techniques, and procedures (TTPs)
• Enhance preventive measures, strengthen defenses, and improve future incident response capabilities
• Threat Intelligence and Information Sharing:
• Enhances collective defenses, enables early detection of similar threats, and facilitates a more proactive approach to incident response
2. Malware Analysis Methodology

• Static program analysis (also called dead code or cold analysis)


• The program does not run
• You should take a look at…
• PE properties (headers, sections, compilation timestamp)
• Imported functions (which APIs are used?)
• Hash computation (e.g., MD5, SHA1, SHA256)
• Retrieve strings from the binary file: strings
• Disadvantage:
• All possible execution paths have to be considered (state explosion problem)
• You might be analyzing infeasible or dead code, and packed or encrypted code is not visible until it is unpacked
2. Malware Analysis Methodology

• Dynamic program analysis (also called live code or hot analysis)


• The program does run
• You should take a look at…
• Interaction with the OS: at the filesystem, process, and Windows Registry levels
• Interaction with the Internet: connections to domain names or IPs, network data transmitted
• Helps find out their (malicious?) behaviour
• Disadvantage:
• Only one of the possible execution paths is explored
• It may depend on the current execution conditions (environment variables, date/time, presence of a sandbox or debugger, etc.)
2. Malware Analysis Methodology
Analysis Environment

• Isolated or virtualized environments


• Helps analyze malware samples without worrying about malicious activity affecting the system or network
• Virtual machine (guest) and host machine
• Different tools are necessary
• Depends on the purpose of the analysis to be performed
2. Malware Analysis Methodology
Static Analysis

• File structure analysis


• Examine the headers, sections, and metadata
• Binary code examination
• Analyze the instructions, functions, and logic to understand its behavior
• By disassembling or decompiling the code to obtain a human-readable representation for
analysis
• API calls and system functions
• Insights into the malware’s capabilities (accessing files, manipulating processes, establishing
network communications)
• String analysis
• Information about its functionality, communication protocols, or command structures
• Indicators of malicious behavior, hardcoded URLs, encryption keys, or C&C server addresses
2. Malware Analysis Methodology
Static Analysis

• Signature-based detection
• MD5/SHA1/SHA256 hashes
• Approximate matching algorithms (ssdeep, SDHASH, TLSH)
• Unique patterns from the code (e.g., YARA rules)

• Limitations:
• Limited to known malware samples
• Unable to detect polymorphic, packed, or encrypted malware
2. Malware Analysis Methodology
Use of Windows APIs

• Static import
• Windows APIs the binary declares in its PE import directory (the IMAGE_DIRECTORY_ENTRY_IMPORT entry of the optional header's DataDirectory), visible with any PE viewing tool
• Each function is identified by name or by ordinal (its index in the exporting DLL's Export Address Table, EAT)
• Dynamic import
• The Windows API is resolved at run time, so it does not appear in the import directory
• Different ways to dynamically import a function
• Usually LoadLibrary (loads a DLL) + GetProcAddress (gets the address of the function); the names passed to GetProcAddress are often built or decrypted at run time
• Can also be resolved by ordinal (index in the EAT) instead of by function name
2. Malware Analysis Methodology
Use of Windows APIs
• Processes and IPCs (kernel32.dll)
• CreateProcessA, OpenProcess, CreateThread, CreatePipe, CreateNamedPipe, CreateMutex, OpenMutex, CreateToolhelp32Snapshot, CreateRemoteThread, ...
• Files (kernel32.dll)
• CreateFile, WriteFile, ReadFile, CopyFile, MoveFile, OpenFile, ...
• Registry (advapi32.dll)
• RegOpenKey, RegEnumKey, RegEnumValue, RegSetValue, RegDeleteKey, RegQueryInfoKey, ...
• Network (ws2_32.dll, wininet.dll, urlmon.dll, ...): Winsock and higher-level APIs
• ws2_32.dll: WSAStartup, WSASocket, socket, connect, accept, bind, recv, send, htons, ...
• urlmon.dll: URLDownloadToFile, ...
• wininet.dll: HttpOpenRequest, HttpSendRequestA, FtpOpenFileA, ...
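As an added example (not from the original slides or lab material), the following Python script carries out the static triage steps listed above on a constructed byte blob that stands in for a PE file: hash computation, extraction of both ASCII and UTF-16LE strings, IOC spotting, and capability inference from the API names of the families just listed. The CAPABILITIES map, the SAMPLE bytes, the URL and the address 203.0.113.7 (a documentation range) are all invented for the example.

```python
import hashlib
import re

# Capability hints built from the API families listed on the slides above.
# Matching names is a triage heuristic, not proof of behaviour: legitimate
# software uses most of these too, so look at combinations (the injection
# set OpenProcess+VirtualAllocEx+WriteProcessMemory+CreateRemoteThread is
# the classic example).
CAPABILITIES = {
    "process injection": {"OpenProcess", "VirtualAllocEx",
                          "WriteProcessMemory", "CreateRemoteThread"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next"},
    "registry access": {"RegOpenKeyExA", "RegSetValueExA",
                        "RegCreateKeyExA", "RegDeleteKeyA"},
    "network (Winsock)": {"WSAStartup", "socket", "connect", "send", "recv"},
    "download (WinINet/urlmon)": {"InternetOpenA", "HttpOpenRequestA",
                                  "HttpSendRequestA", "URLDownloadToFileA"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def compute_hashes(data: bytes) -> dict:
    """MD5/SHA-1 for matching old reports, SHA-256 for sharing IOCs."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII and UTF-16LE strings. Plain `strings` misses the wide ones
    unless run with -el, and Windows malware keeps URLs and Registry paths
    as wide strings surprisingly often."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def find_iocs(strings: list) -> dict:
    urls, ips, runkeys = set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
        if "CurrentVersion\\Run" in s:      # Run/RunOnce persistence path
            runkeys.add(s)
    return {"urls": sorted(urls), "ipv4": sorted(ips),
            "run_keys": sorted(runkeys)}


def infer_capabilities(strings: list) -> dict:
    present = set(strings)
    return {cap: sorted(apis & present)
            for cap, apis in CAPABILITIES.items() if apis & present}


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    report = compute_hashes(data)
    report["strings"] = strings
    report["iocs"] = find_iocs(strings)
    report["capabilities"] = infer_capabilities(strings)
    # Only LoadLibrary/GetProcAddress (or nothing at all) visible means the
    # real imports are resolved at run time or the sample is packed: the
    # static view is exhausted and dynamic analysis/unpacking is next.
    report["likely_packed_or_dynamic"] = (
        set(report["capabilities"]) <= {"dynamic API resolution"})
    return report


# Constructed stand-in for a PE file (not a real sample): API names as they
# would sit in the import name table, plus a wide URL and a wide Run-key path.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00OpenProcess\x00"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"ws2_32.dll\x00WSAStartup\x00connect\x00send\x00recv\x00\x00"
    + "http://203.0.113.7/gate.php".encode("utf-16le") + b"\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00" + b"\xde\xad\xbe\xef" * 8
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed blob the script reports the full injection set, four of the five Winsock names, the C&C URL and the Run key. On a packed sample it reports little more than the packer's own imports and sets likely_packed_or_dynamic, which is exactly the cue to switch to dynamic analysis.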
2. Malware Analysis Methodology

• Dynamic analysis (the program runs – typically in an isolated environment)


• OS interaction: files
• Creation? Access? Modification? Deletion?
• OS interaction: Windows Registry
• Creation? Access? Modification? Deletion?
• OS interaction: processes
• Creation? Access?
• Interaction with the outside: network communications
• IP addresses
• Domain names
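Dynamic analysis yields event logs rather than bytes. As an added example (not from the slides), the following Python script summarises a constructed Procmon-style CSV export into the four categories above (files, Registry, processes, network) and derives the network IOCs. The column layout follows Procmon's CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail), but every row, path, PID and address in LOG is invented; note the dropped copy named svchost.exe, which is why the filter follows PIDs rather than process names.

```python
import csv
import io
import re

ENDPOINT_RE = re.compile(r"->\s*(\S+):(\d+)$")             # "local -> remote:port"
PERSIST_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\Services\\", re.IGNORECASE)
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed Procmon-style export (invented PIDs, paths and 203.0.113.0/24
# documentation addresses). explorer.exe is unrelated noise.
LOG = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:00:01.000","sample.exe","4100","CreateFile","C:\Users\alumno\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:01.010","sample.exe","4100","WriteFile","C:\Users\alumno\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 245760"
"10:00:01.020","sample.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\alumno\AppData\Roaming\svchost.exe"
"10:00:01.030","sample.exe","4100","Process Create","C:\Users\alumno\AppData\Roaming\svchost.exe","SUCCESS","PID: 4188, Command line: C:\Users\alumno\AppData\Roaming\svchost.exe -s"
"10:00:02.000","svchost.exe","4188","TCP Connect","lab-win7:49214 -> 203.0.113.7:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1"
"10:00:02.100","svchost.exe","4188","UDP Send","lab-win7:51002 -> 203.0.113.2:53","SUCCESS","Length: 50"
"10:00:02.200","explorer.exe","1324","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Read Attributes"
"10:00:03.000","svchost.exe","4188","CreateFile","C:\Users\alumno\Documents\report.docx.locked","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"""


def summarize(log_text: str, root_pid: str) -> dict:
    """Follow the sample and every child it spawns; bucket what they did."""
    tracked = {root_pid}
    files, persist, children, net = set(), set(), [], set()
    for row in csv.DictReader(io.StringIO(log_text)):
        pid, op = row["PID"], row["Operation"]
        path, detail = row["Path"], row["Detail"]
        if pid not in tracked:          # filter by PID: names can be spoofed
            continue
        if op == "Process Create":
            m = CHILD_PID_RE.search(detail)
            if m:
                tracked.add(m.group(1))
                children.append((m.group(1), path))
        elif op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            files.add(path)
        elif op == "RegSetValue" and PERSIST_RE.search(path):
            persist.add((path, detail))    # autostart location written
        elif op in ("TCP Connect", "UDP Send"):
            m = ENDPOINT_RE.search(path)
            if m:
                net.add((op, m.group(1), int(m.group(2))))
    hosts = sorted({h for _, h, _ in net})
    return {
        "children": children,
        "files_written": sorted(files),
        "persistence": sorted(persist),
        "network": sorted(net),
        "remote_ips": [h for h in hosts if IPV4_RE.match(h)],
    }


if __name__ == "__main__":
    for key, value in summarize(LOG, "4100").items():
        print(f"{key}: {value}")
```

The summary is one execution path only, as the previous slide warns: a sample that checks for a sandbox before dropping its payload would produce an almost empty report, which is itself worth noting.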
3. Hands-On: Malware Analysis

LAB SESSION 1
• Additional files for Lab session 1
• https://webdiis.unizar.es/~ricardo/sbc-2023/laboratories/additional_files/lab1_malware_files.7z
• Follow the laboratory workbook provided on the workshop's website:
https://webdiis.unizar.es/~ricardo/sbc-2023/laboratories/lab1_intro_malware_analysis.pdf
4. Incident Response Integration
Collection of Memory Evidence: Memory Acquisition
• Various acquisition techniques
• Tobias Latzo, Ralph Palutke, Felix Freiling, “A universal taxonomy and survey of forensic memory
acquisition techniques,” Digital Investigation, Volume 28, 2019, pp. 56-69, ISSN 1742-2876,
https://doi.org/10.1016/j.diin.2019.01.001
• Software tools for complete memory dump
• WinPmem: https://github.com/Velocidex/WinPmem
• Apache license
• Support for Windows XP up to Windows 10, 32 and 64 bits
• Example: winpmem_mini_x64.exe physmem.raw (run from an elevated prompt; write the image to external media, not to the evidence disk)
• Linux Memory Extractor (LiME): https://github.com/504ensicsLabs/LiME
• GNU GPLv2 license
• Support for Linux and Android (loadable kernel module)
• Dumps to a local file or over a TCP port (path=tcp:<port>), so the image need not touch the target's disk
• FTK Imager: https://accessdata.com/product-download/ftk-imager-version-4-2-1
• Proprietary tool (free of charge)
• Support for Windows
4. Incident Response Integration
Collection of Memory Evidence: Memory Acquisition
• Acquisition in virtual machines
• VirtualBox
• vboxmanage debugvm "Win7" dumpvmcore --filename test.elf
• VMware
1. Take a snapshot of the running virtual machine (.vmss and .vmem files are generated)
2. Convert them with the vmss2core tool: https://flings.vmware.com/vmss2core??src=vmw_so_vex_mraff_549
• Other tools for extracting processes or modules
• ProcDump: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
• procdump -ma 4572
• Full dump of a single process (.dmp file)
• Windows Memory Extractor: https://github.com/reverseame/windows-memory-extractor
• GNU GPLv3 license
• WindowsMemoryExtractor_x64.exe --pid 1234
• Creates a per-section dump of the process memory
4. Incident Response Integration
Memory Dump Analysis: Volatility

• De facto standard to analyze memory dumps

• FOSS (Volatility 2: GNU GPLv2; Volatility 3: Volatility Software License 1.0)
• First presented in 2007 at Black Hat DC under the name Volatools
• Support for Windows, Linux and macOS, 32 and 64 bits
• Very extensive API for writing your own plugins
• Version 2.6 vs. Version 3
• Python 2 vs. Python 3
• Version 3 is already stable! https://github.com/volatilityfoundation/volatility3
4. Incident Response Integration
First Steps with Volatility
• Virtual machine provided: Debian 10.10
• Volatility 2.6 and Volatility 3.0 already installed
• User/password: alumno / alumno
• Help:
• python2 vol.py -h / python3 vol.py -h
• Memory dump to analyze:
• python2 vol.py -f mem.dmp --profile=Win7SP1x86 <plugin>
• The profile is only needed in version 2.6: it tells Volatility which OS version's kernel structure layouts to use. Volatility 3 locates the matching symbol table (ISF, built from the PDB) on its own
• How to know which profile to use? → imageinfo / windows.info plugins (Volatility 2 / Volatility 3)
• python2 vol.py -f mem.dmp imageinfo
• python3 vol.py -f mem.dmp windows.info
• Plugins are always indicated at the end of the command (plugin-specific options go after the plugin name)
4. Incident Response Integration
Detection of Indicators of Compromise with Volatility
• Processes and DLLs
• pslist, pstree (psscan scans for pool tags instead of walking the linked list, so it also finds hidden or terminated processes: compare its output with pslist)
• dlllist, dlldump
• handles
• enumfunc (imported and exported functions, per process/DLL)
• Process memory
• memmap, memdump
• procdump
• vadinfo, vadwalk, vadtree, vaddump
• evtlogs
• iehistory
• Network
• connections, connscan (Windows XP/2003 only)
• sockets, sockscan (Windows XP/2003 only)
• netscan (Windows Vista and later, including Win7)

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
4. Incident Response Integration
Detection of Indicators of Compromise with Volatility
• Kernel memory and other (internal) objects
• modules, modscan, moddump
• driverscan
• filescan
• Registry
• hivescan, hivelist, hivedump
• printkey
• lsadump
• userassist, shellbags, shimcache
• dumpregistry
• Filesystem
• mbrparser, mftparser
• Hibernation file analysis or other dumps

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
4. Incident Response Integration
Methodology for Malware Analysis

1. Protect the memory dump

• Store it in read-only filesystems
• Set special permissions to prevent accidental changes (e.g., chattr +i on ext filesystems, as root) and record its hash before starting
2. Preliminary memory dump analysis
• Scan it with several AVs and compare results (hits point to in-memory artifacts; a clean scan proves nothing)
3. Data carving, file hashing, and file identification
• Extract content and analyze the extracted data
• Use several UNIX commands, pipelining them (e.g., strings | grep, file, sha256sum)
4. Incident Response Integration
Methodology for Malware Analysis
4. Process-based Volatility plugin memory analysis
• Identify the underlying machine (windows.info)
• Processes (windows.pslist, windows.psscan). Compare both outputs: a process found only by psscan is either terminated or unlinked from the process list
• Another good plugin is psxview, but it is only available for Volatility 2 (at the moment)
• Process command lines (windows.cmdline)
• Network connections (windows.netscan, windows.netstat)
• Analyze the IP addresses (WHOIS, DNS reputation, etc.)
• Relationship between processes and open sockets (check the ports)
• File objects in memory (windows.filescan)
• Mutexes/mutants, often used by malware to avoid running twice (windows.mutantscan)
• Other handles (windows.handles)
• Drivers (windows.driverscan, windows.driverirp)
• Modules (windows.modscan)
• Services (windows.svcscan)
4. Incident Response Integration
Methodology for Malware Analysis
4. Process-based Volatility plugin memory analysis (cont.)
• Loaded modules per process, cross-checking the PEB lists against the VADs to spot unlinked DLLs (windows.ldrmodules; ldrmodules in Volatility 2)
• DLLs loaded (windows.dlllist)
• Thread analysis (threads and thrdscan, only in Volatility 2)
5. Detection and extraction of suspicious drivers, processes, and other elements of interest
• Create appropriate directories for storing outputs
• For each output, analyze it with AVs and calculate hashes
• Plugins:
• windows.malfind (private executable memory regions: injected code, unpacked payloads)
• With option --dump: windows.pslist, windows.dlllist, windows.modules, windows.memmap
• windows.lsadump
• windows.dumpfiles
• Analyze extracted files using the malware analysis methodology explained before. Enjoy!
4. Incident Response Integration
Methodology for Malware Analysis

6. Windows Registry memory analysis

• Check Registry hives available in the memory dump:
• windows.registry.hivelist, windows.registry.hivescan
• Get Registry keys: windows.registry.printkey (more details with --recurse); check the Run/RunOnce keys for persistence
• Check UserAssist: windows.registry.userassist (evidence of programs launched by the user)
7. Optional analysis
• Tree of driver and device objects (which drivers are attached to which devices):
• windows.devicetree
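The advice in step 4 to compare windows.pslist with windows.psscan is easy to automate. As an added example (not part of the course material), the following Python script parses constructed output in the tab-separated format of Volatility 3's default renderer, reports the processes psscan finds but pslist does not (telling terminated processes, which carry an ExitTime, apart from running-but-unlinked ones, the DKOM case), and checks the expected parent of a few core Windows processes. PSLIST_TXT, PSSCAN_TXT and every PID and name in them are invented; EXPECTED_PARENT is the usual Vista-and-later process layout.

```python
HEADER = ("PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId"
          "\tWow64\tCreateTime\tExitTime\tFile output")
PREAMBLE = "Volatility 3 Framework 2.4.1\nProgress:  100.00\t\tPDB scanning finished\n\n"

# Vista+ layout: these names have one legitimate parent. A svchost.exe whose
# parent is not services.exe is either a lookalike or injected/spawned by
# something else.
EXPECTED_PARENT = {"svchost.exe": "services.exe",
                   "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe"}


def parse_vol3_table(text: str) -> dict:
    """Parse the tab-separated output of windows.pslist / windows.psscan
    into {pid: {"ppid", "name", "exit"}}; banner lines are skipped."""
    procs, header = {}, None
    for line in text.splitlines():
        cols = line.split("\t")
        if header is None:
            if cols[0] == "PID":
                header = cols
            continue
        if len(cols) < len(header):
            continue
        row = dict(zip(header, cols))
        procs[int(row["PID"])] = {"ppid": int(row["PPID"]),
                                  "name": row["ImageFileName"],
                                  "exit": row["ExitTime"]}
    return procs


def cross_check(pslist: dict, psscan: dict) -> dict:
    # Only in psscan and still running (no ExitTime): unlinked from the
    # EPROCESS list, the classic DKOM rootkit signature.
    hidden = sorted(p for p in psscan
                    if p not in pslist and psscan[p]["exit"] == "N/A")
    # Only in psscan with an ExitTime: a finished process whose EPROCESS
    # has not been reused yet. Still interesting, but not hiding.
    terminated = sorted(p for p in psscan
                        if p not in pslist and psscan[p]["exit"] != "N/A")
    lineage = []
    for pid, p in sorted(psscan.items()):
        want = EXPECTED_PARENT.get(p["name"].lower())
        if want:
            parent = psscan.get(p["ppid"])
            actual = parent["name"] if parent else "<missing>"
            if actual.lower() != want:
                lineage.append((pid, p["name"], p["ppid"], actual))
    return {"hidden": hidden, "terminated": terminated,
            "lineage_anomalies": lineage}


def analyze(pslist_text: str, psscan_text: str) -> dict:
    return cross_check(parse_vol3_table(pslist_text),
                       parse_vol3_table(psscan_text))


def _row(pid, ppid, name, exit_time="N/A"):
    """One constructed output line with the 11 columns of the header."""
    return (f"{pid}\t{ppid}\t{name}\t0x0\t4\t100\t1\tFalse"
            f"\t2023-11-02 09:00:00.000000\t{exit_time}\tDisabled")


# Constructed plugin outputs: all PIDs and names invented.
_LINKED = [_row(4, 0, "System"), _row(348, 4, "smss.exe"),
           _row(404, 348, "wininit.exe"), _row(504, 404, "services.exe"),
           _row(512, 404, "lsass.exe"), _row(700, 504, "svchost.exe"),
           _row(1324, 1296, "explorer.exe"), _row(4100, 1324, "sample.exe"),
           _row(4188, 4100, "svchost.exe")]        # wrong parent
_UNLINKED = [_row(3920, 4100, "payload.exe"),      # running, not in pslist
             _row(2200, 1324, "notepad.exe", "2023-11-02 09:20:00.000000")]

PSLIST_TXT = PREAMBLE + HEADER + "\n" + "\n".join(_LINKED) + "\n"
PSSCAN_TXT = PREAMBLE + HEADER + "\n" + "\n".join(_LINKED + _UNLINKED) + "\n"

if __name__ == "__main__":
    for key, value in analyze(PSLIST_TXT, PSSCAN_TXT).items():
        print(f"{key}: {value}")
```

With real dumps, feed it the saved plugin output (python3 vol.py -f mem.dmp windows.pslist > pslist.txt, likewise for windows.psscan). PID 3920 is the one to dump with windows.pslist --dump and hash next, while PID 2200 only shows that a program ran and exited.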
4. Incident Response Integration
Best Practices
• Establish cross-functional collaboration between IR and malware analysis teams
• Define IR and malware analysis workflows
• Conduct regular training and skill development
• Implement automated malware analysis tools
• Establish IR and malware analysis metrics to measure the effectiveness of the integration
• Share threat intelligence between IR and malware analysis teams
• Conduct post-incident analysis and lessons learned
• Emphasize continuous improvement
5. Hands-On: Malware Analysis Integrated into Incident Response
LAB SESSION 2
• Additional files for Lab session 2
• https://webdiis.unizar.es/~ricardo/sbc-2023/laboratories/additional_files/wannacry.elf.tar.gz
• Follow the laboratory workbook provided on the workshop's website:
https://webdiis.unizar.es/~ricardo/sbc-2023/laboratories/lab2_malware_analysis_incident_response.pdf
