Malware Analysis & Reverse Engineering

Prepared by: SHIVAM KUMAR

Date: 09/04/25

About Malware

Malware / Malicious Software is a type of program that contains malicious or harmful code
embedded inapparently harmless programming or data in such a way that it can take control of
a system or its operations and cause damage, such as running the file allocation table on a hard
drive.

Malware poses a major security threat to the information security. Malware writers explore new
attack vectors to exploit vulnerabilities in information systems. This leads to ever more
sophisticated malware attacks, including drive by malware, 'maladvertising' (or 'malvertising'),
Advanced Persistent Threats (APT), and so on. Though organizations try hard to defend
themselves using comprehensive security policies and advanced anti-malware controls, the
current trend indicates that malware applications are targeting 'lower-hanging fruit':
undersecured smartphones, mobile applications, social media, and cloud services. The problem
is further complicated because of threat predictions. As McAfee stated in its McAfee Labs
Threats Report published in December 2017, 'The biggest number of the quarter is our count of
new malware, which reached an all-time high of 57.6 million new samples, an increase of 10%
from Q2. The total count in the McAfee Labs sample databases is now more than 780 million.
New ransomware rose by 36% this quarter, largely from widespread Android screen-locking
malware. The easy availability of exploit kits and dark web sources fuel the rapid creation of
new malware'.

Malware Analysis

Malware analysis provides an in-depth understanding of each individual sample and identifies
emerging technical trends from the large collections of malware samples without actually
executing them. The samples of malware are mostly compatible with the Windows binary
executable. There are variety of goals in performing Malware analysis.
FLARE VM

Why Malware Analysis?

Malware analysis can be conducted with various objectives in mind:

• To understand the capabilities of the malware.

• Determine how the malware functions Asses the intrusion damage.

• Identify indicators that will helps us determine other infected machine by the same
malware and the level of infection in the network.

• Help us identify if the malware is exploiting any vulnerability or on how it is persisting on

the system.

• Determine the nature & purpose of the malware.

• To understand who is targeting & how good they are.

• To understand what information did they steal.

Types of Malware Analysis

• Static analysis: is the process of analyzing malware without executing or running it. The
objective is to extract as much metadata from the malware as possible. (Strings, PE
Headers)

• Dynamic analysis: is the process of executing malware and analyzing it's functionality
and behaviour. The objective is to understand exactly how and what the malware does
during the execution. This is done in a debugger.
 • Code analysis: is the process of analyzing/reverse engineering assembly code. This can
be both statically and dynamically done (Static and Dynamic code analysis).

• Behavioural analysis: is the process of analyzing and monitoring the malware after
execution. It involves monitoring the processes, registry entries and network monitoring
to determine the workings of the malware.

njRAT - Remote Access Trojan

njRAT is a RAT with powerful data-stealing capabilities. In addition to loggin keystrokes, it is

capable of accessing a victim's camera, stealing credentials stored in browsers, uploading and
downloading files, performing the process and file manipulations, and viewing the victim's
desktop.

RATs help an attacker to remotely access complete GUI, control victim's computer without his or
her awareness and are capable of performing screening and camera capture, code execution,
keylogging, file access, password sniffing, registry management, and so on. It infects victims via
phishing attacks and drive by downloads and propagates through infected USB keys or
networked drives. It can download and execute additional malware, execute shell commands,
read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.
njrat-banner

The njRAT Trojan can be used to control Botnets (network of computers), allowing the attacker
to update, uninstall, disconnect, restart, close the RAT, and rename its compaign ID. The attacker
can further create and configure the malware to spread through USB drives with the help of the
Command and Control server software.

https://mrpirate.net/njrat/

Objectives

• Create a server using njRAT.

• Access the target machine remotely.

Requisites

• Windows 10 (Attacker).

• Windows 7, 8 or Server (Target).

Create an Executable Server with njRAT

1. Log in to the Windows 10 and install the njRAT.

2. Launch the njRAT, the GUI appears along with a pop-up, where you need to specify the
port you want to use to interact with the target machine. Use the default port
number 5552, and click Start.

