MalwareAnalysis Course 2023

Malware Analysis Fundamentals

Cyber Threats Hunting

- Course -

Alexandru Antal
[email protected]

Alexandru IUGA
[email protected]
Objectives
• Introduction to malware analysis
• Understanding the tactics, techniques, and
procedures used by the attackers
• How a targeted malware attack works
• Familiarization with the tools and techniques used
for host forensics and network forensics

• *we will use malware analyst and reverse-engineer interchangeably
Set up the lab for the next
sessions
• Download Windows VM
• RAR archives can be used for VMware Workstation
• OVF for VirtualBox/Parallels/Fusion/KVM
• Tested only on VirtualBox
• If you have a Windows VM that you can use, install
the tools presented in the Handbook
• Download and run the REMnux machine

https://mega.nz/folder/e54VyLhT#zxIJiN13zOHGsu2ZdaJ6yA
What is malware analysis?
The main purpose of both teams (Red and Blue) is to strengthen the
overall security of the organization

*https://cdn2.hubspot.net/hubfs/99242/Blog_Images/red%20team%20vs%20blue%20team.png
What is malware analysis?
• Process of understanding the
behavior and purpose of a file or
URL
• Part of Blue Team
• The output of the analysis is a key
component that aids:
• Security Analysts (Infrastructure
security)
• Digital Forensics and Incident
Response (DFIR)
• Threat hunting
• Malware Analysts need to
understand how to interact with
others
Learn core malware analysis
techniques so you can…
• Many organizations that discover malware in their
network don’t know how to examine it.
• Assess the nature of malware threats.
• Determine the scope of the incident.
• Eradicate malicious artifacts.
• Create rules in order to fortify system and network
defenses.
• Strengthen your ability to handle malware incidents.
Why Malware Analysis?
• Malware analysis is a critical component of
information security
• You need to understand what malware does during
incident response.
• Uncover hidden indicators of compromise
(IOCs) that should be blocked
• Improve the efficacy of IOC alerts and
notifications
• Enrich context for threat hunting and
threat intelligence
Malware Analysis or Reverse
Engineering?
• Malware Analysis can involve Reverse
Engineering, but it can also be done without
RE
• Reversing is the strongest weapon that is
available against creators of malware.
• Involves disassembling (or decompiling)
• Can become hard
Input of a Malware Analyst
• Verbal reports
• Suspicious files
• File system image
• Memory image
• Network logs
• Anomaly observations

Output of a Malware Analyst
• What malware does
• How to identify it
• Attacker’s profile
• Incident Response
recommendations
• Reports and Indicators of
Compromise (IOCs)
• Malware trends

IOCs
• Indicators of Compromise (IOCs) are pieces of
forensic data that uniquely identify potentially
malicious activity on a system or network
• They include:
• Hashes of malware samples (MD5/SHA1/SHA256/etc.)
• Domains or IPs (used for data exfiltration)
• Rules (like Yara, or Snort, or others)
• Unusual DNS lookups
• Suspicious files, applications, and processes
• Data transfer over rarely used ports
A few words about IOCs
• There are different IOC sources; choose wisely, depending on
their reliability and expiry dates (IPs in particular go stale)
• There are different formats; using a framework (like MISP) might
help ingest them
• Please keep in mind that quantity != quality. Actually,
too many “useless” IOCs might overload your systems
• Also keep in mind that lack of context might be a
problem
• It is a good idea to set policies for the IOCs’
lifecycle
IOC sources examples
• OTX AlienVault
• https://otx.alienvault.com/browse/global/indicators?include_inactive=0&sort=-modified&page=1
IOC sources examples
• ThreatConnect Exchange
• https://app.threatconnect.com/
IOC sources examples
• Twitter
• Security researchers provide valuable data to the
community
• https://twitter.com/hashtag/Lokibot?src=hashtag_click
MISP
• MISP - Malware Information Sharing Platform
• The MISP project is a free sharing platform and
open source software helping information sharing
of threat intelligence including IOCs
• MISP comes both as a project and as a VM
• https://www.misp-project.org
• Developed by
• CIRCL (Computer Incident Response Center
Luxembourg)
• Belgian Defense
• NATO / NCIRC (Computer Incident Response Center)
MISP interface
Why MISP?
• You can store your IOCs in a structured manner,
• Use automatic correlation
• automated exports for IDS, or SIEM, in
Snort/Suricata/Bro/Zeek IDS rules, STIX, OpenIOC, text
or csv exports
• synchronize to other MISPs (different networks and
organizations)
• In other words, MISP lets you save IOCs once
and export them in all the formats that different security
products consume
• Share the IOCs
MISP User Manual
• MISP User manual can be found online:
• https://www.circl.lu/doc/misp
• Also, it can be downloaded as a book:
• https://www.circl.lu/doc/misp/book.pdf
• Free Workshops by CIRCL
• https://www.circl.lu/services/misp-training-materials/
Malware analysis part of Incident
Response

*cyber attack kill chain https://www.kaspersky.com/content/en-global/images/enterprise/products/malware-analysis-2.jpg


Types of malware samples
Attack Vectors
• Phishing or Spear Phishing (phishing emails)
• Malware links or attachments
• Vulnerability exploits
• Common Vulnerabilities and Exposures (CVE)
• Apps and Network devices (routers, switches, firewalls)
• 0-days
• Third-party compromise (services suppliers) to gain
access to a client network
• SolarWinds Orion – 2021
• ASUS drivers (ShadowHammer) – 2019
• CCleaner – 2017
Attack Vectors - (Spear)phishing

https://www.memphis.edu/its/security/phishing-examples.php
Attack Vectors - (Spear)phishing

https://dnsc.ro/citeste/alerta-phishing-impersonare-banca-transilvania
Attack Vectors - (Spear)phishing
Types of malware samples
• There are a number of types of malware samples
• Each name assigned to it typically explains what it
does
Types of malware samples
Rootkit – Masks its existence in the Operating System
Backdoor – Enables a remote attacker to have access to or send commands to a compromised computer
RAT – Remote Access Trojan, similar to a backdoor, and includes file manipulation (backdoor++)
Info Stealer – Steals the victim’s information, passwords, or other personal data (passwords, sessions, cookies, desktop screenshots, etc.)
HackTool – Admin tools or programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious
Types of malware samples
Dropper/Downloader – Designed to “install” or download some sort of malware
Adware – Automatically renders advertisements in order to generate revenue for its author
PUP/PUA – Potentially Unwanted Program/Application, sometimes added to a system without the user’s knowledge or approval
What kind of software does the malware use?
• Malware can be developed in practically any
programming language
• C/C++, C#, Java, Android, Golang, Rust, Javascript,
Webassembly, ASP(X), PHP, VBA, Perl, Python,
Powershell, bash, bat, AutoIT, etc.
• Intel x32, x64, MIPS, ARM, etc.
• MIPS or ARM are used for IoT and routers (malware example:
Mirai)
• Yes, even server side (webshells, file-uploaders, etc)
• Shellcode (x64, x32) – only the code that can be
executed
• The malware downloads the shellcode and moves the execution
flow to it
Example: Mirai
• IoT devices form a Botnet
• Each device is used to:
• attack a certain target
• make the botnet
bigger
• Bruteforce accounts
• DDoS (Distributed
Denial of Service)

https://www.fortinet.com/blog/threat-research/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers/_jcr_content/root/responsivegrid/image.img.png/1519435991468/mirai-bot-0.png
What kind of software does the malware use?
• Do I need to know all of them?

• Google is your friend when in doubt


• Assume that the code works most of the time
What can a malware do on OS?
• All file operations (read, write, edit, delete)
• ransomware
• Running commands
• Persistence
• Techniques used to maintain access across restarts
• Both Software and Hardware (across operating system
installs – LoJax malware)
• Network connections
• Many other things
Threat actors
https://cyber.gc.ca/en/guidance/cyber-threat-and-cyber-threat-actors
How does it affect us?
• It can cause major shortages for end users, even
panic, besides the company’s losses

https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html
https://www.france24.com/en/live-news/20210512-panic-buying-shuts-down-us-gas-stations-after-pipeline-hack
How does it affect us?
Advanced Persistent Threats
(APTs)
• A particular type of attacks are called Advanced
Persistent Threats (APTs)
• Refers to a threat actor, typically a nation state or
state-sponsored group, which gains unauthorized
access to a computer network and remains
undetected for an extended period of time.
• They often use all the previous enumerated types
of malware to achieve their goals
Advanced Persistent Threats
(APTs)
• The purpose is to gain ongoing access to systems in
a network:
• Stage One: Gain Access
• Stage Two: Establish a Foothold
• Malware, backdoors, tunnels
• Stage Three: Deepen Access
• Gain access as Administrator (usually password cracking)
• Stage Four: Move Laterally
• Move around the network using administrator rights.
• Stage Five: Look, Learn, and Remain
• Persistence on other systems
• Gain access to other accounts
APTs

https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
Advanced Persistent Threats
(APTs)
• Often they go to the next level, a supply-chain compromise, to gain
a foothold on a network (example: SolarWinds Orion)

https://img2.helpnetsecurity.com/posts2020/solarwinds-supply-chain-attack.jpg
Advanced Persistent Threats
(APTs)
• Sunburst – the malware that changed the update in
the Orion SolarWinds attack
• Changed the source code when the compile button was
pressed
• Changed the source code back to original after
compilation was ready
• Developers never knew of its presence
• https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Once a Target, Always a Target

https://twitter.com/campuscodi/status/1453525999115804672
Online resources
• Malware repositories: VirusTotal, bazaar.abuse.ch
• Multi-engine Antivirus: VirusTotal,
Metadefender
• File Reputation: Malware Hash Registry
• Automated Sandboxes: VirusTotal (limited),
Joe Sandbox, Falcon, Tria.ge, Any.run
• Threat Intelligence: OTX AlienVault, URLhaus
Database, Malpedia

* This is just a sampling of free tools


Example: OSINT investigation
• OSINT (Open-source intelligence) is the
information collected from public data sources
• Consider the following scenario:
• An employee from your organization received an email
with a suspicious attachment
• You search the hash of the attachment on VirusTotal
Example: OSINT investigation

Sample hash:
63ff4ab6e291cbbee220b4d184856258529935445474fddbbb94fa9382fde7da
Example: OSINT investigation
• VirusTotal shows many antivirus technologies that
consider the sample malware
• The names assigned to it include
Trojan, Downloader/Dropper, VBA
• Extra details shows a downloaded
sample
Example: OSINT investigation
• Automatic submissions to sandboxes generate
more data on the sample
Example: OSINT investigation
• Which reveals a lot of information

Image from Joe Sandbox


Example: OSINT investigation
• Looking at the downloaded sample, we see
different types of signatures, all generic
Example: OSINT investigation
• Searching for the sample in another OSINT sandbox
retrieves the SnakeKeylogger tag
Example: OSINT investigation
• Also, the config of the sample
• SnakeKeylogger exfiltrates data and sends them over
SMTP (mail) using the following credentials:
Example: OSINT investigation
• You have confirmed that the file is malicious,
gathered IOCs, and identified the nature of the
infection
• Malware often seeks to communicate with the
adversary for data exfiltration and Command and
Control (C2)
• Although you managed to find what malware
does, sometimes it might be a bad idea to
upload a sensitive file to a third party.
Example: OSINT investigation
• If in doubt, it's best to search the sites for file
hashes or other IOCs without actually
uploading your artifacts.
• Fully automated tools don't offer the level of
control and insight you can get in your own lab
(if you know what you're doing).
MaaS (Malware-as-a-Service)
• The previous example used SnakeKeylogger
malware
• SnakeKeylogger is similar to Agent Tesla
• C# malware that can be configured using a panel
• Bad guys pay for the panel and buy samples as a
service
MaaS (Malware-as-a-Service)

https://3.bp.blogspot.com/-bJWpLuNYfVc/WcHBQBlQzuI/AAAAAAAAA-k/JXnACVSnG5sGoOIAqBbtQAGn4ik9maOcQCLcBGAs/s1600/XNQmsun.gif
Malware Analysis Lab
• Using OSINT information is good and helps, but in
many cases, you need to keep the investigation
under control
• The lab needs to be isolated from other networks
• So you don’t infect or attack others on your network, or
on the Internet
• So you can replay some aspects of the malware
• Also called an RE Lab (Reverse Engineering
Lab)
Set-up a new Laboratory
• There are many virtualization platforms on the
market, such as VirtualBox, Parallels, Microsoft
Virtual PC, VMware, Microsoft Hyper-V and Xen

• The laboratory part of the course is based on
the Windows VM running in VMware
Set-up a new Laboratory
• Virtual Machines:
• https://github.com/mandiant/flare-vm
• https://remnux.org/

• Lab:
• Windows 10 with a minimal set of tools
• Remnux
Set-up a new Laboratory
• For VMware, please download the resources at
• https://mega.nz/folder/e54VyLhT#zxIJiN13zOHGsu2ZdaJ6yA

• For other virtualization environments, please
download the resources and import them into your
favorite virtualization environment
New RE lab
Malware Analysis Lab – Connectivity
Full Network connectivity
• Pros:
• real behavior of the sample
• Can download additional modules

• Cons:
• makes you a participant in the malware’s actions
• informs the attackers that they have been discovered
Malware Analysis Lab – Connectivity
Isolated Lab
• Pros:
• Analysis at your own pace
• Can’t be detected by the attackers
• The malware can’t carry out its activities against real targets

• Cons:
• Extra steps for reproducing network connectivity
• More difficult to control the laboratory dependencies

• This is the recommended way
New RE lab – configuring LAN
• Right click on a VM machine -> Settings -> Network Adapter
-> Select LAN segment -> Click on LAN Segments
New RE lab – configuring LAN
• Click Add -> Rename the LAN (if you want) -> click
OK
New RE lab – configuring LAN
• Select the LAN Segment from the dropdown
New RE lab – configuring LAN
• Complete the same steps for the REMnux machine
• Make sure you select the same LAN between the
two machines
• Now you have two machines in the same LAN
• Need to assign IPs to both workstations
New RE lab
On REMnux

On Windows
Testing the connectivity
• ping between the REMnux and Windows machines
should succeed
• if not, check the firewall and other network
connectivity settings
Malware Analysis Lab
• Pay attention to your lab isolation measures
• Malware could escape your VM by exploiting the
hypervisor, or a misconfigured feature
• You may infect your host by accident, or your USB
drive with a worm, while examining the sample
• Take measures to minimize the risk:
• Update the host with the security patches
• Disconnect the lab from other networks
• Don’t use folder sharing with the VM
Malware Analysis Lab
• Use snapshots to restore the state of a system
(restore the VM to a “clean” state)
Malware Analysis Lab (sandbox)
• If you have hardware resources, you can install a
local version of Sandbox to quickly analyse samples
(without submitting them to third-party vendors)
• Cuckoo Sandbox (not maintained):
https://cuckoosandbox.org/
• Cape Sandbox: https://capesandbox.com/
• DRAKVUF Sandbox: https://github.com/CERT-Polska/drakvuf-sandbox
Malware Analysis Lab
These tools are already
installed in the Lab VM
• Static analysis
• Dynamic analysis
• Finding anomalies and
Monitoring events
Malware Analysis Lab – Golden
Rules
• Don’t use your private data or accounts in the
infected machine (mail, passwords, etc.)
• Use a special, controlled network segment, and DO
NOT use your day-to-day network connection.
• Do not use your regular computer (prefer virtual
machines)
• Consider a non-Windows host; mind your AV suite
• Adjust firewalls (e.g. block port 25 to avoid
spamming)
• Take a snapshot before infection so you can restart from a clean state
Complexity of Malware Analysis

https://sectigostore.com/blog/malware-analysis-what-it-is-how-it-works/
Fully Automated Analysis
• Relies on reports generated by sandboxes (free or
commercial)
• Previous OSINT investigation relied on it
• The fastest, but not the most reliable (we will see
an example in the laboratory)
• Might not generate a valid output if the malware
has anti-VM capabilities (not covered in the course)
• such anti-VM checks can be bypassed using the more complex types of
malware analysis
Static Properties Analysis
• All the info you can gather, without executing the
malware
• Filename, metadata (exif data)
• Hashes
• Strings in the file
• Imports/Exports
• Other IOCs
• End up having an idea about what malware
does
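The static properties listed above (hashes, strings, embedded URLs) together with the hash-based IOC lookup from the IOC slides, as an added Python example that is not part of the course material. The sample bytes and the IOC set are constructed here; the URL regex and the `looks_like_pe` heuristic are simplifications of what `strings`, HashMyFiles or pestudio do.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (not a real sample): a fake MZ
# header, the usual DOS-stub text, a URL and some non-printable filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x01\x02"
    + b"http://example.invalid/update.bin\x00"
    + b"\xff\xfe" + b"ab" + b"\x00" * 4
)

URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests, the forms IOC feeds usually carry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def network_iocs(strings: list) -> list:
    """URLs embedded in the extracted strings: candidate download/C2 IOCs."""
    return [url for s in strings for url in URL_RE.findall(s)]


def triage(data: bytes, known_bad_sha256: set) -> dict:
    """Static properties: hashes, a hash-IOC lookup, strings and URL IOCs."""
    hashes = file_hashes(data)
    strings = extract_strings(data)
    return {
        "hashes": hashes,
        "known_bad": hashes["sha256"] in known_bad_sha256,
        "string_count": len(strings),
        "urls": network_iocs(strings),
        # MZ header plus the DOS-stub text is a cheap hint that this is a PE file
        "looks_like_pe": data[:2] == b"MZ" and any("DOS mode" in s for s in strings),
    }


if __name__ == "__main__":
    # Constructed IOC list: only the sample's own hash, so the lookup hits.
    iocs = {file_hashes(SAMPLE)["sha256"]}
    for key, value in triage(SAMPLE, iocs).items():
        print(f"{key}: {value}")
```

On a real file, read the bytes from disk and replace the IOC set with the hashes exported from your MISP instance or another feed; a hash hit is conclusive, while a URL string is only a lead until the sample's behaviour confirms it.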
Static Analysis
• This step might not be that useful when the sample
is obfuscated:
• Difficult to read
• Hides functionalities
• Not always malware (it can be used to protect
intellectual property)

https://ars.els-cdn.com/content/image/3-s2.0-B9780128053959000149-f14-03-9780128053959.jpg
Static Analysis
• This step might not be that useful when the sample
is packed:
• Compression
• Encryption
• A packer is a new binary
that decrypts and executes
the original one

https://kindredsec.files.wordpress.com/2020/01/packing_dia1.png?w=431&h=345
Interactive Behavior Analysis
(Dynamic Analysis)
• The sample is executed in the laboratory (not the
sandbox)
• The events are observed using specific tools. Red-flag
events:
• Adding or modifying new or existing files,
• Installing new services or processes, and
• Modifying the registry or changing system settings.
• Making UDP/TCP connections
• Here the snapshots are useful (you can revert the
state of the VM prior to infecting it)
Manual Code Reversing
• This is the most complex part
• Need to look inside the sample and explore the
code (assembly or actual code)
• Shed some light on the logic and algorithms the
malware uses
• Expose hidden capabilities and exploitation techniques
the malware uses, and
• Provide insights about the communication protocol
between the client and the server on the command and
control side.
• Debuggers and disassemblers (Time-consuming)
Tooling (static)
• Hashes: HashMyFiles, md5sum
• Malware classification: Yara, Virustotal.com
• Strings from the sample: Strings, Grep, BinText
• Obfuscation/Packing: PEiD, Exeinfo PE, RDG Packer,
D4dot
• Binary analysis: PEview, CFF Explorer, Resource Hacker
• Disassemblers/Decompilers: IDA Freeware and IDA Pro
(paid), Ghidra, Cutter and Radare, Hopper, Binary
Ninja, JD-GUI (java), dnSpy (C#)
• Multi-tools: CyberChef
Tooling (dynamic)
• Debuggers: OllyDbg, x64dbg, WinDbg, dnSpy
• Process monitor: Process Monitor, Sysinternals
• Process management: Process Explorer, Process
Hacker
• Windows registry management: WRR, Regshot
• Windows Event Log: Event Log Explorer
• Memory forensics (RAM): Volatility Framework
• Internet Simulation: InetSim (part of REMnux)
Macros in Office documents
Microsoft Office Macro
• Macro – VBA code (Visual Basic for Applications)
• Malware macros typically run automatically after the
user opens the document and clicks the Enable Content
button, allowing the macro to execute
Microsoft Office Macro
• Once the VBA code runs:
• Download files, save and execute them
• Run Windows commands
• Drop files on disk
• VBA can be obfuscated
• Junk code
• code that initializes variables that are never used again
• Comments
• Useless function calls
• Hard to read variables
• String concatenation and obfuscation
(encryption/encoding)
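The obfuscation patterns listed above (auto-executing entry point, junk variables, comments, strings assembled from `Chr()` calls and `StrReverse`), as an added Python helper that is not part of the course or of oledump. The VBA fragment is constructed for the example; the auto-exec procedure list and the `&`-splitting decoder are simplifications (real VBA can also build strings with `Replace`, arrays and arithmetic, which this does not handle).

```python
import re

# Constructed VBA fragment in the style the slides describe (not a real macro):
# an auto-exec entry point, junk variables, a comment and a string assembled
# from Chr() calls, literals and StrReverse.
MACRO = '''
Sub AutoOpen()
    Dim junk1 As Integer
    junk1 = 42                    ' assigned but never read again
    Dim z9qk As String
    ' comments carry no code but pad the listing
    z9qk = Chr(110) & "ote" & Chr(112) & "ad" & StrReverse("exe.")
    Dim unused As Long
    MsgBox z9qk
End Sub
'''

# Procedure names Office runs on its own once macros are enabled.
AUTO_EXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open", "AutoExec")

CHR_RE = re.compile(r"^Chr\((\d+)\)$")
LIT_RE = re.compile(r'^"([^"]*)"$')
REV_RE = re.compile(r'^StrReverse\("([^"]*)"\)$')


def auto_exec_entry_points(vba: str) -> list:
    """Procedures that Office runs automatically after Enable Content."""
    names = re.findall(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", vba, re.M)
    return [n for n in names if n in AUTO_EXEC]


def decode_concat(expr: str) -> str:
    """Evaluate a string expression built from Chr(n), "literals" and
    StrReverse("...") joined with '&'. Anything else raises, so unknown
    constructs are reported instead of silently guessed. (Literals that
    themselves contain '&' are not handled by this simple splitter.)"""
    out = []
    for part in expr.split("&"):
        part = part.strip()
        if m := CHR_RE.match(part):
            out.append(chr(int(m.group(1))))
        elif m := LIT_RE.match(part):
            out.append(m.group(1))
        elif m := REV_RE.match(part):
            out.append(m.group(1)[::-1])
        else:
            raise ValueError(f"unsupported token: {part!r}")
    return "".join(out)


def decoded_assignments(vba: str) -> dict:
    """Variable -> decoded value for every assignment that uses concatenation;
    None marks an expression the decoder could not handle (review manually)."""
    found = {}
    for m in re.finditer(r"^\s*(\w+)\s*=\s*(.+?)\s*(?:'.*)?$", vba, re.M):
        name, expr = m.group(1), m.group(2)
        if "&" in expr or "Chr(" in expr or "StrReverse(" in expr:
            try:
                found[name] = decode_concat(expr)
            except ValueError:
                found[name] = None
    return found


def unused_variables(vba: str) -> list:
    """Dim'd names that appear at most twice (declaration plus one assignment)
    are junk: they are never read."""
    declared = re.findall(r"^\s*Dim\s+(\w+)", vba, re.M)
    return [n for n in declared if len(re.findall(rf"\b{n}\b", vba)) <= 2]
```

Run the three functions over the VBA text that oledump extracts from the macro streams; the decoded strings are what you would otherwise only see at runtime in Process Monitor.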
Microsoft Office Macro
• Office uses OLE files to store streams of data.
• An OLE file can be seen as a mini file system or
a Zip archive:
• It contains streams of data that look like files
embedded within the OLE file.
• Each stream has a name.
• For example, the main stream of a MS Word
document containing its text is named
“WordDocument”.
Microsoft Office Macro
• Extracting the macro from OLE streams
• There are multiple tools for extracting the Macro
• For the lab we will use oledump
(https://blog.didierstevens.com/programs/oledump-py/)
• M – macro code

https://didierstevens.files.wordpress.com/2014/12/20141216-223150.png
Microsoft Office Macro

https://www.decalage.info/files/img/oledump_screenshot1.png
Manual Code Reversing
- intro -
Manual Code Reversing
• Probably the hardest part of a malware analysis is
understanding the disassembly while reversing a
binary
• We can analyse the decompiled code from a .NET binary
or a Java jar file (easier)
• We can analyse the assembly from a C binary (harder)
Manual Code
Reversing
• How a C program is
compiled into a binary
and ran in memory

https://www.tutorialspoint.com/compiler_design/compiler_design_overview.htm
PE Format
• The Portable Executable (PE) format is a file format
for executables, and DLLs (Dynamic Link Libraries)
• Used in 32-bit and 64-bit versions of Windows
operating systems.
• Windows binaries starts with the DOS header
(MZ header)
PE Data Structure
• Defines the way the binary is loaded by the
operating system:
• Necessary DLLs
• API Export
• Import Tables
• Export Tables
• Resource management data
• Thread-Local Storage

https://www.trustwave.com/images/slblog-03-02-2018-10-57-10/spiderlabs/85e5a55d-2522-4483-
836a-1726932dec1f.png?v=0.0.1
PE Data Structure
- Key information -
• Imports – Functions from other DLLs used by malware
• Exports – Functions in the malware that are called by
other programs (the malware works as a DLL for
example)
• Time Date Stamps – Time when the program was
compiled
• Sections – Name of sections in the file and their sizes
• Subsystem – command-line or GUI application
• Resources – strings, icons, menus, other data
PE Data Structure
- Key information -
• Tools that can read the PE Data Structure
(pestudio)
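The key PE fields from the two slides above (imports/exports aside: machine, time date stamp, subsystem, sections and the DLL flag), as an added Python parser that is not part of the course or of pestudio. The image it parses is constructed here and contains headers only; the packer heuristic in `suspicious_sections` is an assumption of this example, not a rule from the slides.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}
IMAGE_FILE_DLL = 0x2000
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header ->
    optional header -> section table and return the key fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (opt_magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, off)
        name, vsize, vaddr, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr,
            "characteristics": fields[9],
        })
        off += struct.calcsize(SECTION_FMT)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def suspicious_sections(info: dict) -> list:
    """Packer hints (assumed heuristic): a section with no data on disk but a
    large virtual size (filled at runtime), or one that is writable and executable."""
    flagged = []
    for s in info["sections"]:
        wx = s["characteristics"] & SCN_MEM_EXECUTE and s["characteristics"] & SCN_MEM_WRITE
        if (s["raw_size"] == 0 and s["virtual_size"] > 0) or wx:
            flagged.append(s["name"])
    return flagged


def build_sample_pe() -> bytes:
    """Constructed, headers-only PE32 DLL image for the demo (no code inside)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1672531200, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 68, 3)                         # console subsystem
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x800, 0x400, 0, 0, 0, 0, 0x60000020)
    upx1 = struct.pack(SECTION_FMT, b"UPX1", 0x20000, 0x2000, 0, 0xC00, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + upx1


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print({k: v for k, v in info.items() if k != "sections"})
    print("suspicious sections:", suspicious_sections(info))
```

Feed `parse_pe` the bytes of a real file to compare with pestudio's output; the compile timestamp is attacker-controlled and can be forged, so treat it as a hint rather than evidence.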
Windows Binaries
• Windows binaries starts with the DOS header
(MZ header)
Other formats?
• Yes, almost every file type has its own signature.
• Open it with a hex editor and see the header
• RAR archives have the Rar! header
• DOC files have the 0xD0CF11E0 header (can be read as the
DOCFILE header)
• Other file signatures:
• https://www.garykessler.net/library/file_sigs.html
Other formats?
• DOCX/XLSX/PPTX have the PK header
• As well as ZIP files
PPTX as Zip?
• Yes, just change the extension to ZIP and read the
contents
• Slides as xml
• Pictures
• Comments
• All of them
How does the OS know how to
load a file?
• Linux looks at the header of the file (the file
command)
• Windows looks at the extension in order to select
the app to load the file
• Change the extension -> a different app opens the same
file
How does the OS know how to
load a file?
• Windows stores the pair extension:app in registry
• Namely the HKEY_CLASSES_ROOT
How does the OS know how to
load a file?
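The signatures from the previous slides (MZ, Rar!, D0CF11E0, PK), the PPTX-is-a-ZIP observation and the extension-versus-header difference between Linux and Windows, as one added Python example that is not part of the course. The signature table and the "incoming attachments" are constructed for this example; the extension sets are this example's assumption of which extensions legitimately carry each header.

```python
import io
import os
import zipfile

# Magic bytes from the slides with the extensions that legitimately carry them.
# RAR4 and RAR5 archives both start with "Rar!\x1a\x07".
SIGNATURES = [
    (b"MZ", "Windows executable (PE/DLL)", {".exe", ".dll", ".sys", ".scr"}),
    (b"Rar!\x1a\x07", "RAR archive", {".rar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (DOC/XLS/PPT)",
     {".doc", ".xls", ".ppt", ".msi"}),
    (b"PK\x03\x04", "ZIP container (DOCX/XLSX/PPTX/JAR)",
     {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]


def identify(data: bytes):
    """Classify by content, the way `file` on Linux does, not by extension."""
    for magic, description, _ in SIGNATURES:
        if data.startswith(magic):
            return description
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension Windows would dispatch on disagrees with the
    header, e.g. an executable renamed to look like a document."""
    ext = os.path.splitext(filename)[1].lower()
    for magic, _, allowed in SIGNATURES:
        if data.startswith(magic):
            return ext not in allowed
    return False


def ooxml_parts(data: bytes) -> list:
    """A DOCX/PPTX is a ZIP: list its parts (slides as XML, media, ...)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_fake_pptx() -> bytes:
    """Constructed minimal PPTX-shaped ZIP (not a real presentation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


# Constructed "incoming attachments" for the demo (no real malware).
FILES = {
    "quarterly.pptx": build_fake_pptx(),
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": b"MZ\x90\x00" + b"\x00" * 60,      # executable wearing a document name
    "old_memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
    "notes.txt": b"just text\n",
}


def triage_names(files: dict) -> list:
    """Names whose header contradicts their extension."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


if __name__ == "__main__":
    for name, data in FILES.items():
        print(f"{name:18} {identify(data)}  mismatch={extension_mismatch(name, data)}")
    print("PPTX parts:", ooxml_parts(FILES["quarterly.pptx"]))
```

Note that `invoice.pdf.exe` passes the header check because its final extension really is `.exe`; double extensions are a separate check on the name alone, which is why both content and name should be examined.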
Manual Code Reversing
• For .NET or Java binaries, pseudocode at a level similar
to the source code can be obtained
• Need to know the basic programming language flows
and paradigms
Manual Code Reversing
• For C binaries (or similar), we can analyse the
assembly code using IDA Freeware
• A powerful disassembler that excels at static code
analysis
• Other similar tools are Ghidra, Cutter and Radare,
Hopper and Binary Ninja
• IDA saves the data in a database-like format
• it can be shared
• It does not contain the binary
Manual Code Reversing
• Ghidra comes with a free decompiler built in
• Not covered in this course
Manual Code Reversing
• Pay attention to cracked tools!
• There was a cracked version of IDA PRO 7.5 on the loose
• It was a trojanized version

https://twitter.com/ESETresearch/status/1458438155149922312
x86 architecture
x86 architecture (32-bit)
• The x86 architecture uses the following general-
purpose registers to hold code and data.
• EAX – Accumulator register
• EBX – Base register
• ECX – Count register
• EDX – Data register
• ESI – Source index
• EDI – Destination index
• ESP – Stack pointer
• EBP – Base pointer
• + R8–R15 – additional general-purpose registers available only in 64-bit mode
x86 architecture
• Special registers:
• EIP – Points to the next instruction to execute
• EFLAGS – represents the outcome of computations and
controls CPU operation
• Segment registers include:
• CS – Code Segment
• DS – Data Segment
• ES – Extra Segment
• FS – Extra Data Segment
• GS – Extra Data Segment
• SS – Stack Segment
Basic assembly instructions
• MOV – move value – mov eax, 0x34
• PUSH – push onto stack – push eax
• POP – pop from stack – pop ebx
• CALL – call subfunction – call 0xBADC0F33
• RET, RETN, LEAVE – return to caller – ret
• JMP – go to memory address – jmp esp
• JZ, JNZ, JE – conditional jump – je 0xDEADB33F
• XOR, AND, OR – logical XOR/AND/OR – xor eax,eax
• NOP – no operation – nop
• INC – increase by one – inc ecx
• ADD, SUB, DIV, MUL – mathematical operations – add eax, 0x4

Cheat sheet at https://www.cs.uaf.edu/2005/fall/cs301/support/x86/nasm.html


Reading assembly
xor eax, eax        a = 0
xor ebx, ebx        b = 0
mov eax, 0xC        a = 0xC
mov ebx, 0x2        b = 0x2
add ebx, eax        b = b + a
cmp eax, 0xF        if a == 0xF:
je 0xC0FEBABE           it_is_equal()      (it_is_equal lives at 0xC0FEBABE)
...
0xC0FEBABE:         it_is_equal:
call exit               exit()
Branch instructions
• The code runs linearly (downwards) until a branching
instruction is reached.
• Then EIP (the instruction pointer) is updated and
execution is transferred to another location in memory
• This basically creates “code blocks”
Branch instructions
• Branching includes:
• Conditional: jz (jump if zero), jne (jump if not equal), jge
(jump if greater or equal), etc.
• Unconditional: jmp, call, ret
• For conditional jumps a specific condition must be
evaluated first
• and, or, test, cmp
• EFLAGS holds the condition result
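The listing from the "Reading assembly" slide and the branch/code-block idea above, as an added Python interpreter that is not part of the course. It models only what those slides use: the eight 32-bit registers, the zero flag, a stack for call/ret, and labels in place of raw addresses; the program text is the slide's listing rewritten with both continuations spelled out, which is this example's construction. Running the same program with `eax` set to 0xF instead of 0xC shows the other block being taken.

```python
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "esp", "ebp")
MASK = 0xFFFFFFFF

# The slide's listing with labels instead of addresses and both possible
# continuations written out as separate code blocks.
PROGRAM = """
main:
    xor eax, eax        ; a = 0
    xor ebx, ebx        ; b = 0
    mov eax, 0xC        ; a = 0xC
    mov ebx, 0x2        ; b = 0x2
    add ebx, eax        ; b = b + a = 0xE
    cmp eax, 0xF        ; ZF = (a == 0xF)
    je it_is_equal      ; taken only when ZF is set
    call not_equal      ; otherwise run the other block as a subroutine
    jmp done
it_is_equal:
    mov ecx, 1
    jmp done
not_equal:
    mov ecx, 2
    ret
done:
    nop
"""


def assemble(source: str):
    """Strip comments, record label positions, split lines into (mnemonic, operands)."""
    labels, code = {}, []
    for raw in source.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(code)
            continue
        mnemonic, _, rest = line.partition(" ")
        operands = [o.strip() for o in rest.split(",")] if rest else []
        code.append((mnemonic.lower(), operands))
    return labels, code


class Cpu:
    """Registers, the zero flag and a stack. Only ZF is modelled (all the
    je/jne/jz/jnz family needs); ESP is not updated by push/call."""

    def __init__(self):
        self.regs = {r: 0 for r in REGS}
        self.zf = False
        self.stack = []      # return addresses and pushed values
        self.blocks = []     # labels entered, in execution order

    def value(self, operand: str) -> int:
        return self.regs[operand] if operand in self.regs else int(operand, 0)

    def set_result(self, reg: str, result: int) -> None:
        self.regs[reg] = result & MASK
        self.zf = self.regs[reg] == 0

    def run(self, source: str, max_steps: int = 10_000):
        labels, code = assemble(source)
        label_at = {index: name for name, index in labels.items()}
        eip = 0
        for _ in range(max_steps):
            if eip >= len(code):
                break
            if eip in label_at:
                self.blocks.append(label_at[eip])
            op, ops = code[eip]
            eip += 1                                  # default: fall through
            if op == "nop":
                pass
            elif op == "mov":
                self.regs[ops[0]] = self.value(ops[1])
            elif op == "xor":
                self.set_result(ops[0], self.regs[ops[0]] ^ self.value(ops[1]))
            elif op == "add":
                self.set_result(ops[0], self.regs[ops[0]] + self.value(ops[1]))
            elif op == "sub":
                self.set_result(ops[0], self.regs[ops[0]] - self.value(ops[1]))
            elif op == "inc":
                self.set_result(ops[0], self.regs[ops[0]] + 1)
            elif op == "cmp":                         # a sub that keeps only the flag
                self.zf = ((self.value(ops[0]) - self.value(ops[1])) & MASK) == 0
            elif op == "push":
                self.stack.append(self.value(ops[0]))
            elif op == "pop":
                self.regs[ops[0]] = self.stack.pop()
            elif op in ("je", "jz"):
                if self.zf:
                    eip = labels[ops[0]]
            elif op in ("jne", "jnz"):
                if not self.zf:
                    eip = labels[ops[0]]
            elif op == "jmp":
                eip = labels[ops[0]]
            elif op == "call":
                self.stack.append(eip)                # return address = next instruction
                eip = labels[ops[0]]
            elif op == "ret":
                if not self.stack:
                    break
                eip = self.stack.pop()
            else:
                raise ValueError(f"unsupported instruction: {op}")
        return self


def run_program(source: str = PROGRAM) -> "Cpu":
    return Cpu().run(source)
```

The `blocks` list is the sequence of code blocks a disassembler's graph view would highlight for one execution path; comparing the two runs makes it obvious that the `cmp`/`je` pair, not the `mov`, decides which block executes.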
Reading assembly
Yara
What is Yara?
• Help identify and classify malware
• Create descriptions of malware families (using text or
binary patterns)
• Use description and condition to create a rule

https://github.com/VirusTotal/yara
Who is using Yara?

https://github.com/VirusTotal/yara
Make your own scanner
• Loki is a tool that uses Yara
• https://github.com/Neo23x0/Loki
• https://github.com/Neo23x0/signature-base
• Create custom Yara rules
• Add to your own repository
• Scan your network for malware
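The Yara idea from the slides (named text or binary patterns plus a condition over which ones matched) and the Loki-style "scan many files with your own rules" workflow, as an added Python example that is not part of the course, of Yara or of Loki. The rule structure, the `??` wildcard handling and the scanned files are constructed for this example; real rules should be written in Yara's own syntax and run with the Yara engine.

```python
import re


def hex_pattern(spec: str) -> re.Pattern:
    """Translate a Yara-style hex string such as "4D 5A ?? 00" into a bytes
    regex; '??' is a one-byte wildcard."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(text: str, nocase: bool = False) -> re.Pattern:
    return re.compile(re.escape(text.encode()), re.IGNORECASE if nocase else 0)


# Two demo rules in the spirit of Yara's strings + condition sections.
RULES = {
    "Demo_PE_Downloader": {
        "meta": {"description": "PE image that embeds a URL or a download API name"},
        "strings": {
            "$mz": hex_pattern("4D 5A ?? 00"),
            "$url": text_pattern("http://", nocase=True),
            "$api": text_pattern("URLDownloadToFile"),
        },
        "condition": lambda m: m["$mz"] and (m["$url"] or m["$api"]),
    },
    "Demo_UPX_Packed": {
        "meta": {"description": "section names left behind by the UPX packer"},
        "strings": {"$u0": text_pattern("UPX0"), "$u1": text_pattern("UPX1")},
        "condition": lambda m: all(m.values()),       # Yara's 'all of them'
    },
}


def match_strings(rule: dict, data: bytes) -> dict:
    """Pattern name -> whether it occurs anywhere in the data."""
    return {name: pat.search(data) is not None for name, pat in rule["strings"].items()}


def scan(data: bytes, rules: dict = RULES) -> list:
    """Names of the rules whose condition holds for this data."""
    return [name for name, rule in rules.items() if rule["condition"](match_strings(rule, data))]


# Constructed file contents standing in for a scanned share (no real malware).
FILES = {
    "share/updater.exe": b"MZ\x90\x00" + b"\x00" * 40 + b"HTTP://example.invalid/p.bin\x00",
    "share/packed.exe": b"MZ\x90\x00" + b"\x00" * 40 + b"UPX0\x00UPX1\x00URLDownloadToFileA\x00",
    "share/notes.txt": b"see http://example.invalid for details\n",
    "share/calc.exe": b"MZ\x90\x00" + b"\x00" * 40 + b"nothing to see here\x00",
}


def scan_files(files: dict, rules: dict = RULES) -> dict:
    """Filename -> matching rules, only for files that hit (what a Loki-style
    scanner reports)."""
    report = {}
    for name, data in files.items():
        hits = scan(data, rules)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(FILES).items():
        print(name, "->", ", ".join(hits))
```

The `notes.txt` case shows why conditions matter: a URL alone is not a detection, the rule only fires when the PE header is present too, which keeps the false-positive rate of a network-wide scan manageable.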
Final remarks
Online Resources
• https://ccdcoe.org/uploads/2020/07/Malware_Reverse_Engineering_Handbook.pdf
• https://techanarchy.net/blog/installing-and-configuring-inetsim
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious
Software (Andrew Honig and Michael Sikorski)
• Learning Malware Analysis (Monnappa K.)
• OALabs - https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg
• MalwareAnalysisForHedgehogs -
https://www.youtube.com/c/MalwareAnalysisForHedgehogs
• Paid courses
• SANS 610 GREM - Reverse-Engineering Malware: Malware Analysis Tools and
Techniques
Samples resources
• VX-Underground (https://vx-underground.org/)
• VirusShare (https://virusshare.com/)
• Malware Bazaar (https://bazaar.abuse.ch/)
• MalShare (https://malshare.com/)
• Sandboxes:
• https://tria.ge/dashboard
• https://www.joesandbox.com/#windows
• https://www.hybrid-analysis.com/
• https://any.run/
Questions?
