2) Blackboxing, Packers and Internet Resources Flashcards
What are the basic details you can find with static analysis?
- File size
- MD5 / SHA-256 hash
- Fuzzy hash (e.g. ssdeep), to find near-identical variants
- Entropy (overall and per section)
- Type of packer / compiler
- Strings (ASCII and UTF-16)
- Imports / Exports
- Resource sections
- Imported API analysis (what the sample is able to do)
- Online multi-engine AV scan, e.g. virustotal.com
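Added example, not part of the original flashcards: a small static-triage script that produces the hashes and strings from the list above. The sample bytes are constructed for this example (the 203.0.113.10 address is a documentation range), and the indicator patterns and the API list are this example's own choices, not a complete list. A fuzzy hash needs the third-party ssdeep module and is left out.

```python
import hashlib
import re

# Constructed sample "file" for this example (not a real malware sample): MZ header
# bytes, a download URL, a persistence registry path, a UTF-16LE command line,
# two API names and some non-text filler.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(8, 32))
          + b"http://203.0.113.10/update.bin\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
          + "cmd.exe /c schtasks /create".encode("utf-16-le") + b"\x00\x00"
          + b"URLDownloadToFileA\x00WriteProcessMemory\x00"
          + bytes(i * 37 % 251 for i in range(200)))

# String categories worth a second look during triage. The API names are a small
# illustrative subset chosen for this example.
INDICATORS = {
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"^(?:HK\w+|Software)\\", re.IGNORECASE),
    "suspicious_api": re.compile(r"^(?:URLDownloadToFile|WriteProcessMemory|CreateRemoteThread|"
                                 r"VirtualAllocEx|SetWindowsHookEx|IsDebuggerPresent)\w*$"),
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for lookups on VirusTotal and similar services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Equivalent of `strings` plus `strings -el`: runs of printable ASCII, and runs
    of printable ASCII interleaved with NUL bytes (UTF-16LE), which plain `strings`
    misses and which Windows binaries use for most of their text."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "utf16le": [m.group().decode("utf-16-le") for m in wide_re.finditer(data)],
    }


def triage_strings(strings: dict) -> dict:
    """Bucket every extracted string by the indicator patterns it matches."""
    found = {category: [] for category in INDICATORS}
    for s in strings["ascii"] + strings["utf16le"]:
        for category, pattern in INDICATORS.items():
            if pattern.search(s):
                found[category].append(s)
    return found


def static_triage(data: bytes) -> dict:
    """Size, hashes, string count and categorised strings: a very low string count
    on a sizeable file is itself a hint that the sample is packed."""
    strings = extract_strings(data)
    return {"size": len(data), "hashes": file_hashes(data),
            "string_count": len(strings["ascii"]) + len(strings["utf16le"]),
            "indicators": triage_strings(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(static_triage(SAMPLE), indent=2))
```

The UTF-16 pass is the part worth remembering: a command line or URL stored as a wide string is invisible to the default `strings` run, and the same regex trick is what `strings -el` and PEstudio's string view do.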
Name tools to do Static Analysis.
- PEstudio
- strings
- Dependency Walker
- PEiD
- Detect It Easy
- Resource Hacker
What are PE files?
Files in the Windows Portable Executable format: EXE, DLL, SYS, DRV. They share the same header layout (DOS header, PE signature, COFF and optional headers, section table), so the same static tools work on all of them.
What are APIs?
Application Programming Interface: a subroutine (function) that one program exposes so other programs can call it. On Windows the most important APIs are the exported functions of system DLLs such as kernel32.dll.
What is meant by packing?
Packing compresses (and often encrypts) an executable's code and data. The file gets smaller and the original code is no longer readable on disk, which makes it harder to reverse engineer; the packed file carries a small stub that restores the original code in memory at run time.
Why is malware sometimes packed?
To hide what the malware actually does on a system and to make the code harder to read. Packing also changes the file's hash, strings and imports, which defeats simple signature-based detection.
Name a tool to analyze packed malware.
Detect it Easy, ExeinfoPE
What is Entropy? Name a tool to check entropy of a file.
Entropy is the randomness of data; for a byte stream it ranges from 0 to 8 bits per byte. Compressed or encrypted data has entropy close to 8, so a PE section with high entropy is a sign that the file is packed, which in turn is a hint (not proof) of malware. In a packed file one section typically holds the small unpacking stub (low entropy) and another the compressed payload (high entropy). Tools: Detect It Easy (DIE) shows per-section entropy; PEstudio also reports it.
What is static unpacking?
Reversing the packer's algorithm so the original code can be recovered (decompressed / decrypted) without executing the sample; the alternative is dynamic unpacking, letting the stub run and dumping the unpacked code from memory.
Name the six stages of blackboxing. Per stage, name tools which can be used.
- Change Monitoring: RegShot or OSForensics
- Registry: RegShot
- File: OSForensics
- Ports: netstat (netstat -ano, to tie listening ports to process IDs)
- Network: Wireshark, FakeNet-NG
- Processes: Process Explorer
What are common Registry keys for malware to alter?
- Firewall
- Autorun
- Hidden Files
- CLSID
- Browser Helper Objects
- Internet Search Settings
- Other Internet settings (e.g. proxy)
- Windows Run Keys
- Winlogon shell
What are common folders malware can be found?
- %WINDIR%
- %WINDIR%\system32
- %WINDIR%\system32\drivers\etc\hosts (the hosts file)
- %PROGRAMFILES%
- %APPDATA%
- Recycle Bin ($Recycle.Bin)
- User Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
How can you analyze a DLL during blackboxing?
rundll32.exe name.dll,ExportName ("test" in the original card is a placeholder for an export name; list the real exports first with PEstudio or Dependency Walker). rundll32 loads the DLL, which runs DllMain, and then calls the named export, so even a wrong export name still executes DllMain.
Name the six Windows Registry hives.
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_CURRENT_USER (HKCU)
- HKEY_USERS (HKU)
- HKEY_CLASSES_ROOT (HKCR)
- HKEY_CURRENT_CONFIG (HKCC)
- HKEY_PERFORMANCE_DATA (HKPD)
Strictly these are root keys; HKCU, HKCR and HKCC are views into HKU and HKLM, and the on-disk hives are files such as SYSTEM, SOFTWARE and NTUSER.DAT.
What are BHOs?
Browser Helper Objects: Internet Explorer add-on DLLs (toolbars, search bars) that are loaded into every browser process, a classic foothold for adware and credential-stealing malware.
What are the most common registry keys for malware to change?
- Firewall: on / off (EnableFirewall)
- Browser: start page, default search page
- Autorun: automatic start after reboot or login (Run keys)
- CLSID: hijacking a COM class ID so the malware is loaded in place of a legitimate component
- Hidden files: hiding file extensions and hidden files so the malware looks like a folder or document (HideFileExt, Hidden)
- BHO: registering a Browser Helper Object
With what tool can you intercept network traffic?
Wireshark
What is ProcDOT?
A tool that visualises a Process Monitor log together with a network capture as a graph of process activity and network flow.
Another name for Blackboxing is?
Behaviour analysis (dynamic analysis)
Name some malware self-defense tricks.
- Block access to security vendor sites (e.g. via the hosts file)
- Kill security processes / tasks and delete their executables
- Anti-debugging tricks to hinder reverse engineering
- VM / sandbox detection (processes, files, registry artefacts, memory, special CPU instructions, hardware)
- Delayed execution (sleep until the sandbox times out)
- Loading the key payload later, from the network
- Rootkits to hide files, processes and network connections
How does malware detect VMs?
- Small disk
- Little RAM, few CPU cores
- VM guest tools installed (files, drivers, services)
- VM-specific processes running (vmtoolsd.exe, VBoxService.exe)
- Artefacts in the registry (guest-tools keys, BIOS / ACPI strings)
- Known VM modules and drivers loaded in memory
- MAC address with a VMware or VirtualBox OUI
- Special CPU instructions: CPUID reports a hypervisor-present bit and a vendor string, and timing of instructions such as RDTSC differs under virtualization
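Added example, not from the original flashcards, that scores a host description the way anti-analysis code does, using the checks listed above. The MAC OUIs, process, file and registry markers and CPUID vendor strings are the usual VMware / VirtualBox fingerprints; the thresholds (RAM, disk, cores, number of hits) and both host profiles are this example's own assumptions. Python cannot execute CPUID portably, so the profile carries the CPUID results as fields the malware would have read. The same list, read the other way round, is the checklist for hardening an analysis VM.

```python
# Artefacts anti-analysis code looks for. Lists are illustrative, not exhaustive.
VM_MAC_OUI = {"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
              "00:50:56": "VMware", "08:00:27": "VirtualBox"}
VM_PROCESSES = {"vmtoolsd.exe": "VMware Tools", "vmwaretray.exe": "VMware Tools",
                "vboxservice.exe": "VirtualBox Guest Additions",
                "vboxtray.exe": "VirtualBox Guest Additions"}
VM_FILES = {r"c:\windows\system32\drivers\vmmouse.sys": "VMware",
            r"c:\windows\system32\drivers\vmhgfs.sys": "VMware",
            r"c:\windows\system32\drivers\vboxmouse.sys": "VirtualBox",
            r"c:\windows\system32\drivers\vboxguest.sys": "VirtualBox"}
VM_REGISTRY_MARKERS = ("vmware", "vbox", "virtualbox", "qemu")
# Vendor string returned by CPUID leaf 0x40000000 (EBX:ECX:EDX) under common hypervisors.
HYPERVISOR_VENDORS = {"VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox",
                      "KVMKVMKVM": "KVM", "Microsoft Hv": "Hyper-V", "XenVMMXenVMM": "Xen"}

# Thresholds are assumptions for this example; real families use a range of values.
MIN_RAM = 4 * 1024 ** 3
MIN_DISK = 80 * 1024 ** 3


def vm_indicators(profile: dict) -> list:
    """Return every VM artefact found in `profile`, a dict holding what the malware
    would gather through the Windows memory, disk, adapter, process, file and
    registry APIs plus the two CPUID results."""
    hits = []
    if profile.get("ram_bytes", 0) < MIN_RAM:
        hits.append("less than 4 GiB RAM")
    if profile.get("disk_bytes", 0) < MIN_DISK:
        hits.append("less than 80 GiB disk")
    if profile.get("cpu_count", 1) < 2:
        hits.append("single CPU core")
    for mac in profile.get("mac_addresses", ()):
        vendor = VM_MAC_OUI.get(mac.lower()[:8])
        if vendor:
            hits.append(f"MAC {mac} has a {vendor} OUI")
    for proc in profile.get("processes", ()):
        if proc.lower() in VM_PROCESSES:
            hits.append(f"process {proc} ({VM_PROCESSES[proc.lower()]})")
    for path in profile.get("files", ()):
        if path.lower() in VM_FILES:
            hits.append(f"file {path} ({VM_FILES[path.lower()]})")
    for key, value in profile.get("registry", {}).items():
        blob = f"{key}={value}".lower()
        if any(marker in blob for marker in VM_REGISTRY_MARKERS):
            hits.append(f"registry {key} = {value}")
    if profile.get("cpuid_hypervisor_bit"):
        hits.append("CPUID leaf 1 ECX bit 31 (hypervisor present) set")
    vendor = HYPERVISOR_VENDORS.get(profile.get("cpuid_vendor", "").rstrip("\0"))
    if vendor:
        hits.append(f"CPUID leaf 0x40000000 vendor string: {vendor}")
    return hits


def is_likely_vm(profile: dict, min_hits: int = 2) -> bool:
    """Malware usually bails out once a couple of independent checks agree."""
    return len(vm_indicators(profile)) >= min_hits


# Constructed profiles: a default VMware analysis box and a physical workstation.
LAB_VM = {
    "ram_bytes": 2 * 1024 ** 3, "disk_bytes": 40 * 1024 ** 3, "cpu_count": 1,
    "mac_addresses": ["00:0C:29:4A:1B:2C"],
    "processes": ["explorer.exe", "vmtoolsd.exe", "procmon.exe"],
    "files": [r"C:\Windows\System32\drivers\vmmouse.sys"],
    "registry": {"HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools\\InstallPath":
                 "C:\\Program Files\\VMware\\VMware Tools"},
    "cpuid_hypervisor_bit": True, "cpuid_vendor": "VMwareVMware",
}
PHYSICAL_HOST = {
    "ram_bytes": 32 * 1024 ** 3, "disk_bytes": 1024 ** 4, "cpu_count": 8,
    "mac_addresses": ["A4:5E:60:11:22:33"], "processes": ["explorer.exe"],
    "files": [], "registry": {}, "cpuid_hypervisor_bit": False, "cpuid_vendor": "",
}

if __name__ == "__main__":
    for name, prof in (("lab VM", LAB_VM), ("physical host", PHYSICAL_HOST)):
        print(name, is_likely_vm(prof), vm_indicators(prof))
```

To make a sandbox survive these checks, each line of `vm_indicators` names something to change: more RAM and disk, two or more cores, a non-VMware MAC, renamed guest-tools processes and drivers, and, hardest of all, the CPUID results, which need hypervisor-side configuration rather than guest tweaks.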
Name a tool to perform API Monitoring.
API Monitor v2 by rohitab.com
What is an API call?
API stands for Application Programming Interface. APIs are code subroutines that one program provides to other programs. Windows API calls into system DLLs such as kernel32.dll, shell32.dll, advapi32.dll or ntdll.dll are very common in malware, and the set of imported APIs says a lot about what a sample can do.
Name some good internet resources.
- robtex.com
- virustotal.com
- hybrid-analysis.com
Name a few online sandboxes
- cuckoosandbox.org (Cuckoo Sandbox, open source; you run your own instance)
- app.any.run
What is Google Dorking?
Google Dorking, also known as Google Hacking, is the use of advanced search operators such as intitle:, intext:, inurl: and filetype: to find exposed files, configuration mistakes or sensitive information that can be used for unauthorized access.
What is website rating? Name a online platform for this.
Website rating tells a user how dangerous it is to connect to a website. There are various online services available where you can check a URL, like urlvoid.com.
What is the difference between packed malware and a non-packed malware?
Packed malware has higher entropy, at least in the section that contains the compressed payload. Its section names are often non-standard (e.g. UPX0 / UPX1 instead of .text / .data), its import table is tiny (typically little more than LoadLibrary and GetProcAddress, the rest is resolved at run time), and strings output shows little of meaning.
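Added example, not from the original flashcards, that ties the entropy card and the packed-vs-unpacked card together: it builds two tiny PE-like images, walks their section tables, computes per-section Shannon entropy and reports the packer indicators described above. The image builder, the high-entropy filler, the packer section-name list and the 7.0 threshold are this example's assumptions; the images are not loadable, they only give the parser a realistic section table to walk. The parser itself reads the real PE header offsets and works on an actual file read into `bytes`.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by common packers (UPX, ASPack, MPRESS, VMProtect).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_minimal_pe(sections) -> bytes:
    """Constructed toy PE: DOS header, PE signature, COFF header (no optional
    header) and a section table followed by raw section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    headers_len = e_lfanew + 4 + len(coff) + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF          # 0x200 file alignment
    table, body = b"", b""
    for name, data, virtual_size in sections:
        vsize = len(data) if virtual_size is None else virtual_size
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, 0x1000,
                             len(data), first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data + b"\x00" * (-len(data) % 0x200)
    header = dos + b"PE\x00\x00" + coff + table
    return header + b"\x00" * (first_raw - len(header)) + body


def parse_sections(pe: bytes) -> list:
    """Walk the section table (real PE offsets) and compute each section's entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size
    result = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        result.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                       "virtual_size": vsize, "raw_size": raw_size,
                       "entropy": round(shannon_entropy(raw), 2)})
    return result


def packing_indicators(sections: list, threshold: float = 7.0) -> list:
    """Traces a packer leaves: known section names, high-entropy raw data, and a
    section that is empty on disk but large in memory (the unpacking target)."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: known packer section name")
        if s["entropy"] >= threshold:
            hits.append(f"{s['name']}: entropy {s['entropy']} >= {threshold}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: 0 bytes on disk, {s['virtual_size']:#x} bytes in memory")
    return hits


# Constructed samples: a plain code/data layout vs. a UPX-style layout.
CLEAN_PE = build_minimal_pe([(b".text", b"\x55\x89\xe5\x83\xec\x10\x8b\x45\x08" * 400, None),
                             (b".data", b"hello, world\x00" * 100, None)])
PACKED_PE = build_minimal_pe([(b"UPX0", b"", 0x20000),
                              (b"UPX1", pseudo_random_bytes(4096), None)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        secs = parse_sections(pe)
        print(label, secs)
        print("  indicators:", packing_indicators(secs) or "none")
```

The empty-on-disk UPX0 section is the detail worth noticing: the stub in UPX1 decompresses the original program into it at run time, which is why dumping memory after the stub has finished recovers the unpacked code.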
What are typical RegShots findings?
- Disables AV
- Disables updates
- Disables Task Manager (DisableTaskMgr)
- Disables the firewall (EnableFirewall = 0)
- Disables Windows Security Center (wscsvc service)
- Disables AV notifications
- Disables update notifications
- Disables Control Panel
- Disables Regedit (DisableRegistryTools)
- Disables UAC admin-approval prompts (EnableLUA = 0)
- Changes the hosts file
- Survives reboot by changing Run keys / Winlogon
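Added example, not from the original flashcards: a RegShot-style comparison of two registry snapshots, followed by a lookup of the changed paths against the persistence and self-defence keys the cards list. The registry paths in the rules are the standard locations for those settings; the two snapshots are constructed for this example (including one unrelated MRU change of the kind that shows up as noise in every RegShot diff).

```python
# (rule path, description, data values that make the change suspicious; None = any change counts)
RULES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "persistence: machine Run key", None),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "persistence: user Run key", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "persistence: Winlogon shell replaced", None),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "self-defence: Task Manager disabled", {"1"}),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "self-defence: Regedit disabled", {"1"}),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "self-defence: UAC (LUA) prompts off", {"0"}),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "self-defence: firewall off", {"0"}),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start", "self-defence: Security Center service disabled", {"4"}),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "disguise: file extensions hidden", {"1"}),
]


def diff_snapshots(before: dict, after: dict) -> dict:
    """RegShot-style comparison of two {key\\value: data} snapshots."""
    added = {p: after[p] for p in sorted(after.keys() - before.keys())}
    removed = {p: before[p] for p in sorted(before.keys() - after.keys())}
    modified = {p: (before[p], after[p]) for p in sorted(before.keys() & after.keys())
                if before[p] != after[p]}
    return {"added": added, "removed": removed, "modified": modified}


def classify(diff: dict) -> list:
    """Map added/modified paths to the known persistence and self-defence keys.
    Matching is case-insensitive; a rule path also covers values beneath it."""
    findings = []
    changes = dict(diff["added"])
    changes.update({p: new for p, (_old, new) in diff["modified"].items()})
    for path, data in changes.items():
        lowered = path.lower()
        for rule_path, description, bad_values in RULES:
            rp = rule_path.lower()
            if lowered == rp or lowered.startswith(rp + "\\"):
                if bad_values is None or str(data) in bad_values:
                    findings.append((path, str(data), description))
    return findings


def report(before: dict, after: dict) -> dict:
    """Findings plus the changes nothing matched, which still deserve a manual look."""
    diff = diff_snapshots(before, after)
    findings = classify(diff)
    flagged = {p for p, _, _ in findings}
    noise = sorted(p for p in list(diff["added"]) + list(diff["modified"]) if p not in flagged)
    return {"findings": findings, "unclassified": noise}


# Constructed snapshots: before and after running the sample.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "1",
    r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start": "2",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "00 00 00 00",
}
AFTER = dict(BEFORE)
AFTER.update({
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater": r"C:\Users\lab\AppData\Roaming\svchost.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "0",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start": "4",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": "1",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "01 00 00 00",  # analyst noise
})

if __name__ == "__main__":
    for line in report(BEFORE, AFTER)["findings"]:
        print(*line, sep="  |  ")
    print("unclassified:", report(BEFORE, AFTER)["unclassified"])
```

Real RegShot output is a text file with "Values added" / "Values modified" blocks; the same rule table applies once those lines are parsed into the `{path: data}` shape used here. The `bad_values` column matters: EnableLUA going from 0 back to 1 is a repair, not an attack, and should not be flagged.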
How can attackers use a list of IP from security sites?
The malware behaves differently (or stays dormant) on those IPs, C&C servers refuse all connections from them, or the attacker runs DDoS attacks against them.
How can an attacker collect a list of IP from security sites?
Design the malware to profile the systems it runs on and report back, then seed the sample only to sandboxes and security sites instead of releasing it in the wild, so every IP that reports in belongs to an analysis system.