Intro to Malware Analysis Tryhackme Walkthrough

What to do when you run into a suspected malware

Cyber Rey
7 min read · Nov 30, 2023

This write-up covers the Intro to Malware Analysis Room on TryHackMe.
Learning Path (s): SOC Level 1
Module: Digital Forensics and Incident Response
Skill: Forensics Tool, Malware

Every once in a while, when you are working as a SOC analyst, you will come across content (a file or traffic) that seems suspicious, and you will have to decide whether that content is malicious or not. It is normal to feel confused by all the mixed signals that such content provides. This becomes a little overwhelming for somebody who is just starting in cybersecurity, and it is common to begin second-guessing oneself. Knowing what steps to take to resolve such a scenario is helpful. This room lays down some steps to help you reach an initial conclusion about a particular suspicious file.

We’re going to be using a Remnux (Reverse Engineering Malware Linux) VM and commands such as pecheck, md5sum, file, and strings to do some static analysis. We’ll also check sites like VirusTotal and Hybrid Analysis to look at data on some malware samples.

Malware Analysis

Malware

The word malware is derived from the term MALicious softWARE. Therefore, any software that has a malicious purpose can be considered malware. Malware is further classified into different categories based on its behavior.

The purpose behind Malware Analysis

Malware Analysis is an important skill to have. As a quick overview, Malware Analysis is performed by the following people in the Security Industry:

  • Security Operations teams analyze malware to write detections for malicious activity in their networks.
  • Incident Response teams analyze malware to determine what damage has been done to an environment to remediate and revert that damage.
  • Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.
  • Malware Researchers in security product vendor teams analyze malware to add detections for them in their security products.
  • Threat Research teams in OS Vendors like Microsoft and Google analyze malware to discover the vulnerabilities exploited and add more security features to the OS/applications.

Overall, it seems like many different people do malware Analysis for many compelling reasons. So let’s see how to start!

Task Question(s)

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

Which team uses malware analysis to look for IOCs and hunt for malware in a network?

  • The answer can be found in the reading.

Techniques of Malware Analysis

There are several techniques that can be used for malware analysis, depending on the goals and resources of the analyst. Here are some of the most common techniques:

  1. Static Analysis: This technique involves analyzing the code or binary of the malware without actually executing it. This can be done by disassembling or decompiling the code, examining it for patterns or signatures, and identifying functions or behaviors that are characteristic of malware.
  2. Dynamic Analysis: This technique involves running the malware in a controlled environment, such as a virtual machine or sandbox, and observing its behavior as it executes. This can be done to identify specific actions or functions that the malware performs, such as connecting to a remote server or modifying system files.
  3. Advanced Malware Analysis techniques are used to analyze malware that evades basic static and dynamic analysis. For performing advanced malware analysis, disassemblers and debuggers are used. Disassemblers convert the malware’s code from binary to assembly so that an analyst can look at the instructions of the malware statically. Debuggers attach to a program and allow the analyst to monitor the instructions in malware while it is running. A debugger allows the analyst to stop and run the malware at different points to identify interesting pieces of information while also providing an overview of the memory and CPU of the system. We will not cover advanced malware analysis in this room. However, it will be covered in a future module targeting malware analysis.
  4. Other techniques include Code Reversing, Network Traffic Analysis, and Behavioral Analysis.

Task Question(s)

Which technique is used for analyzing malware without executing it?

  • The answer can be found in the reading.

Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment?

  • The answer can be found in the reading.

Basic Static Analysis

When analyzing a new piece of malware, the first step is usually performing basic static analysis. Basic static analysis can be considered sizing up the malware, trying to find its properties before diving deep into analysis. It provides us with an overview of what we are dealing with. Sometimes it might give us some critical information, for example, what API calls the malware is making or whether it’s packed or not. However, other times, it might only give us information to help us size the malware up and give us an idea of the effort required to analyze it.
So without further ado, let’s see some of the techniques we can use to perform basic static analysis.

Caution!

Although static analysis is performed without running the malware, it is highly recommended that you perform malware analysis in an isolated Virtual Machine. You can create a clean snapshot of your Virtual Machine before performing any malware analysis and revert it to start from a clean state again after every analysis. Don’t perform malware analysis on a live machine not purpose-built for malware analysis. For this room, we will be using the attached Remnux VM. Remnux (Reverse Engineering Malware Linux) is a Linux distribution purpose-built for malware analysis. It has many tools required for malware analysis already installed on it.

Setting up: 💡 Start the attached TryHackMe VM, or connect to it over OpenVPN from your own machine.

Default credentials:

  • Username: ubuntu
  • Password: 123456

Task Question(s)

In the attached VM, there is a sample named ‘redline’ in the Desktop/Samples directory. What is the md5sum of this sample?

  • Navigate to the specified directory cd ~/Desktop/Samples/ and use md5sum redline command. Copy the hash for the answer.

What is the creation time of this sample?

  • Use VirusTotal and check the Details → then scroll down to the History section for creation time.

The PE File Header

The PE file header is a data structure at the beginning of a Windows executable file. It contains information such as the machine type, number of sections, timestamp, entry point, image base, and section headers. Analyzing the PE file header can help identify key attributes of the file and potential security threats.

Analyzing PE Header using pecheck utility

PECheck is a command-line utility that analyzes the PE header of Windows executable files. It can display information about the file, header, sections, import/export tables, resources, and digital signatures. This helps analysts quickly identify key attributes of a file and determine whether it needs further analysis.

Check PE Header → pecheck wannacry
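To show what pecheck is reading out of the header, here is an added example that is not part of the room or of the REMnux tooling: a standard-library-only Python parser that walks the DOS header, COFF header and section table, and computes each section's Shannon entropy the way the entropy question below expects. The PE bytes it parses are a constructed two-section skeleton built in build_sample(), not the redline sample.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for packed or encrypted code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(blob: bytes) -> dict:
    """Read e_lfanew, the COFF header and the section table (no pefile needed)."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]          # offset of "PE\0\0"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp (the compile time VirusTotal shows as
    # creation time), PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, flags
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sec_off = coff + 20 + opt_size                              # table follows optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_off + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": round(shannon_entropy(raw), 2)})
    return {"md5": hashlib.md5(blob).hexdigest(), "machine": hex(machine),
            "timestamp": stamp, "sections": sections}

def build_sample() -> bytes:
    """Constructed PE skeleton for the demo (not a real sample): .text holds 64 distinct bytes, .reloc is zeros."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 2, 1670544000, 0, 0, 0, 0x0102)
    data_off = len(dos) + len(coff) + 2 * 40                                # raw data after section table
    text = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, data_off, 0, 0, 0, 0, 0x60000020)
    reloc = struct.pack("<8sIIIIIIHHI", b".reloc", 32, 0x2000, 32, data_off + 64, 0, 0, 0, 0, 0x42000040)
    return dos + coff + text + reloc + bytes(range(64)) + b"\0" * 32

if __name__ == "__main__":
    for key, value in parse_pe(build_sample()).items():
        print(key, value)
```

Run it against a real file by replacing build_sample() with open(path, "rb").read(); a .text entropy close to 8 is the usual hint that a sample is packed.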

Task Question(s)

In the attached VM, there is a sample named ‘redline’ in the directory Desktop/Samples. What is the entropy of the .text section of this sample?

  • Use the pecheck redline command and find the "text entropy" value.

The sample named ‘redline’ has five sections. .text, .rdata, .data, and .rsrc are four of them. What is the name of the fifth section?

  • This information is in the same section as the entropy value.

From which DLL file does the sample named ‘redline’ import the RegOpenKeyExW function?

  • Use pecheck redline | grep -i "regopenkey" to display only the lines that contain "regopenkey".

Basic Dynamic Analysis

This section covers

  • Cuckoo’s Sandbox
  • CAPE Sandbox
  • Online Sandboxes
  • Analyzing samples using Hybrid Analysis

Task Question(s)

Check the hash of the sample ‘redline’ on Hybrid Analysis and check out the report generated on 9 Dec 2022. How many domains were contacted by the sample?

  1. Use HybridAnalysis → Report Search and input the hash to find the relevant report.
  2. Look for the result that matches the date we need.
  3. Scroll down a little to look for the number of domains.

In the report mentioned above, a text file is accessed by the sample. What is the name of that text file?

  • Use Ctrl+F Search for a .txt file in the report.

Anti-analysis techniques

Malware authors have some tricks up their sleeves that hamper that effort. Some of these techniques are as follows:

  • Long sleep calls: Malware authors know that sandboxes run for a limited time. Therefore, they program the malware not to perform any activity for a long time after execution. This is often accomplished through long sleep calls. The purpose of this technique is to time out the sandbox.
  • User activity detection: Some malware samples will wait for user activity before performing malicious activity. The premise of this technique is that there will be no user in a sandbox. Therefore there will be no mouse movement or typing on the keyboard. Advanced malware also detects patterns in mouse movements that are often used in automated sandboxes. This technique is designed to bypass automated sandbox detection.
  • Footprinting user activity: Some malware checks for user files or activity, like if there are any files in the MS Office history or internet browsing history. If no or little activity is found, the malware will consider the machine as a sandbox and quit.
  • Detecting VMs: Sandboxes run on virtual machines. Virtual machines leave artifacts that can be identified by malware. For example, some drivers installed in VMs being run on VMWare or Virtualbox give away the fact that the machine is a VM. Malware authors often associate VMs with sandboxes and would terminate the malware if a VM is detected.

This list is not exhaustive but gives us an idea of what to expect when analyzing malware. In a future module dedicated to malware analysis, we will discuss these techniques and ways to detect malware that employs them.

Task Question(s)

Which of the techniques discussed above is used to bypass static analysis?

  • The answer can be found in the reading.

Which technique discussed above is used to time out a sandbox?

  • The answer can be found in the reading.

Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!