...a malware analysis roadmap.

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Hello

I'm considering implementing a VM for malware testing, and I was thinking of a roadmap for a serious study.
Indeed, once you have finished the analysis of a sample, you have an amount of information that needs a well-structured order.

The technical analysis of the code is important, but structuring the obtained information is a great goal.
So let's consider what the most important questions to be answered are.

- How many variants of the same malcode are there?

- What algorithm is used to pack the core, if it is packed?

- Could this tell us anything about how skilled the malcoder behind it is?

- Where does this connect out to?

- How sophisticated is this malware?


Answering these questions will tell us what the involved servers are, who the involved people are and what kind of criminal activity it is.

Difficult challenge? Maybe.
 

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
> Are you talking about a known malware sample or an unknown sample that you want to analyze?

Well, it is an idea I would like to implement, based on my old knowledge of assembly, C# and some C++. Simply taking a random malware sample and analyzing it by dissecting it and understanding how skilled the malcoder was, but above all investigating what I said above, trying to figure out what this code really wants to do on our system.
 

Amelith Nargothrond

Level 12
Verified
Top Poster
Well-known
Mar 22, 2017
587
> Well, it is an idea I would like to implement, based on my old knowledge of assembly, C# and some C++. Simply taking a sample and analyzing it by dissecting it and understanding how skilled the malcoder was, but above all investigating what I said above, trying to figure out what this code really wants to do on our system.

Reverse engineering is a pretty nasty business. But awesome in the end :D I will also follow this.

If I may, there's a free tool you can begin with: pestudio
 

cheburash

Level 1
Apr 14, 2017
5
If I may suggest, the first question is: where do you get your samples from?
How do you know they are malicious?
If you are getting known malicious samples, they have probably already been described.
If you are getting some unknown files, then again, you probably don't know whether they are malicious or good...
 

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
> If I may suggest, the first question is: where do you get your samples from?
> How do you know they are malicious?
> If you are getting known malicious samples, they have probably already been described.
> If you are getting some unknown files, then again, you probably don't know whether they are malicious or good...

You can download malware samples from online malware analysis services, but usually you have to create an account.
Are they malicious or not? This is the point.
If you just look at an online analysis report, you have to interpret the results subjectively: there are common indicators which are related to malware and clean files at the same time.
These indicators should be read in a specific context, and that is why you have to analyze the code.

.NET non-obfuscated samples can be inspected with ILSpy, and you have access to the code, reading tons of information that suggests to you how the malware works, for example URL connections, access to the user's documents, encryption functions, etc.
For malware written in C/C++, at compile time, for the generation of the executable file, the source code is translated into machine language.
With decompilers, you can go back to the assembly code... but no further.
In this case, other tools can show functions and methods that are very useful for understanding how the malware works.

I assure you that by inspecting the code or the functions of the sample, you have a good chance of understanding whether the file is malicious or not, how skilled the malcoder was and, most importantly, what the code wants to do in the system.
That is what I would like to do.
 

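The point above, that a single indicator such as a URL or a crypto API is also found in clean files and has to be read in context, can be made concrete with a small static triage script. The following is an added example, not code from the thread: it pulls printable strings out of constructed byte blobs (no real sample; the URLs, paths and API names are made up for illustration), groups them into the categories the post mentions, and only flags a file when several behaviours combine.

```python
import re
from collections import defaultdict

# Constructed byte blobs standing in for the raw bytes of a sample; not real files.
SUSPICIOUS_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/gate.php\x00"
    + b"CryptAcquireContextA\x00CryptEncrypt\x00"
    + b"C:\\Users\\%USERNAME%\\Documents\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"InternetOpenUrlA\x00"
)
# An updater-like clean file: network plus crypto on their own prove nothing.
CLEAN_BYTES = b"https://updates.example.invalid/check\x00CryptAcquireContextA\x00"

# Indicator categories named in the thread (connections, document access,
# encryption functions) plus persistence via the Run key.
CATEGORIES = {
    "network": re.compile(rb"https?://[\w./%-]+|InternetOpenUrl[AW]|URLDownloadToFile[AW]"),
    "documents": re.compile(rb"\\Documents|\\Desktop|%USERPROFILE%"),
    "crypto": re.compile(rb"Crypt(?:Encrypt|Decrypt|AcquireContext[AW]|GenKey)"),
    "persistence": re.compile(rb"CurrentVersion\\Run(?:Once)?"),
}

def extract_strings(data, min_len=6):
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def classify(data):
    """Map each category to the sorted list of matching strings found in data."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        for name, rx in CATEGORIES.items():
            for m in rx.findall(s):
                hits[name].add(m.decode("ascii", "replace"))
    return {k: sorted(v) for k, v in hits.items()}

def assess(hits):
    """Read indicators in context: one or two categories are common in clean
    software too, so only a combination of three or more is flagged."""
    if len(hits) >= 3:
        return "suspicious", "several behaviours combine: " + ", ".join(sorted(hits))
    if hits:
        return "inconclusive", "only " + ", ".join(sorted(hits)) + "; also seen in clean files"
    return "no-indicators", "nothing matched; look at the code, not just strings"

if __name__ == "__main__":
    for label, blob in (("sample", SUSPICIOUS_BYTES), ("updater", CLEAN_BYTES)):
        found = classify(blob)
        print(label, found, assess(found))
```

The verdict is only a triage hint; as the post says, the code itself still has to be read before calling the file malicious.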
WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
> Hello
>
> I'm considering implementing a VM for malware testing, and I was thinking of a roadmap for a serious study.
> Indeed, once you have finished the analysis of a sample, you have an amount of information that needs a well-structured order.
>
> The technical analysis of the code is important, but structuring the obtained information is a great goal.
> So let's consider what the most important questions to be answered are.
>
> - How many variants of the same malcode are there?
>
> - What algorithm is used to pack the core, if it is packed?
>
> - Could this tell us anything about how skilled the malcoder behind it is?
>
> - Where does this connect out to?
>
> - How sophisticated is this malware?
>
> Answering these questions will tell us what the involved servers are, who the involved people are and what kind of criminal activity it is.
>
> Difficult challenge? Maybe.

Interesting but beyond my coding abilities.
 
