Malware analysis

This page is inspired by a video by Lenny Zeltser.

Demo of REMnux

Download REMnux

https://remnux.org/#distro

lablo@linuxserver$ sudo apt-get update

remnux update (takes some time the first time)

Transfer files to REMnux

Start sshd (to enable FTP-style transfer over SFTP); run ifconfig to find the IP address.

sftp://IP-address

User: remnux, password: malware

Extract zip files with password

sudo apt-get install p7zip-full

Extract the file with 7z x filename.zip -> you are then prompted for the password.


Static analysis of the file

Look for API calls, strings and

yara-rules filename. What happens then?

(Update the ClamAV signatures with freshclam.) clamscan filename. What happens then?

----------- SCAN SUMMARY -----------
Known viruses: 8921175
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.48 MB
Data read: 0.46 MB (ratio 1.04:1)
Time: 16.517 sec (0 m 16 s)

manalyze filename. What happens then?

(Trickster = meadow, Finnish language, and compile date 20 May 2015)

peframe filename. What happens then?

(Maybe it can be used for yara? Yara rules take effect here.)

pecheck filename. Entropy gives a hint about packed files / compressed files / payload. More info about what happens in the file (look for an overlay).
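To see what pecheck's entropy and overlay hints actually measure, here is an added example (not part of the original notes, and not REMnux or pecheck code) that reads the PE section table with the standard library only, computes Shannon entropy per section, and reports any data appended after the last section. The sample PE it analyses is constructed in build_sample_pe(); the 7.0 bits-per-byte threshold is an assumption, not a fixed rule.

```python
import math
import random
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a flat buffer .. 8.0 for random bytes)."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) from the PE section table (stdlib only, no pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # FileHeader.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section headers follow the optional header
    for i in range(nsect):
        off = table + 40 * i                                     # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_ptr, raw_size

def triage(data: bytes, threshold: float = 7.0) -> dict:
    """Per-section entropy and overlay size; high entropy or a large overlay hints at packing or an appended payload."""
    entropies, end = {}, 0
    for name, ptr, size in pe_sections(data):
        entropies[name] = round(shannon_entropy(data[ptr:ptr + size]), 2)
        end = max(end, ptr + size)
    return {"sections": entropies,
            "overlay_size": max(0, len(data) - end),             # bytes after the last section = overlay
            "likely_packed": [n for n, e in entropies.items() if e >= threshold]}

def build_sample_pe() -> bytes:
    """Constructed test input: a flat .text section, a pseudo-random .packed section and a 64-byte overlay."""
    rng = random.Random(1)
    text, packed = b"\x90" * 1024, bytes(rng.getrandbits(8) for _ in range(2048))
    opt_size, e_lfanew = 0xE0, 0x40                              # PE32 optional header size, NT header offset
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    def sect(name, vaddr, ptr, size):                            # 40-byte IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, vaddr, size, ptr, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + file_hdr + opt + sect(b".text", 0x1000, 0x200, 1024)
           + sect(b".packed", 0x2000, 0x600, 2048)).ljust(0x200, b"\0")
    return hdr + text + packed + b"OVERLAY!" * 8
```

Run triage(open(path, "rb").read()) on a real sample to get the same three hints pecheck gives you; a section near 8.0 bits per byte or a sizeable overlay is what to look at first.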

strings filename

Do we see anything here?

pestr filename: is there any difference?

What about floss filename?

Maybe it can be used?

md5sum filename, then copy the hash into VirusTotal. What happens then?

xorsearch filename http

(Searching for http, or whatever else might be interesting.)


A little more emulation before detonation.

binee filename

gives the API calls

can be used in the debugger later

capa -vv filename

Watch for API calls.

Copy the offset into Ghidra so you can see what is happening in the decompiled code.

fakedns together with inetsim

starts a DNS server and responds like the internet would.

Sample sharing

  • Check if the hash can be found on some of the online services. Many times you can find the hash value without sharing the sample, so you do not reveal yourself to those who are watching (it sounds sneaky, but adversaries do keep an eye on this).
  • Examine whether you are allowed to share the malware by the company / partner.
  • The zip format is frequently used, but you should consider using the 7-Zip format to better hide the contents of the archive.
  • The "infected" password is often used, as many sandbox labs can use that password to extract the file.
  • Instead of emailing the sample as an attachment, consider sending the researcher a link where they can download the file.
  • Specify the hash for the malware sample using a modern algorithm such as SHA256 so that the recipient can confirm that they have got the correct file.

The above is inspired by Lenny Zeltser.