Week 2 - Lecture

Malware Forensics
Malware Analysis Environments
Why Use an Analysis Environment vs Local
● Fresh malware can be full of surprises, and if you run it on a local machine:
○ It can spread
○ Install backdoors
○ Lock your files
○ and, so on
● A safe environment will allow you to investigate the malware without
○ exposing your machine or other machines
○ the network to unexpected and unnecessary risk
○ IT contacting you and blocking your machine or traffic (happen w/ last year’s c.w.)
● Options
○ Dedicated physical machine - can build a cheap network using old PCs off E-Bay
■ See https://www.ebay.co.uk/sch/i.html?_nkw=Dell+optiplex
○ Virtual machines - can study malware usually quite safely, issue is PC resources
VM Structure

● A guest OS is installed within the host OS as a virtual machine - isolated in the virtual machine.
● Snap-shotting allows you to save the current state and roll back.
● Can clone or copy virtual machines and distribute.
● Run multiple machines at once - easier said than done on a stock PC/Laptop.
Setting up a Windows VM on Windows 10/11
● Go to https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ and get a VM
image
● Download and install in Virtual Box or use a OVA file
● Boot it in Virtual Box or another tool
● Disable Updates and add Anti-Virus folder exceptions
● Add your tools and setup any networking configuration: e.g., https://github.com/theRealFr13nd/analysisTools
Connections and Snapshots
● Never connect malware to the Internet without first performing some analysis to
determine what the malware might do when connected. Turn Network on/off (figure)
● Taking snapshots allows you save a computer’s current state and return to an earlier
state, so you see before and after the malware ran
● You can also share folders / drag and drop to share files
● Some malware can detect when it is running within a virtual machine. VMs also have
vulnerabilities which could theoretically be exploited.
Connections and Snapshots
● Never connect malware to the Internet without first performing some analysis to
determine what the malware might do when connected. Turn Network on/off (figure)
● Taking snapshots allows you save a computer’s current state and return to an earlier
state, so you see before and after the malware ran
● You can also share folders / drag and drop to share files
● Some malware can detect when it is running within a virtual machine. VMs also have
vulnerabilities which could theoretically be exploited.
Other Options
● VMware Workstation/Fusion https://www.vmware.com
● QEMU https://www.qemu.org/ very good for running IoT and Router OS’es images
● Cuckoo Sandbox https://cuckoosandbox.org/ - no explicit Windows OS due to licensing
Basic Dynamic Analysis
Step1 - Dynamic Analysis via Sandboxes online
● Online sandboxes e.g., hybrid-analysis.com
○ Number of options and choices to choose from
○ Can profile in multiple OS’es
○ Quick solution to find out as much as possible early on
○ Will run through various tools and tell you what is found
○ Try the lab’s first file
Dynamic Analysis via Sandboxes online
Dynamic Analysis via Sandboxes online
Optional Step - DNS Spoofing / Monitoring with NCAT
● You can spoof the DNS requests of Malware possible to redirect it locally
○ This isn’t always consistent on Windows, due to the complexities of the Networking stack
● But the process is to use ApateDNS, redirect to local host and listen on port 80 to see the
request (and reply, if relevant)
○ Can see the same in Wireshark often, and things via strings
● Alternative is a linux host to do similar, various Python scripts for this - example:
https://github.com/balle/python-network-hacks/blob/master/dns-spoof.py
Step 2 - Running Malware
Assuming your VM is setup and you’ve done preliminary analysis, you can run
malware carefully in isolation.
First take an initial snapshot of your VM so you can roll-back.
Executables
● Simply run from the command line which will show you output (or double click)
DLLs
● Execute rundll32.exe on the DLL with the exported function to run
○ Need to find the exports first e.g., PEView or PEiD
Running Malware - DLL example
rundll32.exe utility is a Windows program that allows users to invoke functions exported from a DLL (Dynamic Link Library).

● It’s used legitimately by Windows to run system operations

● It can also be exploited for malicious purposes as a means to run malware, and thus a way to run malware for analysis
● To run: rundll32.exe <DLLname>, <Export arguments>

For example: rundll32.exe shell32.dll, Control_RunDLL

● rundll32.exe is the utility that runs the DLL.

● shell32.dll is the DLL file containing the
functions to be executed.
● Control_RunDLL is the name of the function to
be invoked, which opens the Control Panel.
Step 3 - Monitoring Processes - ProcMon

You can monitor Malware that has been started with Process Monitor (procmon). It provides a way to monitor certain registry,
file system, network, process, and thread activity of the malware.
● Displays configurable columns containing information about individual events,
● The event’s sequence number, timestamp, name of the process causing the event, event operation, path used by the
event, and result of the event
Usage Steps:
1. Use File > Capture Events to stop monitoring and Edit > Clear Display to clear events
2. Next, run the subject malware with capture turned on.
3. choose Filter > Filter to set a filter of events
You can also filter by event types using the icons on the toolbar
● Registry - By examining registry operations, you can tell how a piece of malware installs itself in the registry.
● File system - Exploring file system interaction can show all files that the malware creates or configuration files it uses.
● Process activity - Investigating process activity can tell you whether the malware spawned additional processes.
● Network connections - shows you any ports on which the malware is listening.
Monitoring Processes - Process Explorer
● You can also monitor Malware in process explorer, it gives different information than ProcMon and shows how it is running on
the system, you can also kill the malware and see a number properties which can guide your investigation. It provides a useful
strings function, that will show strings on-file and in-memory, so you can see the difference, if any.
 Step 4 - Comparing Registry Snapshots with Regshot
● Allows you to see the registry before and after in time i.e., before malware and after running it.

