Module 2 Chatgpt

Uploaded by

ishandhakad56

Module 2

1. Static Analysis
 What it is: Examining malware binaries without executing them.
 Purpose: Get early information about malware (origin, indicators, possible risks) without infecting the
system.
 Goal: Identify suspicious code or malicious patterns and decide where to focus deeper analysis.
 Why important: Safe, quick, and first step before doing dynamic analysis (where malware is run in a
controlled environment).

2. Benefits of Static Analysis


1. Early Detection
o Detect threats before execution. Example: Antivirus detects wannacry.exe using signature without
running it.
2. Compliance
o Regulated industries (banking, healthcare, payment processing) must scan software for malware before deployment to satisfy frameworks such as PCI DSS and HIPAA, and the security obligations of GDPR.
3. Risk Assessment
o Helps decide: Is this file high-risk ransomware or a simple adware?
4. Improved Security Posture
o By seeing malware trends, companies strengthen defenses. Example: If malware uses PowerShell,
defenders may block risky PowerShell scripts.

3. Challenges & Limitations


 Evasion Techniques
o Packing: the real code is compressed or encrypted (e.g., with UPX) and only unpacked in memory, so a static view shows mostly the unpacker stub.
o Obfuscation: code is deliberately made hard to read (meaningless names such as a1, a2, a3; encoded strings; junk instructions).
o Polymorphism: each copy of the same malware is re-encoded with a different key or layout, so exact signatures and hashes stop matching.
 Misleading Results
o A sample can look harmless statically (few or no readable strings) because the real payload is decrypted only at runtime.
o This produces false negatives (a threat is missed) and, with over-broad rules, false positives (a benign file is flagged as malicious).

4. File Signature Analysis


 Many file formats begin with a fixed byte sequence called a magic number (file signature). Plain text files have none.
 It works like a fingerprint for the format: a few bytes are enough to identify it, independent of the file name.
 Examples:
o PDF → %PDF
o EXE (Windows PE) → MZ
o JPG → FF D8 FF
 How it helps:
o If a file named photo.jpg does not start with FF D8 FF, the extension is lying; a common trick is an executable (MZ header) renamed to look like an image or document.
 Advanced techniques:
o Hashing: compare the file hash with a malware database.
o Fuzzy Hashing (e.g., ssdeep): detects similarity even when the malware changes slightly, which an exact hash cannot.
o YARA Rules: custom pattern rules, for example:

    rule Trojan {
        strings:
            $a = "malicious_function"
        condition:
            $a
    }
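The magic-number check described above, as an added example (not code from the original notes): it compares a file's extension with the format its first bytes announce, and for anything starting with MZ also follows the e_lfanew pointer at offset 0x3C to the PE signature, because MZ alone is trivial to fake. The magic table, the extension aliases and the sample byte strings are constructed for the demonstration.

```python
import struct

# Magic numbers from the notes plus a few common ones (assumed table; extend as needed)
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                      # PE executables: .exe, .dll, .sys, .scr all share it
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",              # also .docx/.xlsx/.jar, which are zip containers
}
EXT_ALIAS = {"jpeg": "jpg", "dll": "exe", "sys": "exe", "scr": "exe"}


def detect_type(data: bytes):
    """Return the format whose magic number the data starts with, or None (plain text has none)."""
    for magic, name in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return name
    return None


def is_valid_pe(data: bytes) -> bool:
    """MZ is cheap to fake: also follow e_lfanew (DWORD at 0x3C) to the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_file(name: str, data: bytes) -> dict:
    """Flag files whose extension disagrees with the magic number."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIAS.get(ext, ext)
    detected = detect_type(data)
    return {
        "name": name,
        "extension": ext,
        "detected": detected,
        "valid_pe": is_valid_pe(data),
        "suspicious": detected is not None and detected != ext,
    }


# Constructed samples (not real files): a minimal PE header renamed to .jpg, and a real JPEG prefix
FAKE_JPG = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_JPG = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", FAKE_JPG), ("photo.jpg", REAL_JPG), ("notes.txt", b"hello")]:
        print(check_file(fname, blob))
```

A mismatch is a lead, not a verdict: archives renamed to .docx and PE files renamed to .tmp are both common in benign software, so the flagged file goes to the hash, string and dependency checks that follow.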

5. Identifying File Dependencies


Malware is rarely a single file → it’s a set of files working together.
 DLLs (Dynamic Link Libraries)
o Shared libraries used by many programs.
o Malware often calls Windows APIs through DLLs.
o Example: Keylogger using user32.dll → GetAsyncKeyState().
 Configuration Files
o Contain attacker’s commands, IPs, payload settings.
o Example: Botnet uses config.ini with C2=192.168.0.10:4444.
 Dropper Files
o First-stage installer. Looks normal (invoice.exe), but secretly installs ransomware.
 Payload Files
o The real malware that steals data/encrypts files.
o Example: Stage2 ransomware.
 Temporary Files
o Used for logs, stolen credentials, or unpacking malware.
o Example: C:\Temp\pass123.tmp holds captured passwords before they are sent to the attacker.
➡️Real Scenario:
1. User opens invoice.pdf.exe (dropper).
2. Dropper creates svchost_update.exe (payload).
3. Payload uses crypto.dll (encrypt data).
4. Creates config.dat (C2 details).
5. Temporary log files save stolen keystrokes.

6. Database of File Hashes


 Hash = fixed-length fingerprint of a file's contents.
 Example:
o MD5 of a file containing just the text hello → 5d41402abc4b2a76b9719d911017c592
o Change one letter → a completely different hash.
o MD5 and SHA-1 are collision-prone and should not be relied on alone; SHA-256 is the usual key in modern hash databases, with MD5/SHA-1 kept for legacy feeds.
 Why used?
o Malware Detection → compare with VirusTotal or a threat-intel hash DB.
o Forensics → verify an evidence file has not changed since acquisition.
o Software Integrity → confirm a downloaded package matches the publisher's hash.
o Deduplication → drop duplicate files in storage.
 Limitation: any one-byte change (repacking, a new encryption key) defeats exact-hash lookup, which is why fuzzy hashing and YARA rules exist.
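The hash-database lookup from this section, as an added example (not code from the original notes): it computes MD5, SHA-1 and SHA-256 in one chunked pass so large samples do not have to be read into memory, keys the lookup on SHA-256, and shows that a single changed byte defeats exact matching. The "known bad" database and the sample bytes are constructed for the demonstration; a real one would be populated from a threat-intel feed.

```python
import hashlib
import io


def hash_stream(stream, chunk_size: int = 1 << 16) -> dict:
    """MD5, SHA-1 and SHA-256 of a file-like object in one pass, read in chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    while chunk := stream.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def hash_path(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


# Constructed stand-in for a malware sample and for a hash database (sha256 -> family label)
SAMPLE = b"MZ\x90\x00" + b"constructed sample, not real malware" * 4
KNOWN_BAD = {hash_bytes(SAMPLE)["sha256"]: "Test.Constructed.Sample"}


def verdict(data: bytes, db: dict = KNOWN_BAD) -> dict:
    """Look the file up by SHA-256; MD5 is reported only because many legacy feeds still list it."""
    h = hash_bytes(data)
    return {"sha256": h["sha256"], "md5": h["md5"], "family": db.get(h["sha256"])}


if __name__ == "__main__":
    print(hash_bytes(b"hello")["md5"])          # the value quoted in the notes
    print(verdict(SAMPLE))                       # exact match -> family label
    print(verdict(SAMPLE[:-1] + b"!"))           # one byte changed -> no match
```

The last call is the limitation in practice: a repacked or re-keyed build of the same family produces a hash the database has never seen, so exact-hash lookup confirms known samples but cannot rule a file clean.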

7. String Analysis
 Extract readable text from malware.
 Malware may store:
o IP addresses, domains (192.168.1.100, badsite.com).
o Commands like DeleteAllFiles, EncryptDrive.
o API calls (CreateProcessA, InternetOpenUrl).
 Static Strings → Extract directly with strings.exe.
 Dynamic Strings → Run malware in sandbox to extract hidden strings (after decryption).
 Regex Example:
o Find IP: [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} (this also matches non-addresses such as 999.1.1.1, so validate that every octet is 255 or less).
 Use Case: extracted IPs and domains are checked in VirusTotal or threat-intel feeds to assess reputation and link the sample to known attacker infrastructure.
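A string extractor for this section, as an added example that also illustrates the "misleading results" point from section 3 (it is not code from the original notes): it pulls ASCII and UTF-16LE runs the way strings.exe does, applies the IP regex above with octet validation, flags interesting API names, and then brute-forces every single-byte XOR key to recover a C2 address that a plain strings run never shows. The API list and the sample byte blob are constructed for the demonstration.

```python
import re

MIN_LEN = 4
IPV4_LOOSE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")      # the pattern from the notes
# Illustrative list of APIs worth a second look (assumption, not exhaustive)
INTERESTING_APIS = {"CreateProcessA", "InternetOpenUrlA", "GetAsyncKeyState",
                    "VirtualAlloc", "WriteProcessMemory"}


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII, like `strings`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable UTF-16LE (Windows wide strings), which a plain ASCII scan misses."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def find_ipv4(strings) -> list:
    """Loose regex first, then reject candidates with an octet above 255 (999.1.1.1 is not an IP)."""
    ips = []
    for s in strings:
        for m in IPV4_LOOSE.finditer(s):
            if all(int(octet) <= 255 for octet in m.group().split(".")):
                ips.append(m.group())
    return ips


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def hidden_ipv4(data: bytes) -> dict:
    """Try every 1-byte XOR key; return IPs that only appear after decoding, with the key that reveals them."""
    visible = set(find_ipv4(ascii_strings(data)))
    hidden = {}
    for key in range(1, 256):
        for ip in find_ipv4(ascii_strings(xor_single_byte(data, key))):
            if ip not in visible:
                hidden.setdefault(ip, key)
    return hidden


def analyze(data: bytes) -> dict:
    strings = ascii_strings(data) + utf16le_strings(data)
    return {
        "strings": strings,
        "ips": find_ipv4(strings),
        "apis": sorted(s for s in strings if s in INTERESTING_APIS),
        "hidden_ips": hidden_ipv4(data),
    }


# Constructed byte blob standing in for a binary (not a real malware sample)
SAMPLE = (
    b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"InternetOpenUrlA\x00CreateProcessA\x00"
    + b"http://badsite.example/gate.php\x00\x00\x00"
    + "C:\\Temp\\k.log".encode("utf-16-le") + b"\x00\x00"
    + b"999.1.1.1\x00"                                          # bogus address, must be rejected
    + xor_single_byte(b"C2=10.0.0.5:4444", 0x5A) + b"\x00" * 4   # C2 hidden behind a 1-byte XOR
)

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("visible IPs:", report["ips"])
    print("APIs:", report["apis"])
    print("hidden IPs (ip -> xor key):", report["hidden_ips"])
```

On the constructed blob the visible IP list is empty (999.1.1.1 is rejected) while the XOR sweep returns 10.0.0.5 with key 0x5A; a real sample may use a longer key or a stream cipher, which is where dynamic string extraction in a sandbox takes over.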

8. Malware Sandboxing
Local Sandbox
 Setup on VMware, VirtualBox.
 Analyst can:
o Watch network traffic (Wireshark).
o Track file modifications.
o Log API calls.
 Pros → Full control, private.
 Cons → Requires strong PC, setup time.
Online Sandbox
 Services: ANY.RUN, VirusTotal, Hybrid Analysis.
 Upload malware → Get instant report.
 Pros → Easy, quick, collaborative.
 Cons → Limited control, sample may be shared with others.

9. Levels of Abstraction
Malware works across levels:
1. Hardware → CPU, RAM. Example: proof-of-concept code exploiting the Spectre CPU vulnerability.
2. Microcode → CPU instruction translation.
3. Machine Code → Binary 0s and 1s.
4. Low-Level Language (Assembly) → Human-readable machine code.
5. High-Level Language (C/C++) → Malware mostly written here.
6. Interpreted Languages (Python, JS) → Script-based malware, easy to modify.

10. x86 Architecture Basics


 Von Neumann model → CPU, RAM, I/O.
 CPU:
o Registers (EAX, EBX).
o ALU (performs operations).
o Control Unit (fetch instructions).
 RAM Layout:
o Data → global vars.
o Code → program instructions.
o Heap → dynamic memory.
o Stack → local variables, function calls.
11. Instructions, Opcodes, Operands
 Instruction = Mnemonic (mov, add) + Operand.
 Opcode = machine code (B8 04 00 00 00 = mov eax,4).
 Operands:
o Immediate (fixed value: mov eax, 5).
o Register (mov eax, ebx).
o Memory (mov eax, [ebx]).
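A toy decoder for the three operand forms above, as an added example (not code from the original notes): it handles mov r32, imm32 (opcode B8+register), the ModRM-encoded forms 89 /r and 8B /r, add r/m32, r32 (01 /r) and ret, and shows how B8 04 00 00 00 becomes mov eax, 4 and how the ModRM byte selects register versus [register] operands. SIB and displacement forms are deliberately left out; the sample byte string is constructed.

```python
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # order fixed by the encoding


def decode_modrm(byte: int):
    """Split a ModRM byte into mod (bits 7-6), reg (bits 5-3) and rm (bits 2-0)."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def rm_operand(mod: int, rm: int) -> str:
    """Render the r/m field: a register when mod == 11, [register] when mod == 00."""
    if mod == 3:
        return REGS32[rm]
    if mod == 0 and rm not in (4, 5):      # rm=100 needs a SIB byte, rm=101 is a disp32: not handled here
        return f"[{REGS32[rm]}]"
    raise NotImplementedError("SIB and displacement forms are outside this toy decoder")


def decode_one(code: bytes):
    """Decode the instruction at the start of code; return (assembly text, encoded length)."""
    op = code[0]
    if 0xB8 <= op <= 0xBF:                         # B8+rd id: mov r32, imm32 (register in the low 3 bits)
        imm = struct.unpack_from("<I", code, 1)[0]
        return f"mov {REGS32[op - 0xB8]}, 0x{imm:x}", 5
    if op in (0x89, 0x8B, 0x01):                   # 89 /r: mov r/m32, r32  8B /r: mov r32, r/m32  01 /r: add r/m32, r32
        mod, reg, rm = decode_modrm(code[1])
        other = rm_operand(mod, rm)
        mnemonic = "add" if op == 0x01 else "mov"
        dst, src = (REGS32[reg], other) if op == 0x8B else (other, REGS32[reg])
        return f"{mnemonic} {dst}, {src}", 2
    if op == 0xC3:
        return "ret", 1
    raise NotImplementedError(f"opcode {op:#04x} is not in this toy decoder")


def disassemble(code: bytes) -> list:
    """Linear sweep over the byte string, one instruction at a time."""
    listing, i = [], 0
    while i < len(code):
        text, n = decode_one(code[i:])
        listing.append(f"{code[i:i + n].hex(' ').upper():<16} {text}")
        i += n
    return listing


# Constructed byte string: the three operand kinds from the notes, an add, and a return
SAMPLE = bytes.fromhex("B8 04 00 00 00"   # mov eax, 4      (immediate)
                       "89 D8"            # mov eax, ebx    (register)
                       "8B 03"            # mov eax, [ebx]  (memory)
                       "01 D8"            # add eax, ebx
                       "C3")              # ret

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE)))
```

The ModRM byte D8 is 11 011 000 in binary: mod 11 (register operand), reg 011 (ebx), rm 000 (eax), which is why 89 D8 and 01 D8 both act on eax and ebx while 8B 03 (00 000 011) reads from memory at [ebx].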

12. x86 vs x64 Assembly


 x86 (32-bit):
o 32-bit addresses → at most 4 GB of address space per process.
o Registers: EAX, EBX, etc.
o Found on older systems, and still a common malware target because 32-bit binaries run on 64-bit Windows.
 x64 (64-bit):
o 64-bit registers and a far larger address space (terabytes).
o More registers (RAX, RBX, R8-R15); the Windows x64 calling convention passes the first arguments in registers rather than on the stack, which changes how calls look in a disassembler.
o Standard on modern systems.
 In Malware Analysis:
o Reverse engineers disassemble malware into x86/x64 assembly.
o Helps understand exact malicious operations.

13. Static Analysis Tools


🔹 PEiD
 Detects packers, cryptors in Windows executables.
 Example: Finds UPX → tells analyst file is packed.
 Modes: Normal, Deep, Hardcore scan.
🔹 Dependency Walker
 Shows the DLLs listed in a file's import table and the functions imported from each.
 Reports missing DLLs; an unusual DLL or an unexpected load path is worth a closer look.
 DLLs that malware loads at runtime with LoadLibrary/GetProcAddress do not appear in the import table, so a very short import list on a large binary is itself a hint of packing or dynamic API resolution.
🔹 Resource Hacker
 View/modify hidden resources inside executables.
 Example: malware may store a second EXE in the resource section (for instance as an RCDATA entry) alongside icons and version info.
 The analyst extracts the embedded payload from the resources and analyses it separately.
