Analyze malicious samples, write reports, and use industry-standard methodologies to confidently triage and analyze adversarial software and malware

Key Features

  • Investigate, detect, and respond to various types of malware threat
  • Understand how to use what you've learned as an analyst to produce actionable IOCs and reporting
  • Explore complete solutions, detailed walkthroughs, and case studies of real-world malware samples

Book Description

Malicious software poses a threat to every enterprise globally. Its growth is costing businesses millions of dollars due to currency theft as a result of ransomware and lost productivity. With this book, you'll learn how to quickly triage, identify, attribute, and remediate threats using proven analysis techniques.

Malware Analysis Techniques begins with an overview of the nature of malware, the current threat landscape, and its impact on businesses. Once you've covered the basics of malware, you'll move on to discover more about the technical nature of malicious software, including static characteristics and dynamic attack methods within the MITRE ATT&CK framework. You'll also find out how to perform practical malware analysis by applying all that you've learned to attribute the malware to a specific threat and weaponize the adversary's indicators of compromise (IOCs) and methodology against them to prevent them from attacking. Finally, you'll get to grips with common tooling utilized by professional malware analysts and understand the basics of reverse engineering with the NSA's Ghidra platform.

By the end of this malware analysis book, you'll be able to perform in-depth static and dynamic analysis and automate key tasks for improved defense against attacks.

What you will learn

  • Discover how to maintain a safe analysis environment for malware samples
  • Get to grips with static and dynamic analysis techniques for collecting IOCs
  • Reverse-engineer and debug malware to understand its purpose
  • Develop a well-polished workflow for malware analysis
  • Understand when and where to implement automation to react quickly to threats
  • Perform malware analysis tasks such as code analysis and API inspection

Who this book is for

This book is for incident response professionals, malware analysts, and researchers who want to sharpen their skillset or are looking for a reference for common static and dynamic analysis techniques. Beginners will also find this book useful to get started with learning about malware analysis. Basic knowledge of command-line interfaces, familiarity with Windows and Unix-like filesystems and registries, and experience in scripting languages such as PowerShell, Python, or Ruby will assist with understanding the concepts covered.

