Malware Analysis Techniques

Questions and Answers

What is the primary purpose of analyzing malware?

• To evaluate the security of existing antivirus programs
• To quantify the financial loss due to the attack
• To determine the impact and intent of the malware (correct)
• To identify the developer of the malware

Which aspect does malware analysis specifically help in understanding?

• The marketing strategies of antivirus companies
• The exploited vulnerabilities in the system (correct)
• The geographical distribution of malware
• The duration of malware on the system

What characterizes an Indicator of Compromise (IoC)?

• A method to prevent malware installation
• A tool used to enhance system performance
• A report generated by antivirus software
• A sign that a system has been compromised (correct)

Why is determining the complexity level of a malware intruder important?

To understand how sophisticated the attack is (D)

What is the main role of analyzing malware signatures?

To help Intrusion Detection Systems (IDS) detect similar attacks (D)

Which option reflects a common misconception about malware analysis?

It focuses solely on the malware's size and growth (A)

What is a significant outcome of understanding the intent of malware?

It informs the refinement of incident response protocols (D)

What is one major benefit of identifying exploited vulnerabilities in malware analysis?

To enable targeted security patches and preventive measures (A)

Which tool is primarily utilized to disassemble malware?

IDA Pro (B)

What function do debugging tools like OllyDbg and WinDbg serve in malware analysis?

To run malware in a controlled environment and observe its behavior (B)

What insight can disassembling malware provide to an investigator?

The program logic and potential threats posed by the malware (B)

What advantage does assembly language offer in malware analysis?

It allows reverse engineering to understand the inner workings of the malware (A)

Why is system baselining important in malware analysis?

To detect changes made to the system during analysis (A)

What type of analysis do tools like VirusTotal primarily perform?

Static analysis of file contents (A)

Which of the following best describes the purpose of reverse engineering in malware analysis?

To understand malicious code and its potential impacts (B)

What is a key benefit of observing malware behavior during dynamic analysis?

Understanding how malware interacts with the system (B)

What type of information can be derived from a PE file's metadata?

Time and date of compilation, imported/exported functions, and linked libraries (D)

Which tool is specifically designed for analyzing PE files and extracting their metadata?

PEview (C)

What resources can tools like PE Explorer and Resource Hacker extract from PE files?

Embedded resources like icons, version info, and strings (A)

In malware analysis, why is examining the imported and exported functions of a PE file critical?

To identify external libraries and track its activities (C)

What is a key reason for identifying file dependencies during malware analysis?

To understand the malware's interactions with the operating system and libraries (C)

Which of the following is NOT a feature of the PE file metadata?

The date the file was last accessed (D)

How does analyzing PE file metadata assist in detecting malware?

It provides insights into its structure and potential malicious behavior (A)

What information can be inferred from the linked libraries of a PE file?

The execution environment's resource requirements (D)

What is the primary goal of file fingerprinting in malware analysis?

To create a unique identifier for the malware file and compare it to known malware (D)

Which method is most effective for uncovering a malware file's true functionality when it is obfuscated?

Identifying packing or obfuscation methods (D)

What insights can be gained from analyzing the Portable Executable (PE) information of a malware sample?

To understand the structure of Windows-based malware through its headers and sections (C)

What does calculating the hash value of a malware binary primarily help with?

To track any changes made to the binary code during analysis (A)

When analyzing malware, what is the significance of the file's dependencies?

They help identify the execution environment of the malware (D)

In static malware analysis, which aspect does disassembly primarily focus on?

Breaking down the executable into readable assembly code (B)

What role does analyzing system behavior play in understanding malware?

It describes how the malware interacts with other files (B)

For what purpose might an analyst perform a strings search on a malware binary?

To extract textual information that might indicate functionality (C)

What is a primary use of the MD5 hash in malware analysis?

It ensures the file has not been altered or corrupted. (C)

If the MD5 checksum of a file changes, what does this indicate?

The file has been modified or tampered with. (A)

Which tool is specifically designed for calculating MD5 hashes on Windows?

WinMD5 (B)

What is the main function of registry entry monitoring tools in malware analysis?

To monitor registry changes made by suspicious applications. (A)

Why is it important to verify the MD5 hash of a file during malware analysis?

It confirms the authenticity of the file. (A)

Which of the following is a significant outcome of detecting changes in a file's MD5 checksum?

It suggests possible malware interference. (C)

Which tool is recognized for monitoring registry activity in real-time during malware analysis?

Process Monitor (B)

What does an unchanged MD5 hash of a file confirm?