3. Click on Builder at lower-left corner.

4. On the Builder dialog-box, enter the IP address of the Attacker machine - Windows 10,
check the option Copy to StartUp and Registry StarUp, then click Build as shown below:
 5. Save the file on the Desktop and name as Example.exe.

6. Now, we need to use any technique to send this server to the intended target through
mail or any other way.
To make this easier in this lab, I copied the Example.exe file in the shared network
location.

Execute the Server on the Target Machine

In this Lab I'm using Windows 7 SP1 virtual machine.

Note: Make sure to enable the Firewall on the target machine.

1. Drag the Example.exe file to your Desktop and double-click it.

As you can see below, the connection was successfully

established.

2. Switch back to the Windows 10 (Attacker). When the target double-clicks the server, the
executable starts running and the njRAT GUI running on the Windows 10 establishes a
persistent connection with the Target machine as show below:
 The GUI displays the machine's basic details such as the IP address, OS, user name and
so on.

Note: Unless the attacker disconnects the server on his own, the victim machine remains under
his control.

Manipulate Files on Target machine

• Right-click on the detected Target machine and click Manager.

Double-click on any directory in the left pane. You can right-click any selected directory
and manipulate it using the contextual options:
Manage the Processes

• Click on Process Manager on the top menu. You will be redirected to the Process
Manager, where you can right-click any process and perform actions such as Kill, Delete,
and Restart.
Manage the Connections

• Click on Connections on the top menu and select a specific connection, right-click on it,
and click Kill Connection. This action kills the connection between two machines
communicating through a particular port.
Manage the Registries

• Click on Registry on the top menu and choose a registry from the left pane, right-click on
its associated registry files, a few options appear to manipulate them.
Launch a Remote Shell

• Click on Remote Shell on the top menu. This action launches a remote command
prompt of the target machine.
 Similarly, you can issue all the other commands that can be executed in the command
prompt of the target.

Run File

• On the main window of njRAT, righ-click on the Target machine and select Run File. An
attacker makes use of these options to execute scripts or files remotely from his/her
machine.
Launch a Remote Desktop Connection

• Righ-click on the Target machine and select Remote Desktop Connection

This launches a remote desktop connection without target's consent. You will be able to
remotely interact with the victim machine using the mouse or keyboard.
 In the same way, you can select the Remote Cam and Microphone to spy on the target
and track voice conversations.

Perform Key Logging

• Switch to the Windows 7 (Target machine). Let's assume that you are a legitimate user
and perform a few activities such as logging into any websites or typing text in some
documents.

• Now, switch back to Windows 10 machine / njRAT GUI and right-click on the target
machine, select the Keylogger option.
 The keylogger window appears, displaying all the keystrokes performed by the target.

In case the victim/target, attempts to break the connection by restarting the machine, however,
as soon the victim logs again, the njRAT client will automatically establishes a connection with
the victim.

HTTP RAT Trojan

HTTP/HTTPS Trojans can bypass any firewall, and work as kind of a straight HTTP tunnel, but one
that works in reverse. They use web-based interfaces and port 80 to gain access. The execution
of these trojans takes places on the internal host and spawns a "child" at a predetermined time.
The child program appears to be a user to the firewall so it allows the program access to the
internet. However, this child executes a local shell, connects to the web server that the attacker
owns on the internet through a legitimate-looking HTTP request, and sends it a ready signal.
The legitimate-looking answer from the attacker's web server is in reality a series of commands
that the child can execute on the machine's local shell.
Auditing a network against HTTP RATs is generally more difficult as well as essential, as most
firewalls and other perimeter security devices cannot detect traffic generated by a HTTP RAT
Trojan.

Remote Access Trojans (RATs) are malicious programs that run invisibly on the host's PC and
permit an intruder remote access and control. A RAT can provide a backdoor for administrative
control over the target computer. Upon compromising the target system, the attacker can use it
to distribute RATs to other vulnerable computers and establish a botnet.

Objectives

• Create a server and Run HTTP Trojan on Windows Server 2012.

• Execute the Server from Windows 10 virtual machine.

