Few questions regarding malware analysis lab - how to do it properly?
hunter44 wrote (post 984114):

Thank you for the answers.

Understood. I ran it with x64dbg and indeed, it fell into some thread sleep loop. But you are probably right: if I have a fake DNS and redirecting, it would never reach the C&C server.

Yes, I know this article, already read it and have it at hand all the time. I will look at these VM detections, because they probably cause more problems for me, as I often cannot find where the anti-VM code is in the sample.
And yes, I create some small C/C++ programs and disassemble them to look for specific structures, behaviours or patterns. It is helpful, but it is also very different from malware code from real samples.

Yes, I'm trying. I also found a new sample which is much better to analyze, and as I see I can recognize many fields and understand what it is doing and how it works. Also, function graphs in IDA are amazing, because I can choose some interesting path at the beginning and analyze it part by part.
I also started this book and am trying to apply those methods to my work. What I found out in working with IDA is that I often do not know where e.g. a given var or parameter is set and what value is there. It is hard for me. But I also tried to solve it by running the example in a debugger and watching all values set in a given function.

This is my common approach when I look for new samples: before I even download a sample, I read articles, Malpedia and other reports regarding the specific type of malware. If I have all the theoretical stuff, I start to analyze the sample.

That's good to know. Keyloggers and stealers, as I see, are commonly recommended for beginners.
I also found a new sample, the Ardamax keylogger (theZoo/malware/Binaries/Keylogger.Ardamax at master · ytisf/theZoo: https://github.com/ytisf/theZoo/tree/master/malware/Binaries/Keylogger.Ardamax), and as I said above, I find it pretty friendly to analyze. It runs, does something, was packed, but I unpacked it with a debugger and it seems to be a good one for a start.

I also tried to run some ransomware in my isolated env (GandCrab or WannaCry), but when I looked at the code in IDA it was quite big and difficult. Hope to come back to these samples in the future. I'm also focused only on C/C++ PE samples, so all Delphi or .NET ones need to wait for now.

I thought so. Everything depends on the specific example and every approach would be different.
Regarding obfuscated programs: are there any common techniques/programs or some good books to learn how to deobfuscate strings? As I know it is often a simple XOR or base64 used for this, but maybe there are more sophisticated algorithms which are more difficult to solve? 99% of samples I see have obfuscation, so it would be nice to know how to fight it.

Regarding videos, I watch OALabs and cybercdh mostly. Sometimes John Hammond's channel, but it is not strictly related to malware analysis.
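The simple XOR and base64 string obfuscation the post asks about, as an added example that is not part of the thread: a small Python helper that brute-forces single-byte XOR over NUL-terminated chunks of a dumped buffer, keeping only decodes that contain known-plaintext indicators, and decodes base64-looking tokens. The sample buffer, the key 0x5A and the strings hidden in it are constructed for this example, not taken from any real sample.

```python
import base64
import binascii
import re
import string

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Constructed stand-in for a dumped .data section (not from any real sample):
# two strings hidden with single-byte XOR (key 0x5A) and one stored as base64,
# each terminated by a NUL the way a decode-until-zero loop expects.
SAMPLE_BLOB = (
    b"MZ\x00"
    + xor_bytes(b"kernel32.dll", 0x5A) + b"\x00"
    + xor_bytes(b"http://example.invalid/gate.php", 0x5A) + b"\x00\x00"
    + base64.b64encode(b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00"
    + b"\x11\x22\x33"
)

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Known-plaintext fragments a decoded string is expected to contain.
INDICATORS = re.compile(rb"\.dll|\.exe|://|\\\\")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def xor_candidates(data: bytes, min_len: int = 6) -> list[tuple[int, bytes]]:
    """Brute-force single-byte XOR over each NUL-terminated chunk. A chunk is
    reported under a key only if it decodes entirely to printable ASCII and
    contains an indicator; key 0 is skipped since it just returns the raw bytes."""
    hits = []
    for chunk in data.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        for key in range(1, 256):
            decoded = xor_bytes(chunk, key)
            if all(b in PRINTABLE for b in decoded) and INDICATORS.search(decoded):
                hits.append((key, decoded))
    return hits

def base64_candidates(data: bytes) -> list[bytes]:
    """Decode long base64-looking tokens, keeping those that yield clean ASCII."""
    found = []
    for match in B64_TOKEN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(), validate=True)
        except binascii.Error:
            continue
        if decoded and all(b in PRINTABLE for b in decoded):
            found.append(decoded)
    return found
```

Running `xor_candidates(SAMPLE_BLOB)` reports both hidden strings under key 0x5A; other keys can still produce stray hits on a real dump, so the indicator list is the knob to tighten for a given sample.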