Table of Contents for Malware Analysis Techniques
Contributors
About the author
About the reviewer
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Section 1: Basic Techniques
Chapter 1: Creating and Maintaining your Detonation Environment
Technical requirements
Setting up VirtualBox with Windows 10
Downloading and verifying VirtualBox
Installing Windows 10
Installing the FLARE VM package
Isolating your environment
Maintenance and snapshotting
Summary
Chapter 2: Static Analysis – Techniques and Tooling
Technical requirements
The basics – hashing
Hashing algorithms
Obtaining file hashes
Avoiding rediscovery of the wheel
Leveraging VirusTotal
Getting fuzzy
Picking up the pieces
Malware serotyping
Collecting strings
Challenges
Challenge 1
Challenge 2
Summary
Further reading
Chapter 3: Dynamic Analysis – Techniques and Tooling
Technical requirements
Detonating your malware
Monitoring for processes
Network IOC collection
Discovering enumeration by the enemy
Domain checks
System enumeration
Network enumeration
Case study – Dharma
Discovering persistence mechanisms
Run keys
Scheduled tasks
Malicious shortcuts and start up folders
Service installation
Uncovering common techniques
Final word on persistence
Using PowerShell for triage
Persistence identification
Registry keys
Service installation
Scheduled tasks
Less common persistence mechanisms
Checking user logons
Locating secondary stages
Examining NTFS (NT File System) alternate data streams
Challenge
Summary
Chapter 4: A Word on Automated Sandboxing
Technical requirements
Using HybridAnalysis
Using Any.Run
Installing and using Cuckoo Sandbox
Cuckoo installation – prerequisites
Installing VirtualBox
Cuckoo and VMCloak
Defining our VM
Configuring Cuckoo
Network configuration
Cuckoo web UI
Running your first analysis in Cuckoo
Shortcomings of automated analysis tools
Challenge
Summary
Section 2: Debugging and Anti-Analysis – Going Deep
Chapter 5: Advanced Static Analysis – Out of the White Noise
Technical requirements
Dissecting the PE file format
The DOS header
PE file header
Optional header
Section table
The Import Address Table
Examining packed files and packers
Detecting packers
Unpacking samples
Utilizing NSA's Ghidra for static analysis
Setting up a project in Ghidra
Challenge
Summary
Further reading
Chapter 6: Advanced Dynamic Analysis – Looking at Explosions
Technical requirements
Monitoring malicious processes
Regshot
Process Explorer
Process Monitor
Getting away with it
Network-based deception
FakeNet-NG
ApateDNS
Hiding in plain sight
Types of process injection
Detecting process injection
Case study – TrickBot
Challenge
Summary
Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
Technical requirements
Leveraging API calls to understand malicious capabilities
x86 assembly primer
Identifying anti-analysis techniques
Examining binaries in Ghidra for anti-analysis techniques
Other analysis checks
Tackling packed samples
Recognizing packed malware
Manually unpacking malware
Challenge
Summary
Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube
Technical requirements
Identifying obfuscation techniques
String encoding
String concatenation
String replacement
Other methodologies
Deobfuscating malicious VBS scripts
Utilizing VbsEdit
Using WScript.Echo
Deobfuscating malicious PowerShell scripts
Compression
Other methods within PowerShell
Emotet obfuscation
A word on obfuscation and de-obfuscation tools
Invoke-Obfuscation and PSDecode
JavaScript obfuscation and JSDetox
Other languages
Challenges
Summary
Section 3: Reporting and Weaponizing Your Findings
Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense
Technical requirements
Hashing prevention
Blocking hash execution with Group Policy
Other methodologies
Behavioral prevention
Binary and shell-based blocking
Network-based behaviors
Network IOCs – blocking at the perimeter
Common tooling for IOC-based blocking
Challenge
Summary
Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK
Technical requirements
Understanding MITRE's ATT&CK framework
Tactics – building a kill chain
Case study: Andromeda
Initial access
Execution
Persistence
Defense evasion
Command and Control
Utilizing MITRE ATT&CK for C-level reporting
Reporting considerations
Challenge
Summary
Further reading
Section 4: Challenge Solutions
Chapter 11: Challenge Solutions
Chapter 2 – Static Analysis – Techniques and Tooling
Challenge 1
Challenge 2
Chapter 3 – Dynamic Analysis – Techniques and Tooling
Chapter 4 – A Word on Automated Sandboxing
Chapter 5 – Advanced Static Analysis – Out of the White Noise
Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions
Chapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill
Chapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the Tube
Chapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for Defense
Chapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CK
Summary
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Leave a review - let other readers know what you think