Malware Analysis Techniques

By Dylan Barker
    Advance your knowledge in tech with a Packt subscription

  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Chapter 1: Creating and Maintaining your Detonation Environment

About this book

Malicious software poses a threat to every enterprise globally. Its growth is costing businesses millions of dollars due to currency theft as a result of ransomware and lost productivity. With this book, you'll learn how to quickly triage, identify, attribute, and remediate threats using proven analysis techniques.

Malware Analysis Techniques begins with an overview of the nature of malware, the current threat landscape, and its impact on businesses. Once you've covered the basics of malware, you'll move on to discover more about the technical nature of malicious software, including static characteristics and dynamic attack methods within the MITRE ATT&CK framework. You'll also find out how to perform practical malware analysis by applying all that you've learned to attribute the malware to a specific threat and weaponize the adversary's indicators of compromise (IOCs) and methodology against them to prevent them from attacking. Finally, you'll get to grips with common tooling utilized by professional malware analysts and understand the basics of reverse engineering with the NSA's Ghidra platform.

By the end of this malware analysis book, you’ll be able to perform in-depth static and dynamic analysis and automate key tasks for improved defense against attacks.

Publication date:
June 2021
Publisher
Packt
Pages
282
ISBN
9781839212277

 

Chapter 1: Creating and Maintaining your Detonation Environment

Malware can be slippery, difficult to dissect, and prone to escapism. As malware analysts, however, we frequently find ourselves in a position where it's necessary to be able to both examine the binaries and samples we come across, as well as actively run the samples and observe their behavior in a semi-live environment. Observing how the malware behaves within a real-world OS informs us as analysts how to better defend and remediate infections of the same kind we come across.

Such needs present several challenges:

  • How do we execute and study malicious code while ensuring our real environments remain safe and we do not assist the malware authors in propagating their code?
  • What tools do we require to ensure that we're able to adequately study the malware?
  • How do we achieve the two aforementioned goals in a repeatable fashion so that we do not have to rebuild our environment after every piece of malware we study?

In this chapter, we'll review how it's possible to set up a VM specifically for the purposes of analyzing adversarial code, while simultaneously ensuring that we remain on good terms with our friends in Systems Administration, and do not spread our samples across the network, thereby defeating the purposes of our analysis.

In this chapter, we'll cover the following topics:

  • Setting up VMware Workstation with Windows 10
  • Tooling installation – FLARE
  • Isolating your environment
  • Maintenance and snapshotting
 

Technical requirements

The following are the requirements for this chapter:

 

Setting up VirtualBox with Windows 10

An excellent tool, which is also free (as in beer), is Oracle's VirtualBox. We'll utilize this software package to create our malware analysis environment with a Windows 10 VM.

To begin, we'll navigate to the VirtualBox download page, which can be found at https://virtualbox.org/wiki/downloads. The page should look like the one shown in the following screenshot:

Figure 1.1 – Downloading VirtualBox for macOS, Windows, and Linux

Figure 1.1 – Downloading VirtualBox for macOS, Windows, and Linux

Let's now move on to downloading and installing VirtualBox.

Downloading and verifying VirtualBox

Here, we can select our host OS, with Linux, macOS, and Windows all supported platforms. In this instance, the process will be completed in macOS, but post-installation, the steps are largely the same, and generally platform-agnostic. Begin by selecting your host OS and downloading the latest package for VirtualBox.

As with downloading any binary or package from the internet, it is an excellent idea to ensure that the download is neither corrupt nor has been tampered with during transit.

