Malware Analysis Theory

Question 1

Which teams perform malware analysis?

Answer 1

• Security Operations
  
  • teams analyze malware to write detections for malicious activity in their networks
• Incident Response
  
  • analyze malware to determine what damage has been done to an environment to remediate and revert that damage
• Threat Hunt
  
  • analyze malware to identify IOCs, which they use to hunt for malware in a network
• Malware Researchers
  
  • in security product vendor teams analyze malware to add detections for them in their security products
• Threat Research
  
  • teams in OS Vendors like Microsoft and Google analyze malware to discover the vulnerabilities exploited and add more security features to the OS/applications

Question 2

What are the rules for handling malware in a safe environment?

Answer 2

1. Never analyze malware or suspected malware on a machine that does not have the sole purpose of analyzing malware
2. When not analyzing or moving malware samples around to different locations, always keep them in password-protected zip/rar or other archives so that we can avoid accidental detonation
3. Only extract the malware from this password-protected archive inside the isolated environment, and only when analyzing it.
4. Create an isolated VM specifically for malware analysis, which has the capability of being reverted to a clean slate once you are done.
5. Ensure that all internet connections are closed or at least monitored.
6. Once you are done with malware analysis, revert the VM to its clean slate for the next malware analysis session to avoid residue from a previous malware execution corrupting the next one.

Question 3

How are executable files often called?

Answer 3

binary or PE (Portable Executable) file

Question 4

What happens during static malware analysis?

Answer 4

malware is analyzed without being executed

Question 5

What are some of the examples of static malware analysis tasks?

Answer 5

• hecking for strings in malware
• checking the PE header for information related to different sections
• looking at the code using a disassemble

Question 6

What happens during dynamic malware analysis?

Answer 6

running the malware in a VM, either in a manual fashion with tools installed to monitor the malware’s activity or in the form of sandboxes that perform this task automatically

Question 7

What is the Linux distribution built for malware analysis?

Answer 7

Remnux VM

Question 8

Which command is used to detect the actial file type in Linux?

Answer 8

file

Question 9

Which Linux command lists down the printable strings present in a file?

Answer 9

strings {filename}

Question 10

What can the strings command reveal?

Answer 10

embedded text such as URLs, file paths, error messages, Windows API calls or even specific keywords

Question 11

What can’t be breached when uploading malware sample to a third party malware analyzer?

Answer 11

confidentiality (malware may contain sensitive information specific to a targeted company)

Question 12

Which Linux command is used to calculate an MD5 checksum?

Answer 12

md5sum

Question 13

What Linux command is used to find out what’s the access, modify, change and potentially birth time of a file?

Answer 13

stat

Question 14

What do most PE files use to perform bulk of their jobs?

Answer 14

Windows API

Question 15

What is entropy?

Answer 15

measure of randomness or unpredictability in a dataset, such as a file or network traffic

Question 16

What is high entropy usually associated to?

Answer 16

encrypted or compressed data, where the content appears random and lacks obvious patterns or structure

Question 17

Why is entropy important for malware analysis?

Answer 17

analyzing the entropy of files can help identify potential malware, especially in file formats that are not typically highly randomized, like executable files

Question 18

Which Linux tool is used for PE file analysis?

Answer 18

pecheck

Question 19

What is the name of a GUI-based tool used to analyze PE files?

Answer 19

pe-tree

Question 20

What is the entropy value range?

Answer 20

typically range from 0 to 8, corresponding to the number of bits in a byte

Question 21

What are Low Entropy values? What do they suggest?

Answer 21

• values are near 0
• suggests very little randomness, with many repeating patterns
• typical for simple text files or files with lots of redundant data

Question 22

What are Medium Entropy values? What do they suggest?

Answer 22

• values are around 4-6
• common for normal executable code and data
• suggest a mix of structured data and some randomness

Question 23

What are High Entropy Values? What do they suggest?

Answer 23

• values are close to 8
• indicate a high degree of randomness, similar to what you would expect from encrypted or compressed data
• little to no visible pattern or structure

Question 24

Which open-source sandbox is the most widely known sandbox in the malware analysis community?

