MAL: Malware Introductory
TryHackMe Walkthroughs ⋅ Guided ⋅ MAL: Malware Introductory
Task 1: What is the Purpose of Malware Analysis?
Malware analysis is a form of incident response that focuses on malware. Malware analysis explores what point of entry (PoE) into the system a malware used, indicators of its presence, how it performs, and how we can protect against it.
Task 2: Understanding Malware Campaigns
Malware can be divided into two types, targeted and mass campaign, based on their intended audience.
Task 3: Identifying if a Malware Attack has Happened
Malware leaves an extensive paper trail of evidence at each step of the attack. Malware generally leaves behind two types of fingerprints. Host-based signatures are the results of execution and persistence performed by malware on the host, such as downloaded software or encrypted files. In contrast, network-based signatures are the observations of network communication taking place during delivery, execution, and propagation.
Task 4: Static Vs. Dynamic Analysis
We use both static and dynamic analysis when analyzing malware. Static analysis looks at the code without execution in order to gain a high-level understanding of the sample. In contrast, dynamic analysis builds upon static analysis by running the sample in an isolated environment and observing the sample's effects.
Task 5: Discussion of Provided Tools & Their Uses
Though some tools are purely static or dynamic analyzers, other tools provided in this task can be used for both static and dynamic analysis.
Task 6: Connecting to the Windows Analysis Environment (Deploy)
Connect to the machine associated with this task by pressing the "Start Machine" button on the top-right of the task.
Task 7: Obtaining MD5 Checksums of Provided Files
The application HashTab, preinstalled with the VM, calculates the checksums of a file using MD5 and other hash functions. The results of the application are available by viewing a file's properties.
Task 8: Now let's see if the MD5 Checksums have been analyzed before
VirusTotal can be used to see if a file with the same MD5 checksum has been analyzed before.
Task 9: Identifying if the Executables are obfuscated / packed
PEiD is a tool that can be used to identify if an executable is packed. Remember that an executable does not necessarily end with a .exe extension. A file that ends with .jpeg, for example, but starts with the hex header 4D 5A is still an executable.
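As an added example (not part of the TryHackMe room or the tools in its VM), a small Python triage script that applies the Task 7 and Task 9 checks together: it computes the MD5 you would look up on VirusTotal, tests for the 4D 5A header, follows the DOS header's e_lfanew field to confirm the PE signature, and flags files whose extension disagrees with their content. The file contents are constructed inline, not real samples.

```python
import hashlib
import struct

MZ_MAGIC = b"MZ"          # bytes 4D 5A: the DOS header every Windows executable starts with
PE_SIGNATURE = b"PE\0\0"  # sits at the offset stored in e_lfanew (DOS header offset 0x3C)
EXE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr")

def md5_hex(data: bytes) -> str:
    """MD5 of the file content, the value you would search for on VirusTotal."""
    return hashlib.md5(data).hexdigest()

def has_mz_header(data: bytes) -> bool:
    """True when the content starts with 4D 5A, whatever the file name says."""
    return data[:2] == MZ_MAGIC

def has_pe_signature(data: bytes) -> bool:
    """Follow e_lfanew and confirm the PE signature is there (a stray 'MZ' alone is not enough)."""
    if len(data) < 0x40 or not has_mz_header(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def triage(name: str, data: bytes) -> dict:
    """Summarise one file: hash for lookup, header checks, and an extension/content mismatch flag."""
    looks_executable = has_pe_signature(data)
    named_executable = name.lower().endswith(EXE_EXTENSIONS)
    return {
        "name": name,
        "md5": md5_hex(data),
        "mz_header": has_mz_header(data),
        "pe_signature": looks_executable,
        "extension_mismatch": looks_executable != named_executable,
    }

def build_fake_pe() -> bytes:
    """Constructed sample, not a real program: MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    return MZ_MAGIC + b"\0" * 0x3A + struct.pack("<I", 0x40) + PE_SIGNATURE

# Constructed inputs: an executable hiding behind .jpeg, a genuine JPEG header, a text file named .exe
SAMPLES = {
    "holiday.jpeg": build_fake_pe(),
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
    "notes.exe": b"just some text, not a program",
}

if __name__ == "__main__":
    for sample_name, content in SAMPLES.items():
        print(triage(sample_name, content))
```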
Task 10: What is Obfuscation / Packing?
Packing is a form of obfuscation used by software developers to prevent the analysis of programs. Packing has legitimate and illegitimate uses: it can be used to protect intellectual property and to prevent malware analysts from reverse engineering and ultimately defending against malicious code.
Task 11: Visualizing the Differences Between Packed & Non-Packed Code
We can visualize what a packed executable looks like with IDA Freeware. When we open a packed executable in the application, we notice that there are few imports and a small program execution flowchart. These are both indicators that the executable has been packed. Non-packed code tends to have more imports and a larger execution flowchart.
Task 12: Introduction to Strings
Microsoft's Sysinternals strings program allows us to view the text contents of a program. The command strings <program> outputs the strings found in that program.
Viewing all strings at once may not always be informative. To view just imports, we can use PE Explorer. Opening an executable in PE Explorer and navigating to View -> Imports allows us to view the imports for that executable.
Task 13: Introduction to Imports
Tools like IDA Freeware, which can be used for both static and dynamic analysis, tend to be classified as either disassemblers or debuggers. Disassemblers reverse a compiled program from machine code to assembly code. Debuggers allow an analyst to view the changes made at each step of an executing program.
Task 14: Practical Summary
Analyze ComplexCalculator.exe in the directory Tasks/Task 14 to answer the following questions.