Malware Unicorn

twitter: @malwareunicorn
Company: Endgame, Inc.

Section 4: Triage Analysis


Depending on your workload, you want to spend the least amount of time determining what the malware is doing and how to get rid of it. Many malware analysts follow their own triage process, similar to triage in a hospital emergency room.

You will want to quickly narrow down specific information and indicators before moving on to deeper static and dynamic analysis.

This checklist should get you started:


Download the Unknown Malware

HERE

Password is “infected”


File Context and Delivery

When you receive the malware binary, it’s important to ask how the malware got there in the first place.

Questions to ask:

File Information & Header Analysis

Get Basic PE information

Collect Strings

Check AV vendors

Quick VM Detonation

Capture network information


Malware Analysis Report

You will want to capture this information throughout your investigation either through notes or report documents.

You can use the Malware Analysis Report template HERE


LAB 1

  1. Run the Victim VM
  2. Copy over the unknown file
  3. Check the file header by opening the file in the hex editor HxD
    • Notice the first 2 bytes are MZ, meaning it’s a PE binary
  4. Add the file extension .exe to the Unknown file so that it reads as Unknown.exe. Now right-click the file and select CFF Explorer to check the PE header
    • Note the imports it’s using
  5. Calculate the hash using quickhash, then go to virustotal.com and search for the hash
  6. Open the file in BinText and record any interesting strings
  7. Quick Detonation

The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM’s internet traffic is captured by the Sniffer VM.


On the Sniffer VM, open the terminal and run sudo wireshark to start Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running; see the fundamentals in Section 1 for how to start InetSim.

On the Victim VM open the SysInternals procmon.exe and procexp.exe so that we can monitor filesystem and process events.


Go ahead and detonate the malware.

On the Sniffer VM, look for an HTTP request. Right-click it and select Follow->TCP Stream. It will display the HTTP GET request that was sent by the malware.
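
Steps 3 to 6 of the lab (header check, hash, strings) can also be scripted for a first pass without executing the file. The Python below is an added example, not part of the original workshop material; the function names triage and build_sample, the sample buffer and its strings are constructed for illustration, and import-table parsing as shown in CFF Explorer is left out.

```python
import hashlib
import re
import struct

def triage(data: bytes, min_len: int = 5) -> dict:
    """Static triage of a file's bytes; the sample is never executed."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # value to search on VirusTotal
        "size": len(data),
        "is_mz": data[:2] == b"MZ",
        "is_pe": False,
    }
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature.
    if report["is_mz"] and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # The COFF file header follows the signature.
            machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
            report.update(is_pe=True, machine=hex(machine),
                          sections=nsections, timestamp=timestamp)
    # Printable ASCII runs and UTF-16LE ("wide") runs, as a strings tool lists them.
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    strings = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    strings += [m.decode("utf-16le") for m in re.findall(wide_re, data)]
    report["strings"] = strings
    # Strings that look like network indicators, worth recording in the report.
    report["net_strings"] = [s for s in strings
                             if re.search(r"https?://|User-Agent", s, re.I)]
    return report

def build_sample() -> bytes:
    """Constructed, inert PE-like buffer (not the workshop sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset of "PE\0\0"
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5A000000, 0, 0, 0xE0, 0x102)
    body = (b"\x00\x01\x02InternetOpenA\x00\xff\xfehttp://example.invalid/a.php\x00\x00"
            + "RegSetValueExW".encode("utf-16le") + b"\x00\x00")
    return bytes(dos) + coff + body

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

To use it on a real file, read the bytes inside the analysis VM and pass them to triage().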

