handbook/tools/5.Malware-Analysis/Malware.md

Malware

Take note that most of the tools create for malware analysis are on windows (Flare VM).

• Steps
  • Get Flare VM ---> [HERE](1 - Flare VM)
  • Launch Detect it Easy on the file ---> [HERE](2 - Detect it Easy)
  • Decode the file package ---> HERE
  • Run CAPA ---> [HERE](3 - Decode Malware Package)
  • Run the malware and check process Monitor ---> [HERE](5 - Process Monitor)

Video ---> https://www.youtube.com/watch?v=kdQZPLRnr3g

More information

A prominent word in cybersecurity, malware is software created to harm a computer or an entire network. Threat actors develop malware to achieve specific goals, such as infiltrating networks, breaching sensitive data, or disrupting operational services.

If you were to inspect several malware samples in the wild, a typical pattern arises, making analysing other samples easier with experience. Knowing these common behaviours gives us an idea of what to look for on the defensive side, such as:

• Network connections - Malware tends to establish either external network connections or internal connections. External connections allow remote access or for downloading staged payloads from a threat actors' infrastructure. Meanwhile, internal connections allow for lateral movement, a technique used to extend access to other hosts or applications within the network.
• Registry key modifications - Malware typically uses registry keys to establish persistence, a technique used by threat actors to discreetly maintain long-term access to a system despite disruptions. A good example is Registry Run Keys, which allows binaries to be automatically executed when a user logs in or the machine boots up.
• File manipulations -  Malware also tends to download (one of the common reasons to establish network connections) or create new files needed for its successful execution.

Given this knowledge, we can expect the possible behaviour of malware during an investigation.

Dangers of Analysing Malware Samples

WARNING: Handling a malware sample is dangerous. Always consider precautions while analysing it. 

With this, here are some helpful tips when handling live malware

• Always assume that malware samples will infect your device; hence executing it is not always the first and only step in analysing it.
• Only run the malware sample in a controlled environment that prevents potential compromise of unwanted assets.
• It is always recommended to have your sandbox, which allows you have a worry-free execution of malware samples.

A sandbox is a controlled test environment that mimics a legitimate end-user working environment. It gives analysts a safe environment to execute malware samples and learn their behaviour. Lastly, having a ready sandbox prevents analysts from running malware samples in their workstations, which is highly dangerous and impractical for the possibility of unwanted impact.

In a typical setup, sandboxes also provide automated analysis at the disposal of Security Analysts to determine if a binary from a set of malware samples requires further manual investigation.

For this task, you may start the attached FlareVM instance by clicking on the Start Machine button. This VM will serve as your sandbox. However, do not expect this machine to provide an automated analysis since we will assist Forensic McBlue in conducting manual analysis. 

Note: If the VM is not visible, use the blue Show Split View button at the top-right of the page.

Static and Dynamic Analysis

We have understood the prerequisites needed to handle the malware safely from the previous section. Now, let's have a quick refresher on the two methods of malware analysis.

Static Analysis is a way of analysing a malware sample without executing the code. This method mainly focuses on profiling the binary with its readable information, such as its properties, program flow and strings. Given the limitation of not executing it, sometimes this method gives insufficient information, which is why we resort to Dynamic Analysis.   

Meanwhile, Dynamic Analysis mainly focuses on understanding the malware by executing it in a safe environment, such as a Sandbox. By doing this, you will see the malware live in action, its exact behaviour, and how it infects the environment.