Malware Analysis

Malware analysis involves understanding the behavior and purpose of suspicious files or URLs to aid in threat detection and mitigation. It includes static, dynamic, and hybrid analysis methods to uncover indicators of compromise and improve incident response. Automated tools and techniques are essential for effective malware analysis, enabling security teams to detect sophisticated threats and prioritize alerts.

Uploaded by mebbertchiyangi

Malware

Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.
Malware Analysis

The key benefit of malware analysis is that it helps incident responders and security analysts:
- Pragmatically triage incidents by level of severity
- Uncover hidden indicators of compromise (IOCs) that should be blocked
- Improve the efficacy of IOC alerts and notifications
- Enrich context when threat hunting
Types of Malware Analysis

The analysis may be:
- Static
- Dynamic
- Hybrid of the two
Static Analysis

Basic static analysis does not require that the code is actually run. Instead, static analysis examines the file for signs of malicious intent. It can be useful to identify malicious infrastructure, libraries or packed files.

Technical indicators are identified, such as file names, hashes, strings such as IP addresses and domains, and file header data, which can be used to determine whether the file is malicious.

In addition, tools like disassemblers and network analyzers can be used to observe the malware without actually running it, in order to collect information on how the malware works.

Since static analysis does not actually run the code, sophisticated malware can include malicious runtime behavior that goes undetected. For example, if a file generates a string at runtime and then downloads a malicious file based on that dynamically generated string, this can go undetected by basic static analysis.

Enterprises have therefore turned to dynamic analysis for a more complete understanding of the behavior of the file.
Dynamic Analysis

Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.

Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat. As a secondary benefit, automated sandboxing eliminates the time it would take to reverse engineer a file to discover the malicious code.

The challenge with dynamic analysis is that adversaries are smart, and they know sandboxes are out there, so they have become very good at detecting them. To deceive a sandbox, adversaries hide code inside the malware that may remain dormant until certain conditions are met. Only then does the code run.
Hybrid Analysis

Basic static analysis isn't a reliable way to detect sophisticated malicious code, and sophisticated malware can sometimes hide from the presence of sandbox technology.

By combining basic static and dynamic analysis techniques, hybrid analysis provides security teams with the best of both approaches, primarily because it can detect malicious code that is trying to hide, and can then extract many more indicators of compromise (IOCs) by statically analyzing previously unseen code.

Hybrid analysis helps detect unknown threats, even those from the most sophisticated malware.

For example, one of the things hybrid analysis does is apply static analysis to data generated by behavioral analysis, such as when a piece of malicious code runs and generates changes in memory. Dynamic analysis would detect that, and analysts would be alerted to circle back and perform basic static analysis on that memory dump. As a result, more IOCs would be generated and zero-day exploits would be exposed.
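As an added illustration of this point (example code written for this page, not part of the slide deck): a constructed on-disk sample keeps its command-and-control URL XOR-encoded, so a plain string scan of the file finds no URL, while the same scan over a constructed memory dump taken after the code ran, where the decoded configuration now sits, does. The XOR key, the placeholder URL and both byte blobs are invented for the example.

```python
import re

# Constructed inputs for the example: the XOR key, the decoded configuration
# string and both byte blobs are invented here, not taken from a real sample.
XOR_KEY = 0x5A
PLAIN_CONFIG = b"http://c2.example.invalid/gate.php"   # placeholder URL, not a real IOC


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the kind of trivial obfuscation that hides strings on disk."""
    return bytes(b ^ key for b in data)


# "On disk": a stub plus the XOR-encoded config, as a packed sample would store it.
ON_DISK_SAMPLE = b"MZ" + b"\x00" * 14 + b"packed-stub " + xor_bytes(PLAIN_CONFIG, XOR_KEY)
# "In memory": the same process after it decoded its config at runtime.
MEMORY_DUMP = b"\x00" * 8 + b"runtime-heap " + PLAIN_CONFIG + b"\x00" * 4

PRINTABLE_RUN = re.compile(rb"[ -~]{6,}")                       # ASCII strings, 6+ chars
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def extract_strings(data: bytes) -> list[str]:
    """Equivalent of the classic `strings` pass used in basic static analysis."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]


def find_urls(data: bytes) -> list[str]:
    """Pull URL-looking IOCs out of the printable strings of a blob."""
    urls: list[str] = []
    for s in extract_strings(data):
        urls.extend(URL_RE.findall(s))
    return urls


def hybrid_iocs(on_disk: bytes, memory: bytes) -> dict:
    """Static IOC extraction applied to both the file and the behavioural artefact.

    'new_in_memory' is what the hybrid step adds over static analysis alone.
    """
    static_hits = find_urls(on_disk)
    memory_hits = find_urls(memory)
    return {
        "static_only": static_hits,
        "memory": memory_hits,
        "new_in_memory": sorted(set(memory_hits) - set(static_hits)),
    }


if __name__ == "__main__":
    print(hybrid_iocs(ON_DISK_SAMPLE, MEMORY_DUMP))
```

The on-disk scan returns no URL at all, which is exactly the blind spot the slides describe; the URL only becomes visible once the sample has unpacked itself, so the memory dump is where the static step pays off.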
Malware Detection

Adversaries are employing more sophisticated techniques to avoid traditional detection mechanisms. By providing deep behavioral analysis and by identifying shared code, malicious functionality or infrastructure, threats can be more effectively detected.

In addition, an output of malware analysis is the extraction of IOCs. The IOCs may then be fed into SIEMs, threat intelligence platforms (TIPs) and security orchestration tools to aid in alerting teams to related threats in the future.
Threat Alerts and Triage

Malware analysis solutions provide higher-fidelity alerts earlier in the attack life cycle. Therefore, teams can save time by prioritizing the results of these alerts over those of other technologies.

Incident Response

The goal of the incident response (IR) team is to provide root cause analysis, determine impact and succeed in remediation and recovery. The malware analysis process aids in the efficiency and effectiveness of this effort.

Threat Hunting

Malware analysis can expose behavior and artifacts that threat hunters can use to find similar activity, such as access to a particular network connection, port or domain. By searching firewall and proxy logs or SIEM data, teams can use this data to find similar threats.
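The hunt described above, as an added example (not code from the deck): a small set of IOCs of the kind a malware analysis report hands over (a domain, an IP and a port) is matched against proxy and firewall log lines, and every internal source address that touched one of them is reported. The IOC values, the log lines and their formats (squid-style proxy access log, a generic key=value firewall log) are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOCs as a malware analysis report would hand them over. All values are
# constructed placeholders (documentation IP range, .invalid TLD), not real IOCs.
IOCS = {
    "domains": {"update-check.example.invalid"},
    "ips": {"203.0.113.45"},
    "ports": {4444},
}

# Constructed log lines in a squid-style proxy format and a generic firewall format.
PROXY_LOG = """\
1716200001.123 workstation-07 10.0.0.23 TCP_MISS/200 GET http://update-check.example.invalid/ping
1716200002.456 workstation-07 10.0.0.23 TCP_MISS/200 GET http://intranet.corp.local/home
1716200003.789 laptop-12 10.0.0.88 TCP_TUNNEL/200 CONNECT mail.corp.local:443
"""
FIREWALL_LOG = """\
2024-05-20T10:13:21Z ALLOW src=10.0.0.23 dst=203.0.113.45 dport=4444 proto=tcp
2024-05-20T10:13:25Z ALLOW src=10.0.0.88 dst=198.51.100.7 dport=443 proto=tcp
2024-05-20T10:13:30Z DENY src=10.0.0.50 dst=203.0.113.45 dport=80 proto=tcp
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) \S+ (?P<method>\S+) (?P<url>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def url_host(url: str) -> str:
    """Hostname of a proxied request; CONNECT lines carry 'host:port' with no scheme."""
    return urlparse(url).hostname or url.split(":")[0]


def hunt(proxy_log: str, firewall_log: str, iocs: dict) -> dict:
    """Map each internal source address to the IOC matches seen in the logs."""
    hits: dict = defaultdict(list)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m and url_host(m["url"]) in iocs["domains"]:
            hits[m["src"]].append(f"proxy: {m['method']} to IOC domain {url_host(m['url'])}")
    for line in firewall_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["dst"] in iocs["ips"]:
            reasons.append(f"IOC ip {m['dst']}")
        if int(m["dport"]) in iocs["ports"]:
            reasons.append(f"IOC port {m['dport']}")
        if reasons:
            # A DENY still counts: a blocked attempt means the host tried to reach the IOC.
            hits[m["src"]].append(f"firewall {m['action']}: " + ", ".join(reasons))
    return dict(hits)


if __name__ == "__main__":
    for src, reasons in hunt(PROXY_LOG, FIREWALL_LOG, IOCS).items():
        print(src, "->", "; ".join(reasons))
```

Two hosts surface: the one whose traffic the sandbox run would have predicted, and a second host whose connection was blocked by the firewall but which still tried to reach the IOC, which is why denied entries are kept rather than filtered out.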
Malware Analysis: Stages of malware analysis

Static Properties Analysis

Static properties include strings embedded in the malware code, header details, hashes, metadata, embedded resources, etc. This type of data may be all that is needed to create IOCs, and it can be acquired very quickly because there is no need to run the program in order to see it.

Insights gathered during the static properties analysis can indicate whether a deeper investigation using more comprehensive techniques is necessary, and determine which steps should be taken next.
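An added example of static properties collection, serving both this slide and the earlier "Static Analysis" slide that lists hashes, strings, IP addresses, domains and file header data as indicators (example code written for this page, not from the deck or any tool it names): the function computes hashes, reads the PE file header fields, extracts printable strings and pulls IP- and domain-looking indicators out of them, without executing anything. The sample it runs on is a constructed blob with a genuine PE header layout but invented contents; the URL and IP in it are placeholders, and the list of file extensions used to filter out false-positive "domains" is a deliberately small heuristic.

```python
import hashlib
import re
import struct

PRINTABLE_RUN = re.compile(rb"[ -~]{5,}")
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
# Dotted names ending in these are file names, not hosts; a real triage script would
# instead check the last label against a public-suffix list (heuristic for the example).
NOT_A_TLD = {b"exe", b"dll", b"sys", b"dat", b"ini", b"log"}


def parse_pe_header(data: bytes):
    """Return machine/section-count/timestamp from a PE file header, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsections, "timestamp": timestamp}


def static_properties(data: bytes) -> dict:
    """Hashes, header details and string-derived indicators, without executing anything."""
    props = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "pe": parse_pe_header(data),
        "strings": [s.decode("ascii") for s in PRINTABLE_RUN.findall(data)],
    }
    props["ips"] = sorted({m.decode() for m in IP_RE.findall(data)})
    props["domains"] = sorted({
        m.decode().lower() for m in DOMAIN_RE.findall(data)
        if not IP_RE.fullmatch(m) and m.rsplit(b".", 1)[-1].lower() not in NOT_A_TLD
    })
    return props


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious file: a real PE header layout, fake contents."""
    blob = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    blob += struct.pack("<I", 0x80)                         # e_lfanew -> PE signature at 0x80
    blob += b"\x00" * (0x80 - len(blob))
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 1700000000, 0, 0, 224, 0x102)
    blob += b"GetProcAddress\0LoadLibraryA\0"               # imported API names
    blob += b"http://beacon.example.invalid/gate\0"         # placeholder URL, not a real IOC
    blob += b"203.0.113.9\0cmd.exe /c whoami\0"             # documentation-range IP + command
    return bytes(blob)


if __name__ == "__main__":
    for key, value in static_properties(build_sample()).items():
        print(f"{key}: {value}")
```

The hashes are what gets looked up in VirusTotal or a TIP; the header fields (machine type, section count, compile timestamp) and the strings are what a tool like PE-studio shows in one view. Note the `cmd.exe` string: without the extension filter it would be reported as a domain, which is the kind of false positive that makes raw string output need a human pass before it becomes an IOC.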
Behavioral Analysis

Behavioral analysis requires a creative analyst with advanced skills. The process is time-consuming and complicated and cannot be performed effectively without automated tools.

Interactive Behavior Analysis

Behavioral analysis is used to observe and interact with a malware sample running in a lab. Analysts seek to understand the sample's registry, file system, process and network activities. They may also conduct memory forensics to learn how the malware uses memory. If the analysts suspect that the malware has a certain capability, they can set up a simulation to test their theory.
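To make the four activity categories concrete, here is an added example (written for this page; not from the deck and not Process Monitor's own code) that reads a constructed Process Monitor-style CSV export, follows the sample's process tree through the PIDs it creates, and reports the file writes, registry changes, child processes and network connections attributed to the sample, flagging a write under a Run key as persistence. The column layout mirrors Procmon's CSV export; the process names, paths, PIDs and the IP are invented.

```python
import csv
import io

# Constructed Process Monitor-style CSV export. Columns mimic Procmon's default
# export; every event, path, PID and address below is invented for the example.
PROCMON_CSV = """\
Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,invoice.exe,4120,CreateFile,C:\\Users\\analyst\\AppData\\Roaming\\svc.exe,SUCCESS,Desired Access: Generic Write
10:01:02.150,invoice.exe,4120,WriteFile,C:\\Users\\analyst\\AppData\\Roaming\\svc.exe,SUCCESS,"Offset: 0, Length: 212992"
10:01:02.300,invoice.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc,SUCCESS,Type: REG_SZ
10:01:02.400,invoice.exe,4120,Process Create,C:\\Users\\analyst\\AppData\\Roaming\\svc.exe,SUCCESS,PID: 4388
10:01:03.000,svc.exe,4388,TCP Connect,workstation-07:49712 -> 203.0.113.45:4444,SUCCESS,Length: 0
10:01:03.200,svc.exe,4388,RegQueryValue,HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName,SUCCESS,Type: REG_SZ
10:01:04.000,explorer.exe,1234,ReadFile,C:\\Windows\\System32\\shell32.dll,SUCCESS,"Offset: 0, Length: 4096"
"""

# Substring that marks the classic autostart location (matched case-insensitively).
RUN_KEY = "\\currentversion\\run\\"


def summarize(csv_text: str, root_process: str) -> dict:
    """Attribute registry, file system, process and network activity to one sample.

    Events from processes outside the sample's tree (here explorer.exe) are counted
    as noise rather than mixed into the findings.
    """
    tracked: set[int] = set()          # PIDs that belong to the sample's process tree
    out = {"files_written": [], "registry_set": [], "children": [],
           "network": [], "persistence": False, "other_noise": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        if row["Process Name"] == root_process:
            tracked.add(pid)
        if pid not in tracked:
            out["other_noise"] += 1
            continue
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile":
            out["files_written"].append(path)
        elif op == "RegSetValue":
            out["registry_set"].append(path)
            if RUN_KEY in path.lower():
                out["persistence"] = True
        elif op == "Process Create":
            child = int(row["Detail"].split("PID:")[1])   # Procmon puts the new PID in Detail
            tracked.add(child)                            # follow the child from here on
            out["children"].append((path, child))
        elif op in ("TCP Connect", "UDP Send"):
            out["network"].append(path.split("-> ")[1])   # remote endpoint only
    for key in ("files_written", "registry_set", "network"):
        out[key] = sorted(set(out[key]))
    return out


if __name__ == "__main__":
    for key, value in summarize(PROCMON_CSV, "invoice.exe").items():
        print(f"{key}: {value}")
```

The result is the skeleton of a behavioral report: a dropped file, a Run-key entry pointing at it, the dropped file launched as a child, and that child making an outbound connection. The dropped path, the registry value and the remote endpoint are the IOCs this stage produces; ProcDOT draws the same process-tree attribution as a graph.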
Fully Automated Analysis

Fully automated analysis quickly and simply assesses suspicious files. The analysis can determine the potential repercussions if the malware were to infiltrate the network, and then produce an easy-to-read report that provides fast answers for security teams. Fully automated analysis is the best way to process malware at scale.

Manual Code Reversing

In this stage, analysts reverse-engineer code using debuggers, disassemblers, compilers and specialized tools to decode encrypted data, determine the logic behind the malware algorithm and understand any hidden capabilities that the malware has not yet exhibited.

Code reversing is a rare skill, and executing code reversals takes a great deal of time. For these reasons, malware investigations often skip this step and therefore miss out on a lot of valuable insights into the nature of the malware.
Malware Analysis

Knowing how to examine malware helps you to determine:
- Does the file pose a threat to your organization?
- What are the file's capabilities?
- How can the malware be detected on systems across the enterprise?
- What does the file reveal about your adversary?
Malware Analysis Stages

Stages in malware analysis:
- You need automation tools for analysis.
- Automation tools also have limitations: not all malware will detonate in a sandbox, because some samples detect the sandbox.
- Look at the properties of the malware sample.
- In static analysis you look at the following

N.B: Triage is the assessment of a security event to determine if there is a security incident, its priority, and the need for escalation.
Static Malware Analysis

PE-studio

PE-studio is a static analysis tool that collects the static properties of a file in a single application, allowing you to analyse the file without running it.

PE-studio Malware Analysis (slide images not captured in the text)
Malware Analysis

- Process Hacker: observes running processes
- Process Monitor: records local system interactions
- ProcDOT: cleans up and visualises Process Monitor data
- Wireshark: records network activities

OSINT

Open source intelligence gathering (OSINT): taking the hash value of a file and pasting it into the VirusTotal website is informally known as "googling" the hash, or simply open source intelligence gathering.
LIST OF AUTOMATED MALWARE TOOLS FOR ANALYSIS

Here is a comprehensive listing of free, hosted services that perform automated malware analysis:

- AMAaaS (Android files)
- Any.run (Community Edition)
- Binary Guard True Bare Metal
- Intezer Analyze (Community Edition)
- IRIS-H (focuses on document files)
- CAPE Sandbox
- Comodo Valkyrie
- Detux Sandbox (Linux binaries)
- FileScan.IO (static analysis)
- Yomi
- Gatewatcher Intelligence
- Hatching Triage (individual and researcher licenses)
- Hybrid Analysis
- InQuest Labs Deep File Inspection
- Joe Sandbox Cloud (Community Edition)
- Manalyzer (static analysis)
- sandbox.pikker.ee
- SandBlast Analysis
- SecondWrite (free version)
- SNDBOX
- ThreatConnect
- ThreatTrack
- ViCheck
- VirusTotal