Getting started with malware analysis

I’ve been exploring high-level malware analysis over the past few weeks.  This post is a collection of thoughts and learnings from exploring this area of research.

Analysis Lab

First things first, you need to set up a lab environment that is off your production network to analyze malware samples.  I recommend using a virtual machine to accomplish this, whether that is VirtualBox or VMware.  You will need a Windows machine running Windows 7 or later, depending on your needs.

I have opted for setting up the FLARE VM on Windows as it includes a plethora of utilities to get you started, a number of which I will briefly discuss in this post.

It is important to ensure your VM is set to host-only mode when doing analysis so that the malware cannot connect to its C2 server or other machines on your network.  This keeps the sample from carrying out any network-dependent malicious actions while you study its inner workings.

FLARE VM

Setting up FLARE VM is straightforward and, so far, it is the only set of tools I’ve explored on this journey.  Download the installer from https://github.com/fireeye/flare-vm and follow the instructions in Readme.md.  This will transform your Windows VM into a malware analysis machine, giving you the utilities you need to perform both static and dynamic analysis of malware samples.

Packed Executables

While exploring your malware samples you may encounter packed executables.  It is fairly common for malware authors to pack executables both for obfuscation and to avoid detection by scanners.

A couple of tips for detecting whether you are working with a packed executable:

  • Running strings returns no human-readable text
  • The import address table is very sparse
  • Section headers declare sections whose raw size is 0
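As an added example (not from this post or from any FLARE VM tool), the script below checks the first and third indicators, plus per-section entropy, on a constructed minimal PE image.  It walks the DOS and COFF headers to the section table using only the Python standard library.  The import-table check is left out because it needs the optional header’s data directories, which a full parser such as pefile handles.  Both sample images, their section names and their byte payloads are constructed for the demo.

```python
"""Heuristic packing indicators for a PE file: sections with a raw size of 0,
high-entropy section data, and a low count of readable strings.
Added example, not code from the post or from FLARE VM; the two PE images
built at the bottom are constructed so the script runs offline."""
import math
import random
import re
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size     # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, _vaddr, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, _chars) = struct.unpack_from(
            SECTION_FMT, pe, table + i * SECTION_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return sections


def packing_indicators(pe: bytes) -> dict:
    """Collect the indicators; a section that occupies memory but has no
    bytes on disk is filled by an unpacking stub at run time."""
    sections = parse_sections(pe)
    return {
        "sections": sections,
        "empty_raw_sections": [s["name"] for s in sections
                               if s["raw_size"] == 0 and s["virtual_size"] > 0],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        # printable ASCII runs of 8+ bytes, roughly what `strings -n 8` would show
        "long_strings": len(re.findall(rb"[\x20-\x7e]{8,}", pe)),
    }


def looks_packed(pe: bytes) -> bool:
    ind = packing_indicators(pe)
    return bool(ind["empty_raw_sections"]) or bool(ind["high_entropy_sections"])


def build_sample_pe(sections, payload: bytes) -> bytes:
    """Constructed minimal PE: DOS stub, COFF header with no optional header,
    a section table, and the raw section data starting at file offset 0x200."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44,            # IMAGE_FILE_HEADER
                     0x14C, len(sections), 0, 0, 0, 0, 0x102)
    for i, (name, vsize, vaddr, raw_size, raw_ptr) in enumerate(sections):
        struct.pack_into(SECTION_FMT, hdr, 0x58 + i * SECTION_SIZE,
                         name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + payload


# Constructed "packed" image: an empty UPX0 section plus 4 KiB of pseudo-random data.
_rng = random.Random(1)
PACKED = build_sample_pe(
    [(b"UPX0", 0x10000, 0x1000, 0, 0), (b"UPX1", 0x1000, 0x11000, 0x1000, 0x200)],
    bytes(_rng.getrandbits(8) for _ in range(4096)))

# Constructed "unpacked" image: two normal sections backed by readable strings.
_TEXT = b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0CreateFileW\0"
UNPACKED = build_sample_pe(
    [(b".text", 0x800, 0x1000, 0x800, 0x200), (b".rdata", 0x800, 0x2000, 0x800, 0xA00)],
    (_TEXT * 100)[:4096])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, looks_packed(image), packing_indicators(image))
```

Run it on a real sample by replacing the constructed images with `open(path, "rb").read()`; a UPX-packed file typically shows exactly the pattern above, an empty UPX0 section next to a high-entropy UPX1 section.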

When you encounter a packed executable there are a few tools included in the FLARE VM to help you unpack the exe.

Take a look at the following utilities to get started.

  • Detect It Easy (die)
  • PEiD
  • CFF Explorer (supports UPX unpacking)

Tools for Dynamic Analysis

  • Sysinternals
    • tcpview.exe
    • procmon.exe
    • procexp.exe (Process Explorer)
  • Network monitoring
    • FakeNet-NG
    • Wireshark

I’m going to dive a bit into FakeNet-NG as I found it particularly useful.  FakeNet-NG is a dynamic network analysis tool for malware analysis.  It allows you to intercept and redirect all or specific network traffic while simulating legitimate network services.  What does this mean? While your VM is running in host-only mode, the malware cannot reach its C2 server or other network services.  FakeNet-NG steps in and provides fake network services for the malware to communicate with, so the sample believes it has connectivity.  During this process, FakeNet-NG creates a pcap file of all the traffic captured while the sample executes, allowing you to dig deeper into which C2 servers or other network resources the malware is communicating with.  This allows you to profile the malware’s functionality in a safe manner.

I’ve been writing my own Python script to do something similar, but trust me, you want to use this tool, as it is mature and fully featured.  For more information on FakeNet-NG visit https://github.com/fireeye/flare-fakenet-ng and read the provided documentation.
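To show the core idea behind a tool like FakeNet-NG, here is an added example (not FakeNet-NG’s code and not the script mentioned above) of a fake HTTP service that answers whatever connects to it with a canned page and records the request line and Host header.  It listens on 127.0.0.1 only, and the "beacon" client, the hostname c2.example and the path /gate.php are constructed stand-ins for a sample’s check-in.

```python
"""Fake HTTP service in the spirit of FakeNet-NG: accept the connection the
sample would have made to its C2, reply with a harmless canned response, and
log what it asked for.  Added example, not FakeNet-NG's own code."""
import socket
import threading

CANNED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 4\r\nConnection: close\r\n\r\nOK\r\n")


def parse_request_head(raw: bytes) -> dict:
    """Pull the request line and the headers an analyst cares about."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (lines[0], "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", "")}


class FakeHTTPService:
    """Accept connections on loopback, reply with CANNED_RESPONSE, log each request."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))            # port 0 = pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "FakeHTTPService":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self.sock.close()                       # unblocks accept() in the thread
        self._thread.join(timeout=2)

    def _serve(self) -> None:
        self.sock.settimeout(0.2)               # poll so stop() is noticed
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(2)
                data = b""
                try:
                    while b"\r\n\r\n" not in data:   # read up to end of headers
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
                    entry = parse_request_head(data)
                    entry["peer"] = peer
                    with self._lock:
                        self.log.append(entry)
                    conn.sendall(CANNED_RESPONSE)
                except OSError:
                    pass


def send_beacon(port: int, host_header: str, path: str) -> bytes:
    """Constructed client standing in for a sample's HTTP check-in."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
           f"User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(req)
        resp = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
    return resp


def run_demo() -> dict:
    """Start the fake service, send one constructed beacon, return what was logged."""
    svc = FakeHTTPService().start()
    try:
        response = send_beacon(svc.port, "c2.example", "/gate.php?id=1")
    finally:
        svc.stop()
    return {"log": svc.log, "response": response}


if __name__ == "__main__":
    print(run_demo())
```

In a real lab the redirection step (making the sample’s DNS lookups and connections land on the listener) is what FakeNet-NG adds on top of this, along with listeners for other protocols and the pcap capture; the logged entries here are the equivalent of the lines you would later read out of that pcap.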

I will continue to update this post with additional information as my research progresses.  I hope you found this useful.
