Malware Analysis Series (MAS): Part 1
Introduction
Welcome to MAS (Malware Analysis Series). Quite frankly, it was quite difficult to stop my research work to write an article in the last year and it would not be possible to write a series of articles, but I think it is possible now and we will try it. For example, the last time I wrote a Surface article was in 2022, and sure enough, I didn’t remember until a colleague recently talked about it.
The goal is to produce a series of articles on malware analysis and explain since simple malware binaries up to most complex ones, covering a large list of topics such as unpacking, API resolving, C2 extraction, C2 emulation and, of course, reverse engineering in addition to some dynamic analysis and, maybe, use few de-obfuscation techniques. When it’s necessary, I’ll cover other topics such as COM (Component Object Model), cryptography, IDC/IDA Python and everything it necessary to help readers to have a better comprehension of analysis.
During this series of articles, I’m going to use several tools and try to point where you can get them to make things simpler for you.
I am not going to propose only hard samples because, in my humble opinion, this kind of approach wouldn’t help anyone (mainly professionals that aim to learn to something) and, at end, it would be only a waste of time (and an useless show-off). Therefore, we’ll analyze different samples, each one with a distinguished level of difficulty, and discuss some lines of code. As I mentioned previously, the strategy is to break up an article in different parts if it’s necessary to avoid turning the reading so exhausting.
Lab Setup
Explaining about the lab setup, I usually analyze all samples using one or more of the following systems:
- Windows 7, Windows 8.1 or Windows 10: If you need a Windows 10 virtual machine, Microsoft continue offering one with expiration time on this website: https://developer.microsoft.com/enus/windows/downloads/virtual-machines/
- REMnux (best distribution for reverse engineering): https://docs.remnux.org/install-distro/getvirtual-appliance
- Ubuntu 22.10.x: https://ubuntu.com/download/deskto
I’ll try to avoid using any non-sense techniques and focus on well-known tools. Unfortunately, few of them are not free (like IDA Pro, which is my favorite one, by far and, in my opinion, the best reversing tool around the world since ever), but Hex-Rays offers the IDA Free and an affordable paid version named IDA Home:
- IDA Free: https://hex-rays.com/blog/announcing-version-7-6-for-ida-freeware/
- IDA Home: https://hex-rays.com/ida-pro/#main-differences-between-ida-editions
No doubts, you can use Ghidra to disassemble, decompile and debug any code just in case you’re more comfortable with it: https://github.com/NationalSecurityAgency/ghidra/releases
You’ll need a good debugger and certainly the best one is x64dbg/x32dbg, which you can download from the following website:
- x64dbg: https://x64dbg.com/#start
Additionally, there’re tons of x64dbg plugins that could be installed to extend x64dbg/x32dbg functionality and are quite recommended during dynamic analysis (mainly to avoid anti-debugging techniques used by malware), so few of them that you could like to install are shown below:
- ScyllaHide: it’s an advanced anti-debug library that hooks several functions to hide the debugging activity from malware: https://github.com/x64dbg/ScyllaHide/releases
- DbgChild: it provides an automatic detection of child processes created by the debugged process and automatically attaches a new instance of x64dbg to if the the main process forks a new process, so saving your time in many opportunities. DbgChild is available from: https://github.com/David-Reguera-Garcia-Dreg/DbgChild
Other useful plugins exist, but let’s wait for the appropriate moment to talk about them. On time: many available plugins don’t have been regularly kept by their authors and maintainers, so they could not work anytime. Be careful
All remaining tools will be shown during our analysis and many future articles.
I do not expect to write this article any longer. In the next article we will see about MAS goals and much more.
See You.. : )