• Control Windows 10 machine remotely from Windows Server 2012.

Requisites

• Windows Server 2012 virtual machine (Attacker).

• Windows 10 virtual machine (Target).

Create a Trojan on Windows Server

1. Log on to Windows Server 2012 and install the HTTP RAT TROJAN
tool: https://anonfile.com/HaT8v9Jbn7/HTTP_RAT_TROJAN_zip
2. Double-click httprat.exe, the HTTP RAT main window appears as shown below:

3. Uncheck send notification with IP address to mail option, enter the server
port to 84 and click Create.

4. Once the httpserver.exe file is created, a pop-up will be displayed, click OK and share the
file with Windows 10 virtual machine.
 The file will be saved into HTTP RAT TROJAN folder as show below:

Execute the Trojan on Windows 10

5. Now log into Windows 10 and navigate to the place where you saved the httpserver.exe
file. Double click to run the Trojan.
 6. You will be able to see the Httpserver process in the task manager:

Analyze the Target Machine

1. Switch back to the Windows Server 2012 and launch the web browser.

2. Enter the IP address of Windows 10 in the address bar to access the machine.

Note: it is normal to get some errors on the first requests, the browser may fail to connect - just
reload the webpage a couple times.
• If everything works, you should get this window:

• Click on the Running procesess link to list down processes running on the Windows 10.
It is possible to kill any process from here.
 • Click browse and then click Drive C to explore the contents in this drive.

• Click computer info to view information of the computer, users and hardware.

After you done, end the Httpserver.exe process in Windows 10.

Obfuscating a Trojan using SwayzCryptor

SwazCryptor a encrypter (or 'cypher') that allows users to encrypt the source code of their
program.
A Crypter is a software used to hide viruses, keyloggers, or any RAT tool from antiviruses so that
are not detected and deleted by AV's. It simply assings hidden values to each individual code
within the source code. Thus, the source becomes hidden, making it difficult for the AV tools to
scan it.

Objectives

• How to crypt a Trojan and make it partially/ completely undetectable.

Requisites

• Windows 10 virtual machine (Attacker).

• Windows 7 or 8 virtual machine (Target).

Scanning Malicious File

1. Log into Windows 10.

2. Launch a web browser and enter the URL: https://antiscan.me

3. Uplaod the malware file created in previous lab and start the scanner.

• This site scan with various anti-virus programs in its database, and displays the scan
result shown below:
 • Note the number of detection from AV's 21/26.

Crypt a Trojan file using SwayzCryptor

1. Download the SwayzCryptor and launch the program.

https://anonfile.com/JfI8EfI7ne/SwayzCryptor_zip

2. Select the same malicious file that you have scanned:

 3. Check the options Start up, Mutex and Disable UAC, then click Encrypt to start.

4. Scan the generated CryptedFile from SwayzCryptor on https://antiscan.me

Note the file detected by very few anti-virus programs now, 12/26.

Test out the CryptedFile.exe

You can easily test if everything works using njRAT, share the malicious file with any Windows
virtual machine, execute the file with njRAT opened on the Windows 10 machine. In case you're
reading this tutorial randomly, on the previous lab is explained how to do this.
Malware Analysis Virtual Environment

REMnux

REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering
malicious software. It strives to make it easier for forensic investigators and incident responders
to start using the variety of freely-available tools that can examine malware, yet might be
difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight
distro incorporates many tools for analyzing Windows and Linux malware, examining browser-
based threats such as obfuscated JavaScript, exploring suspicious document files and taking
apart other malicious artifacts. Investigators can also use the distro to intercept suspicious
network traffic in an isolated lab when performing behavioral malware analysis.

https://remnux.org/

Tsurugi Linux

Tsurugi Linux is a new heavily customized Linux distribution (first release 03/Nov/2018 at
AvTokyo security conference in Japan) based on Ubuntu 16LTS version (64-bit with the new
5.4.2 custom kernel) and is designed to support DFIR investigations, malware analysis and OSINT
activities.

https://tsurugi-linux.org/

FLARE VM

FLARE VM is a freely available and open sourced Windows-based security distribution designed
for reverse engineers, malware analysts, incident responders, forensicators, and penetration
testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and
others, FLARE VM delivers a fully configured platform with a comprehensive collection of
Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic
analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability
assessment applications, and many others.
FLARE VM

Setup the Flare VM Environment

The process is very simple, make sure to download the FLARE VM on official GitHub
repository by FireEye, and the Windows 7 virtual machine.

