Tools of the Trade - Malware Analysis

Malware Analysis and Reverse Engineering

Malware analysis is a key part of cyber security. Being able to pull apart a sample of malware and discern what it is doing under the hood is how our security at the machine and operating system level evolves. It requires a deep understanding of how your computer runs at the hardware level, and getting into the thick of things is no easy task. Speaking quite honestly, though, it is quite fun.

Now I want to make it clear that I am not a professional in the field of reverse engineering. I am very much at a hobbyist level. However, in a few cases it has given me some leverage in my professional life, such as reverse engineering malicious JavaScript on a phishing website, or a sample of malware we got hold of where we jokingly said we'd rewrite it to make it better: the dropper was not checking the architecture of the system, but rather looping through multiple downloads to see which malicious code actually executed properly.

As with anything, having the right tools for the job is key. So in this post, I want to go over some of the tools I use when I'm diving into malware analysis and reverse engineering.

A Virtual Environment:

A virtual environment is the biggest factor. Doing malware analysis on bare-metal hardware is an absolute nightmare: having to reinstall everything after each run, even with scripts or PXE boot, is a pain. A simple snapshot and revert function is a life saver.

Whether you're using VirtualBox, XCP-ng, or VMware, just make sure you are using a virtual environment.

This also helps you with isolation. Spinning up a virtual firewall to keep malware isolated from your everyday environment can keep you from accidentally exposing your devices to infection.

Operating Systems:

I've done reverse engineering on Ubuntu, Windows, REMnux, and even within a live boot environment. The two I use most are FlareVM and REMnux, as they come pre-packaged with the tools needed to perform all sorts of analysis, whether that's a .NET executable or a simple static analysis of a potentially malicious PDF. Certain malware may require internet access to function correctly, as it may not execute unless it can communicate with a C2 server. To make sure my home IP address isn't exposed, I suggest spinning up a Whonix Gateway to route all traffic through; Whonix routes all traffic over the Tor network.

Tools:

Perhaps, however, the C2 has been set up on a compromised system, such as a web server that blocks Tor exit nodes. In this case, you may want to use a VPN such as Mullvad. I suggest configuring your virtual firewall with the VPN to ensure no leakage can happen. Mullvad is not free, costing roughly $5 a month for up to 5 devices. Otherwise, ProtonVPN still offers a free tier with an account, though the last time I used it, your choice of servers was down to a handful. Nonetheless, free is free, and if you're on a budget, every penny counts.

One of my favorite tools to use, though admittedly I am still very much a novice with it, is Ghidra. It was developed by the NSA, but privacy enthusiasts need not fret: it is free and open source, and there was a big discussion about whether or not it contained a backdoor. So far none has been found. This suite allows for the disassembly and decompilation of machine executables into human-readable assembly and a C-like language (typically referred to as pseudo-C code).

Detect It Easy - A simple one-click solution for identifying file types, a crucial first step in analysis. It provides signature and heuristic analysis for many supported file formats.

Wireshark - Do I even need to explain? Wireshark is used for capturing and inspecting traffic on a network or machine. This lets you analyze packet data for anomalies as well as malware communications, such as traffic to a C2 server, as a very basic example.
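A concrete version of the "anomalies" Wireshark helps you spot, as an added example rather than anything from the original post or from the Wireshark project: the script below takes connection-start records (constructed inline here; with a real capture you would export them with tshark) and flags conversations whose connections recur at an almost fixed interval, the beaconing pattern a C2 check-in leaves behind. The thresholds (five connections, 10% jitter) are my own assumptions.

```python
"""Flag periodic 'beacon' conversations in a list of connection records.
Added example for this post; not Wireshark/tshark code. The records below
are constructed so the script runs offline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (unix_time, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # one host checking in with the same peer roughly every 60 seconds
    (1000.0, "10.0.0.5", "203.0.113.9", 443, 512),
    (1060.2, "10.0.0.5", "203.0.113.9", 443, 517),
    (1119.8, "10.0.0.5", "203.0.113.9", 443, 512),
    (1180.1, "10.0.0.5", "203.0.113.9", 443, 520),
    (1239.9, "10.0.0.5", "203.0.113.9", 443, 512),
    (1300.3, "10.0.0.5", "203.0.113.9", 443, 515),
    # ordinary browsing to another host: bursty and irregular
    (1005.0, "10.0.0.5", "198.51.100.20", 443, 1450),
    (1007.1, "10.0.0.5", "198.51.100.20", 443, 2300),
    (1090.0, "10.0.0.5", "198.51.100.20", 443, 980),
    (1250.7, "10.0.0.5", "198.51.100.20", 443, 3100),
    (1251.0, "10.0.0.5", "198.51.100.20", 443, 700),
    (1298.4, "10.0.0.5", "198.51.100.20", 443, 1200),
]


def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, port, period_seconds, jitter)] for conversations whose
    gaps between connections are nearly constant (stdev / mean <= max_jitter).
    Thresholds are assumptions to tune per sample."""
    by_conversation = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_conversation[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_conversation.items():
        if len(times) < min_connections:
            continue  # too few data points to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append((src, dst, port, round(period, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, port, period, jitter in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s (jitter {jitter})")
```

With a real capture from the lab VM you can produce the same fields with `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport` and feed them in. Keep in mind that a sample with a long sleep between check-ins needs a correspondingly long capture before anything periodic shows up.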

Process Hacker - This is your typical Windows process viewer, on steroids, providing a much more robust view of running processes. This, paired with Procmon (both included in FlareVM), is used to track system calls, registry changes, and file access on a system.
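As an added example (not Process Hacker or Procmon code), here is how you could triage a Procmon CSV export rather than scrolling through hundreds of thousands of events by hand. It groups registry writes, file writes, and child processes per process, then flags the two things you check first with a dropper: an executable written into a user-writable directory and an autorun registry key pointing at it. The CSV sample is constructed in Procmon's default export column layout; the process names and paths are made up.

```python
"""Triage a Procmon CSV export: summarise each process's registry writes,
file writes and child processes, and flag the classic dropper pattern.
Added example for this post; not Process Hacker or Procmon code."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in Procmon's default CSV export layout (names and paths made up).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert"
"10:01:02.2000000 AM","sample.exe","4120","WriteFile","C:\Users\analyst\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 204,800"
"10:01:02.3000000 AM","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 94, Data: C:\Users\analyst\AppData\Roaming\updater.exe"
"10:01:02.4000000 AM","sample.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 22, Data: Windows 10 Pro"
"10:01:03.0000000 AM","explorer.exe","1532","CreateFile","C:\Users\analyst\Desktop\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:03.1000000 AM","sample.exe","4120","Process Create","C:\Users\analyst\AppData\Roaming\updater.exe","SUCCESS","PID: 4388, Command line: ""C:\Users\analyst\AppData\Roaming\updater.exe"" /silent"
'''

# Locations worth a second look; extend these lists as you learn a sample's habits.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DROP_DIR = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|ps1|vbs|js|bat|cmd)$", re.IGNORECASE)


def triage(csv_text: str):
    """Return (summary, findings).
    summary: {"name:pid": {"file_writes": set, "reg_sets": set, "children": [...]}}
    findings: [(process, reason, path)] for the patterns above."""
    summary = defaultdict(lambda: {"file_writes": set(), "reg_sets": set(), "children": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = f'{row["Process Name"]}:{row["PID"]}'
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue":
            summary[proc]["reg_sets"].add(path)
        elif op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            summary[proc]["file_writes"].add(path)   # opened for write or written to
        elif op == "Process Create":
            summary[proc]["children"].append(path)

    findings = []
    for proc, info in summary.items():
        for path in sorted(info["file_writes"]):
            if DROP_DIR.search(path) and EXEC_EXT.search(path):
                findings.append((proc, "executable written to user-writable directory", path))
        for key in sorted(info["reg_sets"]):
            if AUTORUN_KEY.search(key):
                findings.append((proc, "autorun persistence key set", key))
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = triage(PROCMON_CSV)
    for proc, reason, path in findings:
        print(f"[{proc}] {reason}: {path}")
    for proc, info in summary.items():
        print(proc, "spawned:", info["children"])
```

The same summary is a good starting point for your analysis notes: the set of written paths and registry keys per process is exactly what you later compare against an automated sandbox report.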

dnSpy - C#/.NET is becoming an increasingly significant cyber security threat, as many of Microsoft's native services and applications rely heavily on it. Being able to write malicious code that executes natively within the Windows environment makes attack vectors easier for malware devs to integrate and manage. dnSpy is a .NET debugger that allows for the decompilation of .NET-based malware.
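To make the two ideas above concrete, file-type identification (the Detect It Easy step) and recognising a managed .NET binary that belongs in dnSpy rather than a native disassembler, here is an added example that is not code from either project. It identifies a file by magic bytes, computes byte entropy (values near 8.0 hint at packing or encryption), and for PE files walks the DOS, COFF and optional headers to report the target architecture and whether the CLR (.NET) data directory is populated. The PE headers it parses are constructed in build_pe() so the script runs offline; they are header fragments only, not executables.

```python
"""Identify a file by magic bytes, measure entropy and, for PE files, detect
architecture and a CLR (.NET) header. Added example for this post; not Detect
It Easy or dnSpy code. Sample PE headers are constructed by build_pe()."""
import struct
from collections import Counter
from math import log2

MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (docx/xlsx/jar/apk are ZIPs)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"#!", "script with shebang"),
]
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def pe_details(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    info = {}
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"error": "no PE signature (plain DOS program or corrupted)"}
        machine, n_sections, _, _, _, _, characteristics = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        info["machine"] = MACHINES.get(machine, hex(machine))
        info["sections"] = n_sections
        info["dll"] = bool(characteristics & 0x2000)   # IMAGE_FILE_DLL
        opt = e_lfanew + 24                              # optional header start
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
            n_dirs_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:  # PE32+: at +108 and +112
            n_dirs_off, dirs_off = opt + 108, opt + 112
        else:
            info["error"] = "unknown optional header magic"
            return info
        n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
        # Directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header.
        info["dotnet"] = False
        if n_dirs > 14:
            clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + 14 * 8)
            info["dotnet"] = clr_rva != 0 and clr_size != 0
    except struct.error:
        info["error"] = "truncated PE header"
    return info


def identify(data: bytes):
    """Return (type_label, details) from magic bytes plus PE parsing where relevant."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            details = pe_details(data) if sig == b"MZ" else {}
            details["entropy"] = round(entropy(data), 2)
            return label, details
    return "unknown", {"entropy": round(entropy(data), 2)}


def build_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # 16 data directories
    if dotnet:   # non-zero CLR directory entry marks a managed image
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 14 * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_pe(dotnet=True), build_pe(dotnet=False, pe32plus=True), b"%PDF-1.7\n"):
        print(identify(sample))
```

On a real sample you would read the file in binary mode and hand the bytes to identify(); a "dotnet": True result is the cue to open it in dnSpy, while a high entropy value on a native PE is the cue to look for a packer before reaching for Ghidra.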

One tool that I did not mention above is actually one I run locally in my home lab: CAPEv2. CAPEv2 automates the entire analysis process and provides you with feedback and reports. Though I will admit, this was not a simple process to set up, as it took me about a week of going through it to figure out what I was missing. Even then, it's a very bare-bones system with one Windows 10 VM and no network access. However, it's no less worth a mention.

Online Tools:

VirusTotal | Joe Sandbox | MalwareBazaar

Sometimes, you just need a quick drag-and-drop solution. Perhaps you just aren't sure where to start with analyzing a sample. Using a third-party service can give you an in-depth breakdown of the malware executing in a controlled environment. These are great in a pinch, and they help guide you on what to look for as you develop your own reverse engineering tooling. A great exercise is to run potentially malicious files or executables in these environments, review the generated reports, and then replicate the process in your own isolated lab, comparing the automated reports with your own findings. This improves both your analysis documentation and your skill at analyzing malware. A word of warning: do not upload sensitive documents to these sites, as anything uploaded to them is publicly accessible.

CyberChef - Though CyberChef is included in FlareVM and REMnux, I've decided to include it here under online tools to showcase the free online version. CyberChef was developed by the UK's version of the NSA, GCHQ. It offers a wide range of operations such as encoding and decoding, as well as data extraction and regex. It's been a life saver for transforming obfuscated data into more readable and manageable syntax.

Deobfuscate.io - I've seen it all too many times in the real world: malicious JavaScript obfuscated using simple online tools, including this one here, Deobfuscate.io. Malware devs often wish to hide the actual functions and structure of a program, and will do so by obfuscating it so that it looks like pure gibberish (that's the whole point). We see malicious JavaScript executing in many web-based campaigns, such as phishing or session hijacking.
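CyberChef and the deobfuscation sites above exist because cheap encodings get stacked on top of each other. Here is an added example (not code from CyberChef, GCHQ, or Deobfuscate.io) of the same peeling done in Python, the way you would chain From Base64, From Hex and XOR Brute Force as CyberChef operations: it keeps trying each decoder until nothing further applies, scores XOR candidates by English letter frequency so a wrong key does not win on printability alone, and finally pulls URLs out of the result. The sample blob is constructed by obfuscate() from a benign string with an example.invalid URL; the decoder order and thresholds are my own choices.

```python
"""Peel layered base64 / hex / single-byte-XOR encodings off a blob and extract
network indicators from the result. Added example for this post; not CyberChef
or Deobfuscate.io code. The sample is constructed by obfuscate() so it runs offline."""
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())
COMMON = set(b" etaoinshrdlu")  # space plus the most frequent English letters
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./-]*)?")

SAMPLE_PLAINTEXT = 'var c2 = "http://example.invalid/check-in";'  # constructed, benign


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def from_hex(data: bytes):
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return bytes.fromhex(s.decode())


def from_base64(data: bytes):
    s = data.strip()
    if len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def xor_brute(data: bytes):
    """Try every single-byte key; return (key, plaintext) for the candidate that
    is fully printable and looks most like English text, else None."""
    if printable_ratio(data) >= 0.9:
        return None  # already readable: not XOR-encoded
    best = None
    best_score = (0.0, 0)
    for key in range(1, 256):
        cand = bytes(b ^ key for b in data)
        score = (printable_ratio(cand), sum(b in COMMON for b in cand))
        if score > best_score:
            best, best_score = (key, cand), score
    return best if best_score[0] == 1.0 else None


DECODERS = (("hex", from_hex), ("base64", from_base64), ("xor", xor_brute))


def peel(blob: bytes, max_layers: int = 8):
    """Repeatedly apply the first decoder that fits; return (bytes, layers_removed)."""
    layers = []
    for _ in range(max_layers):
        for name, decode in DECODERS:
            out = decode(blob)
            if out:
                if name == "xor":
                    key, out = out
                    name = f"xor(0x{key:02x})"
                layers.append(name)
                blob = out
                break
        else:
            break  # nothing applied: we are at the bottom layer
    return blob, layers


def extract_urls(data: bytes):
    return [m.decode() for m in URL_RE.findall(data)]


def obfuscate(text: str, key: int = 0xA7) -> bytes:
    """Build the constructed sample: XOR with one byte, then hex, then base64 (outermost)."""
    xored = bytes(b ^ key for b in text.encode())
    return base64.b64encode(xored.hex().encode())


if __name__ == "__main__":
    decoded, layers = peel(obfuscate(SAMPLE_PLAINTEXT))
    print("layers removed:", " -> ".join(layers))
    print("decoded:", decoded.decode())
    print("urls:", extract_urls(decoded))
```

Hex is tried before base64 on purpose: every hex string is also valid base64 alphabet, so the stricter check has to go first. The XOR key is chosen against single-byte XOR only; real samples frequently use a multi-byte key, where the same frequency scoring is applied per key position instead.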

Conclusion:

While this may not be a one-to-one guide on setting up your own malware analysis suite, nor a complete list (there are many tools I missed, such as Volatility, FakeNet, Burp Suite, IDA, YARA rulesets, strings, ExifTool and much, MUCH more), it does give you enough of a basis to go out and start building your own lab environment. "You have to respect your enemy. Never, ever underestimate them. Be smart about them. Respect their abilities." With that being said, as a security engineer I do have a certain respect for malware devs, as being able to program a powerful malicious executable takes a great deal of understanding of how computers work, from the hardware level to networking, flow and function. Like I said, a certain level of respect.

~Kevin (macros)~