The file has retained its original state. (A)

What is the primary function of the Windows Service Manager?

To manage Windows services, including creating, deleting, and changing configurations (D)

Which action can the Windows Service Manager (SrvMan) perform without restarting Windows?

Create Win32 and Legacy Driver services without restarting Windows (C)

What types of services can be created using the Windows Service Manager?

Win32 and Legacy Driver services (C)

What initial step is recommended for detecting malware in document files?

Enlist common vulnerabilities and exploits (D)

What specific elements should be scrutinized in a document to identify malware?

Suspicious elements or pointers of malware (C)

What is the purpose of searching for encrypted scripts in a document during malware analysis?

To decrypt and identify hidden malicious scripts (B)

What should be done with scripts extracted from a document during malware analysis?

Analyze the scripts for malicious activity (D)

Which of the following is NOT a primary function of the Windows Service Manager?

Creating new user accounts (A)

Flashcards

Why Analyze Malware?

Analyzing malware helps understand its impact and malicious intent, such as stealing data or disrupting systems.

What does malware analysis reveal?

Malware often exploits vulnerabilities in systems. Analyzing it reveals which vulnerability was used, allowing you to fix it and prevent future attacks.

What is an IoC?

Indicators of Compromise are patterns, files, or behaviors suggesting a system has been compromised. They help security teams detect and respond to attacks.

Why assess intruder complexity?

Knowing the complexity of the intruder helps assess the sophistication of the attack - a skilled hacker or an amateur threat. This guides defense strategies.

Why find malware signatures?

Malware analysis identifies unique patterns (signatures) that help Intrusion Detection Systems (IDS) recognize and stop similar attacks in the future.

File Fingerprinting

A technique used in static malware analysis to generate a unique identifier for a malware file. This identifier is then compared to a database of known malware signatures to identify the malware.

Static Malware Analysis

The process of analyzing the contents of a malware file without executing it. This involves examining file headers, strings, functions, and other static properties.

Packing/Obfuscation

Techniques used by malware authors to hide the actual purpose and functionality of malware. This involves altering the code to make it difficult to understand and analyze.

PE (Portable Executable) Format

A standard executable file format used by Windows operating systems. It contains metadata and information about the structure of the executable, such as headers, sections, and entry points.

Hash Value

A unique hash value calculated from the contents of a file. It acts as a digital fingerprint, allowing for verification of file integrity and detection of modifications.

Identifying Packing/Obfuscation

Malware often hides its true behavior by using packing and obfuscation techniques. Identifying these methods helps analysts reveal the malware's actual functionality.

Analyzing PE Information

Analyzing the PE information helps in understanding the structure and functionality of a Windows executable by examining headers, sections, and other details.

Dynamic Malware Analysis

A type of analysis that focuses on the actions and behavior of malware during execution. This involves monitoring the malware's interactions with the system, network, and other processes.

What info does PE file metadata reveal?

PE files store metadata revealing key details about the executable, such as the date and time of compilation, imported functions it uses from external libraries, and linked libraries it depends on.

How do we analyze PE files?

PEview is a frequently used tool for analyzing PE files to extract metadata like imported functions and resources.

What can we discover inside executables?

PE Explorer and Resource Hacker are specialized tools for examining embedded resources within PE files. These resources can include things like icons, menus, version information, and strings.

Why analyze imported/exported functions in malware?

Examining imported and exported functions helps identify which external libraries a PE file uses to run. This provides vital clues about its behavior. In the context of malware analysis, it helps understand how malware interacts with the system.

Why analyze executable's dependencies?

Understanding an executable's file dependencies, such as external libraries, explains how it interacts with the operating system. This is crucial for understanding a malware's tactics and impact.

What tool disassembles malware?

IDA Pro is a tool commonly used to disassemble and reverse engineer malware into assembly code, allowing analysts to understand its logic and functionality.

What do OllyDbg and WinDbg do?

OllyDbg and WinDbg are debugging tools that provide a safe environment to run malware, allowing analysts to examine its behavior step-by-step.

What do you discover by disassembling malware?

By disassembling malware, investigators can understand the program's logic and identify potential threats, such as data theft or system damage.

Why is assembly code helpful for malware analysis?

Assembly code provides a low-level view of malware's functions, allowing analysts to analyze its inner workings and understand its manipulation techniques.

Purpose of system baselining

System baselining creates a snapshot of the system's initial state, allowing analysts to detect any changes made by the malware during analysis.

What is dynamic malware analysis?

