Skip to content

Week-15-Lab-C-Static-Malware-Analysis.md

Latest commit

 

History

History
596 lines (444 loc) · 17.2 KB

Week-15-Lab-C-Static-Malware-Analysis.md

File metadata and controls

596 lines (444 loc) · 17.2 KB

Week 15 Lab C: Static Malware Analysis

Learning Outcomes

By the end of this lab, you will be able to:

  • Perform static analysis on a malware sample using a variety of tools
  • Identify key characteristics of a malware sample without executing it
  • Extract Indicators of Compromise (IOCs) from a malware sample
  • Document and report on the findings of a static malware analysis investigation

1. Objective

In this lab, you will perform static analysis on real malware samples without executing them. Static analysis involves examining the malware's code, strings, and structure to understand its functionality and behavior.

2. Prerequisites

  • A FlareVM environment (from Lab B)
  • Malware samples from the PMAT-labs repository (already cloned in the repository)
  • Basic understanding of Windows PE file format
  • CRITICAL: Ensure your FlareVM is isolated from your host network

3. Malware Samples Location

The malware samples for this lab are located in:

/home/ubuntu/soc-training-program/Module-4/Labs/resources/malware_samples/

Available Samples:

  • 2-1.AdvancedStaticAnalysis/Dropper.DownloadFromURL.exe - A dropper malware
  • 2-1.AdvancedStaticAnalysis/Malware.stage0.exe - Multi-stage malware
  • 4-1.Bossfight-wannacry.exe/Ransomware.wannacry.exe - WannaCry ransomware sample

4. Tools Used

All tools are pre-installed in FlareVM:

  • PEStudio - PE file analysis tool
  • Strings - Extract printable strings from binary files
  • PEiD - Detect packers and compilers
  • Dependency Walker (depends.exe) - Analyze DLL dependencies
  • IDA Free - Disassembler for reverse engineering
  • PE-bear - Portable Executable parser
  • CFF Explorer - PE editor
  • Detect It Easy (DIE) - Packer/compiler detector
  • FLOSS - FireEye Labs Obfuscated String Solver

5. Lab Duration

Approximately 3-4 hours

Part 1: Setting Up Your Analysis Environment (15 minutes)

Step 1: Prepare Your FlareVM

  1. Take a snapshot of your clean FlareVM before starting:

    • In VirtualBox/VMware: Right-click VM → Snapshots → Take Snapshot
    • Name it: "Clean FlareVM - Before Malware Analysis"

  2. Disable network adapter:

    • VirtualBox: Settings → Network → Uncheck "Enable Network Adapter"
    • VMware: VM → Settings → Network Adapter → Not Connected

  3. Create a working directory:

    New-Item -Path "C:\MalwareAnalysis" -ItemType Directory
New-Item -Path "C:\MalwareAnalysis\Reports" -ItemType Directory
New-Item -Path "C:\MalwareAnalysis\Samples" -ItemType Directory
New-Item -Path "C:\MalwareAnalysis\Extracted" -ItemType Directory

Step 2: Transfer Malware Samples to FlareVM

Option 1: Using Shared Folder (Recommended)

  1. Configure shared folder in VirtualBox/VMware
  2. Copy samples from the repository to your FlareVM

Option 2: Using ISO/USB

  1. Create an ISO with the malware samples
  2. Mount the ISO in FlareVM

SAFETY REMINDER:

  • DO NOT execute any malware on your host machine
  • ALWAYS work in an isolated VM
  • NEVER connect FlareVM to your production network during analysis

Part 2: Analyzing Dropper.DownloadFromURL.exe (60 minutes)

Step 3: Extract the Malware Sample

  1. Navigate to the malware sample directory on your FlareVM
  2. Extract the sample from the 7z archive: 
    cd C:\MalwareAnalysis\Samples
# Copy Dropper.DownloadFromURL.exe.7z from shared folder
7z x Dropper.DownloadFromURL.exe.7z
# Password: infected

Step 4: Calculate File Hashes

Why: File hashes are unique identifiers for malware samples. They're used for:

  • Searching in malware databases (VirusTotal, Hybrid Analysis)
  • Tracking malware campaigns
  • Creating detection rules

  1. Open PowerShell as Administrator

  2. Calculate multiple hash types:

    $file = "C:\MalwareAnalysis\Samples\Dropper.DownloadFromURL.exe"

