<blockquote data-quote="hunter44" data-source="post: 983902" data-attributes="member: 94311"><p>Hi, it's me again. I've come back to you with some questions regarding malware analysis. I've gained some knowledge over the last 2 months - read a few books, reversed my own programs and also done all the labs from the Practical Malware Analysis book, which gave me very good basics (I know the book is old, but it still has very good basics to learn). I understand a lot more, but still not enough ;).</p><p>I want to go further, so I decided to ask about a few things again.</p><p></p><p>1. What is a common or best approach to start analysing when you run a real sample? I tried to run many samples and most of them do nothing. They just start and that's all. No CPU usage, procmon shows nothing, same with autoruns. I'm wondering why? I have separate VMs (Windows to run samples and Linux to monitor the network, both on an isolated, private network with fake DNS) with all the needed tools and would like to do some basic dynamic analysis first, but often it is impossible, because I do not get any results.</p><p>For example this sample - <a href="https://bazaar.abuse.ch/sample/00a5d3a64510cd32a452ab596e74aa5d700f90878ae24c07cd833464cf0d39ad/" target="_blank">MalwareBazaar | Browse malware samples</a></p><p>It doesn't seem to have anti-analysis stuff and when I ran it, it only started and nothing more - no internal registry usage, no network etc. Wondering why?</p><p></p><p>2. Anti-analysis techniques - do you have any advice regarding this? Articles or other material which could help to remove it from the code and work on "clear" malware without any anti-analysis things? How do you fight anti-analysis issues, how do you prepare your sample to run and to work with? I see I have a big problem recognising what is "good" code and what is junk and anti-analysis code. How could I fight it?</p><p></p><p>3. Static analysis with IDA - what is your approach to analysing code statically? I see that I often fall into a rabbit hole, want to analyse everything step by step and in the end I know nothing about the analysed code. I think I'm doing something wrong but it is difficult to find out what would be better, that's why I'm asking - how do you skip unnecessary stuff during analysis and focus only on the important parts? What are those important parts? For example, my first tactic is always to check strings, check general info about the file, run it in a VM and observe behaviour. Then I look at some specific parts in IDA, like registry creation, network connections (or other internet stuff), file creation/modification, etc. But a lot of samples have a very large codebase, so it is difficult to focus on only one part and often I get lost in it.</p><p></p><p>4. Samples - are there any "easier" or better malware families for a beginner to analyse? I know that in general all malware is a lottery, but maybe some types are better to start with than others?</p><p>Do you advise filtering samples somehow?</p><p></p><p>5. Could you elaborate (e.g. step by step) your own tactics and approaches when you start analysing samples? How do you start? What are you looking for first? When are you ready to go deeper, etc.? It would be great to have a general overview, because then I may understand more and create my own path.</p><p></p><p>Hope you find some time to answer, maybe they are stupid questions, but I would like to understand the fundamentals well.</p></blockquote><p></p>
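The first-pass triage the post describes in question 3 (strings first, then a look at registry, network and file activity), as an added Python example that is not part of the original post or of any tool it mentions. It pulls both ASCII and UTF-16LE strings from a byte blob and buckets them; the bucket patterns and the `SAMPLE` blob are assumptions constructed here, not a real binary or real indicators.

```python
import re
from typing import Dict, List

MIN_LEN = 6  # shortest printable run worth reporting, as in the classic `strings` tool

# Hypothetical first-pass buckets mirroring the three things the post looks for in IDA.
# Patterns are Win32 API name shapes and common artefact prefixes, not indicators from any real sample.
CATEGORIES = {
    "registry": re.compile(r"^(HKEY_|HKLM|HKCU|Reg(Open|Create|Set|Query|Delete)\w*|SOFTWARE\\)", re.I),
    "network": re.compile(r"^(https?://|ws2_32|wininet|Internet\w+|WSA\w+|Http\w+|URLDownload\w+|"
                          r"gethostbyname|getaddrinfo)", re.I),
    "file": re.compile(r"^(CreateFile\w|WriteFile|CopyFile\w?|MoveFile\w*|DeleteFile\w|[A-Z]:\\|%APPDATA%|%TEMP%)", re.I),
}

_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)         # narrow strings
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # UTF-16LE, which Windows binaries use heavily


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least MIN_LEN chars, in file-offset order."""
    found = [(m.start(), m.group().decode("ascii")) for m in _ASCII.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in _WIDE.finditer(data)]
    return [s for _, s in sorted(found)]


def triage_strings(data: bytes) -> Dict[str, List[str]]:
    """Bucket extracted strings by the behaviour they hint at; 'other' is what still needs a human."""
    buckets: Dict[str, List[str]] = {name: [] for name in (*CATEGORIES, "other")}
    for s in extract_strings(data):
        hit = next((name for name, pat in CATEGORIES.items() if pat.search(s)), "other")
        buckets[hit].append(s)
    return buckets


# Constructed stand-in for a sample: fake MZ header, the usual DOS stub text, a few narrow
# and wide strings, then some opaque bytes. Not a real binary and not any real indicator.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode\x00"
    + b"CreateFileW\x00WriteFile\x00InternetOpenA\x00HttpSendRequestA\x00"
    + b"http://c2.example.invalid/gate.php\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + "%APPDATA%\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"RegSetValueExW\x00\x55\x8b\xec\x83\xec\x10"
)

if __name__ == "__main__":
    for name, strings in triage_strings(SAMPLE).items():
        print(f"[{name}]", *strings, sep="\n    ")
```

Run against a real file by reading it with `open(path, "rb").read()` in place of `SAMPLE`; the wide-string pass is what surfaces registry paths and file names that a plain ASCII strings run on a Windows binary misses.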