The setup is very easy, just fire up your fresh new Windows 7 VM and install the Flare VM PS
scripts. I separeted some useful links on setting up the FLARE VM.

• Official FireEye Repo - Flare VM

• Tutorial by FireEye

• HackerSploit Environment Setup Tutorial [Video]

• HackerSploit Malware Analysis Playlist [Video]

MoSucker

MoSucker is a visual basic Trojan. MoSucker's edit server program. It has a client with the same
layout as sub Seven's client.

MoSucker is a powerful backdoor-hacker's remote access tool. The backdoor renames

NETSTAT.EXE to NETSTAT.OLD when it is first activated and renames the file back when it is
uninstalled. The backdoor also can install itself in a system with modification of startup keys in
the Registry or INI files.

https://anonfile.com/90ZeF1Ifn7/MoSucker_zip
mosucker
ProRat

ProRat is a Remote Administration Tool written in C, and capable of working with all Windows
OS.

ProRat was designed to allow users to control their own computers remotely from other
computers. However, attackers have co-opted it for their own nefarious purposes. Some hackers
take control of remote computer systems to conduct a denial of service (DoS) attack, which
renders the target system unavailable for normal personal or business uses.

https://anonfile.com/V4x6GfI8nb/ProRat_zip

Theef

Theef is a Windows-based application for both client and server. The Theef server is a virus that
you install on a target computer, and the Theef client is what you then use to control the virus.

Theef is a Remote Access Trojan written in Delphi, which gives remote attackers system access
via port 9871.

https://anonfile.com/faf0H8I7na/Theef_zip
JPS Virus Maker Tool

JPS Virus Maker is a tool to create viruses. It also has a feature for converting a virus into a
worm.

https://anonfile.com/b4A1x0J6ne/JPS_Virus_Maker_zip
Internet Worm Maker Thing

Internet Worm Maker Thing is an automated scripting tool used to generate malicious code. It
enables you to specify criteria down to the most basic element, including the action you want it
to perform, it display language, and its launch date.

https://anonfile.com/x9Y9x8J6nf/IWMT_zip
Regshot

The purpose of this software is to compare your registry at two separate points by creating a
snapshot of the registry before any system changes or when programs are added, removed, or
modified and then taking a second snapshot after the modifications then comparing them.

Regshot is a great utility that you can use to compare the amount of registry entries that have
been changed during an installation or a change in your system settings. It is a great tool for
troubleshooting and monitoring your registry.

https://sourceforge.net/projects/regshot/
WinPatrol

WinPatrol is a computer monitoring utility used to protect files and folders from any unwanted
changes.

http://www.winpatrol.com/download.html
winpatrol

TCPView

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints
on your system, including the local and remote addresses and state of TCP connections. On
Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns
the endpoint. TCPView provides a more informative and conveniently presented subset of the
Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a
command-line version with the same functionality.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
Autoruns

This utility, which has the most comprehensive knowledge of auto-starting locations of any
startup monitor, shows you what programs are configured to run during system bootup or login,
and when you start various built-in Windows applications like Internet Explorer, Explorer and
media players. These programs and drivers include ones in your startup folder, Run, RunOnce,
and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper
objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond
other autostart utilities.

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

ClamWin

ClamWin is a Free Antivirus program for Microsoft Windows 10 / 8 / 7 / Vista / XP / Me / 2000 /

98 and Windows Server 2012, 2008 and 2003. ClamWin Free Antivirus is used by more than
600,000 users worldwide on a daily basis. It comes with an easy installer and open source code.
You may download and use it absolutely free of charge.

http://www.clamwin.com/
clamwin