# MD5
Get-FileHash -Algorithm MD5 $file | Format-List

# SHA1
Get-FileHash -Algorithm SHA1 $file | Format-List

# SHA256
Get-FileHash -Algorithm SHA256 $file | Format-List

  3. Document the hashes in your analysis report:

    Sample: Dropper.DownloadFromURL.exe
MD5:    [your result]
SHA1:   [your result]
SHA256: [your result]

  4. Search the hash on VirusTotal:

Step 5: Basic File Information

  1. Get file metadata:

    Get-Item $file | Format-List *

  2. Document:

    • File size
    • Creation date
    • Last modified date
    • File attributes

Step 6: Analyze with PEStudio

PEStudio is a powerful tool for analyzing Windows executables without executing them.

  1. Launch PEStudio from the FlareVM desktop

  2. File → Open and select Dropper.DownloadFromURL.exe

  3. Analyze the File Header:

    • Click on "file" in the left panel
    • Document:
      • File type (EXE, DLL, SYS)
      • Architecture (32-bit or 64-bit)
      • Subsystem (Console, GUI)
      • Compilation timestamp (can be faked!)

  4. Examine the Imports:

    • Click on "imports" in the left panel
    • Look for suspicious API calls:
      • Network: InternetOpenA, InternetReadFile, URLDownloadToFileA
      • File Operations: CreateFileA, WriteFile, DeleteFileA
      • Process: CreateProcessA, CreateRemoteThread
      • Registry: RegSetValueExA, RegCreateKeyExA
      • Crypto: CryptEncrypt, CryptDecrypt

  5. Check for suspicious characteristics:

    • Red/Yellow indicators in PEStudio (these indicate potentially malicious behavior)
    • Unusual section names (e.g., .text, .data are normal; .packed, .upx are suspicious)

  6. Examine Strings:

    • Click on "strings" in the left panel
    • Look for:
      • URLs and IP addresses
      • File paths
      • Registry keys
      • Error messages
      • Suspicious keywords

Questions to Answer:

  1. What suspicious API functions does the malware import?
  2. Are there any URLs or IP addresses in the strings?
  3. What is the compilation timestamp?
  4. Are there any suspicious section names?
  5. What is PEStudio's overall verdict (blacklist score)?

Step 7: Extract Strings with FLOSS

FLOSS (FireEye Labs Obfuscated String Solver) can extract obfuscated and encoded strings that basic strings command might miss.

  1. Open Command Prompt as Administrator

  2. Run FLOSS:

    cd C:\MalwareAnalysis\Samples
floss Dropper.DownloadFromURL.exe > C:\MalwareAnalysis\Reports\dropper_strings.txt

  3. Review the output file:

    notepad C:\MalwareAnalysis\Reports\dropper_strings.txt

  4. Look for:

    • ASCII strings: Human-readable text
    • Unicode strings: Wide character strings
    • Stack strings: Strings built at runtime
    • Decoded strings: Strings that were encoded/obfuscated

  5. Document interesting findings:

    • URLs (e.g., http://malicious-site.com/payload.exe)
    • IP addresses
    • File paths (e.g., C:\Windows\Temp\malware.exe)
    • Registry keys
    • Command-line arguments

Step 8: Identify Packers with Detect It Easy (DIE)

Packers compress or encrypt malware to evade detection.

  1. Launch Detect It Easy (DIE)

  2. File → Open and select the malware sample

  3. Analyze the results:

    • Compiler/Linker (e.g., Microsoft Visual C++, GCC)
    • Packer (e.g., UPX, ASPack, Themida)
    • Entropy (high entropy = likely packed/encrypted)

  4. Check entropy:

    • Normal executables: entropy ~6.0-6.5
    • Packed/encrypted: entropy >7.0

If the malware is packed:

  • Note the packer name
  • Consider unpacking it (advanced topic, not covered in this lab)
  • Packed malware is harder to analyze statically

Step 9: Analyze DLL Dependencies

  1. Launch Dependency Walker (depends.exe)

  2. File → Open and select the malware sample

  3. Analyze:

    • Which DLLs does the malware depend on?
    • Are there any missing DLLs (red icons)?
    • Which functions are imported from each DLL?

  4. Suspicious DLLs to note:

    • WININET.DLL - Internet functions
    • WS2_32.DLL - Windows Sockets (networking)
    • ADVAPI32.DLL - Advanced Windows API (registry, services)
    • KERNEL32.DLL - Core Windows functions

Step 10: Disassemble with IDA Free

IDA (Interactive DisAssembler) is the industry-standard tool for reverse engineering.