Dynamic analysis involves observing the malware's behavior and interactions with the system, network, and other processes while it is running.

Why is dynamic malware analysis crucial?

Dynamic analysis helps analysts observe real-time interactions, understand the malware's functionality in a live environment, and gather valuable insights about its behavior.

What is an MD5 hash?

A unique digital fingerprint created by hashing the contents of a file. It's used to check if the file has been tampered with or modified.

What tool is useful for calculating MD5 hashes on Windows?

WinMD5 is a dedicated software tool designed for calculating the MD5 hash of files on Windows operating systems.

What does a change in a file's MD5 hash indicate?

A change in the MD5 hash indicates that the file has been modified in some way, potentially due to malware tampering.

What is the purpose of registry entry monitoring in malware analysis?

Registry entry monitoring tools are used to track modifications made to the Windows registry. This is particularly helpful in detecting changes caused by suspicious programs like malware.

What tool is commonly used for monitoring registry changes during malware analysis?

Process Monitor is a widely used tool for monitoring system activity, including changes to the registry. It provides real-time data about processes and registry events.

What is static malware analysis?

Static analysis involves examining the contents of a file without actually running it. This includes looking at the file header, strings, functions, and other static properties.

What are packing and obfuscation in the context of malware?

Packing and obfuscation are techniques used by malware authors to hide the true purpose and functionality of malware. They alter the code to make it more difficult to understand and analyze.

What is Windows Service Manager?

Windows Service Manager (SrvMan) is a tool used for managing Windows services, including creating new ones, deleting existing ones, and modifying their configurations.

What types of services can SrvMan create?

SrvMan can create both Win32 and Legacy Driver services without requiring a system restart.

What's the first step in detecting malware in documents?

The first step in detecting malware in document files is to identify common vulnerabilities and exploits that could be targeted by malicious code.

What should you examine in a document for malware?

When analyzing a document for malware, you should look for elements or patterns that suggest malicious activity.

Why extract encrypted scripts?

Extracting encrypted scripts from a document during malware analysis is done to decrypt and analyze hidden malicious code.

What to do after extracting scripts during malware analysis?

After extracting scripts from a document, you should analyze them for malicious activity, such as data theft, system disruption, or network access.

What is packing and obfuscation?

Malware often uses packing and obfuscation techniques to conceal its purpose and functionality.

What is PE format?

PE (Portable Executable) is a standard file format used by Windows for executables. It contains metadata and essential information about the executable's structure.

Study Notes

Malware Analysis Techniques

• Static analysis: Examining the malware's code without running it.
• Dynamic analysis: Running the malware in a controlled environment to observe its behavior and interactions.
• Behavioral analysis: Analyzes the actions and behavior of the malware to understand its purpose and effect.
• File fingerprinting: Creating a unique identifier for a file.
• Hashing: Calculating a unique value for a file, used to compare files.
• Malware disassembly: Converting the binary code into assembly language to understand the program logic and behavior.

Malware Analysis Tools

• VirusTotal: A free online service analyzing files for malicious content.
• RegScanner: Searching for specific registry values.
• TCPView: Displaying a list of all currently opened TCP/IP and UDP ports.
• PEview: Analyzing PE files to extract metadata.
• Wireshark: Analyzing network traffic in real-time.
• Process Monitor: Monitoring system processes and changes.
• Hex Workshop: Extracting strings from an executable file.
• IDA Pro: Disassembling malware into assembly language.
• Capsa Network Analyzer: Capturing and analyzing live network traffic.
• PortMon: Monitoring live open ports.
• DriverView: Viewing installed device drivers.
• Regshot: Snapshots of the registry.
• API Monitor: Intercepts API calls made by a suspected program.
• CurrPorts: Showing a list of TCP/IP and UDP ports.
• Dependency Walker: Identifying file dependencies.

Malware Analysis Procedures

• Identify the malware type and its possible behavior.
• Execute the malware in a controlled sandbox.
• Monitor system activity during execution.
• Investigate changes in the file system.
• Analyze network traffic and communications.
• Observe registry modifications.
• Extract readable strings.
• Determine the impact and intent of the malware.
• Analyze all possible vulnerabilities exploited by the malware.
• Identify any data exfiltration occurring during execution.

Anti-Analysis Techniques

• Encryption / Obfuscation: Hiding the true functionality of the malware's code.
• Packing / Compression: Compressing the file's size and obfuscating the code.
• Modifying system behavior: Changing how the operating system functions.
• Record deletion / Anti-debugging measures: Techniques to avoid detection or analysis.