2) Blackboxing, Packers and Internet Resources Flashcards
What are the basic details you can find with static analysis?
- File size
- MD5 hash
- Fuzzy hash
- Entropy
- Type of packer
- strings
- Import / Exports
- Resource Segments
- API analysis
- Online AV tests like virustotal.com
Name tools to do Static Analysis.
- PEstudio
- strings
- Dependency Walker
- PEiD
- Detect It Easy
- Resource Hacker
What are PE files?
EXE, DLL, SYS, DRV
What are APIs?
Application Programming Interface. A sub-routine of a program that is made accessible to other programs.
What is meant by packing?
Packing is used to compress a file: the code is taken and compressed. The file size gets smaller and the code is harder to read / to reverse engineer.
Why is malware sometimes packed?
To hide what the malware actually does on a system. To make it harder to read the code.
Name a tool to analyze packed malware.
Detect It Easy, ExeinfoPE
What is Entropy? Name a tool to check entropy of a file.
Entropy is the randomness of data. If one section of a PE file has high entropy, this could be an indication of malware. Packers change code in a way that the packed section has high entropy. The first section is normally the unpacker code and the second section the packed code.
What is static unpacking?
Reverse the algorithm used by the packer.
Name the six stages of blackboxing. Per stage, name tools which can be used.
- Change Monitoring: RegShot or OSForensics
- Registry: RegShot
- File: OSForensics
- Ports: netstat
- Network: Wireshark, FakeNET-NG
- Processes: Process Explorer
What are common Registry keys for malware to alter?
- Firewall
- Autorun
- Hidden Files
- CLSID
- Browser Helper Objects
- Internet Search Settings
- Other Internet Settings (Startup)
- Windows Run Keys
- Winlogon shell
What are common folders in which malware can be found?
- %WINDIR%
- %WINDIR%\system32
- %WINDIR%\system32\config\hosts
- %PROGRAMFILES%
- %APPDATA%
- RecycleBin
- User Startup
How can you analyze a DLL during blackboxing?
rundll32.exe name.dll,test
Name the six Windows Registry hives.
- HKLM
- HKCU
- HKU
- HKCR
- HKCurrent Config
- HK Performance Data
What are BHOs?
Browser Helper Objects, add-ons for IE like additional search bars.
What are the most common registry keys for malware to change?
- Firewall: On and Off
- Browser: Start page, default search page
- Autorun: Automatic startup after reboot or login
- CLSID: Posing as a legitimate program
- Hidden Files: Hide file extensions so that the malware looks like a folder
- BHO
With what tool can you intercept network traffic?
Wireshark
What is ProcDOT?
Tool to visualize network flow and process activities
Another name for Blackboxing is?
Behaviour Analysis
Name some malware self-defense tricks.
- Restrict access to security sites
- Delete/kill security processes / tasks / executables
- Anti-Debugging tricks to avoid reverse engineering
- Packed malware
- Detect VMs (processes, files, memory analysis, special CPU instructions, hardware)
- Waiting time before execution
- Loading of key payload at a later time
- Use rootkits
How does malware detect VMs?
- Small disk space
- Small RAM
- VM tools installed
- VM processes running
- Artefacts in the registry
- Processes running in memory
- MAC address belongs to VMware
- Send special CPU instructions
Name a tool to perform API Monitoring.
API Monitor 2.0 by rohitab
What is an API call?
API stands for Application Programming Interface. APIs are code subroutines that one program provides to other programs. Windows API calls in rundll32.exe, shell32.exe or kernel32.dll are very common.
Name some good internet resources.
- robtex.com
- virustotal.com
- hybrid-analysis.com