Malware Analysis

CHAPTER 1

TYPES OF MALWARE

1. Backdoor
   * malicious software that provides an attacker access to a system.
   * allows the attacker to access with minimum or no authentication; can run commands.

2. Botnet
   * provides attacker access
   * all infected machines receive commands from a central command-and-control server.

3. Downloader
   * downloads and installs malware onto the victim's device
   * retrieves and installs additional malware

4. Information-stealing Malware
   * designed to collect data from the victim's machine
   * examples: sniffers, keyloggers
   * used to capture online banking or emails

5. Launcher
   * launches other malware, to avoid detection or gain more access.

6. Rootkit
   * code designed to hide other malware.
   * often paired with backdoors: to provide the attacker with remote access.
   * difficult for the victim to detect

7. Scareware
   * tricks the user into purchasing fake software
   * often mimics legitimate security programs

8. Spam-sending Malware
   * infects a machine and uses it to send spam emails.
   * attackers profit by offering services that send large volumes of spam

9. Worm or Virus
   * malicious software that replicates itself across other computers.

HOST-BASED SIGNATURES
   - used to detect malicious activity or malware on a specific host
   - detects newly created

NETWORK-BASED SIGNATURES
   - used to detect malicious activity or malware by monitoring network traffic

MALWARE ANALYSIS IMPORTANCE

   - prioritize incidents
     * enables incident responders and security analysts to effectively assess incidents.
   - reveal hidden indicators
     * helps identify and block concealed indicators of compromise (IOCs)
   - enhance IOC alerts
     * improves the effectiveness of alerts and notifications related to IOCs
   - support threat hunting
     * provides additional context to aid in proactive threat hunting

MALWARE ANALYSIS TECHNIQUES (each technique more in depth than the previous)

Basic Static Analysis
   * inspecting the executable file without running the malware
   * purpose: confirms if a file is malicious and provides info about its functionality
   * limitations: may not detect sophisticated malware or reveal complex behaviour

Advanced Static Analysis
   * reverse engineering the malware by loading it into a disassembler and examining the code instructions
   * purpose: provides a detailed understanding of what the malware does by analysing the instructions executed by the CPU
   * challenges: requires specialized knowledge in disassembly, code structures and OS concepts

Basic Dynamic Analysis
   * executing the malware to observe its actions on the system
   * purpose: helps remove infections, produce effective signatures, or both
   * requirements: a safe execution environment to prevent system/network damage
   * limitations: can miss significant functionality; not effective against all types of malware

Advanced Dynamic Analysis
   * uses a debugger to investigate the internal state of the running malware executable
   * purpose: extracts detailed info about the malware's operation that is difficult to obtain through other methods
   * application: often used in conjunction with advanced static analysis for a comprehensive analysis of suspected malware
REVERSE ENGINEERING

   - dismantling an object to understand its design and functionality

OBJECTIVES OF REVERSE ENGINEERING

   · malware understanding
     * enables detailed analysis of malware to understand its behaviour, how it spreads, and its impact on the system.
   · vulnerability discovery
     * helps uncover vulnerabilities that can be exploited, allowing developers to patch weaknesses.
   · development of defence mechanisms
     * helps create better detection mechanisms, IDS signatures, for antivirus.
   · learning and skill development
     * provides the opportunity to learn about low-level programming, malware behaviour and system internals.

IMPORTANCE OF REVERSE ENGINEERING

   · malware analysis
   · threat intelligence
     * provides valuable insight into emerging threats, enabling organizations to stay ahead of attackers.
   · incident response
     * helps respond to security incidents by analyzing suspicious software to determine if it is malicious and how it works
   · forensic investigation
     * to conduct in-depth forensic investigation
ETHICAL AND LEGAL CONSIDERATIONS

   · ethical implications of reverse engineering
     * responsible use
       - knowledge gained is used to enhance cybersecurity, not to exploit systems or create harmful tools.
     * professional responsibility
       - malware analysts have a duty to protect sensitive info
   · legal considerations
     * intellectual property
       - reverse engineering may trespass on intellectual property rights
     * compliance
       - analysts must ensure reverse engineering activities comply with local and international law.

TOOLS FOR MALWARE ANALYSIS

1. Disassembler
   - tool used to convert executable code into human-readable assembly code
   - allows malware analysts to examine a program without the original source code.
   why use a disassembler:
   * understanding malware behaviour
   * finding vulnerabilities

2. Debuggers
   - tool that allows you to execute malware step by step and monitor its behaviour.
   - lets the analyst inspect registers, memory, and system state
   why use a debugger:
   * dynamic analysis
   * identify malicious functions

3. Hex Editors
   - tools used to inspect/modify the raw binary data of files
   - displays the content of a file in hex, allows you to manipulate the data.
   why use a hex editor:
   * inspect file structure
   * modifying malware behaviour.


ENVIRONMENTS FOR MALWARE ANALYSIS

   - isolated, controlled setup used to run and analyze malware safely
   - why use controlled environments:
     * safety: running malware on a virtual machine or sandbox ensures that it can't affect the host or network
     * behaviour monitoring: allows you to safely observe malware interactions with files, networks and the OS
   - common environments:
     · Sandbox
     · Virtual machine
CHAPTER 2

STATIC ANALYSIS

   · inspecting malware without execution.
   · used to gather info about structure, content and behaviour.
   · minimizes the risk of spreading malicious code.
   · tools help uncover:
     * file headers
     * imported functions
     * embedded strings.

OBJECTIVE

   · safely extract:
     * metadata (file creation date, file type)
     * identifying malicious/suspicious characteristics (file size, abnormal header)
     * recognizing key indicators (embedded IP addresses, C2 servers)
     * gaining insight into functionality (use of certain libraries/APIs)
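The "embedded strings" and "key indicators" objectives above are what a strings-and-IOC pass over a file recovers. The script below is an added example written for these notes, not code from the original pages: it pulls printable ASCII and UTF-16LE runs out of a byte buffer (Windows binaries store many strings as wide characters, which a plain `strings` pass misses) and sorts them into the indicator buckets the notes list. The sample blob is constructed here, the API watch-list beyond the names the notes mention (VirtualAlloc, CreateProcess, CreateFile, WriteFile, Send, Recv) is an assumption, and the IP and domain come from documentation-only ranges.

```python
import re
from typing import Dict, List

# Constructed sample "binary" for this example only, not a real file: a PE-style
# "MZ" prefix, NUL-separated ASCII strings, a URL on a reserved example domain,
# a TEST-NET-3 address and one UTF-16LE path.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"\x01\x02\x03"
    + b"http://example.invalid/update.bin\x00"
    + b"\x7f\x00"
    + b"203.0.113.45\x00\x00"
    + "C:\\Temp\\dropper.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01"
)

MIN_LEN = 5  # shorter runs of printable bytes are mostly noise

# Watch-list of Windows APIs that hint at injection or file/network activity.
# The notes name VirtualAlloc, CreateProcess, CreateFile, WriteFile, Send and
# Recv; WriteProcessMemory and CreateRemoteThread are added here (assumption).
WATCHED_APIS = (
    "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
    "CreateProcess", "CreateFile", "WriteFile", "Send", "Recv",
)

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable ASCII bytes, the classic `strings` output."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of (printable byte, NUL) pairs: UTF-16LE wide strings."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def extract_iocs(data: bytes) -> Dict[str, List[str]]:
    """Sort every recovered string into the indicator buckets the notes list."""
    found = {"ips": set(), "urls": set(), "apis": set(), "paths": set()}
    for s in ascii_strings(data) + utf16le_strings(data):
        found["ips"].update(IPV4_RE.findall(s))
        found["urls"].update(URL_RE.findall(s))
        found["apis"].update(api for api in WATCHED_APIS if api in s)
        # Windows drive-letter paths or executable/library names
        if re.match(r"^[A-Za-z]:\\", s) or s.lower().endswith((".exe", ".dll")):
            found["paths"].add(s)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for bucket, items in extract_iocs(SAMPLE_BLOB).items():
        print(f"{bucket}: {items}")
```

Run against a real sample the same way (`extract_iocs(open(path, "rb").read())`); the wide-string pass is the part worth keeping, since C2 hostnames and dropped-file paths in Windows malware are frequently only present as UTF-16LE.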

TECHNIQUES

1. File Signature Analysis:
   - identifies the type and structure of a file from its "magic bytes": the first few bytes of the file
   - analysts can confirm file type and integrity
   importance:
   · detecting obfuscation:
     - malware authors use techniques like encrypting the payload, making it harder to analyze.
   · identifying file types:
     - verifying if a file is misnamed, such as an .exe named .pdf
   · understanding packing tools:
     - recognizing if a file has been packed using tools (UPX) used to compress the original code.
   · checking for known malware:
     - if malware shares the same signature structure, it's easier to identify variants of known malware families

   Headers and sections of portable executable file formats:
   - data may be found in the header of PE files. PE files consist of a header followed by several sections.
   - the header is packed with info because it holds metadata about the file.

   EXE Header Information:
   - an analyst uses static analysis to examine files for patterns, commands and functions that indicate the program's behavior
   - if an exec command is found, it suggests that the program can launch/create new processes.
   - if a sleep command is found, it suggests that the program may pause/delay processes or control timing within the execution flow.
   - if a DLL (Dynamic Link Library) is found, it means that the executable may connect to a server. DLL: file that contains code to perform tasks
   - if executable resources are hidden, details are important and not easily visible.

   Common file signatures:
   Windows PE Executable (EXE/DLL): Magic Bytes = 4D 5A (ASCII "MZ")
   JPEG Image File: Magic Bytes = FF D8 FF E0
   PDF Document: Magic Bytes = 25 50 44 46 2D (ASCII "%PDF-")
   ZIP Archive: Magic Bytes = 50 4B 03 04 (ASCII "PK")
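The magic-byte table, the misnamed-file check and the "header followed by several sections" description above can all be exercised in one pass. The script below is an added example for these notes, not code from the original pages: it identifies a file by the four signatures listed, flags an extension that disagrees with the content, then walks the PE header (MZ, e_lfanew at offset 0x3C, the "PE\0\0" signature, the 20-byte COFF header, the section table) and applies a simple packing heuristic. Because no real sample can be embedded here, `build_fake_pe` constructs a header-only stand-in; the UPX section names and the "zero raw size, non-zero virtual size" heuristic are assumptions stated in the comments.

```python
import os
import struct
from typing import Dict, List, Optional

# Magic-byte table copied from the notes above.
MAGIC_BYTES = {
    "Windows PE Executable (EXE/DLL)": bytes.fromhex("4D5A"),
    "JPEG Image File": bytes.fromhex("FFD8FFE0"),
    "PDF Document": bytes.fromhex("255044462D"),
    "ZIP Archive": bytes.fromhex("504B0304"),
}
# Extensions that legitimately carry each content type (assumption for the check).
EXPECTED_EXT = {
    "Windows PE Executable (EXE/DLL)": {".exe", ".dll"},
    "JPEG Image File": {".jpg", ".jpeg"},
    "PDF Document": {".pdf"},
    "ZIP Archive": {".zip"},
}


def identify(data: bytes) -> Optional[str]:
    """Match the longest signature first so a short prefix cannot shadow a longer one."""
    for name, magic in sorted(MAGIC_BYTES.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """The 'exe named pdf' check: return a message when name and content disagree."""
    kind = identify(data)
    if kind is None:
        return None
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXPECTED_EXT[kind]:
        return None
    return f"{filename!r} has extension {ext or '(none)'} but content is {kind}"


def parse_pe_sections(data: bytes) -> List[Dict[str, int]]:
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table (40 bytes per entry)."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header present but PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": rawsize, "characteristics": chars})
    return sections


def looks_packed(sections: List[Dict[str, int]]) -> bool:
    """Heuristic (assumption): UPX default section names, or a section that occupies
    memory but has no bytes on disk, which is where an unpacking stub writes code."""
    if {s["name"] for s in sections} & {"UPX0", "UPX1", "UPX2"}:
        return True
    return any(s["raw_size"] == 0 and s["virtual_size"] > 0 for s in sections)


def build_fake_pe(section_names: List[str], opt_size: int = 0) -> bytes:
    """Constructed, non-executable stand-in: just enough header for the parser."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b""
    for i, name in enumerate(section_names):
        raw = 0 if name == "UPX0" else 0x200           # UPX0 is typically empty on disk
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(identify(sample), extension_mismatch("invoice.pdf", sample))
    print(parse_pe_sections(sample), "packed" if looks_packed(parse_pe_sections(sample)) else "plain")
```

On a real file, read the bytes and pass them to `identify`, `extension_mismatch` and `parse_pe_sections` in that order; the parser raises rather than guessing when the MZ header is present but the PE signature is not, which is itself a finding worth recording.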


2. Disassembly
   - process of converting the machine code of an executable file back into low-level assembly language.
   characteristics of disassembly:
   1. Low-level code:
      - turns the executable file into code that closely resembles machine instructions, with no logical expressions shown (loops/conditions)
   2. Processor-specific:
      - the program generates different assembly code based on the hardware design (x86, ARM)
   3. Readable but hard to understand:
      - code is human-readable, but requires knowledge of the CPU instruction set and registers.
   Tools for disassembly:
   · IDA Pro: widely-used interactive disassembler
   · Ghidra: free disassembler developed by the NSA.
   · Radare2: open-source disassembler and reverse engineering framework.
   Disassembly example:
   - malware calling VirtualAlloc, which may be used to inject malicious code into memory.
3. Decompilation:
   - transforming a binary executable to high-level source code (C or C-like pseudocode).
   - offers a more detailed and readable form of the original code, closer to the source code written before compilation.
   characteristics of decompilation:
   1. High-level code:
      - output resembles source code, showing high-level logical expressions (if/loops/function calls)
   2. Easier to understand:
      - easier to analyze. However, the code might not be exactly the same as the source code.
   3. Not perfect:
      - may struggle with optimized binaries, making the resulting code incomplete or hard to understand.
   tools for decompilation:
   · Ghidra: decompiles to higher-level pseudocode
   · Hex-Rays Decompiler (IDA Pro plugin): converts assembly back into C-like pseudocode
   · RetDec: open-source decompiler
   decompilation example:
   - malware is downloading a payload from a malicious domain
   - the payload is saved to a local file, then executed.

   disassembly vs. decompilation
   when to use disassembly:
   - to trace the malware's control flow at a low level
   - to analyze specific instructions and their effect on memory/registers
   - to handle obfuscated or highly optimized binaries where decompilers might fail.
   when to use decompilation:
   - when you want a higher-level understanding of the malware's function
   - you're analyzing simple code without heavy obfuscation.
   - time is limited, a quick overview is needed.
CHAPTER 3

DYNAMIC ANALYSIS

   · executing a program/malware sample in a controlled environment to observe and understand its behavior
   · reveals runtime characteristics, including process creation, file system manipulation, network activity

TECHNIQUES

1. Sandboxing
   - virtualized environment where suspicious files are executed safely.
   - captures changes made by malware, including file modifications, network communications, and process creation.
   Why use sandboxing:
   - isolates malware from infecting other devices
   - allows observation of real-time behavior, including system calls, file changes, network traffic
   - often the first step in dynamic analysis to gather an understanding of the malware
   key components of sandboxing:
   * Virtualization: running malware inside a virtual machine to protect the host.
   * Logging mechanisms: tracks and records all actions in the environment (network connections, actions taken, errors encountered)

   HOW A SANDBOX WORKS:

   1. File Submission:
      - File input: the file is submitted to the sandbox for analysis; the file may be malicious or legitimate
      - Unknown nature: the file may be malware or goodware
      - PE file: common format for Windows executables; will be analyzed in a sandbox.

   2. Execution in a Sandbox:
      - Execution: the file is executed in an isolated, controlled environment, often a VM that emulates Windows or Linux
      - Isolation: the sandbox ensures all malicious behavior doesn't affect the real system
      - Monitoring: during execution, the sandbox monitors all of the file's actions:
        * file modification: creating, deleting, modifying system files
        * process creation: launching processes, or injecting code into existing processes
        * registry changes: modifying Windows registry keys
        * network activity: attempts to communicate with external servers or command-and-control servers.

   3. Generating the report
      - after the file completes its execution, the sandbox generates a report summarizing all observed behaviors.
      key metrics in the report:
      * file system changes: did the malware create/modify files?
      * network communications: did the malware communicate with an external IP or C2 server?
      * registry modification: were system configurations modified?
      * process injection: were any processes injected with malicious code?
      * malware identification: the file is classified as malware/goodware based on its behavior in the sandbox.
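The monitoring categories in step 2 and the key report metrics in step 3 above map directly onto a small report generator. The script below is an added example for these notes, not the output of any real sandbox product: it parses a constructed event log (one event per line, key=value fields), groups the events into the four monitored categories, raises findings for the behaviours the notes call out (persistence via a Run key, a dropped executable, C2 contact, process injection, self-deletion) and produces the malware/goodware verdict. The log format, the finding weights and the verdict threshold are all assumptions made for the example; the address and domain are from documentation-only ranges.

```python
import re
from typing import Dict, List

# Constructed sandbox event log for this example (not from a real sandbox):
# "<timestamp> <event_type> key=value ...", one event per line.
SAMPLE_LOG = r"""
2024-01-01T10:00:01 process_create pid=1234 image=C:\Users\analyst\Desktop\sample.exe parent=explorer.exe
2024-01-01T10:00:02 file_write pid=1234 path=C:\Users\analyst\AppData\Roaming\svc.exe
2024-01-01T10:00:02 registry_set pid=1234 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=svc
2024-01-01T10:00:03 network_connect pid=1234 dst=203.0.113.45:443 domain=updates.example.invalid
2024-01-01T10:00:04 process_inject pid=1234 target_pid=4321 target_image=explorer.exe api=WriteProcessMemory
2024-01-01T10:00:05 file_delete pid=1234 path=C:\Users\analyst\Desktop\sample.exe
"""

# Finding weights and the verdict threshold are assumptions for this example.
WEIGHTS = {"persistence": 3, "injection": 4, "c2_contact": 2,
           "dropped_executable": 2, "self_delete": 2}
MALWARE_THRESHOLD = 5
AUTOSTART_KEYS = ("\\currentversion\\run",)   # registry autostart locations


def parse_event(line: str) -> Dict[str, str]:
    """Split '<ts> <type> k=v k=v' into a flat dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"time": ts, "type": kind, **fields}


def _flag(report: Dict[str, object], finding: str, detail: str) -> None:
    report["findings"].append(f"{finding}: {detail}")
    report["score"] += WEIGHTS[finding]


def build_report(log_text: str) -> Dict[str, object]:
    """Group events into the notes' monitored categories and derive a verdict."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    report: Dict[str, object] = {
        "processes_created": [], "file_system_changes": [], "registry_modifications": [],
        "network_communications": [], "process_injection": [], "findings": [], "score": 0,
    }
    image_by_pid: Dict[str, str] = {}
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            image_by_pid[ev["pid"]] = ev["image"]
            report["processes_created"].append(ev["image"])
        elif t == "file_write":
            report["file_system_changes"].append(f"write {ev['path']}")
            p = ev["path"].lower()
            if p.endswith(".exe") and "\\appdata\\" in p:      # executable dropped in a user profile
                _flag(report, "dropped_executable", ev["path"])
        elif t == "file_delete":
            report["file_system_changes"].append(f"delete {ev['path']}")
            if ev["path"] == image_by_pid.get(ev["pid"]):       # sample removed its own binary
                _flag(report, "self_delete", ev["path"])
        elif t == "registry_set":
            report["registry_modifications"].append(ev["key"])
            if any(k in ev["key"].lower() for k in AUTOSTART_KEYS):
                _flag(report, "persistence", ev["key"])
        elif t == "network_connect":
            report["network_communications"].append(ev["dst"])
            _flag(report, "c2_contact", ev.get("domain", ev["dst"]))
        elif t == "process_inject":
            report["process_injection"].append(
                f"{ev['target_image']} (pid {ev['target_pid']}) via {ev['api']}")
            _flag(report, "injection", ev["target_image"])
    report["verdict"] = "malware" if report["score"] >= MALWARE_THRESHOLD else "goodware"
    return report


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The scoring is deliberately coarse: the point is that each report metric the notes list is backed by a specific event type, so a missing category in a real sandbox's output (no registry events, say) tells you what the sandbox could not observe rather than what the sample did not do.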
2. Debugging
   - analyzing a program by running it step by step, setting breakpoints, and examining its state.
   · key concepts in debugging:
     * breakpoints
     * stepping
     * code manipulation

   1. Breakpoints:

      1. Software breakpoints
         - tool that allows developers to pause code execution at a specific point
         How software breakpoints work:
         1. instruction replacement: the debugger modifies the code by replacing the instruction at the breakpoint location with INT3
         2. resumption: the debugger pauses to allow inspection of memory, registers, state
         When to use:
         1. suspicious functions: when you want to halt at a critical function such as CreateProcess or WriteFile
         2. system calls: to catch system calls requested by the malware

      2. Conditional breakpoints
         - halts the program only if a specified condition is true when the breakpoint is reached
         How conditional breakpoints work:
         * condition evaluation: when execution reaches the conditional breakpoint, the debugger evaluates the condition; if true, it pauses; if false, it continues
         * flexible monitoring: allows for more focused debugging, without constant halting
         When to use:
         * register or variable changes: only when a register contains a specific value
         * complex behavior: only when you want to halt under specific conditions

      3. Data breakpoints
         - monitors a specific memory address or variables and halts execution when the data is read, written or executed
         How data breakpoints work:
         * memory monitoring: the debugger continuously watches memory, pauses execution when the malware reads/writes it
         * variable tracking: tracks changes to variables in the stack, where malware manipulates sensitive data like encryption keys
         When to use:
         * heap and stack monitoring
         * data manipulation: track when a particular data structure in memory is modified by the malware

      4. Instruction breakpoints
         - halts execution when a specific instruction is executed; useful to monitor malware behavior at specific points.
         How instruction breakpoints work:
         * exact instruction halt: stop execution at a particular instruction (system calls, function calls)
         * instruction-level precision: allows tracking of how the malware interacts with system APIs or its own custom functions.
         When to use:
         * API calls: to monitor specific API calls: file manipulation (CreateFile), network communication (Send, Recv), process injection (CreateProcess)
         * system call monitoring: halts when the malware calls a sensitive system instruction that may perform critical actions (modifying/injecting code)

   2. Stepping:
      · executing code instructions one at a time; helps tracking the flow of the malware
      · Step-over: executes a single instruction without stepping into function calls.
      · Step-into: steps into a function call, allowing you to observe its execution in detail.

   3. Code manipulation:
      · modify the malware's code during runtime to observe how the changes affect behavior.

   debugging tools:
   · OllyDbg: 32-bit debugger that allows setting breakpoints, stepping through code, viewing memory states
   · similar to OllyDbg; supports 64-bit malware and modern OS
   · advanced debugger for analyzing both user-mode and kernel-mode malware
MEMORY ANALYSIS

   · examining a system's RAM for evidence of malicious activities
   · used to uncover evidence of malware injection, hidden processes, encrypted payloads.

KEY OBJECTIVES OF MEMORY ANALYSIS

   · discovering code injection: discovering injection of malicious code into the memory of a legitimate process space.
   · finding hidden processes: advanced malware may create hidden processes that don't appear in standard listings
   · decrypted payload injection: identifying a malicious payload that the malware has decrypted in memory
   · API calls: analyzing API calls from memory can reveal the real-time actions of the malware.

KEY MEMORY ARTIFACTS TO ANALYZE

   · processes and threads: identify hidden/unusual running processes
   · loaded modules: look for suspicious DLLs or code injected into processes
   · network connections: the malware's connections to external C2 servers can be identified through memory.
   · handles or descriptors: used to track file and registry access from memory.

TOOLS FOR MEMORY ANALYSIS:

   · Volatility: open-source forensics framework that can extract and analyze memory
   · Process Hacker: tool for real-time memory monitoring
   · Process Monitor: used for tracking real-time memory and file changes.

DYNAMIC MALWARE ANALYSIS - MONITORING MALWARE BEHAVIOR IN REAL TIME

   · file and process monitoring: capture file system changes, file creations, new processes
   · network traffic analysis: capturing traffic using Wireshark to detect command-and-control communication.
   · API call logging: to detect which system calls the malware relies on.

DIC SLIDE 22
