Malware Analysis

  • Signatures are not enough today.

  • Yara

  • MAEC

  • Sandbox – Running malware inside an isolated virtual environment

    • Monitor changes to system files

    • Monitor changes to processes and services

    • Network Activity

    • Low-level system calls

    • File creation, change, deletion during execution

    • Scheduled tasks

  • Cuckoo Sandbox

  • Be careful with hypervisor vulnerabilities

  • Reverse-Engineering: Figuring out how software works

    • Decompiler

      • Recovers an approximation of the high-level source code

      • Obfuscation

      • Pseudo-code

    • Disassembler

      • Binary to assembly code

      • Better file identification

      • Difficult to follow

    • String searching

      • Static strings are stored together in the binary

      • Reveals file names, domains, keys, etc.

    • Program packers

      • Effectively a self-extracting archive

      • Compression, obfuscation

  • Exploit Techniques – Methods used by malware to attack a target

    • Viruses

      • Infect files

      • Requires user interaction

    • Worms

      • Propagate over network

      • Do not require user interaction

    • Fileless malware

      • Executable code passed through a script in a request

      • RAT dropper

    • Code injection

      • Shellcode

      • Masquerading

      • DLL sideloading, hijacking

      • Process hollowing – a legitimate process is started, its in-memory code is replaced with malicious code, and it keeps running under the legitimate name

    • “Living off the land”

      • Just a practice

      • Malware relies on existing tools on the host

      • PowerShell, Python, bash
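
As an added example (not part of these notes), a small Python triage script covering the string-searching and program-packer items above: it extracts ASCII and UTF-16LE strings the way the `strings` tool does, sorts them into Windows paths, URLs/domains and binary names, and slides a window over the file computing Shannon entropy to flag regions that look compressed or encrypted, which is the usual first hint of a packer. The `SAMPLE` bytes are constructed for the demonstration, not a real malware sample; all function names are my own.

```python
import math
import re
import string

# Constructed sample: a fake "MZ" header, an ASCII path, an ASCII URL, a
# UTF-16LE DLL name, then a run of evenly spread byte values standing in for
# a packed section. Nothing here is real malware.
SAMPLE = (
    b"MZ\x90\x00" + bytes(60)
    + b"C:\\Users\\Public\\update.exe\x00"
    + b"http://example.invalid/beacon\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 40
    + bytes((i * 7919 + 13) % 251 for i in range(4096))  # high-entropy filler
)

# Printable ASCII, keeping space but dropping control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII bytes at least min_len long (like `strings`)."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable UTF-16LE runs; Windows binaries store many strings this way."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


WINPATH_RE = re.compile(r"^[a-zA-Z]:\\")
BINARY_RE = re.compile(r"\.(?:dll|exe|sys)$", re.I)
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def classify(strings: list[str]) -> dict[str, list[str]]:
    """Bucket extracted strings into the artefact types an analyst looks for first."""
    buckets = {"windows_path": [], "binary_name": [], "url_or_domain": [], "other": []}
    for s in strings:
        if WINPATH_RE.match(s):
            buckets["windows_path"].append(s)
        # Check binary names before domains: "kernel32.dll" also looks like a domain.
        elif BINARY_RE.search(s):
            buckets["binary_name"].append(s)
        elif DOMAIN_RE.match(s):
            buckets["url_or_domain"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text sits around 4-6, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packed_regions(data: bytes, window: int = 256, threshold: float = 7.2) -> list[tuple[int, int, float]]:
    """Slide a fixed window over the file and report (offset, length, entropy) for high-entropy spans.

    Real tooling checks per PE section instead; a fixed window keeps this example format-agnostic.
    """
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, len(chunk), round(h, 2)))
    return hits


def triage(data: bytes) -> dict:
    """Static first pass: strings by category plus packing hints."""
    found = ascii_strings(data) + utf16le_strings(data)
    return {
        "strings": classify(found),
        "entropy": round(shannon_entropy(data), 2),
        "packed_regions": packed_regions(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for kind, items in report["strings"].items():
        if kind != "other":
            print(kind, items)
    print("whole-file entropy:", report["entropy"])
    print("high-entropy windows:", len(report["packed_regions"]))
```

The junk strings that the high-entropy filler produces land in the `other` bucket, which is exactly what `strings` on a packed binary looks like in practice: few meaningful strings until the sample is unpacked, so high entropy plus a near-empty string list is a cue to unpack or run the sample in a sandbox before reading further.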
