How Malware Analysis Helps SOC Analysts:
The US and Israel created STUXNET (malware) to disrupt Iran’s nuclear plant. It propagated through USB drives and exploited 4 zero-day vulnerabilities.
Steps involved in the disruption:
- Infection –> through a USB stick
- Search –> Stuxnet checks whether the machine is part of the targeted control systems made by Siemens.
- Update –> If the target system has a Siemens control system, it searches for and updates itself to the most recent version.
- Compromise –> Via zero-day vulnerabilities.
- Control –> Spies on the operations of the nuclear plant in order to control the centrifuges.
- Deceive and Destroy –> Once the required info is collected, Stuxnet starts issuing false commands to destroy the power plant.
- Stuxnet used 4 zero-day vulnerabilities
- Stuxnet targeted Siemens control systems
- The attack happened in 2010.
Malware Definition and its Types:
Malware = Malicious Software
Types of Malware:
- Backdoor: Opens a network port connected to a shell, enabling the attacker to connect to the system through that port.
- Virus: Self-replicates and persists by infecting other files.
- Keylogger: Records the keys typed by the user.
- Adware: Floods the user with ads; sometimes it changes the default search engine of the web browser.
- Worm: Malware that spreads from an infected device to other devices - Eg: WannaCry
- Rootkit: Malware that provides high-level access.
- RAT: Remote Access Trojan - gives the threat actor full control over the device
- Banking malware: Malware focused on banking software and sites.
- Ransomware: Demands money by encrypting the files.
** Name of the first worm on the internet –> Morris
** Vulnerability code of WannaCry –> MS17-010
** What is the name of the malware that was detected in December 2021, distributed through the SolarWinds Orion product and caused the hacking of many organizations such as FireEye? –> Sunburst
What Should a Malware Analyst Know
- Operating system fundamentals: Malware often takes advantage of operating system features to escalate privileges, perform discovery and ensure persistence.
In Windows, malware uses features such as the registry, the task scheduler and services to ensure persistence.
- Assembly language and programming: Machines only understand 0s and 1s. The source code we write to create an application is converted into assembly language by the compiler, and the assembly is then converted into zeros and ones (machine code) by the assembler.
Process Flow:
Start
MyApp.c –> Preprocessor –> MyApp.i –> Compiler –> MyApp.s –> Assembler –> Executable MyApp.exe
Software that translates machine code back into assembly code is called a disassembler.
- Network protocols and fundamentals
- Cryptography: e.g. ransomware
** What encryption is used by ransomware –> Asymmetric
Which Approach Should You Choose When Analyzing Malware?
2 Approaches:
- Static Malware Analysis: Analyzing malicious software by reverse-engineering methods WITHOUT RUNNING it. Decompile / disassemble it to analyse each step / process in order to understand the nature / behaviour of the malware.
Your device will not be infected, as you do not run the malicious software in static analysis. (However, we do not recommend performing static analysis on your host device; it is more proper to do your analysis in a virtual operating system.)
The information examined during static analysis is as follows:
  - P.E. (Portable Executable) headers
  - Imported DLLs
  - Exported DLLs
  - Strings in the binary
  - CPU instructions
- Dynamic Malware Analysis: Examining the malware’s behaviour while running it. While doing dynamic analysis, you should carefully examine the following events:
  - Network connections
  - File events
  - Process events
  - Registry events
Static Vs Dynamic analysis:
“DYNAMIC ANALYSIS EXAMPLE”
ANYRUN: Interactive sandbox environment for performing malware analysis dynamically.
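Added example (not from the original notes and not Any.run’s own output or API): a small triage routine over the four event classes listed above (registry, process, file, network), run against a constructed JSON-lines sandbox log; the paths, PIDs, IPs and the base64 stream value are made up, and the base64 decode mirrors the Stream Data step described for the sample below.

```python
import base64
import json

# Constructed sandbox event log in JSON-lines form (not real Any.run output).
SAMPLE_EVENTS = r"""
{"type": "process", "pid": 1304, "image": "C:\\Users\\user\\Desktop\\invoice.exe", "cmdline": "invoice.exe"}
{"type": "file", "pid": 1304, "op": "write", "path": "C:\\Users\\user\\AppData\\Roaming\\svch0st.exe"}
{"type": "registry", "pid": 1304, "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater", "data": "C:\\Users\\user\\AppData\\Roaming\\svch0st.exe"}
{"type": "process", "pid": 1330, "parent": 1304, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\user\\AppData\\Roaming\\svch0st.exe"}
{"type": "network", "pid": 1304, "proto": "tcp", "dst": "203.0.113.7", "dport": 587, "stream_b64": "UDRzc3cwcmQh"}
{"type": "network", "pid": 1304, "proto": "tcp", "dst": "198.51.100.9", "dport": 4444}
"""

PERSISTENCE_TOOLS = {"schtasks.exe", "sc.exe"}   # task scheduler / service creation
MAIL_PORTS = {25, 465, 587}                       # SMTP: common exfiltration channel for stealers
EXPECTED_PORTS = {53, 80, 443}

def triage(events_text: str) -> list:
    """Return (pid, category, detail) findings for the four event classes the
    notes list: registry, process, file and network."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        kind = ev["type"]
        if kind == "registry" and ev["key"].upper().endswith(("\\RUN", "\\RUNONCE")):
            findings.append((ev["pid"], "registry persistence",
                             f'{ev["key"]}\\{ev["value"]} = {ev["data"]}'))
        elif kind == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in PERSISTENCE_TOOLS and "create" in ev["cmdline"].lower():
                findings.append((ev["pid"], "task/service persistence", ev["cmdline"]))
        elif kind == "file" and ev["op"] == "write":
            path = ev["path"].lower()
            if path.endswith(".exe") and ("\\appdata\\" in path or "\\temp\\" in path):
                findings.append((ev["pid"], "dropped executable", ev["path"]))
        elif kind == "network":
            dst = f'{ev["dst"]}:{ev["dport"]}'
            if ev["dport"] in MAIL_PORTS:
                detail = dst
                if "stream_b64" in ev:   # SMTP AUTH sends credentials base64-encoded
                    decoded = base64.b64decode(ev["stream_b64"]).decode("ascii", "replace")
                    detail += f" stream decodes to {decoded!r}"
                findings.append((ev["pid"], "mail protocol (credential/exfil channel)", detail))
            elif ev["dport"] not in EXPECTED_PORTS:
                findings.append((ev["pid"], "unusual outbound port", dst))
    return findings
```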
https://bazaar.abuse.ch/sample/708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089/
Exact Analysis:
https://app.any.run/tasks/e4979ab7-3145-4121-a042-ea91d7e2c86b
To find the email address associated with the malware and the password used:
- Go to the Threats tab in Any.run.
- Click on a message to open the Threat Details pop-up.
- Open the Stream Data tab and switch the view from Hex to Text.
- You’ll find the Base64 string “TzhrI1B6NHNrOndf”. Decode the string to reveal the password.
29 Addresses to Analyze Malware Faster
We constantly spend time analyzing malware. We have listed 29 addresses that can be useful for blue team members to use their time more effectively:
- Anlyz
- Any.run
- Comodo Valkyrie
- Cuckoo
- Hybrid Analysis
- Intezer Analyze
- SecondWrite Malware Deepview
- Jevereg
- IObit Cloud
- BinaryGuard
- BitBlaze
- SandDroid
- Joe Sandbox
- AMAaaS
- IRIS-H
- Gatewatcher Intelligence
- Hatching Triage
- InQuest Labs
- Manalyzer
- SandBlast Analysis
- SNDBOX
- firmware
- opswat
- virusade
- virustotal
- malware config
- malware hunter team
- virscan
- jotti