Answer 24

Cuckoo’s Sandbox

Question 25

What is the issue with Cuckoo’s Sandbox?

Answer 25

• it has been archived, and an update is pending
• doesn’t support Python 3, making it obsolete right now

Question 26

Which sandbox is the more advanced version of Cuckoo’s sandbox?

Answer 26

CAPE Sandbox

Question 27

Describe the CAPE Sandbox - what is supports and who is it used by

Answer 27

• supports debugging and memory dumping to support the unpacking of packed malware
• used by experienced engineers - advanced knowledge is required for making full use of it
• so far actively developed and supports Python 3

Question 28

What are some of the common online sandboxes?

Answer 28

• Online Cuckoo Sandbox
• Online CAPE Sandbox
• Any.run
• Intezer
• Hybrid Analysis

Question 29

Why is malware packing used by the attackers?

Answer 29

to make it difficult to analyze malware statically

Question 30

What happens when strings search is ran against a packed malware?

Answer 30

no important information is shown

Question 31

What are the techniques that malware uses for sandbox evasion?

Answer 31

• long sleep calls
  
  • malware is programmed to not to perform any activity for a long time after execution
  • purpose of this technique is to time out the sandbox
• user inactivity detecion
  
  • wait for user activity before performing malicious activity based on the premise that there will be no user in a sandbox
  • advanced malware also detects patterns in mouse movements that are often used in automated sandboxes
• footprinting user activity
  
  • some malware checks for user files or activity, like if there are any files in the MS Office history or internet browsing history
  • if no or little activity is found, the malware will consider the machine as a sandbox and quit
• detecting VMs
  
  • VMs leave artifacts that can be identified by malware, such as drivers (VMwarae or Virtualbox specific)

Question 32

What is the malware analysis process?

Answer 32

Question 33

What questions should be asked when analyzing the malware?

Answer 33

• Is the file malicious?
  
  • the first answer analyst needs to come up with
• How does the malware modify the system?
  
  • What files does it drop?
  • What registry entries it adds or modifies?
• What does the malware contact and why?
  
  • most malware communicates over the network
  • what protocol, port is it using
• How can the malware be detected or removed?
  
  • needs to come through answering the questions above

Question 34

What do packers do?

Answer 34

encrypt the original program in addition of compressing it

Question 35

What is Sandnet?

Answer 35

specific type of sandbox environment used for analyzing and observing malware behavior in a networked context

Question 36

What does a Sandnet do?

Answer 36

mimic internet services, like DNS or web servers, allowing the malware to communicate as if it were in a real network environment

Question 37

What does the free Windows tool FakeNet do?

Answer 37

• tricks malware into thinking it’s online by intercepting and responding to network communication
• logs network connections into a logfile and creates a pcap

Question 38

What are the 2 types of strings to look for during an analysis?

Answer 38

1. ASCII
2. Unicode

Question 39

What are ASCII characters composed of?

Answer 39

characters that are one byte long and end in a null character (7 bits long with the most significant bit set to 0)

Question 40

How many ASCII characters are there?

Answer 40

128

Question 41

Why was Unicode created?

Answer 41

to fix the 128 character limitation of ASCII

Question 42

What is the possible length of Unicode?

Answer 42

8, 16 or 32 bits (UTF-8, UTF-16, UTF-32)

Question 43

Why is there the extra character . between each character?

Answer 43

beacause each character is 16b long and these specific characters take only 1 byte, so the extra byte is set to 0

Question 44

Why is it important to understand the difference between ASCII and Unicode when analyzing strings in malware?

Answer 44

some tools only look for ASCII strings by default and won’t find any Unicode strings because they interpret the null bytes between each character as the end of one character ASCII string - make sure that the tool being used is extracting both ASCII and Unicode strings

Question 45

Why do certain tools extract only a string that has a minimum number of characters in it?

Answer 45

to cut down on garbage strings - the longer the strings being pulled are, the less likely they’ll be garbage strings