Malware Analyser V3.0 – A Static Dynamic Malware Analysis Tool
Malware has become a huge threat to organizations across the globe. Something as simple as opening an email attachment can end up costing a company millions of dollars if the appropriate controls are not in place. Thankfully, there are a plethora of malware analysis tools to help curb these cyber threats.
There are a number of tools that can help security analysts reverse engineer malware samples. The good news is that all the malware analysis tools I use are completely free and open source. In this article, I cover my top 11 favorite malware analysis tools (in no particular order) and what they are used for:
Once I have pulled out as much information as I can from my static tools and techniques, I then detonate the malware in a virtual machine specially built for running and analyzing malware.
While the malware is running I use a number of tools to record its activity; this is known as dynamic analysis. When dynamically analyzing a sample I look for any unique characteristics that I can attribute to this piece of malware. This may include looking for files created, changes to the registry which may be indicative of the malware building some persistence, or looking at network traffic to see what command and control (C2) infrastructure the malware calls out to.
My first port of call for analyzing a Windows executable is always PeStudio. This is an excellent tool for conducting an initial triage of a malware sample and allows me to quickly pull out any suspicious artifacts.
Process Hacker is also useful for pulling information from the memory of a process. This means that if a piece of malware is detonated then Process Hacker can be used to inspect the memory for strings; the strings found in memory will often return useful information such as IP addresses, domains, and user agents that are being used by the malware.
Autoruns is another Microsoft tool that will display any installed software on a device that is set to launch when a machine is powered on. Malware can hide but ultimately it has to run and in order to survive a reboot a piece of malware must create a persistence mechanism.
There are a few techniques that can be employed to achieve this objective, such as creating a scheduled task or creating specific run keys within the registry. After running a piece of malware in a VM, Autoruns will detect and highlight any new persistent software and the technique it has used, making it ideal for malware analysis.
Malware will often use HTTP/HTTPS to contact its C2 servers and download additional malware or exfiltrate data. Using a tool such as Fiddler, which acts as a web proxy, allows this traffic to be captured and analyzed. This can prove useful when analysing a malicious document which incorporates macros to download a malicious payload: running Fiddler allows a malware analyst to identify the domains that are hardcoded into the document and will be used to download the hosted malware.
Wireshark is the de facto tool for capturing and analysing network traffic. Whereas a web proxy such as Fiddler is focused on HTTP/HTTPS traffic, Wireshark allows deep packet inspection of multiple protocols at multiple layers. While analysing packet captures in Wireshark it is even possible to extract files from the pcap that have been downloaded by the malware.
The tools we have discussed so far can all be used by beginners making their first foray into the world of malware analysis. x64dbg is where the learning curve for malware analysis takes a steep incline.
This tool is for manually debugging and reverse engineering malware samples. You need to have an understanding of assembly code to use this tool; however, once that learning curve has plateaued it allows a malware analyst to manually unpack and take apart malware samples like a surgeon with a scalpel.
A Cuckoo Sandbox is a tool for automating malware analysis. The Cuckoo Sandboxes I have built in the past have all been built on an Ubuntu host that runs the main Cuckoo application. Within the host is a Windows 7 VM which is nested within VirtualBox. The VM has a Cuckoo agent installed which allows it to feed data back to the Ubuntu host running Cuckoo. The malware is submitted to the VM and the Cuckoo agent records the activity of the malware; once the analysis is complete a detailed report of the malware is generated.
A Cuckoo Sandbox is a great tool to have within an organization when you have an incident that involves malware. I will often run the malware through Cuckoo while I am performing my own analysis, as this allows me to gather as much information as possible from a malware sample.
If you are interested in learning more about malware analysis then be sure to read the following articles from Varonis, which cover the techniques employed by fileless malware and also some great content on malware coding that will teach you how to write a keylogger.
Understand and respond to threats faster. Take advantage of Secure Malware Analytics's robust search capabilities, correlations, and detailed static and dynamic analyses. Use tools like Glovebox to safely interact with samples and observe malware behavior directly.
OPSWAT malware analysis solutions provide fast, accurate detection of malware before it impacts your critical infrastructure. By leveraging your investment in existing tools and providing the right detection technology in the right place, OPSWAT Malware Analysis Solutions mitigate your cyber risk and reduce your total cost of ownership (TCO).
OPSWAT malware analysis solutions provide comprehensive cloud and on-premises malware analysis capabilities encompassing all the necessary components to manage, investigate, and derive insights from a single source.
MetaDefender Cloud API provides cloud-based advanced threat prevention and malware analysis for enterprise malware researchers, incident response teams, and technology providers. More about MetaDefender Cloud.
VMRay is stepping into the breach. With VMRay Analyzer Version 3.0 and recent enhancements in Version 3.1, we added macOS dynamic analysis and detection to our well-established platform. Leveraging deep expertise and years of experience protecting Windows environments, Version 3.1 addresses the unique challenges of macOS, enabling researchers and DFIR teams to dynamically analyze and detect malware at scale.
Dynamic malware analysis is challenging in many ways, and VMRay is one of the rare providers who has mastered those challenges. Underlying the macOS-specific capabilities of VMRay Analyzer are three core traits that are OS-independent:
With the different levels of abstraction provided by system APIs, malware can interact with the OS at any level (see Figure 7). A dynamic analysis sandbox needs to monitor all potential sources of misbehavior, from direct syscalls to high-level API calls. Otherwise, it will miss detecting malware that may cause significant harm.
For dynamic analysis to be bulletproof, malware samples need to run in an isolated environment, allowing potentially malicious behavior to be monitored and executed, without impacting production systems or corrupting the sandbox itself. In addition, the analysis process should be undetectable to the malware, which might otherwise hide its behavior to thwart scrutiny and insight.
To meet both goals and still maintain full visibility, the analysis process needs to run on a higher privilege level than any of the malware samples being analyzed. VMRay achieves this by placing the sandbox in the hypervisor layer (see Figure 8). This means that no agents or other telltale modifications to the operating system are necessary, and malware cannot detect that it is being analyzed, even from the kernel.
For the first time, security teams benefit from full visibility into macOS malware behavior and the means to defeat evasion-resistant macOS malware strains. Furthermore, efficiency and automation features empower security teams to handle larger analysis volumes, speed up detection and improve the productivity and efficiency of security personnel and infrastructure.
FLARE VM is a freely available and open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.
The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.
As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said, all of the relevant tools to perform such analysis are already included in the distribution, such as the IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.
I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!
Computer Security Incident Response Teams (CSIRTs) are typically engaged in mitigating malware incidents. The identification and mitigation of these incidents is often complex, and requires a variety of skills, including anomaly detection, dynamic analysis, static analysis, prioritization and clustering. In addition, mitigations and responses can be very diverse, from the simple removal of a file, through the wiping of an individual machine, to the rebuild and migration of a network area or enterprise network.