A large number of computer intrusions involve some form of malicious software (malware), which finds its way to the victim’s workstation or to a server. When investigating the incident, the IT responder typically seeks to answer questions such as: What actions can the malware specimen perform on the system? How does it spread? How, if at all, does it maintain contact with the attacker? These questions can all be answered by analyzing the offending malware in a controlled environment.
Static Analysis
This procedure includes extraction and examination of different binary components and static behavioral inductions of an executable, for example, API headers, Referred DLLs, PE areas and all the more such assets without executing the samples.
Any deviation from the normal outcomes are recorded in the static investigation comes about and the decision given likewise.Static analysis is done without executing the malware whereas dynamic analysis was carried by executing the malware in control environment.
- Disassembly -Programs can be ported to new computer platforms, by compiling the source code in a different environment.
- File Fingerprinting – network data loss prevention solutions for identifying and tracking data across a network
- Virus Scanning -Virus scanning tools and instructions for malware & virus removal. Remove malware, viruses, spyware and other threats. ex: VirusTotal
- Analyzing memory artefacts -During the time spent breaking down memory ancient rarities like[RAM dump, pagefile.sys, hiberfile.sys] the inspector can begin Identification of Rogue Process
- Packer Detection: Packer Detection used to Detect packers, cryptors, Compilers, Packers Scrambler, Joiners, Installers.+ New Symbols+ .
Static analysis tools:
Dynamic Analysis
The dynamic analysis should always be an analyst’s first approach to discovering malware functionality. In dynamic analysis, you will be building a virtual machine that will be used as a place to do a malware analysis.
Important consideration in virtual Environment
- single path (execution trace) is examined
- analysis environment possibly not invisible
- analysis environment possibly not comprehensive
- scalability issues
-
allow to quickly restore analysis environment
- might be detectable (x86 virtualization problems)
Dynamic analysis tools:
- Procmon
- Process Explorer
- Anubis
- Comodo Instant Malware Analysis
- Process Monitor
- Regshot
- ApateDNS
- OllyDbg
- Regshot
- Netcat ,
- Wireshark
Memory Forensics
Memory volatile artifacts found in physical memory. Volatile memory Forensics contains valuable information about the runtime state of the system, provides the ability to link artifacts from traditional forensic analysis (network, file system, registry).
- mage the full range of system memory (no reliance on API calls).
- Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps, and stacks.
- Image a specified driver or all drivers loaded in memory to disk.
- Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.)
- Verify the digital signatures of the EXEs and DLLs (disk-based).
- Output all strings in memory on a per-process basis.
Important Tools
- WinDbg –Kernel debugger for Windows systems
- Muninn – A script to automate portions of analysis using Volatility
- DAMM –Differential Analysis of Malware in Memory, built on Volatility
- FindAES –Find AES encryption keys in memory
- Volatility — Advanced memory forensics framework
Malware Detection
Signature Based or Pattern Matching: A signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus.
Heuristic Analysis or Pro-Active Defense: Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs.
Rule Based: The component of the heuristic engine that conducts the analysis (the analyzer) extracts certain rules from a file and this rules will be compared against a set of rule for malicious code.
Behavioral Blocking: The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs.
Weight-Based: A heuristic engine based on a weight-based system, which is a quite old styled approach, rates each functionality it detects with a certain weight according to the degree of danger
Sandbox: allows the file to run in a controlled virtual system (or“sandbox”) to see what it does.
Important Tools
- YARA – Pattern matching tool for analysts.
- Yara rules generator – Generate yara rules based on a set of malware samples. Also, contains a good strings DB to avoid false positives.
- File Scanning Framework – Modular, recursive file scanning solution.
- hash deep – Compute digest hashes with a variety of algorithms.
- Loki – Host-based scanner for IOCs.
- Malfunction – Catalog and compare malware at a function level.
- MASTIFF – Static analysis framework.
Web Domain Analysis
Domain analysis is the process by which a software engineer learns background information, Inspect domains and IP addresses.domain analysis should simply include a brief summary of the information you have found, along with references that will enable others to find that information.
Important Tools
- SpamCop – IP-based spam block list.
- SpamHaus – Block list based on domains and IPs.
- Sucuri SiteCheck – Free Website Malware and Security Scanner.
- TekDefense Automatic – OSINT tool for gathering information about URLs, IPs, or hashes.
- URLQuery – Free URL Scanner.
- IPinfo – Gather information about an IP or domain by searching online resources.
- Whois – DomainTools free online whois search.
- mail checker – Cross-language temporary email detection library.
Network interactions Analysis
While focusing on network security monitoring comprehensive platform for more general network traffic analysis as well.
A passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing.
Important Tools
- Tcpdump – Collect network traffic.
- tcpick – Trach and reassemble TCP streams from network traffic.
- tcpxtract – Extract files from network traffic.
- Wireshark – The network traffic analysis tool.
- CapTipper – Malicious HTTP traffic explorer.
- chopshop – Protocol analysis and decoding framework.
- CloudShark – Web-based tool for packet analysis and malware traffic detection
Debugging & Debugger
Debuggers are useful tools that allow analysis of code at a low level. One of the most important functionality of a debugger is the breakpoint.
A debugger is a piece of software that utilizes Central Processing Unit (CPU) facilities that were specifically designed for the purpose.
A debugger provides an insight into how a program performs its tasks, allows the user to control the execution, and provides access to the debugged program’s environment.
This could be very helpful when analyzing malware, as it would be possible to see how it tries to detect tampering and to skip the garbage instructions inserted on purpose.
Important Tools
- obj dump – Part of GNU Binutils, for static analysis of Linux binaries.
- OllyDbg – An assembly-level debugger for Windows executable
- FPort – Reports open TCP/IP and UDP ports in a live system and map them to the owning application.
- GDB – The GNU debugger.
- IDA Pro – Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger – Debugger for malware analysis and more, with a Python API.
Analyze malicious URL’s
Today, websites are exposed to various threats that exploit their vulnerabilities. A compromised website will be used as a stepping-stone and will serve attackers’ evil purposes.
For instance, URL redirection mechanisms have been widely used as a means to perform web-based attacks covertly.Redirection refers to automatically replacing access destinations, and it is generally controlled by an HTTP protocol on the web.
In addition to this conventional method, other methods for automatically accessing external web content, e.g., iframe tag, have been often used, particularly for web-based attacks.
Important Tools
- Firebug – Firefox extension for web development.
- Java Decompiler – Decompile and inspect Java apps.
- jsunpack-n – A javascript unpacker that emulates browser functionality.
- Krakatau – Java decompiler, assembler, and disassembler.
- Malzilla – Analyze malicious web pages.
Sandboxes Technique
Sandboxing is a critical security system that segregates programs, keeping malevolent or failing projects from harming or snooping on whatever remains of your PC. The product you utilize is as of now sandboxing a significant part of the code you run each day.
A sandbox is a firmly controlled condition where projects can be run. Sandboxes limit what a bit of code can do, giving it similarly the same number of consents as it needs without including extra authorizations could be abused.
Important Tools
- firmware.re – Unpacks, scans and analyzes almost any firmware package.
- Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
- IRMA – An asynchronous and customizable analysis platform for suspicious files.
- Cuckoo Sandbox – Open source, self-hosted sandbox, and automated analysis system.
- cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL.
- PDF Examiner – Analyse suspicious PDF files.
- ProcDot – A graphical malware analysis toolkit.
- Recomposer – A helper script for safely uploading binaries to sandbox sites.
- Sand droid – Automatic and complete Android application analysis system.
