Starting with the ground rules: always keep a malicious sample inside a password-protected archive (the de-facto convention is the password "infected"), so that neither a colleague nor you yourself can double-click the executable by accident. If you are dealing with a sample hosted on a server or with a malicious website, always defang the URL before writing it down. If the malicious link is http://www.malicioussite.com/win32/sc.exe, write it as hxxp://www[.]malicioussite[.]com/win32/sc.exe; if it is a bare address such as 192.168.1.105/sc.exe, write it as 192[.]168[.]1[.]105/sc.exe. That way a stray click in a report, ticket or chat goes nowhere. These are only the preliminary precautions for handling a sample. Next, always set up a Virtual Machine (VM) for analysing it. If you are brave enough not to use a VM, you would need a physical system you don't care about, segmented away from the rest of the network (you don't have such a system, so set up a VM).
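As an added example (this is not code from the original post), here is a small Python helper that applies the defang convention above and reverses it. The scheme map (http to hxxp, https to hxxps, ftp to fxp) and the bracketed-dot style are assumptions that match the notation used in the text; only the scheme and host part are rewritten, so ports, paths and query strings stay readable.

```python
import re

# Added example for this article: a defang/refang helper so that
# indicators pasted into notes, tickets or chat are not clickable.
# The scheme and "[.]" conventions are assumptions matching the text.
_SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
_REFANG_SCHEMES = {v: k for k, v in _SCHEMES.items()}

# optional scheme + host (up to the first "/", ":", "?" or "#") + the rest
_INDICATOR_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^/:?#]+)(?P<rest>.*)$",
    re.IGNORECASE | re.DOTALL,
)
# a dot in the host that is not already wrapped as "[.]"
_LIVE_DOT_RE = re.compile(r"(?<!\[)\.(?!\])")


def defang(indicator: str) -> str:
    """Return a non-clickable form of a URL, hostname or IPv4 address.

    Only the scheme and the host are touched; port, path and query are
    left alone so the indicator stays recognisable. Defanging an
    already defanged value is a no-op.
    """
    m = _INDICATOR_RE.match(indicator.strip())
    if not m:
        return indicator
    scheme, host, rest = m.group("scheme"), m.group("host"), m.group("rest")
    out = ""
    if scheme:
        out += _SCHEMES.get(scheme.lower(), scheme) + "://"
    return out + _LIVE_DOT_RE.sub("[.]", host) + rest


def refang(indicator: str) -> str:
    """Undo defang() (and the common "(.)" / "{.}" variants) for tooling
    that needs the real value, e.g. a lookup from an isolated box."""
    s = indicator.strip()
    for wrapped in ("[.]", "(.)", "{.}"):
        s = s.replace(wrapped, ".")
    m = _INDICATOR_RE.match(s)
    if m and m.group("scheme"):
        real = _REFANG_SCHEMES.get(m.group("scheme").lower(), m.group("scheme"))
        s = real + "://" + m.group("host") + m.group("rest")
    return s


if __name__ == "__main__":
    for ioc in ("http://www.malicioussite.com/win32/sc.exe", "192.168.1.105/sc.exe"):
        print(ioc, "->", defang(ioc))
```

Run it on the two indicators from the text and you get exactly the forms shown above; feed a defanged value to refang() only on the analysis box, right before the tool that needs the live value.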
To set up the VM, choose an operating system that suits both the sample and your tools. A great deal of malware is still shipped as 32-bit Windows executables and many classic analysis tools are 32-bit, so I prefer Windows 7 Ultimate 32-bit for the VM (long out of support, which is acceptable for an isolated analysis machine but nowhere else). If you are unsure which hypervisor to use, I prefer VMware Workstation: taking snapshots is easy and it is by far the most stable. Some malware checks whether it is running inside a VM and simply quits once it decides it is being analysed; some instead switches to harmless decoy behaviour so the analyst sees nothing interesting. It is therefore important to make the VM look as much like a real user's machine as possible. To hide the fact that it is a virtual machine:
- Give the VM at least 2 CPU cores and 1 GB of RAM; a single core with minimal memory is a classic sandbox giveaway.
- Install common application software such as Adobe Reader, the Microsoft Office suite, browsers and a music player, as some samples check whether such programs are present.
- Open several files or documents and a browser before executing the sample, as some samples count the running processes and only execute above a threshold (say, more than 5).
- Keep the VM's network adapter in host-only mode so the malware cannot propagate across your LAN or reach the internet. Note that host-only still gives the VM a link to the host machine itself, so keep the host firewalled and do not enable shared folders or drag-and-drop while a sample is running.
- Since the VM is in host-only mode, run a tool such as FakeNet-NG inside it to trick the malware into thinking it is online (some samples quit if a connectivity check or DNS lookup fails).
- Keep two snapshots of the VM: one fresh install with only everyday applications, and one with all the analysis tools installed (some malware looks for analysis tools and quits if it finds them). If a sample refuses to run on the tooled snapshot, revert to the clean one and watch it from outside the guest.
Now to the analysis itself. There are two kinds of analysis, static and dynamic. There are no fixed guidelines or specific steps for analysing a sample, but we can define a set of questions for each kind to keep the work simple and quick and to get a proper picture of what the program does or is capable of. That also makes the later reverse engineering much easier. Starting with static analysis, the questions to keep in mind are:
- What kind of file is it? Checking the extension is not enough, since samples routinely hide behind a false or double extension (invoice.pdf.exe). Check the file signature (magic bytes) instead. A Windows executable starts with the bytes 4D 5A ("MZ") at offset 0, and the "PE\0\0" signature sits at the offset stored in the 4-byte field at 0x3C; a PDF has the signature %PDF somewhere within the first 1024 bytes. Consult a list of file signatures for other formats.
- Is there any information already available about it? Compute the MD5, SHA-1 and SHA-256 hashes of the sample and search for them on platforms such as VirusBay or VirusTotal, or simply do a Google search, to see whether the sample has already been found and analysed. Search by hash rather than uploading the file: uploading publishes the sample, and the fact that you have it, to everyone, including its author.
- What do the embedded strings tell us? Either write a small script that extracts every run of printable characters longer than 3 or 5 bytes (look for UTF-16 strings too, since Windows programs use them heavily), or use tools such as strings or PE Explorer. The embedded strings give a first idea of what the sample is or is capable of: URLs, file names, commands, registry keys. A sample with almost no readable strings is usually packed or encrypted, and strings such as section names ("UPX0") or a packer's banner often reveal which packer was used.
- Is there anything unusual in the PE header? The PE headers contain everything the loader needs to map and start the program, including the section table. Common sections are .text (executable code; some compilers name it .code), .data, .rdata (read-only data, often holding the import information), .idata and .edata (import and export tables) and .rsrc (resources such as icons, dialogs and embedded files). Look for unusual imported functions, suspiciously few imports (often just LoadLibrary and GetProcAddress, which suggests a packer resolves the real imports at run time), unexpected exports, non-standard section names, and unusual files embedded in .rsrc.
- Is the executable packed? The steps above usually already tell us. There are also dedicated tools such as PEiD (no longer maintained but still widely used), its modern counterpart Detect It Easy, and visual tools such as Cantor Dust for checking whether a sample is packed; PEiD and Detect It Easy also identify the packer. High entropy in a section, or a section that is writable and executable at the same time, is a further hint. Identify the packer and unpack the executable before reversing it.
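The static checklist above can be run end to end with a short script. The following is an added example written for this article, not code from PEiD, Detect It Easy or any other tool it mentions: it identifies the file by its signature, computes the hashes, extracts ASCII and UTF-16LE strings, reads the PE section table with nothing but struct, and applies a per-section entropy check, which is a common (not definitive) packing heuristic. The PE image it analyses is constructed inline and is not a real program; the section names, flags and packer names used in the heuristics are documented values, the thresholds are assumptions.

```python
import hashlib
import math
import re
import struct
from typing import Dict, List, Tuple

# Added example for this article (not from any tool mentioned in it).
# Constants: IMAGE_SCN_MEM_EXECUTE/WRITE and the 40-byte section header
# come from the PE specification; the entropy threshold is an assumption.
_MAGICS: List[Tuple[int, bytes, str]] = [            # (offset, magic, description)
    (0, b"\x7fELF", "ELF executable"),
    (0, b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR/APK)"),
]


def identify_type(data: bytes) -> str:
    """Classify by content, never by extension."""
    if data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "Windows PE executable"
        return "MZ executable without PE header (DOS or truncated)"
    for offset, magic, desc in _MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return desc
    if b"%PDF" in data[:1024]:            # PDF header may be preceded by junk
        return "PDF document"
    return "unknown"


def hashes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs (common in Windows binaries)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    return found + [m.group().decode("utf-16le") for m in wide_re.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """0.0 (constant bytes) .. 8.0 (uniform); packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_pe_sections(data: bytes) -> List[Dict[str, object]]:
    """Read the section table; raises ValueError if this is not a PE file."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file: no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                             # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + i * 40                                 # one IMAGE_SECTION_HEADER
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": rsize, "raw_offset": rptr,
            "executable": bool(chars & 0x20000000),          # IMAGE_SCN_MEM_EXECUTE
            "writable": bool(chars & 0x80000000),            # IMAGE_SCN_MEM_WRITE
            "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 2),
        })
    return sections


def packing_indicators(sections: List[Dict[str, object]]) -> List[str]:
    """Cheap hints that a sample is packed; confirm with PEiD/DIE and a debugger."""
    notes = []
    for s in sections:
        if s["raw_size"] and s["entropy"] > 7.0:
            notes.append(f"{s['name']}: entropy {s['entropy']} looks compressed/encrypted")
        if s["executable"] and s["writable"]:
            notes.append(f"{s['name']}: writable+executable (unpacking stub writes code here)")
        if s["name"].upper().startswith(("UPX", ".ASPACK", ".PETITE", ".VMP")):
            notes.append(f"{s['name']}: section name used by a known packer")
    return notes


def build_sample_pe() -> bytes:
    """Constructed toy PE for this example (not a real program): a plain
    .text section and a UPX1-style section filled with uniformly spread bytes."""
    text = b"cmd.exe /c whoami\x00\x00" + "http://evil.test".encode("utf-16le") + b"\x90" * 50
    packed = bytes((i * 239 + 17) & 0xFF for i in range(1024))   # each value 4 times -> entropy 8.0
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, 224-byte opt header
    opt = b"\x00" * 224                                             # optional header body is not parsed here

    def sec(name: bytes, vaddr: int, raw: bytes, rptr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr, 0, 0, 0, 0, chars)

    table = sec(b".text", 0x1000, text, 0x200, 0x60000020) + sec(b"UPX1", 0x2000, packed, 0x400, 0xE0000040)
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\x00" * (0x200 - len(image)) + text
    return image + b"\x00" * (0x400 - len(image)) + packed


if __name__ == "__main__":
    sample = build_sample_pe()
    print(identify_type(sample), hashes(sample)["sha256"])
    print(extract_strings(sample)[:3], packing_indicators(parse_pe_sections(sample)))
```

Point the functions at the bytes of a real sample (opened inside the VM, from the password-protected archive) instead of build_sample_pe(). Note that the strings extractor also returns short junk runs from the high-entropy section, which is exactly what the strings tool does on packed data and is itself a packing hint.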
Now to dynamic analysis. Here we execute the sample to see what it actually does. Take a snapshot of the VM's state before running the sample and another after, compare the two, filter out the Windows processes and files you have baselined as normal, and everything that remains was done by the sample. Tools such as Regshot automate this before/after comparison for the file system and registry, and Process Monitor records the same activity live. The questions to keep in mind and find answers to are:
- How does the malware modify the system when it runs?
- What files does it drop or download?
- What files are created, deleted, edited or moved by the malware?
- What temporary files does it create?
- What registry keys and values does it change?
- Where does the malware connect to? Which URL or IP?
- Which protocol does it use?
- What network traffic does it generate?
- Does the malware launch any other programs?
- What persistence mechanism does it use?
- How does it autostart?
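The before/after comparison described above, reduced to its core, as an added example for this article (this is not Regshot or any other tool's code): a file-system snapshot is a map from path to (size, SHA-256), the diff gives the created, deleted and modified files, and a noise filter plays the role of the whitelist. The directory tree, the "malware run" and the noise prefix are all constructed here so the script runs offline; on a real VM you would snapshot the system drive and a registry export instead.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Added example for this article: before/after snapshot diff of a
# directory tree. Paths, file contents and the simulated malware
# behaviour below are constructed for the demo, not taken from a sample.

def snapshot(root: Path) -> Dict[str, Tuple[int, str]]:
    """Map every file under root (relative POSIX path) to (size, sha256)."""
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            snap[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before: Dict[str, Tuple[int, str]],
                   after: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Created, deleted and modified paths between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def filter_noise(changes: Dict[str, List[str]], noise_prefixes: Iterable[str]) -> Dict[str, List[str]]:
    """Drop paths the OS churns on its own (the 'whitelist' from the text)."""
    prefixes = tuple(noise_prefixes)
    return {kind: [p for p in paths if not p.startswith(prefixes)] for kind, paths in changes.items()}


def simulate_run(root: Path) -> None:
    """Constructed stand-in for executing the sample: drops a file, edits
    the hosts file, deletes a document and leaves prefetch noise behind."""
    (root / "Users/victim/AppData/Roaming").mkdir(parents=True, exist_ok=True)
    (root / "Users/victim/AppData/Roaming/sc.exe").write_bytes(b"MZ" + b"\x90" * 64)
    hosts = root / "Windows/System32/drivers/etc/hosts"
    hosts.write_bytes(hosts.read_bytes() + b"127.0.0.1 update.example\n")
    (root / "Users/victim/Documents/report.docx").unlink()
    (root / "Windows/Prefetch").mkdir(parents=True, exist_ok=True)
    (root / "Windows/Prefetch/SC.EXE-1234ABCD.pf").write_bytes(b"\x00" * 16)


def demo() -> Dict[str, List[str]]:
    """Build a tiny constructed 'system drive', snapshot, run, snapshot, diff."""
    baseline = {
        "Windows/System32/kernel32.dll": b"\x00" * 128,
        "Windows/System32/drivers/etc/hosts": b"# constructed hosts file\n",
        "Users/victim/Documents/report.docx": b"PK\x03\x04 constructed",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in baseline.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        before = snapshot(root)
        simulate_run(root)
        after = snapshot(root)
    # prefetch entries appear on every program launch, so treat them as noise
    return filter_noise(diff_snapshots(before, after), ("Windows/Prefetch/",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same diff applied to a registry export (hive path to value) answers the registry question, and a packet capture taken between the two snapshots answers the network ones; keep the noise list short and explicit, since every prefix you add is a place where the sample can hide.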
Answering these questions is fairly easy with the wide variety of dynamic analysis tools available. Note down every answer for the reversing stage. With all of them answered we know what the sample is and what exactly it does; the remaining question is "How does it do all those things?", and to answer that we need to reverse engineer the sample.