2) Blackboxing, Packers and Internet Resources

Question 1

What are the basic details you can find with static analysis?

Answer 1

• File size
• MD5 hash
• Fuzzy hash
• Entropy
• Type of packer
• strings
• Import / Exports
• Ressource Segments
• API analysis
• online AV test like virustotal.com

Question 2

Name tools to do Static Analysis.

Answer 2

• PEstudio
• strings
• Dependency Walker
• PEiD
• Detect It Easy
• Resource Hacker

Question 3

What are PE files?

Answer 3

EXE, DLL, SYS, DRV

Question 4

What are APIs?

Answer 4

Application Programming Interface. A sub-routine of a program that is made accessible for other programs.

Question 5

What is meant by packing?

Answer 5

Packing is used to compress a file. Taking the code an compress it. File size is getting smaller and the code is harder to read / to reverse engineer

Question 6

Why is malware sometimes packed?

Answer 6

To hide what the malware actually does on a system. To make it harder to read the code.

Question 7

Name a tool to analyze packed malware.

Answer 7

Detect it Easy, ExeinfoPE

Question 8

What is Entropy? Name a tool to check entropy of a file.

Answer 8

Entropy is the randomness of data. If one section of a PE file has a high entropy, this could be an indication of maleware. Packers will change code in a way that the packed section will have a high entropy. First section is normally the unpacker code and second section the packed code.

Question 9

What is static unpacking?

Answer 9

Reverse algorithm used by packer.

Question 10

Name the six stages of blackboxing. Per stage, name tools which can be used.

Answer 10

• Change Monitoring: RegShot or OSForensics
• Registry: RegShot
• File: OSForensics
• Ports: netstat
• Network: Wireshark, FakeNET-NG
• Processes: Process Explorer

Question 11

What are common Registry keys for malware to alter?

Answer 11

• Firewall
• Autorun
• Hidden Files
• CLSID
• Browser Helper Objects
• Internet Search Settings
• Other Internet Settings (Startup)
• Windows Run Keys
• Winlogon shell

Question 12

What are common folders malware can be found?

Answer 12

• %WINDIR%
• %WINDIR%\system32
• %WINDIR%\system32\config\hosts
• %PROGRAMFILES%
• %APPDATA%
• RecycleBin
• User Startup

Question 13

How can you analyze a DLL during blackboxing?

Answer 13

rundll32.exe name.dll,test

Question 14

Name the six Windows Registry hives.

Answer 14

• HKLM
• HKCU
• HKU
• HKCR
• HKCurrent Config
• HK Performance Data

Question 15

What are BHOs?

Answer 15

Browser Helper Objects, add-ons for IE like additional search bars.

Question 16

What are the most common registry keys for malware to change?

Answer 16

• Firewall: On and Off
• Browser: Start page, default search page
• Autorun: Automatic startup after reboot or login
• CLSID: Covering as legit programm
• Hidden Files: Hide file extension that malware looks as a folder
• BHO

Question 17

With what tool can you intercept network traffic?

Answer 17

Wireshark

Question 18

What is ProcDoc

Answer 18

Tool to visualize Network flow and Process activities

Question 19

Another name for Blackboxing is?

Answer 19

Behaviour Analysis

Question 20

Name some malware self-defense tricks.

Answer 20

• Restrict access to security sites
• Delete/kill security processes / tasks / executables
• Anti-Debugging tricks to avoid reverse engineering
• Packed malware Detected VM (Process, Files, Memory analysis, special CPU instructions, hardware)
• Wait time till execution
• Loading of key payload at a later time
• Use rootkits

Question 21

How does malware detect VMs?

Answer 21

• Small disk space
• small RAM
• VM tools installed
• VM processes running
• artefacts in the registry
• processes running in memory
• MAC address belongs to VMware
• Send specially CPU instructions

Question 22

Name a tool to perform API Monitoring.

Answer 22

API Monitor 2.0 by rohitab

Question 23

What is an API call?

Answer 23

API stands for Application Programming Interface. APIs are code subroutine that one program provides to other programs. Windows API calls in rundll32.exe, shell32.exe or kernel32.dll are very common.

Question 24

Name some good internet resources.

Answer 24

• robtex.com
• virustotal.com
• hybrid-analysis.com

Question 25

Name a few online sandboxes

Answer 25

• cuckoosandbox.org
• app.any.run

Question 26

What is Google Dorking?

Answer 26

Google Dorking is a term used for advanced search techniques in Google. It’s also known as Google Hacking. Advanced search parameters like: intitle:, intext:, filetype:, are used for Dorking. One of the main goals is to use Google for Hacking purposes by finding security holes in configuration or sensitive information for unauthorized access

Question 27

What is website rating? Name a online platform for this.

Answer 27

Website rating tells a user how dangerous it is to connect to a website. There are various online services available where you can check a URL, like urlvoid.com.

Question 28

What is the difference between packed malware and a non-packed malware?

Answer 28

Packed malware has a higher entropy. At least the section/segment that contains the payload. Has different section names.

Question 29

What are typical RegShots findings?

Answer 29

• Disables AV
• Disables Updates
• Disables Task Manager
• Disable Firewall
• Disable Windows Security Center
• Disables AV Notification
• Disables Update Notification (wscsvc)
• Disables Control Panel
• Disables Regedit
• Disables Admin approval popups (LUA)
• Changes Host Files
• Survive reboot by changing Runkeys/Winlogon

Question 30

How can attackers use a list of IP from security sites?

Answer 30

Malware behave differently, C&C servers refuse all connections from such IP, Carry out DDOS attacks againsts IPs.

Question 31

How can an attacker collect a list of IP from security sites?

Answer 31

Design malware to profile systems it runs on. Only send malware to sandboxes and security sites but not into the wild..