12 Dec 2022
Malware Analysis Forensic McBlue to the REVscueMalware has typical patterns allowing easier identification and providing insight for defenses.
ALWAYS CONSIDER PRECAUTIONS WHEN ANALYSING IT! With live malware:
Sandboxes can also provide automated analysis so the Security Analyst can determine if a binary requires further manual investigation.
Use FlareVM for the steps of the task.
Static Analysis is analyzing without without execution. Focuses on profiling the binary with readble information (properties, flow, and strings). Sometime insufficient.
Dynamic Analysis focuses on understanding through execution in a safe environment. See malware in action, its exact behavior, how it infects the environment.
Static tools used:
Provides information like architecture, significant headers, packer used, and strings.
Packing malware is common technique to compress, obfuscate, or encrypt the binary. Prevents signifacant strings and headers from being shown immediately.
Detects capabilities in executable files. I.e. installation of service, opening network connections, registry mods, etc. CLI utility. Since CAPA confirms being packed and DIE provided packer, unpack and reanalyze. CAPA caches results in filename.viv, so del filename.viv before rerunning CAPA. Reveals nice listing of all sorts of info, including ATT&CK notes.
Dynamic tools used:
Shows real-time registry, file-system, and process/thread activity. Set filter by process name and execute malware. Filter log by buttons at top right:
In this case start with registry mods. Right-click line to exclude similar lines to focus on creating keys and setting values.
Something isn’t right because I’m not getting the same results as the video. I guess the post will be finished tomorrow.
Update: It appears restarting the VM solved the problem. Instead of the program blipping a cmd window and disappearing right away it stayed active and I could find all the details the video showed should be there.
Progressing through the rest, the filtering process is the same when looking at file manipulations, network connections, etc.
Gain all the details of the malware sample from last task.
After two attempts all info was gathered.