Antivirus scanning

• A good first step is to run the malware through multiple antivirus programs.

• Malware authors can easily bypass antivirus databases by simply changing their code to change the malware signature to one the antivirus cannot detect.

• A helpful site is VirusTotal.com. This site uses multiple antivirus engines to generate a report that provides the total number of engines that marked the file as malicious, malware name, and additional info on the malware if available.

• Rare malware often goes undetected, simply because it is not in an antivirus database.

Hashing

• Hashing is a common method used to uniquely identify malware.

• The MD5 hash function is most commonly used, but SHA-1 is also popular.

• If you go to winmd5.com, you can install a lightweight MD5 hash calculator that will instantly calculate the hash of a given file.

Here is the winMD5 program that I had calculate a hash for discord

• With this hash, you can use it as a label, share it with other analyst, or search for the hash online to see if it has already been identified as malicious.

Finding Strings

• You can install the strings program, and this will allow you to search an executable for strings.

• Strings are typically stored in ASCII or Unicode format. I found this site that has a chart that maps ASCII characters to their corresponding decimal, hex, and binary values.

• Sometimes the strings program will not detect actual strings, but rather a random sequence of numbers and letters that is typically meaningless; it may just be a memory address or something of the like.

• Some meaningful things that the strings program could pull are windows function names, a .DLL file type, an error message, or even IP addresses.

• Analyzing these clues in strings is like solving a puzzle and is an important part of malware analysis.

• Be aware that malware often uses legitimate libraries like DLLs to further its goals.

Packed and Obfuscated Malware

• Obfuscated=Malware author is trying to hide the execution of the program.

• Packed=Subset of obfuscated programs in which it is compressed and cannot be analyzed.

• Legit programs usually have lots of strings, where as packed or obfuscated malware will contain very few strings. This is an easy sign that you may be dealing with malware.

• If the program is packed or obfuscated, static analysis will not be enough.

• You must unpack a program to perform static analysis!

• You can detect packed files with a program called PEiD. This will detect the type of packer or compiler used on the file.

Dependency Walker and DLLs

• Dependency walker is a program that list the dynamically linked functions in an executable.

• This is useful because when we are able to see the functions used in a program, we can speculate what the program is doing.

• A programs DLLs can tell you a lot about it's functionality.

• Windows functions that contain the Ex suffix, like CreateWindowEx, just means that it is the updated version of the function, but windows still supports the old one.

• Dependency walker will also show a list of all exported functions, which can be useful as well, but malware authors typically write confusing names for exported functions, and can be hard to understand what they do. On the bright side, exported functions are not very common.

• The PE file header will include information on functions used by the program, giving us good insight into what the program does.

Examining PE files

• PEview is a tool that can browse information on a PE file header and sections. See example below.

• The time date stamp gives us information on when the program was compiled, which is helpful because if it is an old compile then antivirus programs may have signatures for it, but if the compile time is very recent, then there may not be signatures for it.

• Virtual Size is the amount of space that is allocated for that section in memory.

• Size of raw data shows how big the section is on the disk.

• If the virtual size is much greater than size of raw data in the code section, then the program is likely packed.

Viewing the resource section

• Using a free tool called Resource Hacker, we can examine the .rsrc (resources) section of a file.

• This tool gives a lot of useful information on the resources that a given program uses, which is very useful for static analysis.

• The menu section for example, shows the names of all the menus used in the program as well as the text used in each. The menu names should give a good idea of their functionality.

• As shown above, the dialogue section shows what the user would see, and opens a preview window of the actual program. If we knew nothing else about this program, we could infer what it does by simply viewing the dialogue section.

• Another useful thing to know is that programs or drivers are often imbedded in the resource section in order to hide them.

• This tool allows us to extract these imbedded programs/drivers for individual analysis.

PE Header Summary

• Here is a helpful chart from Practical Malware Analysis By Michael Sikorski and Andrew Honig that depicts helpful information that is revealed by the PE file header.

Miscellaneous notes

• The function SetWindowsHookEx is commonly used in spyware and is the most popular way that keyloggers get keyboard inputs.

• The registry key Software\Microsoft\Windows\CurrentVersion\Run is common in malware and it controls which programs are automatically run when windows starts up.

• The PE file header contains helpful metadata on the file itself.

• Static analysis is typically only the first step, and further analysis such as dynamic analysis is usually necessary.

I learned that the purpose of malware analysis is typically to provide information needed to respond to a network intrusion. It is described as a game of cat and mouse, like solving a puzzle. This really interests me because I love understanding how things work and why, and solving problems, especially ones that can lead to impactful solutions.

Another interesting thing is that malware analysis can be used to create host-based and network-based signatures and help prevent any future intrusions, thus making an organization’s security posture stronger.

Malware indicators focus on what the malware does to a system, not on the characteristics of the malware itself, so that malware that changes its form can be detected.

Network signatures can be created without Malware Analysis, but signatures created with the help of malware analysis are far more effective.

There are two main approaches to malware analysis: Static and Dynamic. Static analysis involves examining the malware and its contents without running it, while dynamic analysis involves actually running the malware in a sandboxed environment and examining its behavior.

I have realized that malware analysis is essential to having a strong security posture in an organization.

A big reason I am attracted to this niche of cybersecurity is that it is a very sought-after and in-demand skill, yet there are not many people who are skilled in malware analysis and reverse engineering. This inspires me to be one of those few skilled professionals in this very unique and fascinating corner of cybersecurity.

In my current job in the Air Force, I do cybersecurity, but it is a less technical side of cybersecurity where I am an information systems security officer (ISSO). This is one reason why I wanted to pursue the technical side of cybersecurity, so that I can experience both sides. When I become a leader in this field, such as a cybersecurity manager or the like, I want to be able to lead by example and actually have an underlying knowledge of the technical stuff. So that is why i want to understand the technical side of things, and also simply because malware analysis interest me and I have a passion for it.

This blog is my way of tracking my journey; what I learn, what I build, and what challenges I run into along the way. It’s not just a portfolio. It’s a living journal that reflects how I grow in this field.

I’m currently active duty in the Air Force working in cybersecurity, and while I’m gaining valuable experience, I also want to begin laying the groundwork for what comes next. I want to pursue more in-depth knowledge in topics that I am interested in, mainly ethical hacking and reverse engineering. I don’t get to deal with these topics at work, so I decided to take things into my own hands. My goal is to break into a federal role or the private sector after my service, ideally with a mission-driven agency like CISA or a Cybersecurity firm, where I can make a real and lasting impact in Cybersecurity. I am also a big advocate for K-12 Cybersecurity education and will get more into that in future articles.

Future posts will cover things like:

• Concepts I’m learning in my cybersecurity degree

• Interesting problems I encounter at work

• Personal projects and home lab experiments

• Thoughts on the evolving cyber threat landscape and current events

• Thoughts on Cybersecurity education and awareness, mainly in K-12 schools

Whether you’re someone just starting out, already deep in the industry, or a potential employer looking to see how I think, I hope this blog gives you something worth reading.

Thanks for stopping by. Let’s see where this goes.