Steps: Select “HTML document” ; select “1st Shot” (may take 5 mins) ; select “2nd shot” ; select “compare” ;
inspect log.
 Step 4 - Comparing Registry Snapshots with Regshot
Allows you to see the registry before and after in time i.e., before malware and after running it.

Steps: Select “HTML document” ; select “1st Shot” ; select “2nd shot” ; select “compare”; inspect
log.
Step 5 - Packet Sniffing with Wireshark
● Investigate the network
traffic packets from the
malware, to confirm other
forensic sources (network
indicators, etc), and see any
other activity.
● Same approach as you’ll
have done in other modules
Basic Dynamic Analysis In Practice
● All the tools can be used in order or together as required.
○ Using Snapshots is preferable on the VM so you can go back and forwards
○ Different malware may call for a different approach.

● Basic dynamic analysis of malware can assist and confirm your basic static analysis
findings.

● The aim is, as with basic static analysis, is find as much information upfront to thwart
the threat before a more comprehensive analysis.

Key Observation: basic static and dynamic analysis can give a lot upfront in a short period
of time
x86 Assembly I
Instruction Set Architecture (ISA)
● Is an abstract model of a computer, which defines the supported instructions,
data types, registers, etc.
● ISA specifies the behavior of machine code running on implementations of
that ISA
● Examples: Intel x86-64, ARM variants, MIPS, etc
○ https://www.mips.com/products/architectures/mips32-2/
Instruction Set Architecture (ISA)
● Essentially the machine’s language and built up from discrete statements or
instructions, which reduce to mathematical definitions.
● A given instruction may specify:
○ opcode (the instruction to be performed)
○ any explicit operands: registers, literal/constant values, addressing modes used to access
memory
 Micro-architecture
● Micro-architecture is the way a given instruction set architecture (ISA) is
implemented in hardware (i.e., microchips) – i.e., the processor.

MIPS32, 5 Stage pipeline, Havard architecture

https://github.com/grantae/mips32r1_core/tree/master/mips32r1
PC Computer Architecture
Fetch-Execute Cycle
All CPUs follow this process:
● Fetch instruction from RAM
● Decode instruction
● Execute instruction
○ Result is stored in local registers or sent back to RAM (external memory e.g., DDR)
Definitions
● Instruction: An atomic action that the cpu can perform. e.g. Add
two numbers, move some data around, etc.
○ By combining instructions we can do more complicated things.
● Register: ‘Variable’ like things in the CPU, local memory which
is fast
● Memory/RAM: Where the data and instructions are stored.
Instruction types
● Data handling and memory operations
● Arithmetic and logic operations: Add, subtract, multiply, AND, XOR
● Control flow operations: Jump, branching (go to another location in the
program and execute instructions there)
● Co-processor instructions
Low-level data types in x86 Assembly
● Word = 2 bytes. 2^16 possible values.
● Dword = 4 bytes. 2^32 possible values.
● Qword = 8 bytes. 2^64 possible values.
Registers x86
● Temporary storage local to processor
● Almost exactly the same as variables, except fixed size.
● 64-bit processors have R* registers as well that are 64bits long. e.g. RAX is
64bits, where the lower 32bits are EAX.
Instruction anatomy x86
● mnemonic op1, op2, op3
● mov eax, 4 ;
○ Mnemonic : mov
■ is the (e.g the action) – here move
■ Often called ‘instruction’
○ Op1: eax
■ is the destination
○ Op2: 4
■ is the source
● Result is:
○ eax = 4
Instruction anatomy x86

● An assembler, takes instructions and converts them to a binary executable.

● Conversely, a disassembler converts the binary to assembly language.
Register Access in x86

● 32 bit: mov eax,ecx - Affects whole register eax ← ecx

● 16 bit: mov ax,cx - Only affects low 16 bits, rest unchanged ax ← cx
○ Only the lower 16 bits of eax will be modified (i.e., the AL and AH bytes). The upper 16 bits of eax will remain
unchanged.
● 8 bit: mov al,cl - Only affects low 8 bits, rest unchanged al ← cl
Putting Instructions Together (Intel x86) = Programs

● mov EAX, 5 ; puts 5 into EAX

● mov EBX, EAX ; puts 5 into ebx
● add EBX, 10 ; adds 10 to ebx
● sub EAX, 5 ; minus five from eax
● xor EAX, EAX ; XOR eax with itself

Comments
Program Structure in Assembly*

*NASM is used here to build x86 programs

https://www.nasm.us/
Structure of a program
● DATA segment (.data)
○ Variables, strings, etc

● CODE segment (.text)

○ Assembly instructions
○ Often called the ‘text’ segment confusingly

● ENTRY POINT (Can be found in PE/ELF header)

○ An address inside the code section where the program starts. On Linux, the _start symbol –
analogous to main() in C
Anatomy of an assembly (asm) program (NASM)
Writing Assembly: Defining data (NASM)
Making Function Calls (NASM)

Function return values are typically stored in the EAX register for integer and pointer values. Therefore to use returned
value you must access it in EAX (See last lab question).
Example Windows Library call – Displaying a Message Box (Def. below)
Example Windows Library call – Displaying a Message Box (Code and Running below)
Example C Library call (MSVCRT.dll) – printf() (Code and Running below)