Thankfully, Oracle provides pre-computed SHA256 sums of their packages, and we can use sha256sum on either Linux or Mac to ascertain whether we have the correct package:

Figure 1.2 – The SHA256 sum of the downloaded file

Figure 1.2 – The SHA256 sum of the downloaded file

Once we have computed the SHA256 in our terminal, we can compare it to known hashes on the VirtualBox page found at https://www.virtualbox.org/download/hashes/6.1.12/SHA256SUMS. Here, we can see that we have a matching hash and can proceed with the installation:

Figure 1.3 – The list of known good hashes published for VirtualBox's installer packages

Figure 1.3 – The list of known good hashes published for VirtualBox's installer packages

Installing Windows 10

Once you have gone through the installation steps for VirtualBox on your platform and have run the application, you'll be presented with the following screen. We can now begin building our environment:

Figure 1.4 – The VirtualBox main screen

Figure 1.4 – The VirtualBox main screen

In order to create our malware analysis environment, it will be necessary to have a Windows 10 installation ISO. If you do not already have a Windows 10 ISO, one may be obtained from Microsoft at https://www.microsoft.com/en-us/software-download/windows10. You will be required to purchase a license key in order to activate your copy of Windows:

  1. To begin creating our VM, we'll click the New button in VirtualBox, as seen in the following screenshot:
    Figure 1.5 – Click New to begin creating your analysis VM

    Figure 1.5 – Click New to begin creating your analysis VM

  2. Clicking the New button will reveal a new pane requiring several selections. Here, we'll want to select Windows 10 (64-bit). The machine may be named anything of your choosing. Once these fields are filled in, click Continue:
    Figure 1.6 – Name your VM and select the proper OS configuration

    Figure 1.6 – Name your VM and select the proper OS configuration

    At this point, VirtualBox will guide you through several steps. Proceed with the defaults here – no additional customization is necessary for our use case, with one exception: if you have sufficient memory on your host machine, strongly consider changing the memory to 4,096 MB for a smoother experience (and to bypass some possible anti-analysis techniques! More on this later).

  3. Once done with the creation of the VM, we are dropped back at our initial screen with a VM available to us. However, it is necessary to specify the ISO file that the VM's OS should be installed from. For this, highlight the VM we've just created, and click Settings, as shown in the following screenshot:
    Figure 1.7 – Click the Settings button in VirtualBox's main pane

    Figure 1.7 – Click the Settings button in VirtualBox's main pane

  4. A new pane will be presented that outlines the many settings currently applied to the VM. Here, we'll select Storage, and then the compact disc icon in the tree. From here, we can click the browse icon and then select the applicable ISO for installation. Then, click OK:
    Figure 1.8 – Selecting the virtual optical disk file

    Figure 1.8 – Selecting the virtual optical disk file

  5. Once the applicable ISO has been loaded, it's time to boot the VM and begin installation of Windows. To do this, simply highlight the VM you have created and then select Start:
    Figure 1.9 – Clicking the Start button will launch our analysis VM

    Figure 1.9 – Clicking the Start button will launch our analysis VM

    If everything has been done correctly to this point, the VM will boot and a Windows 10 installation screen will appear! Here, we can click Next and then proceed as usual through our Windows 10 installation steps:

    Figure 1.10 – Select the appropriate language and keyboard layout for your region

    Figure 1.10 – Select the appropriate language and keyboard layout for your region

  6. We'll continue by creating a new partition and begin our installation as shown in the following screenshot:
    Figures 1.11 – Create a new partition by utilizing the New button

    Figures 1.11 – Create a new partition by utilizing the New button

    Once this is finished, a Windows installation screen will appear. Please wait for it to finish:

    Figure 1.12 – Installation of Windows 10

    Figure 1.12 – Installation of Windows 10

  7. Once the installation of Windows has completed, a screen will appear asking for a username to be utilized, along with a corresponding password:

    Analysis tip

    It is highly advisable to make the password entirely unique to the instance in which we are working. Malware often steals passwords for reuse in further campaigns or operations.

    Figure 1.13 – Choose a totally unique password for this VM

    Figure 1.13 – Choose a totally unique password for this VM

  8. Once the user has been created, Windows will prompt for a few more settings related to privacy – which you may answer how you choose:
Figure 1.14 – Windows 10's privacy settings

Figure 1.14 – Windows 10's privacy settings

Analysis tip

You may consider replicating the settings pictured here. While disabling Windows 10 telemetry isn't required, you may not want to deliver data to Microsoft over the internet if you're utilizing it to analyze sensitive samples.