Table of Contents

  1. Malware Analysis Techniques
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Reviews
  6. Section 1: Basic Techniques
  7. Chapter 1: Creating and Maintaining your Detonation Environment
    1. Technical requirements
    2. Setting up VirtualBox with Windows 10
    3. Downloading and verifying VirtualBox
    4. Installing Windows 10
    5. Installing the FLARE VM package
    6. Isolating your environment
    7. Maintenance and snapshotting
    8. Summary
  8. Chapter 2: Static Analysis – Techniques and Tooling
    1. Technical requirements
    2. The basics – hashing
    3. Hashing algorithms
    4. Obtaining file hashes
    5. Avoiding rediscovery of the wheel
    6. Leveraging VirusTotal
    7. Getting fuzzy
    8. Picking up the pieces
    9. Malware serotyping
    10. Collecting strings
    11. Challenges
    12. Challenge 1
    13. Challenge 2
    14. Summary
    15. Further reading
  9. Chapter 3: Dynamic Analysis – Techniques and Tooling
    1. Technical requirements
    2. Detonating your malware
    3. Monitoring for processes
    4. Network IOC collection
    5. Discovering enumeration by the enemy
    6. Domain checks
    7. System enumeration
    8. Network enumeration
    9. Case study – Dharma
    10. Discovering persistence mechanisms
    11. Run keys
    12. Scheduled tasks
    13. Malicious shortcuts and start up folders
    14. Service installation
    15. Uncovering common techniques
    16. Final word on persistence
    17. Using PowerShell for triage
    18. Persistence identification
    19. Registry keys
    20. Service installation
    21. Scheduled tasks
    22. Less common persistence mechanisms
    23. Checking user logons
    24. Locating secondary stages
    25. Examining NTFS (NT File System) alternate data streams
    26. Challenge
    27. Summary
  10. Chapter 4: A Word on Automated Sandboxing
    1. Technical requirements
    2. Using HybridAnalysis
    3. Using Any.Run
    4. Installing and using Cuckoo Sandbox
    5. Cuckoo installation – prerequisites
    6. Installing VirtualBox
    7. Cuckoo and VMCloak
    8. Defining our VM
    9. Configuring Cuckoo
    10. Network configuration
    11. Cuckoo web UI
    12. Running your first analysis in Cuckoo
    13. Shortcomings of automated analysis tools
    14. Challenge
    15. Summary
  11. Section 2: Debugging and Anti-Analysis – Going Deep
  12. Chapter 5: Advanced Static Analysis – Out of the White Noise
    1. Technical requirements
    2. Dissecting the PE file format
    3. The DOS header
    4. PE file header
    5. Optional header
    6. Section table
    7. The Import Address Table
    8. Examining packed files and packers
    9. Detecting packers
    10. Unpacking samples
    11. Utilizing NSA's Ghidra for static analysis
    12. Setting up a project in Ghidra
    13. Challenge
    14. Summary
    15. Further reading
  13. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions
    1. Technical requirements
    2. Monitoring malicious processes
    3. Regshot
    4. Process Explorer
    5. Process Monitor
    6. Getting away with it
    7. Network-based deception
    8. FakeNet-NG
    9. ApateDNS
    10. Hiding in plain sight
    11. Types of process injection
    12. Detecting process injection
    13. Case study – TrickBot
    14. Challenge
    15. Summary
  14. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
    1. Technical requirements
    2. Leveraging API calls to understand malicious capabilities
    3. x86 assembly primer
    4. Identifying anti-analysis techniques
    5. Examining binaries in Ghidra for anti-analysis techniques
    6. Other analysis checks
    7. Tackling packed samples
    8. Recognizing packed malware
    9. Manually unpacking malware
    10. Challenge
    11. Summary
  15. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube
    1. Technical requirements
    2. Identifying obfuscation techniques
    3. String encoding
    4. String concatenation
    5. String replacement
    6. Other methodologies
    7. Deobfuscating malicious VBS scripts
    8. Utilizing VbsEdit
    9. Using WScript.Echo
    10. Deobfuscating malicious PowerShell scripts
    11. Compression
    12. Other methods within PowerShell
    13. Emotet obfuscation
    14. A word on obfuscation and de-obfuscation tools
    15. Invoke-Obfuscation and PSDecode
    16. JavaScript obfuscation and JSDetox
    17. Other languages
    18. Challenges
    19. Summary
  16. Section 3: Reporting and Weaponizing Your Findings
  17. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense
    1. Technical requirements
    2. Hashing prevention
    3. Blocking hash execution with Group Policy
    4. Other methodologies
    5. Behavioral prevention
    6. Binary and shell-based blocking
    7. Network-based behaviors
    8. Network IOCs – blocking at the perimeter
    9. Common tooling for IOC-based blocking
    10. Challenge
    11. Summary
  18. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK
    1. Technical requirements
    2. Understanding MITRE's ATT&CK framework
    3. Tactics – building a kill chain
    4. Case study: Andromeda
    5. Initial access
    6. Execution
    7. Persistence
    8. Defense evasion
    9. Command and Control
    10. Utilizing MITRE ATT&CK for C-level reporting
    11. Reporting considerations
    12. Challenge
    13. Summary
    14. Further reading
  19. Section 4: Challenge Solutions
  20. Chapter 11: Challenge Solutions
    1. Chapter 2 – Static Analysis – Techniques and Tooling
    2. Challenge 1
    3. Challenge 2
    4. Chapter 3 – Dynamic Analysis – Techniques and Tooling
    5. Chapter 4 – A Word on Automated Sandboxing
    6. Chapter 5 – Advanced Static Analysis – Out of the White Noise
    7. Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions
    8. Chapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
    9. Chapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the Tube
    10. Chapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for Defense
    11. Chapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CK
    12. Summary
    13. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Leave a review - let other readers know what you think