Malware Analysis
STUDENT NAME
NUR NABILAH SHAFIQAH BINTI ROSLI (2019268474)
GROUP
RCS2455A
LECTURER
ENCIK MOHD FARIS BIN MOHD FUZI
Table of Contents
INTRODUCTION
  Overview of lab exercise
  Objective of lab exercise
STATIC ANALYSIS
  Lab 1 Determining the File Type
    Lab 1.1 Identifying File Type Using Manual Method
  Lab 2 Fingerprinting the Malware
    Lab 2.1 Generating Cryptographic Hash Using Tools
  Lab 3 Multiple Anti-Virus Scanning
    Lab 3.1 Scanning the Suspect Binary with VirusTotal
  Lab 4 Extracting Strings
    Lab 4.1 String Extraction Using Tools
  Lab 5 Determining File Obfuscation
    Lab 5.1 Detecting File Obfuscation Using Exeinfo PE
DYNAMIC ANALYSIS
  Lab 1 Dynamic Analysis (Monitoring) Tools
    Lab 1.1 Process Inspection with Process Hacker
    Lab 1.2 Determining System Interaction with Process Monitor
INTRODUCTION
In this lab exercise, I will run some malware samples through two kinds of analysis: static
analysis and dynamic analysis. Static analysis is the first step in malware analysis; it allows us
to extract valuable information from the binary and helps in comparing and classifying
malware samples.
This report walks through various tools and techniques with which different aspects of a
malware binary can be determined without executing it. Next, in dynamic analysis, we will
learn how to determine the behaviour of malware by executing it within an isolated
environment.
Static malware analysis involves examining a malware sample without actually running or
executing its code. This is usually done by determining the signature of the malware binary;
the signature is a unique identification for the binary file. Calculating the cryptographic hash
of the binary file and understanding each of its components helps determine its signature.
Static analysis includes determining the file type, fingerprinting the malware, multiple
anti-virus scanning, extracting strings, determining file obfuscation, inspecting PE header
information, and comparing and classifying the malware.
Dynamic malware analysis differs from static malware analysis in that it runs the code in a
controlled environment. The malware is run in a closed, isolated virtual environment and its
behaviour is then studied. The intention is to understand its functioning and behaviour and to
use this knowledge to stop its spread or to remove the infection. In advanced dynamic malware
analysis, debuggers are used to determine the functionality of the malware executable.
Dynamic malware analysis, unlike static analysis, is behaviour-based, so analysts do not miss
important behaviours of a malware strain.
Objective of lab exercise
Static Analysis:
-Collecting information about the malicious application without running it
-Identifying the malware's target operating system, such as Windows or Linux
-Identifying the architecture (32-bit or 64-bit platforms)
-Fingerprinting the malware
-Scanning the suspect binary with anti-virus engines
-Extracting strings, functions, and metadata associated with the file
-Identifying the obfuscation techniques used to thwart analysis
-Classifying and comparing the malware samples
Dynamic Analysis:
-Exploring dynamic analysis tools and their features
-Simulating internet services
-Going through the steps involved in dynamic analysis
-Monitoring the malware activity and understanding its behaviour
STATIC ANALYSIS
Lab 1 Determining the File Type
Lab 1.1 Identifying File Type Using Manual Method
Tools used:
-HxD hex editor: a tool that allows us to inspect each byte of a file
-A hex editor provides many functions that help in the analysis of a file.
Output:
Analysis of the result from Windows 7 in Oracle VM VirtualBox:
Explanation:
Most Windows-based malware consists of executable files ending with extensions such as .exe,
.dll, .sys, and so on. But relying on file extensions alone is not recommended: the file
extension is not the sole indicator of file type. Attackers use different tricks to hide their
files, modifying the file extension and changing its appearance to trick users into executing it.
Instead of relying on the file extension, the file signature can be used to determine the file type.
A file signature is a unique sequence of bytes that is written to the file's header. Different
file types have different signatures, which can be used to identify the type of file. Windows
executable files, also called PE files (such as files ending with .exe, .dll, .com, .drv,
.sys, and so on), have a file signature of MZ, or the hexadecimal bytes 4D 5A, in the first
two bytes of the file.
Lab 2 Fingerprinting the Malware
Lab 2.1 Generating Cryptographic Hash Using Tools
Tools used:
-HashMyFiles is used to generate hash values for single or multiple files, and it also highlights
identical hashes with the same colours.
1. Download HashMyFiles to examine and inspect the running process, from the website
(http://www.nirsoft.net/utils/hash_my_files.html)
Output:
Explanation:
Based on the screenshot above, we can see that the files log.exe and bunny.exe have the same
hash values but different filenames; the tool highlights identical hashes with the same colours.
Nowadays, identifying a malware specimen based on its filename is ineffective, because the same
malware sample can use different filenames, whereas the cryptographic hash, which is calculated
from the file content, remains the same. Hence, a cryptographic hash of the suspect file serves as
a unique identifier throughout the course of analysis. The file hash is frequently used as an
indicator to share with other security researchers to help them identify the sample. It can also be
used to determine whether the sample has been previously detected, by searching online or
searching the database of a multi-anti-virus scanning service such as VirusTotal.
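Added example, not part of the original report and not HashMyFiles code: a Python script that fingerprints constructed sample contents with MD5, SHA-1 and SHA-256, groups files whose hashes match (the log.exe/bunny.exe situation above) and checks them against a set of known hashes, which is how a shared indicator or a VirusTotal lookup would be used. The file contents and the known-hash set are constructed here, not real samples or real indicators.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")

def fingerprint(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of the file content (independent of the filename)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}

def fingerprint_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests, but streamed so a large sample need not be read into memory at once."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def group_identical(files: dict) -> dict:
    """Map each SHA-256 to the filenames sharing it; a group with more than one
    name is the same sample under different names (what HashMyFiles colours)."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(fingerprint(data)["sha256"], []).append(name)
    return groups

def match_indicators(files: dict, known_hashes: set) -> dict:
    """Filenames whose SHA-256 appears in a set of hashes shared by other
    researchers (or previously seen by a service such as VirusTotal)."""
    hits = {}
    for name, data in files.items():
        digest = fingerprint(data)["sha256"]
        if digest in known_hashes:
            hits[name] = digest
    return hits

if __name__ == "__main__":
    # Constructed file contents: two names with one content, plus one different file.
    same = b"MZ" + b"\x90" * 64
    files = {"log.exe": same, "bunny.exe": same, "calc.exe": b"MZ" + b"\xcc" * 64}
    # Constructed indicator list: pretend the shared content was reported before.
    known = {fingerprint(same)["sha256"]}
    for digest, names in group_identical(files).items():
        print(digest[:16], "->", ", ".join(names), "(duplicate)" if len(names) > 1 else "")
    print("known-bad:", match_indicators(files, known))
```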
Lab 3 Multiple Anti-Virus Scanning
Lab 3.1 Scanning the Suspect Binary with VirusTotal
Tools used:
-VirusTotal
3. VirusTotal scans the file with multiple anti-virus engines and generates a detailed report about the malware.
Output:
Explanation:
Based on the screenshot above, VirusTotal flags the submitted file as malicious, and the
engines detect all of the malware components. Using VirusTotal Graph, you can visualize the
relationships between the file you submitted and its associated indicators, such as domains,
IP addresses, and URLs. It also allows you to pivot and navigate over each indicator; this
feature is extremely useful when you want to quickly determine the indicators associated with
a malicious binary.
Lab 4 Extracting Strings
Lab 4.1 String Extraction Using Tools
Tools used:
-pestudio
Output:
Lab 5 Determining File Obfuscation
Lab 5.1 Detecting File Obfuscation Using Exeinfo PE
Tools used:
-Exeinfo PE
Steps of conducting lab:
5. The application will show the output and details about the malware file.
Output:
UPX is a common packer, and many times you will come across malware samples packed
with UPX.
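As an added example (not part of the original report, and not code from HxD or Exeinfo PE), the Python below applies the MZ/PE signature check from Lab 1.1 and the packer check from Lab 5.1 to constructed byte strings: it follows e_lfanew to the PE header, reads the architecture from the COFF Machine field (one of the static-analysis objectives above), and flags the default UPX section names. The sample headers are constructed inline and are not real malware; checking section names is only a heuristic, since a packer's section names can be renamed.

```python
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # default section names left behind by UPX

def inspect_pe(data: bytes) -> dict:
    """Classify a file by its header bytes: MZ, then e_lfanew -> "PE\\0\\0", then Machine and sections."""
    info = {"kind": "not PE"}
    if len(data) < 0x40 or data[:2] != MZ:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != PE_SIG or len(data) < e_lfanew + 24:
        info["kind"] = "MZ-only"   # DOS stub only, or a truncated/mangled PE header
        return info
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size   # the section table follows the optional header
    raw_names = []
    for _ in range(nsect):
        if off + 40 > len(data):     # section headers are 40 bytes; stop on a truncated table
            break
        raw_names.append(data[off:off + 8].rstrip(b"\0"))   # 8-byte, null-padded Name field
        off += 40
    info.update(kind="PE", arch=MACHINES.get(machine, f"unknown (0x{machine:04x})"),
                sections=[n.decode("ascii", "replace") for n in raw_names],
                upx_packed=any(n in UPX_SECTIONS for n in raw_names))
    return info

def build_sample(machine: int, section_names: list) -> bytes:
    """Constructed minimal header (not a runnable program): MZ stub, e_lfanew,
    PE signature, COFF header with no optional header, then the section table."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew points right after the stub
    hdr += PE_SIG + struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0x0102)
    for name in section_names:
        hdr += name.ljust(8, b"\0") + b"\0" * 32     # only the Name field matters here
    return bytes(hdr)

if __name__ == "__main__":
    samples = {"renamed.exe": b"plain text pretending to be a program",   # constructed
               "sample32.exe": build_sample(0x014C, [b".text", b".data"]),
               "packed64.exe": build_sample(0x8664, [b"UPX0", b"UPX1", b".rsrc"])}
    for name, blob in samples.items():
        print(f"{name}: {inspect_pe(blob)}")
```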
DYNAMIC ANALYSIS
Lab 1 Dynamic Analysis (Monitoring) Tools
Lab 1.1 Process Inspection with Process Hacker
Tools used:
-ProcessHacker
1. Download Process Hacker to examine and inspect the running processes, from the website (http://processhacker.sourceforge.net/)
Output:
Lab 1.2 Determining System Interaction with Process Monitor
Tools used:
-Process Monitor
3. Run Process Monitor in the operating system (run as Administrator).
4. Analyse the real-time interaction of the processes with the filesystem, registry, and
process/thread activity.
Output:
CONCLUSION
Malware analysis is of utmost importance since it helps us understand malware infections and
stop malware from spreading into other systems, files, directories, etc. Malware analysis,
static as well as dynamic, helps us understand malware and its functioning better and also
helps us prevent further attacks effectively.