Once all the selections have been completed, Windows will perform a number of final initialization steps for the OS and drop you at the desktop!

 

Installing the FLARE VM package

Before the critical step of isolating our VM from the outside world can be undertaken, tools that require the internet to be downloaded must first be loaded on the VM. Our brand-new VM would be largely useless to us without the requisite tools utilized by malware analysts to glean information, of which there are a multitude.

Thankfully, the folks at FireEye have created a wonderful installation package called FLARE VM, a PowerShell script that can automatically download and install nearly every tool a malware analyst would need. The script is publicly available on GitHub at the following address: https://github.com/fireeye/flare-vm. This script will save a great deal of tedium and allow us to instantly install the necessary tooling:

Figure 1.15 – Downloading the FLARE VM package from GitHub

Figure 1.15 – Downloading the FLARE VM package from GitHub

Once you have downloaded the ZIP file containing the repository for FLARE VM, right-click the ZIP archive and extract it. Once extracted, you'll be presented with a directory containing several files, including a .ps1 script. From here, we can begin the tooling installation process.

To begin the tooling installation process, it is first necessary that we obtain an administrative console in PowerShell. To do so, we can utilize WinKey + X, which presents the option to open a Windows PowerShell prompt as an administrator:

Figure 1.16 – Administrative PowerShell option in the Start menu

Figure 1.16 – Administrative PowerShell option in the Start menu

Once the administrative shell has been obtained, starting the installation is a matter of two commands issued in a single line:

cd C:\Users\$Your_Username\Downloads\flare-vm-master\flare-vm-master; powershell.exe -ExecutionPolicy Bypass -File .\Install.ps1

With these commands issued, FLARE's Chocolatey-based installer will take over and prompt for credentials stored as secure strings. Once these credentials are entered, the installation will proceed, rebooting the VM several times, and logging in automatically following each reboot. No further action is required on our part during the installation:

Figure 1.17 – FLARE's install.ps1 prompting for credentials

Figure 1.17 – FLARE's install.ps1 prompting for credentials

Analysis tip

FLARE installs a lot of tools. It may take quite a while to install, depending on the speed of your internet connection. It would be wise to utilize this time to make a sandwich, relax, or catch up on your favorite TV show.

Once the entire process has been completed, you'll be presented with the following desktop:

Figure 1.18 – The FLARE VM desktop

Figure 1.18 – The FLARE VM desktop

Several changes are apparent here. First, we have a FLARE folder, which is chock full of great malware analysis and dissection tools.

Additionally, you have the official FLARE VM wallpaper. Our malware analysis workstation is now set up and very nearly ready to go!

 

Isolating your environment

With our tooling installed, we no longer require internet access for most malware analysis. Analysis with a VM connected to the internet can pose several risks and should be avoided unless absolutely necessary. Risks associated with exposing your VM to the internet include the following:

  • Allowing attackers to directly interact with the target machine via command and control
  • Assisting in the wider propagation of worming malware to your network or others
  • Accidentally participating in illegal activities such as DDoS as a zombie, being utilized as a proxy for further hacking of targets, and more

For these reasons, it's important that we set our VM to be isolated by default and only expose it to the internet if absolutely necessary in order to further understand our malware. And even in instances such as these, take proper precautions.

Isolating your VM is a simple process, and only requires a few clicks. As before, we'll highlight our VM in VirtualBox, and then click the Settings icon as shown in the following screenshot:

Figure 1.19 – VirtualBox's Settings button will take you to the Settings pane

Figure 1.19 – VirtualBox's Settings button will take you to the Settings pane

With the Settings pane open, navigate to the Network pane. Here, we can select Host-only Adapter. This will limit the VM's network communication to just the host and prevent the spread of malware via the network to more sensitive endpoints.

