Guidelines Malware Analysis Rules

Discussion in 'Malware Analysis' started by LabZero, Aug 2, 2016.

    We would like to improve our Malware Analysis forum and make it more professional, so we are establishing rules for the proper and safe conduct of analyses.

    Of course, these rules apply only to static and dynamic analysis threads.

    For help, questions and so on, our general rules are already in place.


    We can post these analysis modes:

    - Static: the sample is analysed without running it, by studying the code and functions that determine its behavior.

    - Dynamic: the malware is studied live, by running its functions and routines.

    - Static + Dynamic: if you find executable strings during the static analysis, it is not certain that they are actually executed, so the malware can be run as a second step.

    MALWARE ANALYSIS RULES

    To be approved, a malware analysis thread must follow these rules.

    The following are required:


    • A link to an online automatic analysis of the analysed sample: Malwr or Hybrid Analysis.
    • VirusTotal link: post the most recent VT analysis.
    • Indicate the type of analysis: static, dynamic or static + dynamic.
    • Host operating system.
    • Guest operating system.
    • Containment: VM, Shadow Defender.
    • Analysis tools used.
    • Protect your confidential and personal data: the VM is created specifically for the analysis of the malware and it must not contain personal data. Shadow Defender virtualizes the current session and the data it contains: they remain present and accessible to a dynamically analysed malware, which could share them via the internet. In this case, it is necessary to encrypt or move the personal data.
    • Switch off your internet connection if you are doing a static analysis.
    • In the case of dynamic analysis, the internet connection must be active to monitor for any malware connection.
    • We consider that the analysis of malware code must be performed without an active antivirus. More specifically, the IP address assigned to a VM on NAT is translated into the IP address assigned to the physical network adapter when NAT needs to communicate with the internet. In short, a VM under NAT usually uses the real physical IP, and the same is true with Shadow Defender.
    • Therefore, it is necessary to use an outbound firewall in interactive mode to stop and analyse any malware connections; some of them trigger spam or botnet traffic, causing our IP to be blacklisted or creating privacy problems.
    • A firewall report and screenshots are mandatory only in dynamic analysis, in the case of malware connections, but the firewall must also be active in static analysis because of possible involuntary malware activations.
    • Some malware can recognize the virtual machine, for example by checking the presence of VM-specific drivers or certain registry keys, or by using guest-host / host-guest communication mechanisms, privileged instructions, or the return values of some instructions. In this case, the malware doesn't start itself and the dynamic test fails.
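    As an added example (not part of LabZero's post), this Python script turns the guest's firewall log into the kind of outbound-connection summary the firewall-report rule asks for. It assumes the built-in Windows Firewall pfirewall.log layout and a 10.0.2.0/24 NAT subnet for the VM; the log lines themselves are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in Windows Firewall pfirewall.log format (assumption: the guest
# logs allowed and dropped connections). Addresses and timestamps are made up.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-08-02 10:15:01 ALLOW UDP 10.0.2.15 10.0.2.3 51002 53 0 - - - - - - - SEND
2016-08-02 10:15:02 DROP TCP 10.0.2.15 203.0.113.10 49710 80 0 - 0 0 0 - - - SEND
2016-08-02 10:15:02 DROP TCP 10.0.2.15 203.0.113.10 49711 80 0 - 0 0 0 - - - SEND
2016-08-02 10:15:03 ALLOW TCP 10.0.2.15 198.51.100.7 49712 443 0 - 0 0 0 - - - SEND
2016-08-02 10:15:04 DROP TCP 10.0.2.15 198.51.100.9 49713 25 0 - 0 0 0 - - - SEND
2016-08-02 10:15:05 ALLOW TCP 198.51.100.7 10.0.2.15 443 49712 0 - 0 0 0 - - - RECEIVE
"""

# The NAT subnet the analysis VM lives on (assumption; adjust to your lab).
LAB_NET = ipaddress.ip_network("10.0.2.0/24")


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def summarize_outbound(text, lab_net=LAB_NET):
    """Count outbound (SEND) flows per destination and firewall action,
    separating external targets from hosts on the lab's own NAT subnet."""
    external, lab = defaultdict(Counter), defaultdict(Counter)
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND":
            continue  # inbound replies are not what the report is about
        key = f"{rec['protocol']} {rec['dst-ip']}:{rec['dst-port']}"
        bucket = lab if ipaddress.ip_address(rec["dst-ip"]) in lab_net else external
        bucket[key][rec["action"]] += 1
    return external, lab


if __name__ == "__main__":
    ext, lab = summarize_outbound(SAMPLE_LOG)
    for title, table in (("External destinations", ext), ("Lab/NAT destinations", lab)):
        print(title)
        for key, actions in sorted(table.items()):
            print(f"  {key}  {dict(actions)}")
```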