
Practical Malware Analysis and Triage Lecture Notes

Jul 12, 2024

Practical Malware Analysis and Triage - Lecture by Matt Kiley (Husky Hacks)

Who is Husky Hacks?

  • Real name: Matt Kiley
  • Online alias: Husky Hacks
  • Cat dad to Cosmo
  • Mountaineer, summited Mount Kilimanjaro
  • Marine Corps veteran
  • Former lead cybersecurity analyst at MIT Lincoln Laboratory
  • Education: BSc in IT from Northeastern University, Graduate Certificate in Cybersecurity from RIT
  • Ex-Red Team operator at a large financial institution
  • Content creator on Twitter: @huskyhacksmk

Course Overview

  • Purpose: Practical introduction to malware analysis, triage, and light reverse engineering
  • Focus: Malware common to the Windows operating system
  • Lab-Centered: 20+ malware samples provided
  • Learning Outcomes:
    • Build a malware analysis lab safely
    • Analyze and handle malware
    • Techniques and methodologies of malware analysis
    • Report writing and publishing insights

Course Content Breakdown

  1. Initial Setup and Safety
    • Building a malware analysis lab
    • Safe practices and habits for malware handling
  2. Four Foundations of Malware Analysis
    • Basic static analysis
    • Basic dynamic analysis
    • Advanced static analysis
    • Advanced dynamic analysis
    • Challenge binaries for practice
  3. Specialty Malware Classes
    • Phishing malware (e.g., Microsoft Word Remote Template Injection, Excel Macros)
    • Shellcode analysis
    • Scripted malware (PowerShell, VBS)
    • C# assemblies
    • Go malware
    • Android malware in mobile applications
  4. Capstone Challenge
    • Analyze real-world malware specimen
    • Automate with Jupyter notebooks and malware sandboxes
    • Writing YARA rules
  5. Final Projects and Reports
    • Clear and organized triage reports
    • Further reading and resources

Important Points and Safety

  • Crucial: Safe malware handling is emphasized from the beginning
  • Risks: Understand the VM configuration before detonating anything; the host OS must never be put at risk
    • Keep the analysis VMs on an isolated (host-only) network with shared folders and clipboard sharing turned off, so a sample cannot reach the host or the internet
  • Tools Recommended: Oracle VirtualBox for VM management, mainly for its snapshot capabilities
  • Installation Process: Step-by-step guide to installing VirtualBox and setting up Windows 10 and REMnux
    • Pro Tip: Always take a snapshot of the clean state before running a sample, so you can revert to it afterwards

Working with Malware Samples

  • Hands-on Practice: Samples ship as password-protected archives (extract with 7-Zip; the password is conventionally 'infected'), so antivirus does not quarantine them in transit and nothing runs by accident
  • Initial Activity:
    • Online resources (VirusTotal, GitHub repositories such as theZoo, vx-underground)
    • Goal: Compute the MD5 and SHA-256 hashes of a sample and look them up on VirusTotal. Search by hash first; uploading the file itself shares the sample with VirusTotal and its partners, which matters when a specimen is tied to a specific victim
    • Example: WannaCry - analyze famous malware with known indicators
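
As an added example (not from the lecture or the course materials), the hashing step in Python: compute the digests a triage report lists, build the VirusTotal hash-lookup URL rather than uploading the file, and compare the result against a local table of known hashes. The sample bytes, the `.malz` extension and the known-hash table are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the bytes of an extracted sample. A real workflow
# reads them from the file pulled out of the password-protected archive.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$" + b"\xcc" * 128
)


def hash_bytes(data: bytes) -> dict:
    """Return the hashes a triage report normally lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same hashes, streamed from disk so a large sample is never loaded whole."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
            size += len(chunk)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def vt_lookup_url(sha256: str) -> str:
    """VirusTotal page for a file identified by its SHA-256.

    Looking up a hash tells VirusTotal only that someone searched for it;
    uploading the file hands out the sample itself, which matters when the
    specimen is targeted or carries victim data. Start with the hash.
    """
    digest = sha256.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a hex-encoded SHA-256")
    return f"https://www.virustotal.com/gui/file/{digest}"


def match_known(hashes: dict, known: dict) -> list:
    """Compare a sample's hashes against a local table of known indicators.

    `known` maps a lowercase hex digest (md5, sha1 or sha256) to a label, for
    instance hashes copied out of a published report. Returns matching labels.
    """
    labels = set()
    for algo in ("md5", "sha1", "sha256"):
        label = known.get(hashes[algo].lower())
        if label is not None:
            labels.add(label)
    return sorted(labels)


def demo_consistency() -> bool:
    """Write the constructed sample to a temp file and confirm both hashing paths agree."""
    with tempfile.TemporaryDirectory() as tmp:
        # A non-executable extension (chosen for this example) means a stray
        # double-click on the file does nothing.
        path = os.path.join(tmp, "sample.malz")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        return hash_file(path) == hash_bytes(SAMPLE_BYTES)


if __name__ == "__main__":
    h = hash_bytes(SAMPLE_BYTES)
    print(h)
    print(vt_lookup_url(h["sha256"]))
    print(match_known(h, {h["sha256"]: "constructed test sample"}))
    print("streamed hashing agrees:", demo_consistency())
```

The known-hash table is the offline half of the workflow: hashes published for a family like WannaCry can be pasted into it, so a sample is checked locally before anything is sent to VirusTotal.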

Advanced Malware Analysis

  • Tools: Focus on Cutter for disassembly and decompilation, and IDA Pro
  • Decompilation Insights: Understand the gap between compiled and source code; decompiler output is an approximation, so analyze the program's logical flow rather than expecting readable source
  • API Calls and Import Table: Identify Windows API calls commonly used in malicious code (e.g., CreateRemoteThread next to VirtualAllocEx and WriteProcessMemory, the classic process injection pattern) from the import table; a packed sample shows few imports until it is unpacked
  • Static vs. Dynamic Analysis: Combine both for a comprehensive understanding; a static finding is a hypothesis that dynamic analysis confirms
  • Debugging: Use Process Hacker to inspect processes, threads, handles, and memory during dynamic analysis (it complements a debugger rather than replacing one)

Practical Scenario and Exercise

  • Hands-On Activity: Analyze samples step-by-step, reverting to a clean snapshot between detonations
  • Key Point: Always cross-reference findings from different tools (e.g., Wireshark for network indicators, Procmon for host-based indicators); an indicator seen in only one tool is worth a second look
  • Final Exercise: Reports and formulating insights with concrete, detailed examples
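
An added example (not part of the lecture) of the cross-referencing step: parse a Procmon CSV export, keep only the high-signal operations for the sample's process, and join each outbound connection to the DNS answer seen in Wireshark. The CSV rows, hostnames and addresses are constructed for the example.

```python
import csv
import io
import re

# Constructed Procmon CSV export (File > Save..., CSV) with the seven default
# columns; every row below is invented for this example.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","sample.exe","4212","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 86, Data: C:\Users\flare\AppData\Roaming\updater.exe"
"10:01:02.2000000 AM","sample.exe","4212","CreateFile","C:\Users\flare\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:03.0000000 AM","sample.exe","4212","TCP Connect","FLARE-VM:49832 -> 10.0.0.3:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1"
"10:01:03.5000000 AM","sample.exe","4212","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5120, Command line: cmd.exe /c vssadmin delete shadows /all /quiet"
"10:01:04.0000000 AM","explorer.exe","1200","RegQueryValue","HKCU\Software\Classes\CLSID","SUCCESS","Type: REG_SZ, Length: 2"
'''

# Constructed DNS answers, as read off Wireshark with the `dns` display filter.
DNS_ANSWERS = [("updates.example.net", "10.0.0.3")]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"->\s*(.+):(\d+)\s*$")       # "src:port -> dst:port"
CMDLINE_RE = re.compile(r"Command line:\s*(.*)$")


def parse_procmon_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def host_indicators(events: list, process_name: str) -> dict:
    """Reduce a full trace to the operations that usually end up in a triage report."""
    ind = {"registry": [], "files": [], "network": [], "children": []}
    for e in events:
        if e["Process Name"].lower() != process_name.lower() or e["Result"] != "SUCCESS":
            continue
        op, path, detail = e["Operation"], e["Path"], e["Detail"]
        if op == "RegSetValue" and RUN_KEY_RE.search(path):
            ind["registry"].append(path)                      # Run-key persistence
        elif op == "CreateFile" and "Generic Write" in detail and path.lower().endswith((".exe", ".dll")):
            ind["files"].append(path)                         # dropped executable
        elif op in ("TCP Connect", "UDP Send"):
            m = ENDPOINT_RE.search(path)
            if m:
                ind["network"].append((m.group(1), int(m.group(2))))
        elif op == "Process Create":
            m = CMDLINE_RE.search(detail)
            ind["children"].append(m.group(1) if m else path)  # child command line
    return ind


def correlate_network(connections: list, dns_answers: list) -> list:
    """Attach the queried domain(s) to each connection.

    In a lab where REMnux answers every DNS query with its own address (INetSim,
    FakeDNS), the destination IP is the same for every domain and is not an
    indicator by itself; the queried name is what belongs in the report.
    """
    by_ip = {}
    for name, ip in dns_answers:
        by_ip.setdefault(ip, []).append(name)
    return [{"ip": ip, "port": port, "domains": by_ip.get(ip, [])} for ip, port in connections]


def triage(procmon_csv: str, dns_answers: list, process_name: str) -> dict:
    ind = host_indicators(parse_procmon_csv(procmon_csv), process_name)
    ind["network"] = correlate_network(ind["network"], dns_answers)
    return ind


if __name__ == "__main__":
    for key, value in triage(PROCMON_CSV, DNS_ANSWERS, "sample.exe").items():
        print(f"{key}: {value}")
```

The filters are deliberately narrow: a Procmon trace of a few seconds holds tens of thousands of rows, and the report wants the Run key, the dropped file, the connection with its domain, and the child command line, each of which can then be checked against the other tool (the domain against Wireshark, the dropped file against a hash lookup).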

Resources and Follow-Up

  • Contact: Email or DM on Twitter for further questions
  • Further Learning: Lists of books, articles, and online courses to expand knowledge

Summary

  • Takeaways: Safety, detailed note-taking, comprehensive use of tools
  • End Goal: Build rigorous habits in malware analysis methodology