Thankfully, other host isolation features such as Shared Folders and Shared Clipboard access are off by default in VirtualBox and do not require further configuration for VM isolation:

Figure 1.20 – Setting up Host-only Adapter

Figure 1.20 – Setting up Host-only Adapter

A word on executing with network activity

Occasionally, when examining malware samples, it is impossible to proceed without having an internet-connected VM. Droppers responsible for writing malware to disk often reach out to staging servers on the internet to download secondary stages, as opposed to writing them directly to disk from memory.

This can pose a challenge to an isolated VM and prevent an analyst from fully studying the execution of malware within an environment. Fortunately, it's possible to determine whether this access is required with a number of tools prior to enabling network access for your VM. These tools will be covered further in Chapter 3, Dynamic Analysis – Techniques and Tooling.

While VirtualBox does not necessarily have built-in mechanisms for safely executing in this manner, it's highly recommended that a separate network be set up, either physically or via a VLAN, for any dynamic malware analysis that requires network connectivity in order to function properly.

 

Maintenance and snapshotting

Now that the basis for the malware analysis VM has been set up, the tools installed, and everything is ready to go, it is important to ensure that the work does not have to be repeated each time we would like to dynamically analyze a new piece of malware.

If we simply detonated each piece of malware on top of the previous samples, it would confuse our indicators of compromise (IOCs), and we would likely be unable to tell what the result of a previous piece of malware was, what the result of the piece we were analyzing was, and what was just normal system activity.

VirtualBox has a built-in feature that has us covered – Snapshots. A snapshot is exactly as it sounds – a moment-in-time representation of how the VM's filesystem, registry, and other features existed precisely when that snapshot was taken. It allows an analyst to revert a VM to a time before it was purposely infected with malware.

To take a golden-image snapshot of our newly created malware analysis VM, we'll navigate to VirtualBox's main menu, click the hamburger button just to the right of our VM name, and then click Snapshots:

Figure 1.21 – The Snapshots pane to take, manage, and delete any snapshot taken of your VM

Figure 1.21 – The Snapshots pane to take, manage, and delete any snapshot taken of your VM

Once clicked, the snapshot pane opens, presenting us with the option to take a current snapshot and name it:

Analysis tip

It's best to have highly descriptive snapshot names so that you aren't left guessing and restoring snapshots blindly in an attempt to find the correct one.

Figure 1.22 – Taking our first snapshot

Figure 1.22 – Taking our first snapshot

When OK is clicked, the VM will pause for a few moments to take an image of the moment-in-time configuration and save it for later restoration. Once complete, we'll be able to see our snapshot in the list of available restore points in VirtualBox, as shown in the following screenshot:

Figure 1.23 – The snapshots panel in VirtualBox

Figure 1.23 – The snapshots panel in VirtualBox

Congratulations! You've created your malware analysis VM and ensured that we can continue to use it even after we detonate malware in it several times, returning it to its previous state with the click of a button.

Welcome to your home for the next 10 chapters.

Analysis tip

Snapshots aren't only great for keeping your VM clean! Initial vectors of malware (such as droppers) no longer work after a given period of time. If you have an infected instance of your VM that you think you'd like to study in the future and are unsure whether you'd be able to re-infect it, take a snapshot!

 

Summary

In this chapter, we've performed a basic setup of our malware analysis environment and built the foundation of what we will utilize to inspect adversarial software over the course of the book.

During this chapter, we have completed the construction of our analysis environment, including the downloading and installation of VirtualBox, the isolation of our host, and the installation of critical tools for our analysis via the FLARE VM package. With this built, we can now move on to the next chapter, where we will be inspecting and understanding live malware samples!

About the Author

  • Dylan Barker

    Dylan Barker is a technology professional with 10 years' experience in the information security space, in industries ranging from K12 and telecom to financial services. He has held many distinct roles, from security infrastructure engineering to vulnerability management. In the past, he has spoken at BSides events and has written articles for CrowdStrike, where he is currently employed as a senior analyst.

    Browse publications by this author
Malware Analysis Techniques
Unlock this book and the full library for $5 a month*
Start now