  1. Launch IDA Free

  2. File → Open and select the malware sample

  3. Let IDA analyze the file (this may take a few minutes)

  4. Navigate to the entry point:

    • The entry point is where the malware starts executing
    • Look for the start or WinMain function

  5. Identify key functions:

    • Look for function names in the Functions window
    • Suspicious functions might include:
      • Functions that download files
      • Functions that create processes
      • Functions that modify the registry

  6. Examine suspicious API calls:

    • Press Ctrl+F to search for API function names
    • Search for: URLDownloadToFile, CreateProcess, WriteFile

  7. Look for strings references:

    • Go to View → Open subviews → Strings
    • Double-click on interesting strings to see where they're used

Basic IDA Navigation:

  • Space - Toggle between graph view and text view
  • X - Show cross-references (where a function is called from)
  • G - Go to address
  • N - Rename a function/variable
  • ; - Add a comment

Questions to Answer:

  1. What is the address of the entry point?
  2. How many functions does the malware contain?
  3. What API calls are made in the main function?
  4. Can you identify the function that downloads the payload?

Part 3: Analyzing WannaCry Ransomware (60 minutes)

Step 11: Extract the WannaCry Sample

  1. Navigate to the WannaCry directory:

    cd C:\MalwareAnalysis\Samples
# Copy Ransomware.wannacry.exe.malz.7z from shared folder
7z x Ransomware.wannacry.exe.malz.7z
# Password: infected

  2. Calculate hashes:

    $file = "C:\MalwareAnalysis\Samples\Ransomware.wannacry.exe"
Get-FileHash -Algorithm SHA256 $file

Step 12: PEStudio Analysis of WannaCry

  1. Open WannaCry in PEStudio

  2. Examine imports for ransomware indicators:

    • CryptEncrypt - File encryption
    • CryptGenKey - Key generation
    • FindFirstFileA / FindNextFileA - File enumeration
    • CreateFileA / WriteFile - File operations
    • RegSetValueExA - Registry modification (persistence)

  3. Look for ransom note strings:

    • Search for strings containing:
      • "bitcoin"
      • "decrypt"
      • "payment"
      • File extensions (e.g., ".WNCRY")

  4. Check for embedded resources:

    • Click on "resources" in PEStudio
    • WannaCry embeds the ransom note and encryption keys as resources

Step 13: Extract Embedded Resources

  1. Use Resource Hacker or PE-bear to extract resources:

    # Using PE-bear (GUI tool on FlareVM desktop)

  2. Extract any embedded files:

    • Text files (ransom notes)
    • Images (ransom wallpaper)
    • Executables (additional payloads)

Step 14: Network Indicators

  1. Search for network-related strings:

    strings Ransomware.wannacry.exe | Select-String -Pattern "http|https|ftp|www|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

  2. WannaCry-specific indicators:

    • Kill switch domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • Bitcoin addresses for ransom payment
    • Tor .onion addresses

Step 15: YARA Rule Creation

YARA is a pattern-matching tool used to identify malware.

  1. Create a YARA rule for WannaCry:

    rule WannaCry_Ransomware
{
    meta:
        description = "Detects WannaCry Ransomware"
        author = "Your Name"
        date = "2024-01-01"
        reference = "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/"
    
    strings:
        $killswitch = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
        $ransom_ext = ".WNCRY" ascii
        $ransom_note = "@WanaDecryptor@" ascii
        $bitcoin = "bitcoin" nocase ascii
        
    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        2 of ($killswitch, $ransom_ext, $ransom_note, $bitcoin)
}

  2. Save the rule as wannacry.yar

  3. Test the rule:

    yara64.exe wannacry.yar Ransomware.wannacry.exe

Part 4: Comparative Analysis (30 minutes)

Step 16: Compare Multiple Samples

Create a comparison table of all analyzed samples:

Characteristic Dropper.DownloadFromURL.exe WannaCry Malware.stage0.exe
File Size
SHA256
Packer
Compiler
Key APIs
Network IOCs
File IOCs
Registry IOCs
Malware Family
Threat Level

Part 5: Creating an IOC Report (30 minutes)

Step 17: Compile Indicators of Compromise

Create a comprehensive IOC report in Markdown format:

# Static Malware Analysis Report

**Analyst:** [Your Name]
**Date:** [Today's Date]
**Lab:** Week 15 Lab C - Static Malware Analysis

## Executive Summary

This report documents the static analysis of three malware samples: Dropper.DownloadFromURL.exe, WannaCry ransomware, and Malware.stage0.exe. The analysis was conducted in an isolated FlareVM environment using industry-standard tools.

