World of Malware Analysis and Threat Hunting
You get an email saying it’s a sponsorship from an indie game company. You reply, and they send you a game file or a link to one so that you can test the game and make an ad/video about it. You are excited because it is your first sponsorship, or because the offer has some nice digits. You download the file from the link and start the game. A window pops up, then it crashes; nothing happens. Your antivirus didn’t detect anything. The next thing you know, your PC is compromised and your credentials are stolen. YOU ARE HACKED!!
You are enjoying a nice cup of coffee when you get a call from the network department notifying you of a possible cyber attack. The IDS/IPS didn’t raise an alert. The antivirus cannot isolate the threat. Sensitive information is being stolen and your boss wants an explanation!! You don’t have an actual answer.
This is a fairly common scenario, one of many such malware attacks. In today’s world, the digital weapons and decoys are this malware. Someone clicks ’em, and your network is done for. That's the story. But have you ever wondered how this malware gets caught and analyzed by investigators, analysts and the like?
What is Malware?
In layman's terms, malware is software that does something to your system that you don’t want it to do. So anything can be malware, depending on the perspective. Let’s say I download an online game on my Android device. Now the game wants permission to access files, contacts, mic, camera, and so on. By this definition it is malware; it doesn’t matter that the game is from a trusted vendor.
The malware we are here for is what is defined as “malicious software”: software that harms the system, steals sensitive data, etc.
Types of Malware:
- Bots, Downloaders, Launchers
- Rootkits
- Ransomware
- Virus
- Backdoor
- Info Stealer
Some popular examples can be Emotet, Stuxnet, Astaroth, Zacinlo etc.
Pre-Requisites?
Malware is basically a program, so to understand what a program does, understanding some programming concepts and languages is crucial. Familiarity with different OS environments is also useful.
Malware Analysis Chapter 0
By analyzing the malware we can collect information about the intrusion and potentially get something crucial like the IP of a C2 (command and control) server. Suspected programs can be analyzed with debuggers and disassemblers in a sandbox. Malware analysis helps us improve detection by producing host-based signatures and network-based signatures. In short, these are what the malware does to a system and the network traffic the malware generates, respectively.
There are several techniques to analyze malware:
- Static Analysis
  - Basic Static Analysis
  - Advanced Static Analysis
- Dynamic Analysis
  - Basic Dynamic Analysis
  - Advanced Dynamic Analysis
Malware Analysis Chapter 1
Now for the interesting part, let’s analyze a malware and understand how the technique works. Let’s start with Basic Static Analysis.
Md5sum of the malware:
Using Virustotal: https://www.virustotal.com/gui/file/f9495e968f9a1610c0cf9383053e5b5696ecc85ca3ca2a338c24c7204cc93881
Strings:
The strings command can be used to view the ASCII and Unicode strings in any file, including a binary. Sometimes we can get function names or DLL names from them.
Malware can be packed and obfuscated so that it is harder to analyze. Obfuscated and packed malware contains very few strings. A great tool to detect packed files is PEiD.
Now, to unpack the file, a tool called ‘upx’ can be used.
Statically linking the libraries is another option, but it is the least commonly used one. Static linking makes the binary bigger, so modern malware uses dynamically linked libraries.
We can explore the dynamically linked functions (the imports) using Dependency Walker.
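The two basic static checks above (pulling strings and spotting a packed file) as a small script. This is an added example, not code from the original post; the `SAMPLE` bytes are a constructed stand-in for a packed PE, and the UPX section-name check plus the low-string-count/high-entropy heuristic are the kind of rule PEiD applies, not PEiD's own signatures.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a packed PE (not a real file): a couple of readable
# strings, UPX section names and a run of high-entropy "packed" bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"kernel32.dll\x00\x00"
    + "CreateRemoteThread".encode("utf-16-le") + b"\x00\x00"
    + bytes((i * 73 + 17) % 256 for i in range(2048))
)

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII strings first, then UTF-16LE ones, like `strings` and `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packing_report(data: bytes, min_strings: int = 20) -> dict:
    """Cheap packer heuristics: few strings, high entropy, known UPX section names."""
    strs = extract_strings(data)
    entropy = shannon_entropy(data)
    upx = b"UPX0" in data or b"UPX1" in data or b"UPX!" in data
    return {
        "string_count": len(strs),
        "entropy": round(entropy, 2),
        "upx_sections": upx,
        "likely_packed": upx or (len(strs) < min_strings and entropy > 7.0),
    }
```

A real sample is read with `open(path, "rb").read()` in place of `SAMPLE`; a high entropy with almost no strings is the signal to try unpacking before looking at imports.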
Basic Dynamic Analysis
Now for the dirty work: we need a sandbox. No, not a box made out of sand or something like that (although it would be a nice thing to have). A sandbox is a virtual machine or virtual environment that is isolated from all networks and custom set up for testing malware. In the sandbox we can use a tool called Procmon, which shows us which process is running, what it's fetching, where it’s fetching from, and whether the fetch is successful or not.
Here we can see what the packed.exe malware is doing via Procmon. Similarly, Process Explorer is also useful.
Network traffic analysis tools like Wireshark and tshark can be used to view the incoming and outgoing packets.
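Turning a Procmon capture into host-based signature candidates, as an added example that is not part of the original post. The CSV below is constructed to look like a Procmon "Save as CSV" export of the packed.exe run; the process names, paths and the 203.0.113.10 address are all made up, and the rules are this example's own triage heuristics.

```python
import csv
import io

# Constructed Process Monitor CSV export (same columns as a real "Save as CSV");
# every row, path and address is made up for this example.
PROCMON_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,packed.exe,4120,Load Image,C:\\Windows\\System32\\kernel32.dll,SUCCESS,
10:01:02.3,packed.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\svchost.exe,SUCCESS,Desired Access: Generic Write
10:01:02.4,packed.exe,4120,WriteFile,C:\\Users\\lab\\AppData\\Roaming\\svchost.exe,SUCCESS,Length: 204800
10:01:02.5,packed.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,Type: REG_SZ
10:01:02.9,packed.exe,4120,TCP Connect,lab-pc:49712 -> 203.0.113.10:443,SUCCESS,
10:01:03.0,packed.exe,4120,Process Create,C:\\Users\\lab\\AppData\\Roaming\\svchost.exe,SUCCESS,PID: 4388
10:01:03.2,explorer.exe,1320,RegQueryValue,HKCU\\Software\\Classes\\Local Settings,SUCCESS,
"""

# Locations a legitimate installer rarely drops executables into.
USER_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def in_user_dir(path: str) -> bool:
    return any(d in path.lower() for d in USER_DIRS)

# Each rule corresponds to one host-based (or network-based) signature we
# might extract from the run: file dropped, persistence, child, callback.
RULES = {
    "dropped_executable": lambda r: r["Operation"] == "WriteFile"
        and r["Path"].lower().endswith(".exe") and in_user_dir(r["Path"]),
    "run_key_persistence": lambda r: r["Operation"] == "RegSetValue"
        and "\\currentversion\\run" in r["Path"].lower(),
    "child_from_user_dir": lambda r: r["Operation"] == "Process Create"
        and in_user_dir(r["Path"]),
    "outbound_tcp": lambda r: r["Operation"] == "TCP Connect",
}

def triage(csv_text: str) -> list:
    """Return (rule, process, path) for every successful row that matches a rule."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":  # failed operations are noise for signatures
            continue
        for name, rule in RULES.items():
            if rule(row):
                hits.append((name, row["Process Name"], row["Path"]))
    return hits
```

The flagged paths and the registry value name become the host-based signature; the TCP Connect destination is the starting point for the network-based one in Wireshark.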
Advanced Analysis
For the advanced analysis of any executable it is crucial to have a good grasp of a low-level programming language such as assembly. It is necessary to understand how instructions work, how registers work, branching, memory sections like the stack and heap, and so on. There are many crash courses available online.
Today we will just look at the available tools and techniques that make our job easier in the analysis process. And, welcome GHIDRA, a tool made by the NSA (yeah, that one). We can also use IDA / IDA Pro.
Open the malware/executable in GHIDRA and we get a disassembly window; if we select a function we also get a decompiler window that tries to give us the closest human-readable code for understanding the binary.
Using Ghidra we can see and understand what the purpose of the executable is and what it's doing: its functions, headers, everything. This is just like cutting open the binary and seeing what's inside.
Another very, very useful tool is “any.run”. This platform is very useful for forensic investigators and malware analysts.
Using this platform we can see the incoming and outgoing network requests, process trees, the MITRE ATT&CK matrix mapping, events, etc.
Any.run graph view -
In our exploration of malware analysis and threat hunting, we’ve delved into the intricacies of Emotet, dissected the stealthy maneuvers of Stuxnet, and wielded tools like GHIDRA and any.run to demystify binary puzzles. We’ve learned that static analysis unveils the blueprint of malicious code, while dynamic analysis reveals its behavior in action. As we prepare to conclude, let’s carry forward these insights and continue our journey toward a more secure digital landscape.
Threat Hunting
Threat hunting is a proactive cybersecurity technique that involves searching for, identifying, and mitigating potential threats before they can exploit vulnerabilities within a network. In the context of malware analysis, threat hunting plays a crucial role in preempting malicious activities. Analysts use their knowledge of attackers’ tactics, techniques, and procedures (TTPs) to hunt for indicators of compromise (IoCs) that suggest the presence of malware.
By combining analytical skills with powerful tools like SIEM systems, threat intelligence platforms, and endpoint detection solutions, threat hunters sift through data to spot anomalies that could signal an infection. They also simulate attacks in controlled environments to understand how malware operates and to develop strategies to detect similar threats in the wild.
For example, the use of honeypots, attack simulation and machine learning can greatly improve the IDS / IPS.
The six stages of the data-driven threat hunting methodology by Roberto and Jose Luis Rodriguez are:
- Defining the research goal
- Modeling the data
- Emulating the adversary
- Defining the detection model
- Validating the detection model
- Documenting and Communicating findings.
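Stages 2 to 5 of the methodology above, carried through in code as an added example (not from the original post or from the Rodriguez brothers' own material). The events are constructed: an emulated phishing-macro scenario mixed with normal activity, with placeholder command lines; the field names follow the OSSEM style, and the rules and the "malicious"/"benign" labels are this example's assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Minimal process-creation data model (stage 2: modeling the data)."""
    process_name: str
    process_command_line: str
    process_parent_name: str
    label: str  # ground truth from the emulation run: "malicious" or "benign"

# Constructed events (stage 3): three from an emulated macro-to-shell scenario
# mixed with normal user and admin activity. Command lines are placeholders.
EVENTS = [
    ProcessEvent("powershell.exe", "powershell -enc <base64 blob>", "winword.exe", "malicious"),
    ProcessEvent("cmd.exe", "cmd /c <macro payload>", "excel.exe", "malicious"),
    ProcessEvent("powershell.exe", "powershell -enc <base64 blob>", "explorer.exe", "malicious"),
    ProcessEvent("powershell.exe", "powershell -File build.ps1", "explorer.exe", "benign"),
    ProcessEvent("cmd.exe", "cmd /c dir", "explorer.exe", "benign"),
    ProcessEvent("winword.exe", "winword /n report.docx", "explorer.exe", "benign"),
    ProcessEvent("powershell.exe", "powershell -enc <base64 blob>", "ccmexec.exe", "benign"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

# Stage 4: candidate detection models, each a predicate over one event.
def office_spawns_shell(e: ProcessEvent) -> bool:
    return e.process_parent_name in OFFICE and e.process_name in SHELLS

def encoded_powershell(e: ProcessEvent) -> bool:
    return e.process_name == "powershell.exe" and " -enc " in e.process_command_line.lower()

def either_rule(e: ProcessEvent) -> bool:
    return office_spawns_shell(e) or encoded_powershell(e)

def validate(rule, events) -> dict:
    """Stage 5: score a rule on labelled events; poor precision or recall sends us back to stage 4."""
    tp = sum(1 for e in events if rule(e) and e.label == "malicious")
    fp = sum(1 for e in events if rule(e) and e.label == "benign")
    fn = sum(1 for e in events if not rule(e) and e.label == "malicious")
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 2), "recall": round(recall, 2)}
```

Run on these events, the parent-child rule is precise but misses the shortcut-launched case, the encoded-command rule catches that but fires on the management agent, and the union trades one false positive for full recall; that comparison is what gets written up in stage 6.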
Data documenting and structuring tools:
- Elastic
- OSSEM
- Splunk
Adversary Emulation Platforms:
- MITRE ATT&CK framework
- Mordor
- Atomic Red Team
Threat Hunting Platforms:
- Huntress
- HELK
- Endgame
Below, I attached some resources from the SANS threat hunting summit 2021.
Conclusion
As we wrap up our discussion on malware analysis and threat hunting, it’s clear that these are more than just tasks; they’re part of a crucial mission to keep our digital world safe. By understanding how malware works and using tools to spot suspicious activity, we’re like cyber superheroes, protecting data, trust, and peace of mind in our connected world.