Basic Malware Analysis for Incident Response (Static Analysis)
As an analyst or incident responder you will come across many unknown files that are not present in AV databases, as well as many malware-related incidents in your day-to-day work. It is your job to understand the characteristics and indicators of these unknown files, what they do to your network and hosts, establish whether the file is legitimate, and take appropriate steps to safeguard your environment.
I will limit this document to static analysis to keep it short.
Key things to understand about a piece of malware
1. How it works
2. How to identify it (indicators of compromise)
3. How to remove it
Let’s talk about the important indicators of compromise (IOCs), i.e. the things you need to identify rather than running tools blindly.
1. Host-based indicators
Host-based indicators are the artefacts or trails that a malware leaves behind on your host. In most cases these artefacts are unique to each malware.
· Information about the file: size, file name, hash value
· Binary characteristics: PDB paths, strings
· Changes it makes to the system: registry keys changed, files created, processes created, directory changes
· Any other changes on the system: new processes, mutexes
2. Network-based indicators
These are the trails the malware’s communication leaves on your network
· Domains and IP addresses (malware communicates with C2 servers)
· Protocols and port numbers (DNS, SMTP, HTTP)
· User-agent strings
Before we get our hands dirty, let’s define some terminology and important words used in the malware world.
Portable Executable (PE file)
The PE file format is a data structure used by Microsoft that contains the information the Windows OS loader needs to manage the executable code.
This file format is used by Windows executables, DLLs and object files.
Remember that a PE file always starts with the bytes MZ. This is your starting point.
You are free to use any hex editor to analyse the header of your PE file. I use 010 Editor, in case you are wondering.
Imports
One of the most important pieces of malware analysis is the imports. These tell you which functions the malware imports.
For example, code libraries. (Code libraries contain functionality that is common to many programs. They are connected to the main executable by linking.)
Mutex
A mutex is an object used by malware developers to avoid re-infecting a system that is already infected.
Ordinal
A number that maps to a function name.
Data encoding
Malware uses encoding techniques to hide its presence from antivirus programs. You need to pay special attention to this encoded data, which gives you plenty of insight into the malware’s behaviour.
Common encoding types
Hex, Base64
I use CyberChef to decode these encoded strings during analysis.
https://gchq.github.io/CyberChef/
Basic Static analysis
Static analysis is the technique where we analyse an executable to gain important information without running it.
For this static analysis I’m using the well-known ransomware “GandCrab”.
I assume you have a virtual machine with multiple snapshots so that you can revert before testing these malware samples.
It is always recommended to start by getting the hash of the file. You can save a lot of time if the hash matches an analysis done before.
There are multiple tools available to get the hash value; I’m using certutil to find the MD5.
Command:
certutil -hashfile <file name> MD5
Detecting packers
One of the best tools to detect packers is PEiD. As always, there are plenty of tools for unpacking.
I’m using both UPX and PEiD to identify whether this file is packed with any packer. You can easily unpack UPX-packed programs with the UPX tool itself.
PEiD
UPX
Download UPX: https://upx.github.io/
Command:
upx -d <filename>
In this case my file is not packed with any packer, so we are good to go.
Let’s move on to check the strings of this file.
Checking the strings
I have limited the strings to 5 characters, so any string with fewer than 5 characters is removed from the output.
Check your output and see what host-based and network-based indicators and other useful information you can gather from the strings.
I have listed a few of them below
1. Microsoft Visual C++ Runtime Library
2. hxxp://memesmix.net/media/created/dd0doq.jpg
3. hashbreaker Daniel J. Bernstein let’s dance salsa
4. KRAB-DECRYPT.html
5. KRAB-DECRYPT.txt
6. CRAB-DECRYPT.txt
7. Global\XlAKFoxSKGOfSGOoSFOOFNOLPE — This could be the mutex
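The strings step above, together with the earlier notes on mutexes and on hex/Base64 encoding, is easy to automate. The following is an added example (not part of the original article) that pulls printable ASCII and UTF-16LE strings out of a binary with the same 5-character cut-off, buckets them into host-based and network-based indicators (URLs, `Global\` mutex names, file names), and tries a hex and Base64 decode on candidates so encoded data is surfaced without pasting each string into CyberChef. The input blob, the `example.invalid` URL, the mutex name and the encoded strings are all constructed for the demonstration; point it at a real sample with `python strings_triage.py <file>`.

```python
"""Strings triage: extract ASCII/UTF-16LE strings from a binary, bucket them
into host/network indicators and try the common encodings (hex, Base64).
Example code, not from the original article; standard library only."""
import base64
import re
from typing import Dict, List, Optional, Tuple

MIN_LEN = 5  # same cut-off as the article's strings run: shorter strings are dropped

URL_RE = re.compile(r"^(?:hxxp|http|ftp)s?://", re.IGNORECASE)          # hxxp = defanged
FILE_RE = re.compile(r"\.(?:exe|dll|sys|txt|html?|bat|ps1|vbs)$", re.IGNORECASE)
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){8,}")                          # >= 8 bytes of hex
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")                        # >= 12 bytes of Base64


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Equivalent of `strings -n 5`, plus UTF-16LE (wide) strings, which Windows
    binaries use heavily and which plain ASCII extraction misses."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_run.finditer(data)]
    return found


def _printable(raw: bytes) -> bool:
    return len(raw) > 0 and all(0x20 <= b < 0x7F for b in raw)


def classify(s: str) -> Tuple[str, Optional[str]]:
    """Return (label, decoded). `decoded` is set only when the string was hex or
    Base64 and decoded to printable text; otherwise it stays None."""
    if URL_RE.match(s):
        return "network: url", None
    if s.startswith(("Global\\", "Local\\")):   # named kernel objects, e.g. a mutex
        return "host: mutex / named object", None
    if FILE_RE.search(s):
        return "host: file name", None
    if HEX_RE.fullmatch(s):
        raw = bytes.fromhex(s)
        if _printable(raw):
            return "encoded: hex", raw.decode("ascii")
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            raw = b""
        if _printable(raw):
            return "encoded: base64", raw.decode("ascii")
    return "uncategorised", None


def triage(data: bytes) -> List[Dict[str, Optional[str]]]:
    """One row per extracted string: the string, its bucket, and any decoding."""
    rows = []
    for s in extract_strings(data):
        label, decoded = classify(s)
        rows.append({"string": s, "label": label, "decoded": decoded})
    return rows


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary: a few strings separated by NUL bytes,
    mimicking what the article pulled out of its sample. Not real malware data."""
    parts = [
        b"\x00\x00MZ\x90\x00",                             # header noise, too short to count
        b"Microsoft Visual C++ Runtime Library",
        b"hxxp://example.invalid/media/x.jpg",             # constructed, defanged URL
        "KRAB-DECRYPT.txt".encode("utf-16le"),             # wide (UTF-16LE) string
        b"Global\\ExampleMutexName",                        # constructed mutex name
        base64.b64encode(b"kernel32.dll"),                 # Base64-encoded DLL name
        b"Hello, world".hex().encode("ascii"),             # hex-encoded text
    ]
    return b"\x00\x00".join(parts) + b"\x00\x00"


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for row in triage(blob):
        if row["label"] != "uncategorised":
            extra = f"  -> {row['decoded']}" if row["decoded"] else ""
            print(f"{row['label']:<28} {row['string']}{extra}")
```

The hex check runs before the Base64 check on purpose: a long hex string is also valid Base64, and decoding it as Base64 would give garbage. Both decoders are accepted only when the result is fully printable, which keeps random alphanumeric strings such as hashes out of the "encoded" bucket.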
After checking the strings, my next step is to check the list of functions imported by GandCrab.
Dependency Walker is a great tool to check the imported functions.
Checking dynamically linked functions
Quick overview of common DLLs (refer to pane 3 of the screenshot below)
Kernel32 DLL
Contains core functionality such as access to memory, files and hardware components
Advapi32 DLL
Provides access to core Windows components such as the registry and the service manager
User32 DLL
Contains user-interface components
Gdi32 DLL
Functions for graphics display
Tool name: Dependency Walker
Clicking KERNEL32.DLL in pane 3 will show you a bunch of imported functions in the upper-right pane 1. The most interesting is CreateFileW, which tells us that this program creates a file while it is executing, so we should watch for additional file creation during our dynamic analysis. There are also some important functions such as GetCurrentProcess, OpenProcess, ReadFile, WriteFile, etc.
Keep in mind that executables can import functions by ordinal (number) instead of by name, which makes it harder for analysts to determine which function is being used. You can map the ordinal values to the function names in pane 2.
By now we have a lot of information about the malware. Our next step is to examine the PE header.
The PE file header provides much more information than the imports alone.
Analyzing PE header
Summary of common PE sections
1. .text
executable code lives here
2. .rdata
globally accessible read-only data within the program
3. .data
global data accessed throughout the program
4. .rsrc
stores the resources required by the executable
Tools: PEView or CFF Explorer can be used to examine the header of the file.
File header
What information can we get from the file header?
1. Basic information about the file
2. When the executable was compiled (very important in incident response; this tells you whether the malware is a fresh one or an existing one)
3. Characteristics of the file (executable, DLL, etc.)
Next, move to the section header.
Section header
Important information from this section
1. Virtual size — how much space is allocated for the section during the loading process
2. Raw size — how big the section is on disk
Normally the virtual size and the raw size are equal or similar in value.
Note: If the virtual size is significantly larger than the raw size, this indicates packed code, especially when the .text section is larger in memory than on disk.
Finally we will examine the optional header.
Optional header
Important information from this section.
1. File type
2. GUI or CLI
3. DLL characteristics
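Everything the file, section and optional headers expose above (and the MZ starting point and packer heuristic from earlier) can be read with a few `struct` calls, which is a useful cross-check when a GUI tool is not at hand. The following is an added example (not code from the article or from any of the tools it mentions): it walks DOS header, PE signature, file header, optional header and section table, reports compile time, file type, subsystem and DLL characteristics, and applies the rule of thumb that an executable section far larger in memory than on disk points to packed code. The flag values are from the PE/COFF specification; the UPX section names are the ones that packer writes. `build_sample_pe` fabricates a headers-only PE image (no real code) so the script runs offline; pass a real file as the first argument instead.

```python
"""Minimal PE header walker with a packed-code heuristic.
Example code, not from the original article; standard library only."""
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Constants from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C4: "ARMNT", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}   # section names written by the UPX packer


def parse_pe_headers(data: bytes) -> Dict:
    """DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":                                   # e_magic: the MZ starting point
        raise ValueError("missing MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    file_hdr = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]      # 0x10B PE32 / 0x20B PE32+
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt_hdr + 68)  # same offset in both
    sections = []
    for i in range(nsec):                                   # 40-byte IMAGE_SECTION_HEADERs
        off = opt_hdr + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sec_chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": sec_chars})
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "file_type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": [n for bit, n in DLL_FLAGS.items() if dll_chars & bit],
        "sections": sections,
    }


def packed_indicators(info: Dict) -> List[str]:
    """Article's rule of thumb: an executable section whose virtual size is far
    larger than its raw size suggests code is unpacked into memory at run time.
    Uninitialised data sections (.bss) legitimately have raw size 0, so only
    executable sections are flagged. Known packer section names are reported too."""
    hits = []
    for sec in info["sections"]:
        if sec["name"] in PACKER_SECTIONS:
            hits.append(f"{sec['name']}: section name used by the UPX packer")
        executable = bool(sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and sec["virtual_size"] > 2 * max(sec["raw_size"], 1):
            hits.append(f"{sec['name']}: executable section is {sec['raw_size']:#x} bytes "
                        f"on disk but {sec['virtual_size']:#x} bytes in memory")
    return hits


def build_sample_pe(packed: bool) -> bytes:
    """Constructed headers-only PE32 image used as test input; it contains no code.
    The timestamp (2019-01-01 UTC) and section layouts are made up."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE header right after
    if packed:   # typical UPX layout: empty UPX0 grows in memory, UPX1 holds the stub
        secs = [(b"UPX0", 0x30000, 0x1000, 0x0, 0x400, 0xE0000080),
                (b"UPX1", 0x8000, 0x31000, 0x7E00, 0x400, 0xE0000040)]
    else:        # ordinary layout: virtual and raw sizes agree
        secs = [(b".text", 0x1F00, 0x1000, 0x2000, 0x400, 0x60000020),
                (b".rdata", 0x800, 0x3000, 0x800, 0x2400, 0x40000040)]
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 1546300800, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                    # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<HH", opt, 68, 2, 0x0140)             # GUI, DYNAMIC_BASE | NX_COMPAT
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, vs, va, rs, rp, c in secs)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(packed=True)
    info = parse_pe_headers(blob)
    print(json.dumps(info, indent=2))
    for hit in packed_indicators(info):
        print("packer indicator:", hit)
```

The compile timestamp is read straight from the file header, so treat it as a claim rather than a fact: it is a plain 32-bit field the author of the binary can set to anything, which is why a fresh-looking or absurd date is itself worth noting in the report.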
Now that we have gathered as much data as possible from static analysis, it’s time to do the dynamic analysis.
See you in the next article.