## Sample 1: Dropper.DownloadFromURL.exe

### File Information
- **Filename:** Dropper.DownloadFromURL.exe
- **File Size:** [size]
- **MD5:** [hash]
- **SHA1:** [hash]
- **SHA256:** [hash]
- **File Type:** PE32 executable
- **Compilation Timestamp:** [timestamp]

### Technical Analysis
- **Packer:** [None/UPX/etc.]
- **Compiler:** [MSVC/GCC/etc.]
- **Architecture:** [32-bit/64-bit]

### Behavioral Indicators

**Network Activity:**
- Downloads payload from: [URL]
- C2 Communication: [IP/Domain]

**File System Activity:**
- Creates: [file paths]
- Modifies: [file paths]
- Deletes: [file paths]

**Registry Activity:**
- Creates: [registry keys]
- Modifies: [registry keys]

### Indicators of Compromise (IOCs)

**File Hashes:**

MD5: [hash] SHA1: [hash] SHA256: [hash]


**Network IOCs:**

URL: http://example.com/payload.exe IP: 192.168.1.100 Domain: malicious-domain.com


**File IOCs:**

C:\Windows\Temp\dropped.exe C:\Users\Public\malware.dll


**Registry IOCs:**

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Malware


### MITRE ATT&CK Mapping
- **T1566.001** - Phishing: Spearphishing Attachment
- **T1204.002** - User Execution: Malicious File
- **T1105** - Ingress Tool Transfer
- **T1547.001** - Boot or Logon Autostart Execution: Registry Run Keys

### Detection Rules

**YARA Rule:**
```yara
rule Dropper_DownloadFromURL
{
    strings:
        $url = "http://malicious-site.com" ascii
        $api1 = "URLDownloadToFileA" ascii
        $api2 = "CreateProcessA" ascii
    condition:
        uint16(0) == 0x5A4D and all of them
}

Snort Rule:

alert tcp any any -> any 80 (msg:"Dropper downloading payload"; content:"GET /payload.exe"; sid:1000001;)

[Repeat for Sample 2 and Sample 3]

Conclusion

[Summary of findings and recommendations]


---

## Deliverables

Submit the following files:

1. **Static-Malware-Analysis-Report.md** - Your complete analysis report
2. **dropper_strings.txt** - FLOSS output for the dropper
3. **wannacry.yar** - YARA rule for WannaCry
4. **IOC-List.csv** - Spreadsheet with all IOCs
5. **Screenshots/** - Directory containing:
   - PEStudio analysis screenshots
   - IDA disassembly screenshots
   - Detect It Easy results
   - Dependency Walker results

## Evaluation Criteria

- **Completeness:** Did you analyze all three samples?
- **Technical Depth:** Did you use all the required tools?
- **IOC Quality:** Are your IOCs accurate and comprehensive?
- **Documentation:** Is your report well-organized and detailed?
- **YARA Rules:** Do your YARA rules correctly detect the malware?

## Additional Challenges (Optional)

1. **Unpack a packed sample** using manual unpacking techniques
2. **Create a Suricata rule** to detect the network traffic
3. **Write a Python script** to automate hash calculation and VirusTotal lookups
4. **Analyze the PE sections** and identify code vs. data sections
5. **Extract and analyze the Import Address Table (IAT)**

## Safety Reminders

- **NEVER** execute malware on your host machine
- **ALWAYS** work in an isolated VM
- **TAKE SNAPSHOTS** before and after analysis
- **DISCONNECT** the network adapter
- **REVERT** to clean snapshot after completing the lab

## References

- [Practical Malware Analysis Book](https://nostarch.com/malware)
- [PEStudio Documentation](https://www.winitor.com/)
- [IDA Pro Documentation](https://hex-rays.com/ida-pro/)
- [FLOSS Documentation](https://github.com/mandiant/flare-floss)
- [YARA Documentation](https://yara.readthedocs.io/)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)

## Next Steps

After completing this lab, you will move on to **Week 15 Lab D: Dynamic Malware Analysis**, where you will execute these samples in a controlled environment and observe their runtime behavior.

**Remember:** Static analysis tells you what the malware *can* do. Dynamic analysis tells you what it *actually* does.