Malware Analysis (Autosaved)

Malware, or malicious software, is designed to harm or exploit systems, with common types including viruses, worms, and ransomware. Malware analysis involves examining malicious software to understand its functionality and origin, utilizing methods like static and dynamic analysis. Effective defenses against malware include using antivirus software, keeping systems updated, and practicing safe browsing habits.

Uploaded by

adithyu.icss
Copyright: © All Rights Reserved

MALWARE ANALYSIS
What is malware, and what are its types?
■ Malware, short for malicious software, refers to any program or file
designed to harm, disrupt, or exploit computers, networks, or devices.
Cybercriminals create malware to gain unauthorized access, steal sensitive
information, or cause damage to systems.
■ Common types of malware include:
• Viruses: Attach themselves to legitimate programs, replicating and
spreading to other systems.
• Worms: Spread independently by exploiting vulnerabilities in networks.
• Trojan Horses: Disguise themselves as legitimate software but carry
malicious intent.
• Ransomware: Locks users out of their devices or files until a ransom is paid.
• Spyware: Secretly gathers information about a user's activities.
• Adware: Displays intrusive advertisements, often bundled with other
software.
Malware Analysis
■ Malware analysis is the process of examining and understanding malicious software to
determine its functionality, origin, and potential impact. It’s often used in cybersecurity to
identify and mitigate threats. Malware analysis can help develop stronger defenses,
create detection mechanisms, and even trace the source of an attack.
■ There are two primary types of malware analysis:
1. Static Analysis: This involves studying the malware's code and structure without running it.
2. Dynamic Analysis: Here, the malware is executed in a controlled, isolated environment
(like a sandbox) to observe its behavior. Analysts study how the malware interacts with
the system, such as creating files, establishing network connections, or modifying registry
keys.
■ Other methods include:
• Behavioral Analysis: Monitoring how malware behaves within a system to understand
its effects.
• Memory Analysis: Analyzing the malware’s activity in memory during execution.
• Reverse Engineering: Breaking down the malware's code to gain detailed insights into
its design and operations.
Static Malware Analysis

■ Static malware analysis is the process of examining a malicious file or code without
executing it. This method provides valuable insight into the malware's structure, purpose
and likely behaviour, and is usually the first step in understanding a threat.
■ The objective is to extract useful information from the sample: this gives us an idea of
the type of malware and what it is capable of, and it guides the later (dynamic) analysis so
that we can analyse the sample efficiently going forward.
Static analysis flow - How we will approach a sample

• Identifying the file type - Target OS, architecture & format ( .dll, .exe)
• Identifying the malware - Generating a hash of the malware, will give the malware a
unique identifier. Using the hash to see if anyone else has analyzed the malware.
• Strings - Strings give us an idea/glimpse of what the malware can do.
• Packing & Obfuscation - Packing and obfuscation are techniques used to hinder detection
and analysis. Unpacking or deobfuscating the sample reveals the information (strings,
imports) that the packer hides.
• PE headers - The PE header reveals a lot of information on the malware functionality.
Identifying the file type

• Identifying the file type is extremely important as it helps us identify the target OS and the
corresponding architecture.
• An example of a Windows executable file is the PE (Portable Executable).
• A PE could be in the form of; .exe, .dll etc.
• To accurately identify a file type we need to look at the file signature (magic bytes), not
the extension: attackers rename files and use double extensions such as invoice.pdf.exe.
• The file signature is found in the file header.
• A PE file starts with the bytes 4D 5A ("MZ", the DOS header signature) in the first two
bytes (offsets 0-1).
• PE files also carry the DOS stub message "This program cannot be run in DOS mode".
• The PE header itself starts with the signature 50 45 00 00 ("PE\0\0"). It is not at a fixed
offset: the 4-byte field at offset 0x3C of the DOS header (e_lfanew) gives its location.
Tools used

• HxD - Hex editor, used to inspect the raw bytes and signatures.
• Exeinfo PE - Retrieves the Windows PE header information. It also detects whether the
executable has been packed, identifies the packer and its version, and suggests how to unpack it.
• PEStudio
• CFF Explorer
Malware Hashing

• Malware hashing is the process of generating cryptographic hashes of the file content of
the target malware. The hash covers the bytes of the file, not its name.
• The hashing algorithms used in malware identification are:
• MD5
• SHA-1
• SHA-256
• The hashing process gives us a digest that acts as a fingerprint of the sample.
• MD5 and SHA-1 are still widely used as lookup keys, but both are collision-broken, so
SHA-256 is the digest to treat as the sample's identity.
• A hash matches exact content only: changing a single byte of the file produces a completely
different digest, so every variant of a malware family has its own hash.
Why should you hash?

• For accurate identification of malware samples: file names can be anything, whereas the
hash identifies the content itself.
• Hashes are the identifier used by malware analysis sites such as VirusTotal.
• Hashes can be used to search for previous detections or to check online whether the sample
has already been analysed by other researchers, before spending time on it ourselves.
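Added example, written for this page and not part of the original presentation: hashing a sample with all three algorithms named above, in chunks so that large files do not have to fit in memory, and then showing that the digest follows the content and not the file name. The file names and the sample bytes are constructed for illustration; the SHA-256 value is the one you would paste into VirusTotal.

```python
import hashlib
import tempfile
from pathlib import Path

# Algorithms named on the slide. MD5 and SHA-1 remain common lookup keys on
# sharing sites, but both are collision-broken; SHA-256 is the sample's identity.
ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for a malware file (MZ signature plus filler); not a real sample.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed sample body"


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk in chunks so multi-gigabyte samples never need to be read at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def same_sample(digests_a: dict, digests_b: dict) -> bool:
    """Two files are the same sample iff their SHA-256 digests match, whatever they are named."""
    return digests_a["sha256"] == digests_b["sha256"]


def demo(tmp_dir=None) -> dict:
    """Write three constructed files under different names and compare their fingerprints."""
    tmp_dir = Path(tmp_dir or tempfile.mkdtemp())
    original = tmp_dir / "invoice.pdf.exe"   # double-extension name; only the bytes matter
    renamed = tmp_dir / "svchost.exe"        # same bytes, different name
    patched = tmp_dir / "svchost_v2.exe"     # one byte changed
    original.write_bytes(SAMPLE_PAYLOAD)
    renamed.write_bytes(SAMPLE_PAYLOAD)
    patched.write_bytes(SAMPLE_PAYLOAD[:-1] + b"!")
    return {
        "original": hash_file(original),
        "renamed_matches": same_sample(hash_file(original), hash_file(renamed)),
        "patched_matches": same_sample(hash_file(original), hash_file(patched)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The renamed copy hashes identically to the original, which is why a hash and not a file name is the lookup key; the copy with one byte changed does not, which is why a hash lookup alone will not catch a new variant of a known family.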
Analysing Strings

• Strings Analysis - This is the process of extracting readable characters and words from the
malware.
• Strings can give us valuable information about the malware functionality.
• Malware will usually contain useful strings and other random strings, also known as garbage
strings.
• Strings come in ASCII and Unicode (UTF-16LE) formats. We need to ask for both types
during extraction, as some tools only extract ASCII by default and will miss the Unicode strings.
• The types of strings we are looking for are:
• File names
• URLs (domains the malware connects to)
• IP Addresses
• Registry Keys
Tools used

• strings command-line utility (Sysinternals strings on Windows, GNU strings on Linux)
• Shell extensions
• PEStudio
• PEiD
Packers

• A packer is a tool that compresses (and often encrypts) the content of an executable.
• Attackers use packers to obfuscate the content of the malware; a packed sample shows very
few meaningful strings and imports, which makes static analysis difficult.
• A packed executable carries a small unpacking stub: when the file is executed, the stub
decompresses the original code into memory and jumps to it. Unpacking the sample (with the
packer's own decompressor where one exists, or by dumping the unpacked code from memory
during execution) gives us the original executable to analyse.

Tools used:
• UPX (the packer itself; upx -d unpacks samples packed with an unmodified UPX)
• Exeinfo PE (identifies which packer was used)
PE Header

• The PE header contains the information the OS requires to run the executable.
• This information is very useful, as it can give us more information about the functionality
of the malware and how the malware interacts with the OS.
■ Why is the PE header important?
1. It contains the information the OS loader needs in order to execute the file.
2. It specifies where the executable expects to be loaded into memory (the image base) and
how its sections are mapped.
3. It lists the libraries (DLLs) and the functions the executable imports.
4. It specifies where execution begins (the entry point).
PE Header Structure

Component                    Purpose
MZ header / DOS header       Defines the file as an executable binary; the e_lfanew field
                             (offset 0x3C) gives the offset of the PE header
DOS stub                     Prints "This program cannot be run in DOS mode" when run
                             under DOS (exists for compatibility)
PE file header (signature)   "PE\0\0" signature followed by the COFF header: machine
                             (architecture), number of sections, characteristics (EXE/DLL)
Image optional header        Stores important information about the executable, like the
                             subsystem, the image base and the entry point
Section table                Instructions on how to load each section into memory
Sections                     The executable code and data used by the executable
PE Sections

Section Name    Function
.code / .text   Executable code
.data           Stores data (read/write)
.rdata          Stores data (read only)
.idata          Stores the import table
.edata          Stores the export table
.rsrc           Stores resources (strings, icons)
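Added example covering the file-type identification, packers, PE header and PE sections slides above; it is written for this page and is not code from the presentation. The parser follows e_lfanew to the PE signature, reads the architecture, EXE/DLL type, subsystem, image base and entry point from the headers, walks the section table, and applies two packing heuristics (a packer's section name and per-section entropy). The PE it parses is a constructed, header-only stand-in built inside the code so the example runs offline; it is not a real program and cannot be executed.

```python
import hashlib
import math
import struct

MACHINE = {0x14C: "x86 (32-bit)", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
IMAGE_FILE_DLL = 0x2000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Identify OS/architecture/format from the headers, then walk the section table."""
    # DOS header: 'MZ' at offset 0; e_lfanew at 0x3C holds the offset of the PE header.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    # The 'PE\0\0' signature sits wherever e_lfanew points, not at a fixed offset.
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("MZ file without a PE signature (DOS program or corrupt file)")
    coff = pe + 4  # COFF file header, 20 bytes
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header; magic says PE32 (0x10B) or PE32+ (0x20B)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Section table: 40-byte entries immediately after the optional header.
    sections = []
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "rva": va, "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return {"format": "PE32+" if magic == 0x20B else "PE32",
            "architecture": MACHINE.get(machine, f"unknown ({machine:#x})"),
            "type": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
            "subsystem": SUBSYSTEM.get(subsystem, f"other ({subsystem})"),
            "image_base": image_base, "entry_point_rva": entry_rva, "sections": sections}


def looks_packed(info: dict, entropy_threshold: float = 7.0) -> list:
    """Packing heuristics (evidence, not proof): packer-named sections and near-random section bodies."""
    reasons = []
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            reasons.append(f"section {s['name']} carries the UPX packer's section name")
        if s["raw_size"] and s["entropy"] >= entropy_threshold:
            reasons.append(f"section {s['name']} has entropy {s['entropy']} bits/byte (compressed or encrypted)")
    return reasons


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 x86 EXE with a low-entropy .text and a high-entropy 'UPX1' section.
    It exists only to be parsed; it is not a real binary and cannot run."""
    text = b"\x55\x89\xe5\x90\x90\xc3" * 80  # repetitive code-like bytes (low entropy)
    packed, seed = b"", b"constructed"
    while len(packed) < 4096:  # deterministic but random-looking bytes (high entropy)
        seed = hashlib.sha256(seed).digest()
        packed += seed
    hdr_size, e_lfanew = 0x200, 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
           + b"This program cannot be run in DOS mode.\r\n$").ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # x86, 2 sections, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint (inside .text)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<H", opt, 68, 2)         # Subsystem: Windows GUI
    sec = "<8sIIIIIIHHI"  # name, vsize, va, raw size, raw ptr, relocs, linenums, nrelocs, nlinenums, flags
    text_hdr = struct.pack(sec, b".text", len(text), 0x1000, len(text), hdr_size, 0, 0, 0, 0, 0x60000020)
    upx_hdr = struct.pack(sec, b"UPX1", len(packed), 0x2000, len(packed), hdr_size + len(text), 0, 0, 0, 0, 0xE0000040)
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + text_hdr + upx_hdr).ljust(hdr_size, b"\x00")
    return headers + text + packed


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print({k: v for k, v in info.items() if k != "sections"})
    for s in info["sections"]:
        print(s)
    print(looks_packed(info) or "no packing indicators")
```

Entropy is a heuristic: a .rsrc section holding a compressed image or an embedded certificate is legitimately high-entropy, and a custom packer can rename its sections to anything, so treat both indicators as prompts to unpack and re-examine rather than as a verdict.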


Dynamic Malware Analysis

■ Dynamic malware analysis is the process of studying how a piece of malware behaves in
a controlled or monitored environment, usually by running it in real time. This approach
helps cybersecurity experts understand its functionality, capabilities, and potential
impacts on a system. Here's a breakdown of the tools and methods commonly used for
dynamic analysis:
■ Methods for Dynamic Malware Analysis
1. Behavioral Analysis: Observing how the malware interacts with the operating system,
network, and files.
2. System Monitoring: Tracking changes to the registry, file systems, and processes
initiated by the malware.
3. Network Monitoring: Analyzing the malware's communication with external systems to
identify Command and Control (C&C) servers or data exfiltration attempts.
4. Memory Analysis: Inspecting the memory to uncover malware execution paths,
decryption routines, or injected code.
5. Sandboxing: Running the malware in a virtualized or isolated environment to safely
observe its behavior without affecting the host system.
■ Tools Used for Dynamic Malware Analysis
■ Here are some popular tools that cybersecurity experts use:
• Cuckoo Sandbox: An open-source automated malware analysis system that runs
suspicious files in a virtualized environment.
• Process Monitor (Procmon): A real-time monitoring tool for Windows systems that
captures detailed information about file system, registry, and process/thread activity.
• Wireshark: A network protocol analyzer used to inspect packet data and detect
malware's network activity.
• Volatility Framework: A memory forensics tool that helps extract information about
processes and malware running in RAM.
• Sysinternals Suite: A collection of Windows utilities like Process Explorer and
Autoruns, used for diagnosing and analyzing malware behavior.
• Remnux: A Linux-based toolkit for malware analysis and reverse engineering.
• Noriben: A Python script that drives Process Monitor for you and reduces its trace to a
readable behavioural report.
• CAPA: Mandiant FLARE's capability detector. It is a static tool (it matches rules against
the code and imports of the file), but its report tells you which behaviours to watch for when
the sample is run.
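Added example, not from the original presentation: the system-monitoring and network-monitoring methods above applied to a Process Monitor trace. The log lines are constructed to look like a Procmon "Save as CSV" export (same column headings) and describe no real sample; the detection rules are illustrative assumptions, not a published rule set.

```python
import csv
import io
import re

# Constructed Procmon-style CSV excerpt. Every event here is made up for the example.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010","invoice.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c vssadmin delete shadows /all /quiet"
"10:02:11.1502","invoice.exe","4120","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost32.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.1508","invoice.exe","4120","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svchost32.exe","SUCCESS","Offset: 0, Length: 212992"
"10:02:11.2020","invoice.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\\Users\\analyst\\AppData\\Roaming\\svchost32.exe"
"10:02:12.3301","invoice.exe","4120","TCP Connect","lab-vm:49812 -> 198.51.100.23:8080","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:12.4000","explorer.exe","1640","RegQueryValue","HKCU\\Software\\Classes\\CLSID","SUCCESS","Type: REG_SZ"
"10:02:12.5000","invoice.exe","4120","CreateFile","C:\\Users\\analyst\\Documents\\notes.txt.locked","SUCCESS","Desired Access: Generic Write"
"""

# (label, Procmon operation, column to inspect, pattern). Illustrative rules only.
RULES = [
    ("persistence via Run key", "RegSetValue", "Path", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("executable dropped in user profile", "WriteFile", "Path", re.compile(r"\\AppData\\.*\.(exe|dll|scr)$", re.I)),
    ("shadow copy deletion (ransomware precursor)", "Process Create", "Detail", re.compile(r"vssadmin.*delete shadows", re.I)),
    ("outbound connection (possible C&C)", "TCP Connect", "Path", re.compile(r"->")),
    ("file renamed with encryption-style extension", "CreateFile", "Path", re.compile(r"\.(locked|encrypted|crypt)$", re.I)),
]


def triage_procmon(csv_text: str) -> list:
    """Run every rule over every event; return one finding per (event, rule) match."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for label, operation, column, pattern in RULES:
            if row["Operation"] == operation and pattern.search(row[column]):
                findings.append({"time": row["Time of Day"], "process": row["Process Name"],
                                 "pid": int(row["PID"]), "finding": label, "path": row["Path"]})
    return findings


def summarize(findings) -> dict:
    """Group findings per (process, PID) so a noisy trace collapses to one line per suspect."""
    by_process = {}
    for f in findings:
        by_process.setdefault((f["process"], f["pid"]), []).append(f["finding"])
    return by_process


if __name__ == "__main__":
    for (process, pid), labels in summarize(triage_procmon(PROCMON_CSV)).items():
        print(f"{process} (PID {pid}):")
        for label in labels:
            print("  -", label)
```

Only the sample's own process ends up in the summary; explorer.exe's registry read is the kind of background noise that dominates an unfiltered Procmon capture. A real trace is the same shape but tens of thousands of rows long, which is why the filtering is scripted rather than done by eye.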
Defence against malware

• Use Antivirus Software: Install and regularly update reputable antivirus or anti-malware
programs. These can detect and remove malicious files.
• Keep Software Up to Date: Regularly update your operating system, browsers, and applications.
Updates often patch vulnerabilities that malware can exploit.
• Be Cautious with Links and Attachments: Avoid clicking on suspicious links or downloading
attachments from untrusted sources. This is a common method for spreading malware.
• Enable a Firewall: A firewall adds an additional layer of defense by monitoring incoming and
outgoing network traffic.
• Practice Strong Password Hygiene: Use strong, unique passwords for your accounts, and consider
a password manager to keep track of them.
• Use Two-Factor Authentication (2FA): Enable 2FA on your accounts to add an extra layer of security.
• Back Up Your Data: Regularly back up your important files to an external drive or a secure cloud
service, so you can restore them if your device is compromised.
• Be Skeptical of Unsolicited Downloads: Only download apps and software from official or trusted
sources, like app stores or the software's official website.
• Educate Yourself: Stay informed about the latest cybersecurity threats and practices to avoid
falling prey to scams.
• Consider Security Software for Browsing: Browser extensions or software that flags suspicious
websites can prevent you from visiting dangerous sites.
