Wednesday, June 12, 2013

Malware Analysis In Situ

Preface: I am by no means a "professional" malware analyst, and I'm sure there are easier ways  to analyze samples (including just throwing the following sample at a sandbox). This was more of a live-fire exercise.


Besides drive-by downloads, typically in the form of Exploit Kits, one of the most common vectors for delivery of malware is email. Last week I received a typical message promising to contain deposit slips in a .rar file. Instead of trashing it or uploading it to a public sandbox, I decided to take a peak into the sample's functionality using a variety of techniques. Some of these have been covered in previous articles (Malware Analysis 101 Part 1, Malware Analysis 101 Part 2, Malware Analysis 101 Part 3) while others will be somewhat more advanced. First we'll start with static analysis in dependencywalker and Ida Free. Then we'll move onto OllyDbg. Next up will be behavioral analysis within the analysis VM using Brian Baskins' Noriben.py (and fakenet to emulate a "real" internet connection). Finally, I'll share the final report from malwr.com to see what indicators we may have missed throughout the above process.