Malware Analysis

The document provides details of a lab exercise on malware analysis conducted by a student. The exercise involved both static and dynamic analysis of malware samples. For static analysis, the student used tools to determine file types, generate cryptographic hashes, conduct multi-virus scans, extract strings, and identify obfuscation. For dynamic analysis, the student explored monitoring tools to analyze malware behavior and activity in a controlled environment. The objective was to collect information and analyze malware samples without executing code for static analysis, and to understand malware functioning through execution for dynamic analysis.

FACULTY OF COMPUTER AND MATHEMATICAL SCIENCES

BACHELOR OF COMPUTER SCIENCE (HONS.)


DATA COMMUNICATION AND NETWORKING

ITT592 Lab Report for Malware Analysis

STUDENT NAME
NUR NABILAH SHAFIQAH BINTI ROSLI (2019268474)

GROUP
RCS2455A

LECTURER
ENCIK MOHD FARIS BIN MOHD FUZI
Table of Contents
INTRODUCTION.....................................................................................................................................2
Overview of lab exercise...................................................................................................................2
Objective of lab exercise...................................................................................................................3
STATIC ANALYSIS...................................................................................................................................4
Lab 1 Determining the File Type........................................................................................................4
Lab 1.1 Identifying File Type Using Manual Method......................................................................4
Lab 2 Fingerprinting the Malware.....................................................................................................6
Lab 2.1 Generating Cryptographic Hash Using Tools.....................................................................6
Lab 3 Multiple Anti-Virus Scanning....................................................................................................7
Lab 3.1 Scanning the Suspect Binary with VirusTotal....................................................................7
Lab 4 Extracting Strings......................................................................................................................9
Lab 4.1 String Extraction Using Tools.............................................................................................9
Lab 5 Determining File Obfuscation...............................................................................................10
Lab 5.1 Detecting File Obfuscation Using Exeinfo PE................................................................10
DYNAMIC ANALYSIS.............................................................................................................................11
Lab 1 Dynamic Analysis (Monitoring) Tools.....................................................................................11
Lab 1.1 Process Inspection with Process Hacker..........................................................................11
Lab 1.2 Determining System Interaction with Process Monitor..................................................13

INTRODUCTION

Overview of lab exercise

In this lab exercise, I will run several sample malware files through two kinds of analysis:
static analysis and dynamic analysis. Static analysis is the first step in malware analysis; it
allows us to extract valuable information from the binary and helps in comparing and
classifying malware samples.

This report will walk through the various tools and techniques with which different aspects
of a malware binary can be determined without executing it. Next, in dynamic analysis, we
will learn how to determine the behaviour of malware by executing it within an isolated
environment.

Static malware analysis involves examining any given malware sample without actually
running or executing the code. This is usually done by determining the signature of the
malware binary; the signature is a unique identification for the binary file. Calculating the
cryptographic hash of the binary file and understanding each of its components helps
determine its signature. Static analysis includes determining file type, fingerprinting the
malware, multiple anti-virus scanning, extracting strings, determining file obfuscation,
inspecting PE header information and comparing and classifying the malware.

Dynamic malware analysis differs from static malware analysis in that the code is actually
run in a controlled environment. The malware is executed in a closed, isolated virtual
environment and its behavior is then studied. The intention is to understand its functioning
and behavior and to use this knowledge to stop its spread or to remove the infection.
In advanced dynamic malware analysis, debuggers are used to determine the functionality of
the malware executable. Dynamic malware analysis, unlike static analysis, is behavior-based,
so analysts are less likely to miss important behaviors of a malware strain.

Objective of lab exercise

Static Analysis:
-Collecting information about the malicious application without running it
-Identifying the malware's target operating system, such as Windows or Linux
-Identifying the architecture (32-bit or 64-bit platform)
-Fingerprinting the malware
-Scanning the suspect binary with anti-virus engines
-Extracting strings, functions, and metadata associated with the file
-Identifying the obfuscation techniques used to thwart analysis
-Classifying and comparing the malware samples

Dynamic Analysis:
-Exploring dynamic analysis tools and their features
-Simulating internet services
-Walking through the steps involved in dynamic analysis
-Monitoring the malware activity and understanding its behavior

STATIC ANALYSIS
Lab 1 Determining the File Type
Lab 1.1 Identifying File Type Using Manual Method
Tools used:

-HxD is a hex editor, a tool that allows us to inspect each byte of a file.

-A hex editor provides many functionalities that help in the analysis of a file.

Steps of conducting lab:

On Windows operating system:


1. Download the HxD hex editor, used to examine and inspect the sample file, from the
website (https://mh-nexus.de/en/hxd/).
2. Install the software on the operating system.
3. Run the hex editor on the operating system.
4. Open the sample malware file in the application.
5. Analyse the sample malware.
6. Sample malware can be downloaded from this website: https://zeltser.com/malware-sample-sources/

Output:
Analysis of the result from Windows 7 in Oracle VM VirtualBox:

Explanation:
Most Windows-based malware samples are executable files ending with extensions such as
.exe, .dll, .sys, and so on. Relying on file extensions alone is not recommended, however,
because the file extension is not the sole indicator of file type. Attackers use different
tricks to hide their file, modifying the file extension and changing its appearance to trick
users into executing it. Instead of relying on the file extension, the file signature can be
used to determine the file type.

A file signature is a unique sequence of bytes that is written to the file's header. Different
file types have different signatures, which can be used to identify the type of file. Windows
executable files, also called PE files (such as files ending with .exe, .dll, .com, .drv,
.sys, and so on), have the file signature MZ, that is, the hexadecimal bytes 4D 5A, in the
first two bytes of the file.

Lab 2 Fingerprinting the Malware
Lab 2.1 Generating Cryptographic Hash Using Tools

Tools used:

-HashMyFiles is used to generate hash values for single or multiple files; it also highlights
identical hashes with the same colour.

Steps of conducting lab:

1. Download HashMyFiles from the website
(http://www.nirsoft.net/utils/hash_my_files.html)

2. Install the software on the operating system.

3. Run HashMyFiles on the operating system.

4. Download sample malware (samples are commonly identified by their SHA256 hash).

5. Open the sample malware files in the application.

6. Identify the hash values of the sample malware.

Output:

Explanation:

Based on the screenshot above, we can see that log.exe and bunny.exe have the same hash values but
different filenames; the tool also highlights the identical hashes with the same colour.

Nowadays, identifying a malware specimen based on its filename is ineffective, because the same
malware sample can use different filenames, whereas the cryptographic hash, which is calculated from
the file content, remains the same. Hence, the cryptographic hash of a suspect file serves as a
unique identifier throughout the course of analysis. A file hash is frequently used as an indicator to
share with other security researchers to help them identify the sample. The file hash can also be used to
determine whether the sample has been previously detected, by searching online or searching the
database of a multi anti-virus scanning service like VirusTotal.
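The fingerprinting step above, as an added example that is not part of the lab report or of HashMyFiles: hashes are computed from content only, so two filenames with identical bytes collide on every algorithm, while a one-byte change yields an unrelated digest. The file contents are constructed stand-ins, not real samples.

```python
import hashlib
from collections import defaultdict

def fingerprint(data, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for one file's content, hashing in chunks
    the way a tool would when streaming a large file from disk."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for offset in range(0, len(data), 64 * 1024):
        chunk = data[offset:offset + 64 * 1024]
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def group_identical(samples):
    """Map each SHA256 to the filenames that share it, as HashMyFiles does when it
    colours identical hashes; only hashes seen under more than one name are kept."""
    by_hash = defaultdict(list)
    for name, data in samples.items():
        by_hash[fingerprint(data, ("sha256",))["sha256"]].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}

# Constructed stand-ins for the lab's files (not real malware): two names, one content.
SAMPLES = {
    "log.exe":   b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"A" * 200,
    "bunny.exe": b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"A" * 200,
    # Almost the same bytes, but one byte differs: an entirely different fingerprint.
    "log2.exe":  b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"A" * 199 + b"B",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, fingerprint(data)["sha256"])
    print(group_identical(SAMPLES))
```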

Lab 3 Multiple Anti-Virus Scanning


Lab 3.1 Scanning the Suspect Binary with VirusTotal

Tools used:

-VirusTotal is a web-based malware scanning service.

Steps of conducting lab:

1. Open the web-based malware scanning service (http://www.virustotal.com).

2. Using the upload option, submit the sample malware file.

3. VirusTotal will scan the file and generate a detailed report about the malware.

Output:

Explanation
Based on the screenshot above, VirusTotal identified the submitted files as malicious and
detected all of the malware samples. Using VirusTotal Graph, you can visualize the relationship
between the file you submitted and its associated indicators such as domains, IP addresses, and
URLs. It also allows you to pivot and navigate over each indicator; this feature is extremely
useful if you want to quickly determine the indicators associated with a malicious binary.

Lab 4 Extracting Strings
Lab 4.1 String Extraction Using Tools

Tools used:

-pestudio

Steps of conducting lab:

1. Download pestudio from the website (https://www.techspot.com/downloads/6350-pestudio.html)

2. Extract the files.

3. Run the application.

4. Open the sample malware file and analyse it.

Output:
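A string extractor of the kind pestudio runs on a sample, as an added example that is not part of the lab report or of pestudio: it scans both ASCII and UTF-16LE runs (Windows binaries keep registry paths and messages as wide strings, which an ASCII-only search misses) and sorts the hits into the indicator categories an analyst checks first. The file bytes and the indicator values are constructed.

```python
import re

def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in both ASCII and UTF-16LE encodings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)

# Indicator categories worth reading first in a string dump.
CATEGORIES = {
    "url": re.compile(r"https?://", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HKEY_|Software\\Microsoft\\Windows\\CurrentVersion", re.I),
    "dll": re.compile(r"\.dll$", re.I),
}

def triage(strings):
    """Group extracted strings by indicator category; strings matching none are dropped."""
    hits = {cat: [] for cat in CATEGORIES}
    for _, _, text in strings:
        for cat, pattern in CATEGORIES.items():
            if pattern.search(text):
                hits[cat].append(text)
    return {cat: v for cat, v in hits.items() if v}

# Constructed file content standing in for a sample (not a real binary): ASCII strings,
# binary junk, one UTF-16LE registry path, and two runs too short to report.
SAMPLE = (b"MZ\x90\x00" + b"kernel32.dll\x00" + b"http://example.invalid/update.bin\x00"
          + b"\x01\x02\x03" + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
          + b"\x00\x00" + b"10.0.0.5\x00" + b"ab\x00")

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print("0x%06x %-8s %s" % (offset, enc, text))
    print(triage(extract_strings(SAMPLE)))
```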

Lab 5 Determining File Obfuscation


Lab 5.1 Detecting File Obfuscation Using Exeinfo PE

Tools used:

-Freeware tools such as Exeinfo PE

Steps of conducting lab:

1. Download Exeinfo PE from the website (http://exeinfo.atwebpages.com/).

2. Extract the files.

3. Run the application.

4. Open the sample malware file in Exeinfo PE.

5. The application will show the output and details about the malware file.

Output:

UPX is a common packer, and many times you will come across malware samples packed
with UPX.
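Both the signature check from Lab 1.1 (MZ, then PE, then the architecture from the COFF header) and the packer hint from Lab 5.1 come from parsing the same PE header, so one added example covers both; it is not code from the lab report, HxD or Exeinfo PE. UPX renames a binary's sections to UPX0/UPX1 by default, so those names are a quick hint (not proof) of packing. The PE layout built by `build_fake_pe` is a constructed, non-executable stand-in.

```python
import struct

# COFF "Machine" values fixed by the PE specification.
MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x1C0: "ARM", 0xAA64: "ARM64"}

def inspect_file(data):
    """Identify a file by its signature bytes rather than its extension; for PE files
    also report the target architecture and a UPX packer hint from section names."""
    if data[:4] == b"\x7fELF":
        return {"type": "ELF (Linux executable)"}
    if data[:2] != b"MZ":                        # 4D 5A missing: not a DOS/PE file
        return {"type": "unknown (no MZ signature)"}
    if len(data) < 64:
        return {"type": "truncated MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 60)[0]   # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"type": "MZ without PE signature (DOS executable or corrupt)"}
    if len(data) < e_lfanew + 24:
        return {"type": "truncated PE header"}
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size        # section headers follow the optional header
    names = []
    for i in range(nsec):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]   # 8-byte section name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "type": "PE (Windows executable)",
        "arch": MACHINES.get(machine, "unknown 0x%x" % machine),
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
    }

def build_fake_pe(machine, section_names):
    """Construct a minimal, non-executable PE layout for demonstration only."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE header right after DOS header
    opt_size = 0xE0                              # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections

if __name__ == "__main__":
    print(inspect_file(build_fake_pe(0x14C, [b"UPX0", b"UPX1", b".rsrc"])))
```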

DYNAMIC ANALYSIS
Lab 1 Dynamic Analysis (Monitoring) Tools
Lab 1.1 Process Inspection with Process Hacker

Tools used:

-Process Hacker

Steps of conducting lab:

1. Download Process Hacker, used to examine and inspect the running processes, from the
website (http://processhacker.sourceforge.net/)

2. Install the software on the operating system.

3. Run Process Hacker on the operating system.

4. Identify all the processes running on the system.

5. Find the wininit.exe process and right-click on it.

6. Select Properties from the options.

7. Examine the process attributes.

Output:

Lab 1.2 Determining System Interaction with Process Monitor

Tools used:

-Process Monitor

Steps of conducting lab:

1. Download Process Monitor from the website
(https://technet.microsoft.com/enus/sysinternals/processmonitor.aspx)

2. Install the software on the operating system.

3. Run Process Monitor on the operating system (run as Administrator).

4. Analyse the real-time interaction of the processes with the filesystem, registry, and
process/thread activity.

5. Press Ctrl + E on the keyboard to stop capturing events.

6. Apply a filter to display only the events related to the process svchost.exe.

Output:

CONCLUSION
Malware analysis is of utmost importance, since it helps us understand malware infections and
stop malware from spreading to other systems, files, directories and so on. Malware analysis,
static as well as dynamic, helps us understand malware and how it functions, and so
helps us prevent further attacks in a very effective manner.
