You're reading from Windows Malware Analysis Essentials
Product type: Book
Published in: Sep 2015
Reading level: Intermediate
ISBN-13: 9781785281518
Edition: 1st Edition
Author: Victor Marak

Victor Marak is a security researcher, an electronic musician, and a world backpacker. He is a college dropout and an autodidact, and he loves working on interesting subjects such as medieval music composition, demonology, DSP electronics, and psychology. He has worked for start-ups, mid-tier, and fortune 500 companies with 5 years of experience in anti-virus technologies and malware research. He was into music production prior to joining the anti-malware industry, and his solo projects are on the world's largest electronic dance music market— Beatport, as well as other major retailers like iTunes, Amazon and Traxxsource. He is in perpetual backpacking mode, set to globe-trotting, especially to his favorite countries in Europe and Russia. He can be found hanging around in the wrong social networks - LinkedIn and Quora. This is his first book.

Chapter 3. Performing a Séance Session

Apprehending malware red-handed is an exhilarating feeling for an analyst. Debugging technology provides a wealth of information about a malware's inner construction and layout and, most importantly, its modus operandi. Think of an ultra-high-speed camera capturing slow-motion video of a moving bullet, plotting its trajectory as a projectile, its impact on the intended target, and the effects thereof; a debugger used to capture the execution trace of a malware instruction by instruction is the analyst's equivalent. Things are seldom that simply extrapolated, so you could also compare an analysis session to a criminal interrogation (analyst/debugger/target sample) at a spook black site (sandbox), where you have the liberty to extract information in any manner you want while dealing with the myriad obfuscations, retaliations, and unwillingness of the participant.

The primary methodologies in malware analysis are static and...

Fortifying your debrief


Before we start with the analysis, let's explore our reporting tool, Scrivener from Literature and Latte. This is quite a deep tool, and you are encouraged to visit their website at http://www.literatureandlatte.com/scrivener.php.

This amazing software is more popular with literary types (novelists and writers, many well-known names among them) and academics, and not so widespread within the computer security community. Some of the well-distributed tools for security research include MS Word, Notepad++, UltraEdit, FreeMind, and Dradis, among a slew of other text editors and the like. However, it is strongly recommended that you use Scrivener for reasons that will become apparent the moment you start using it. Among its useful features is a hierarchical note repository called Drafts, managed in a Binder toward the extreme left, which is a metaphor for a book binder holding notes. You also have a Research folder inside the Binder. The Drafts and Research components cannot be...

Debriefing – seeing the forest for the trees


The malware sample of choice is called Dark Seoul. You can get the sample from http://contagiodump.blogspot.in/2013/03/darkseoul-jokra-mbr-wiper-samples.html.

This malware is chosen for this chapter as it is relevant enough to have been featured in a number of news reports and advisories—http://blog.xecure-lab.com/2013/03/lets-gossip-what-happens-in-south-korea.html and http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/. It is also widely available, and its features are quite interesting without being overly complex for the purpose of learning malware analysis. Since most books focus on concepts and techniques in isolation, getting an idea of a top-to-bottom analysis can be daunting for beginners and even for experienced IT folk who do not regularly deal with malware attacks. This chapter will help consolidate many of the individual parts of an analysis session. Demystifying the process...

Preparing for D-Day – lab setup


When you procure a malware sample from sources such as honeypots, online repositories, or an infected machine, your first task is to transport it to an environment where the malware can be observed in action without harming any real-world computer system, especially through network communication or propagation. This is normally called a sandbox or a malware lab and should be set up prior to analysis.

Dedicated computer hardware can certainly be used for this purpose, though a better solution is to use virtualization or emulation. The dividends are rich and manifold—you save the price of real computer hardware and OS backup software while you capitalize on features such as snapshots, persistent disks, host-only networking, kernel-mode debugging over named pipes, and running multiple OS versions on the same hardware.

VMware and VirtualBox are two virtualization products that can be leveraged in such a setup. For our purposes, this would...

Whippin' out your arsenal


Let us look at the list of tools that we will be using or referring to further on.

Fingerprinting

User mode sandboxing

Debugging and disassembly

Monitoring

  • Sysinternals Suite (especially process explorer and process monitor)...

Summoning the demon!


Let us go through the steps of performing a full analysis.

Step 1 – fingerprinting

Most of the time, you will need more information from the binary sample itself, or, if you work with a memory dump, you will need to extract the binary executable or rebuild it from there; either way, you will need to canvass the PE format and its dimensions and look for obvious and not-so-obvious signs of maliciousness. This information can be utilized for signature creation and other detection rules and will often be a precursor and addendum to Indicators of Compromise (IOCs).

The particulars that can help in identification and the cataloging of malware databases include hashes; the packer/compression/armoring employed, along with its nomenclature and markers; section names; section virtual and raw sizes and addresses; import and export tables; other compiled data directory structures such as the TLS, debug, and base relocation tables; section hashes; entropies; and overlays, among others. You...
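The following is an added example, not code from the book, showing how the fingerprinting particulars listed above (file hashes, section names, virtual versus raw sizes, per-section hashes and entropy, overlay size, and entry-point placement) can be pulled from a PE file with nothing but the Python standard library. The PE image it runs against is constructed in memory purely to exercise the parser; it is not a real sample and is not executable. The 7.0 entropy threshold and the indicator names are assumptions chosen for illustration, not vendor or industry definitions.

```python
import hashlib
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, approaching 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Parse e_lfanew, the NT headers and the section table (PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B   # PE32
                  else struct.unpack_from("<Q", data, opt + 24)[0])              # PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):                              # 40-byte section headers follow
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]             # short if the file itself is truncated
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "flags": flags,
                         "entropy": round(shannon_entropy(raw), 3),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timestamp": stamp, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def fingerprint(data: bytes) -> dict:
    """File hashes, section summary, overlay size and a few simple static indicators."""
    pe = parse_pe(data)
    end = max((s["raw_pointer"] + s["raw_size"] for s in pe["sections"]), default=0)
    overlay = max(0, len(data) - end)                   # bytes past the last section's raw data
    entry = next((s for s in pe["sections"]
                  if s["virtual_address"] <= pe["entry_rva"]
                  < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    indicators = []
    for s in pe["sections"]:
        if s["entropy"] > 7.0:                          # threshold is an assumption for this example
            indicators.append("high_entropy_section:" + s["name"])
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            indicators.append("writable_and_executable:" + s["name"])
    if entry is None:
        indicators.append("entry_point_outside_sections")
    elif not entry["flags"] & IMAGE_SCN_CNT_CODE:
        indicators.append("entry_point_in_non_code_section:" + entry["name"])
    if overlay:
        indicators.append("overlay_present")
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "machine": pe["machine"],
            "timestamp": pe["timestamp"], "entry_rva": pe["entry_rva"],
            "entry_section": entry["name"] if entry else None,
            "sections": pe["sections"], "overlay_size": overlay, "indicators": indicators}


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real sample, not runnable) used only to exercise the parser."""
    rng = random.Random(1337)
    text = b"\x55\x8B\xEC\x90\x90\xC3".ljust(0x200, b"\x90")      # low-entropy, code-like bytes
    data_sec = bytes(rng.getrandbits(8) for _ in range(0x200))      # high-entropy, packed-looking bytes
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x56000000, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<" + "H" * 6 + "I" * 4 + "HH" + "I" * 6, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                              # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    return headers + text + data_sec + b"OVERLAY-DATA-16B"         # 16-byte overlay appended
```

Calling `fingerprint(build_sample_pe())` yields the section table with `.text` at very low entropy and `.data` well above 7 bits per byte, a 16-byte overlay, and the two indicators those facts imply; on a real file you would read the bytes from disk and feed them to `fingerprint` unchanged. The per-section MD5 values are what lets you match a repacked variant whose file hash differs but whose code section is byte-identical.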

Post infection


The shutdown function is executed as follows:

0040211F  /. 55    PUSH EBP
00402120  |. 8BEC  MOV EBP,ESP
00402122  |. 83EC >SUB ESP,10
00402125  |. 56    PUSH ESI
00402126  |. 8B75 >MOV ESI,DWORD PTR SS:[EBP+8]
00402129  |. 57    PUSH EDI
0040212A  |. 33FF  XOR EDI,EDI
0040212C  |. 57    PUSH EDI
0040212D  |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+58E]
00402133  |. 50    PUSH EAX
00402134  |. FF96 >CALL DWORD PTR DS:[ESI+394]   ; kernel32.WinExec

With parameters:

Nopping that part out (select the code area in the CPU window, press space, type nop in the dialog box, and then press Enter), so that it does not execute, we reach:

0040213A  |. 68 10>PUSH 2710
0040213F  |. FF96 >CALL DWORD PTR DS:[ESI+354]   ; kernel32.Sleep

You can change the value on the stack (the 2710h, that is, 10000 millisecond argument pushed just before the call to Sleep) to 0 to save time.

Call to LookupPrivilegeValue():

00402164  |. 8D86 >LEA EAX,DWORD PTR DS:[ESI+59F]
0040216A  |. 50    PUSH EAX
0040216B  |. 57    PUSH EDI
0040216C ...

Exorcism and the aftermath – debrief finale!


Try to add an executive summary so that technical management has something to take away from your technical analysis. Ideally, do some intelligence gathering from online sources or your own, and give reasons why you infer that the malware sample is malicious (MO?) and to what degree. Give a few highlights and end with the mitigation measures recommended by your team or prescribed by your company guidelines. The following paragraph is a simple first draft of what you could note down, in a more generic manner, from the details you got out of this particular analysis session. You must also supplement your debrief with graphs and statistics where applicable.

Executive synopsis

This particular variant of the Dark Seoul malware is reported as Wiper A by some security vendors, in a set of seven samples collected to date, six being wipers and one being a dropper. The other variants are dropped independently and their...

Summary


The preceding demonstration of the malware analysis process, along with its running commentary, is something you will need to experience and do on your own to absorb anything from it. You learned what the prerequisites for analyzing malware are, how to set up your own malware lab, and how to perform static and dynamic analysis on a malware sample. You saw how the various features and actions of a malware are recorded alongside the relevant data obtained from the analyst's toolkit, and you also saw how a report can be compiled. Building on the earlier chapters, by now you should have a strong understanding of the fundamentals of computing and number bases; the assembly programming process and toolchain options; compiled data structures and how they translate from source code to assembly and back; static and dynamic analysis concepts; and the malware analysis process, from fingerprinting a sample to performing static and dynamic analyses and report...
