A discussion of Zeltser's "Malware Analysis Essentials for Incident Responders" video

8/11/2020

Today, I brushed up on my malware analysis and found a fantastic resource for those wanting to learn about malware analysis. Like many things in information security, malware analysis is a culmination of many skillsets. Due to the requirement of all these skills, the topic seems a little unapproachable.

Luckily, one of the excellent instructors at the SANS Institute, Lenny Zeltser, gave a talk last year at RSA titled “Practical Malware Analysis Essentials for Incident Responders.”

This post will summarise the video content with a little input from my own experiences, but I encourage you to follow the link to the video for a fantastic primer on malware analysis by the always entertaining Lenny Zeltser.

Summary of the content

Throughout the video, Zeltser walks through a typical process for analyzing malware samples. Obviously, analysis can get much more involved with debuggers and decompilers, but from my personal experience, these steps will get you to actionable information quickly, which is perfect for budding SOC analysts.

The steps listed below can be swapped around in most places, so don’t feel that this is a rigid process. As you become more comfortable with malware analysis, you will find that specific steps should be prioritized based on the initial sample information.

Steps to malware analysis, as stated by Lenny:
  1. VirusTotal
  2. PE Studio – Strings
    1. There should be a significant number of readable strings. Few strings indicate a packed file.
  3. PE Studio – Libraries
    1. There should be a significant number of libraries. Few libraries indicate a packed file.
  4. PE Studio – Imports
    1. There should be a significant number of imports. Few imports indicate a packed file.
  5. Ask yourself: should I go further at this point?
  6. Process Hacker
    1. Watch running processes
    2. View strings in the running process
  7. Process Monitor
    1. Record local system interactions
  8. ProcDOT
    1. Visualize Process Monitor data
  9. Wireshark (run on another system in the virtual network)
    1. Analyze network activity
  10. Look at the malicious process's properties and look for mutant handles
  11. Note indicators of compromise (IOCs)
  12. Pivot searches on IOCs (VirusTotal/totalhash)
  13. Fake network for network connections (REMnux)
    1. # httpd start
    2. # accept-all-ips start
  14. Look for the IP or hostname on a blacklist (IPVoid)
  15. FakeDNS (REMnux)

VirusTotal

VirusTotal is a great place to look up indicators of compromise (IOCs). For those unfamiliar with the term, these are attributes that describe a subject of interest, whether that is a piece of malware, an IP address, or a hostname.

A few of the more useful IOCs for malware are hashes, filenames, and strings.
This site is a staple for analysts across the whole blue team. You should be using it as a regular tool in your bag for analysis.

PE Studio

This tool comes with FLARE VM and is also available to download for free. PEStudio extracts artifacts from a file, without running it, to aid an investigation.

Sections of high interest are libraries, imports, exports, and strings.

I would say this is also a staple for all malware analysis of executables and one of the first steps you should take to get initial information about a sample.
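To make the PEStudio steps above concrete (hashes for the VirusTotal lookup, the Strings and Libraries views, and the "few strings / few libraries means packed" rule of thumb), here is an added static-triage script. It is my own example, not code from the post, from PEStudio, or from Zeltser's talk. Everything in it is an assumption for illustration: the thresholds FEW_STRINGS and FEW_DLLS are my own numbers, the DLL-name regex is a rough stand-in for PEStudio's Libraries view (a real imports parse would walk the PE import table), and the two "samples" are constructed byte strings with just enough PE header structure for the section-name parser, not real executables.

```python
import hashlib
import re
import struct

MIN_STRING_LEN = 4
# Assumed thresholds for the talk's rule of thumb ("few strings / few
# libraries suggest a packed file"); the numbers are my own, not Zeltser's.
FEW_STRINGS = 20
FEW_DLLS = 3
# A few well-known packer section names (UPX, ASPack, Petite).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack", ".petite"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)
DLL_RE = re.compile(r"[A-Za-z0-9_.-]+\.dll", re.IGNORECASE)


def triage_hashes(data):
    """MD5/SHA-1/SHA-256 of the sample: the first IOCs to pivot on in VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs, like the Strings view in PEStudio."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return ascii_strings + wide_strings


def referenced_dlls(strings):
    """DLL names that appear in the strings; a rough stand-in for the Libraries view."""
    found = set()
    for s in strings:
        for m in DLL_RE.finditer(s):
            found.add(m.group().lower())
    return sorted(found)


def section_names(data):
    """Section names from the PE section table; [] if the data is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data):
    """Combine the checks into the first-pass verdict an analyst wants from PEStudio."""
    strings = extract_strings(data)
    dlls = referenced_dlls(strings)
    sections = section_names(data)
    hints = []
    if len(strings) < FEW_STRINGS:
        hints.append("few readable strings")
    if len(dlls) < FEW_DLLS:
        hints.append("few DLL references")
    packers = sorted(set(sections) & PACKER_SECTION_NAMES)
    if packers:
        hints.append("packer section name(s): " + ", ".join(packers))
    return {
        "hashes": triage_hashes(data),
        "string_count": len(strings),
        "dlls": dlls,
        "sections": sections,
        "packed_hints": hints,
        "possibly_packed": bool(hints),
    }


def build_sample(names, payload):
    """Constructed PE-shaped bytes for the demo: MZ stub, PE signature, COFF header
    with NumberOfSections set and no optional header, a section table, then payload.
    Not a runnable program, only enough structure for section_names() to parse."""
    pe_off = 0x40
    header = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", header, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return bytes(header) + b"PE\0\0" + coff + table + payload


# Constructed payloads: one that looks like a normal, unpacked binary and one
# with almost no readable text, the way a packed sample appears in PEStudio.
UNPACKED_PAYLOAD = b"\0".join([
    b"kernel32.dll", b"CreateFileW", b"WriteFile", b"advapi32.dll", b"RegSetValueExW",
    b"ws2_32.dll", b"connect", b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"http://example.invalid/checkin", b"Global\\ConstructedMutexName",
] + [b"filler string %02d" % i for i in range(20)])
PACKED_PAYLOAD = bytes([0x01, 0x02, 0x7F, 0x80]) * 64

if __name__ == "__main__":
    for label, names, payload in (("unpacked-looking", [".text", ".rdata"], UNPACKED_PAYLOAD),
                                  ("packed-looking", ["UPX0", "UPX1"], PACKED_PAYLOAD)):
        r = triage(build_sample(names, payload))
        print(label, r["hashes"]["sha256"][:16], r["string_count"], r["dlls"], r["sections"], r["packed_hints"])
```

Run it and the unpacked-looking sample comes back with dozens of strings, three DLL names and no packing hints, while the packed-looking one trips all three checks. That is the decision point in step 5 of the list: with a packed sample, static strings and imports tell you little, and the behavioral tools that follow will have to carry the analysis.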

Process Hacker

Another free tool that gives you more insight into your running processes. It lets you view the handles, DLLs, and network connections used by a process. You will pretty much only use this in your malware lab.

Process Monitor

A free tool from Microsoft’s kind heart (always so kind 😉). As noted by Zeltser, this tool has very verbose output, more than you can reasonably go through by hand. When using the tool, make sure to send the output over to ProcDOT to visualize it. Using your malicious process as a starting point, ProcDOT ignores everything that doesn't matter and focuses on the events around your malicious executable.

As a note, I have actually never used this in practice, but now that I have seen it in action, the next time I get a binary sample, I will be using it.

Wireshark

A free tool for packet capture and PCAP analysis. If you are doing any packet captures where you work, you need to become familiar with this tool.

Wireshark has many built-in features to help you navigate often verbose network traffic. Learn them and use them to become a more efficient blue teamer.

FakeDNS

A tool that tricks the system under analysis into thinking a network resource is available. I think this does great 90% of the time for everything but sophisticated malware. The important thing is that you will get network data to support your other behavioral and static analysis.

The tool is super easy to set up if you have REMnux running on the same virtual host-only network. Depending on the sample, you may be able to coax more data out of it by giving the malware something to connect to. I would start by putting up a Netcat listener to catch the callback and see the response.

What are IOCs?

Before I end this blog, I wanted to clear up some areas of confusion that readers may have. One term that is often off-putting to newcomers is “IOC”. IOCs are simply attributes of a threat that you can use to hunt across an environment. The term can apply to malware, a malicious webpage, an APT, etc.

To put this in a metaphor, IOCs are like describing a car. It has wheels, a motor, and probably a driver. But the more specific you can get, the better the IOC. It has P235/45R18 tires on wheels 18” in diameter and 8.5” wide. The car weighs approximately 3,552 lbs. It has dual motors and all-wheel drive. It can also accelerate from 0 to 60 in 3.2 seconds. See if you can figure out what type of car I am talking about.

The same applies to threats. Hashes, process names, registry keys, IP addresses, and domains are all attributes that set a sample apart. The more specifics you have, the more likely you will find research applicable to your sample, and the higher fidelity your search for similar activity will be across an environment.
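The Process Monitor section above says ProcDOT's value is that it drops everything unrelated to the malicious process, and this section says the IOCs you want out of the run are process names, registry keys, files and network endpoints. The added script below does that narrowing by hand on a Procmon CSV export and turns the surviving rows into an IOC list. It is my own example, not code from the post, from Procmon or from ProcDOT. The CSV is constructed: the process name sample.exe, the PIDs, the paths and the 203.0.113.45 address (a documentation range) are made up, and the column layout follows Procmon's default CSV export, which is the only thing the code relies on.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export in Procmon's default column layout.
# Sample names, paths, PIDs and the 203.0.113.45 address are all made up.
PROCMON_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\Local Settings","SUCCESS","Type: REG_SZ"
"10:01:05.0002","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:05.0100","sample.exe","4321","CreateFile","C:\Users\analyst\AppData\Roaming\svc_update.exe","SUCCESS","Desired Access: Generic Write"
"10:01:05.0200","sample.exe","4321","WriteFile","C:\Users\analyst\AppData\Roaming\svc_update.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:05.0300","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_update","SUCCESS","Type: REG_SZ, Data: C:\Users\analyst\AppData\Roaming\svc_update.exe"
"10:01:06.0000","sample.exe","4321","TCP Connect","WIN10-LAB:49712 -> 203.0.113.45:443","SUCCESS","Length: 0"
"10:01:06.0010","sample.exe","4321","RegQueryValue","HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid","SUCCESS","Type: REG_SZ"
"10:01:07.0000","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Dnscache","SUCCESS","Type: REG_SZ"
'''.strip()

# Registry keys under ...\CurrentVersion\Run and RunOnce start programs at logon,
# so a RegSetValue there is worth calling out as a persistence indicator.
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def events_for_process(csv_text, process_name):
    """Keep only the rows belonging to the process under analysis, the way ProcDOT
    narrows Procmon output to the sample and what it touched."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["Process Name"].lower() == process_name.lower()]


def extract_iocs(events):
    """Turn the surviving rows into the attribute types the post lists as IOCs:
    process names and PIDs, files written, registry keys set, remote endpoints."""
    iocs = {"processes": set(), "pids": set(), "files_written": set(),
            "registry_set": set(), "remote_endpoints": set(), "persistence": set()}
    for e in events:
        iocs["processes"].add(e["Process Name"])
        iocs["pids"].add(e["PID"])
        op, path = e["Operation"], e["Path"]
        if op == "WriteFile":
            iocs["files_written"].add(path)
        elif op == "RegSetValue":
            iocs["registry_set"].add(path)
            if AUTORUN_RE.search(path):
                iocs["persistence"].add(path)
        elif op in ("TCP Connect", "UDP Send") and " -> " in path:
            # Procmon writes network paths as "local:port -> remote:port".
            iocs["remote_endpoints"].add(path.split(" -> ", 1)[1].strip())
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(events_for_process(PROCMON_CSV, "sample.exe")).items():
        print(kind)
        for value in values:
            print("   ", value)
```

The dropped file path, the Run key and the remote endpoint are exactly the attributes you would then pivot on in VirusTotal or hunt for across the environment; the PID is only useful inside this one lab run, which is why a stable IOC is the hash or the path rather than the process ID.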

Free VMs

bit.ly/windowsvm
flarevm.info


Hope this was helpful!