Malware Analysis: The Dissection and Detection
We will be going through the methodology to dissect a malware sample and create a detection mechanism for it.
The objective of this blog is to shed some light on the Malware Analysis methodology and create a YARA rule to detect its presence.
Tools Used:
- CFF Explorer
- ExeinfoPE
- PEStudio
- YARA
The sample of the malware is from the Locky Ransomware family and can be downloaded from here.
The first step of analyzing a malware sample is to find out whether the file in question is a PE or not (otherwise, why bother?). PE stands for Portable Executable and, as the name suggests, it is a file that can be executed on a Windows-based system. We can use a tool called CFF Explorer to confirm that the file is a PE. (And yes, this cannot be done just by looking at the extension of the file, because it can be easily manipulated, and I am paranoid about it.)
CFF Explorer reads the header of the file. For a typical PE, the file starts with the DOS header magic MZ (4D 5A in hex). This header tells the underlying OS how to handle the file.
Once we are sure that the file in question is a PE, we can analyze the type of obfuscation it has. To hide the underlying code of a PE, authors obfuscate it, typically by compressing or encrypting the executable with a packer; this process is called packing. To analyze a malware sample we need to make sure that it is in an unpacked state. To check the type of packing, we can use a tool called ExeinfoPE.
For some reason, the malware was found to be already unpacked. If it had been packed, ExeinfoPE would have shown us a hint about the tool needed to unpack the PE.
Since it is already unpacked, we can move to the next phase of analysis.
I use PEStudio to analyze the malware because it provides a very comprehensive view of all the import / export functions, resources, strings, manifest file and other details about the file in question.
In the imports section of PEStudio, we can see a long list of suspicious imported functions used by the file in question. This raises the suspicion and confirms that the file in question is definitely malware.
In the strings section, we see a long list of readable strings found in the file. We will leverage the presence of strings unique to this file to create a detection rule.
On scrolling, a list of IPs was found. These IPs could be the C2 servers of the malware. A C2 (Command and Control) server is like the mothership of this malware, where its creators reside and issue commands to the malware.
Now we create the YARA rule.
rule rule1 {
    meta:
        description = "A simple but effective YARA rule"
    strings:
        $a = "185.46.11.239 31.184.233.106"
        $b = "185.22.67.27 31.184.197.119 91.219.29.55"
    condition:
        ($a and $b)
}
A YARA rule is a pattern-matching expression used to identify and classify files or processes based on their characteristics. YARA rules are used by guys like us (paranoid security researchers) to detect and respond to malware and other malicious activity on computer systems.
A typical YARA rule consists of a set of strings or regular expressions that define specific attributes of a file or process, such as its file name, size, or code structure.
When a file or process matches a YARA rule, it triggers an alert, allowing security teams to quickly respond and prevent further harm. YARA is a very popular tool for malware detection and analysis, and is widely used in both commercial and open-source security products.
Now we run the YARA rule.
Command: .\yara64.exe .\rule-1.yara .\<file-in-question>
Output: rule1 .\<file-in-question>
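To make the two checks above concrete without the external tools, here is an added example (not from the original post and not the YARA project's own code) that reimplements them in plain Python: the MZ / PE\0\0 header check that CFF Explorer performs, and the string-matching logic of rule1. The sample bytes are constructed inline as a minimal fake PE image; the IP strings are the ones from the rule.

```python
import struct

# The two string patterns from rule1 above, as raw bytes (YARA text strings match ASCII by default).
RULE_STRINGS = {
    "$a": b"185.46.11.239 31.184.233.106",
    "$b": b"185.22.67.27 31.184.197.119 91.219.29.55",
}


def is_pe(data: bytes) -> bool:
    """Return True if data starts with the DOS magic 'MZ' and the
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def match_rule1(data: bytes) -> dict:
    """Evaluate rule1's condition ($a and $b) and report where each string was found (-1 = absent)."""
    offsets = {name: data.find(pattern) for name, pattern in RULE_STRINGS.items()}
    return {"matched": all(off != -1 for off in offsets.values()), "offsets": offsets}


def scan(name: str, data: bytes):
    """Mimic the yara CLI output line 'rule1 <file>' for a match; None otherwise."""
    if is_pe(data) and match_rule1(data)["matched"]:
        return f"rule1 {name}"
    return None


def build_sample(with_iocs: bool) -> bytes:
    """Constructed test input: 0x40-byte DOS header with e_lfanew=0x80, zero padding,
    a PE signature, and optionally the rule's strings embedded among other bytes."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    image = bytes(dos).ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20
    if with_iocs:
        image += b"junk " + RULE_STRINGS["$a"] + b"\x00more\x00" + RULE_STRINGS["$b"] + b"\x00"
    return image


if __name__ == "__main__":
    for label, blob in (("sample-with-iocs.bin", build_sample(True)), ("clean.bin", build_sample(False))):
        print(label, "is PE:", is_pe(blob), "->", scan(label, blob))
```

Note that, exactly like the YARA rule, this only fires when both space-separated IP lists appear verbatim; a sample whose strings are stored one IP per entry would not match.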
Now we conclude the blog.
Conclusion
In conclusion, malware has become a significant threat to computer systems, and detecting it has become increasingly challenging. However, with the use of YARA, analysts can detect and analyze malware with greater precision and speed. YARA enables researchers to create customized rules for identifying specific patterns and behavior associated with malware, making it a necessity for any security researcher. With continued development and refinement, YARA promises to remain a powerful tool for malware detection and analysis in the ever-evolving cyber space. By leveraging the capabilities of YARA, researchers can stay one step ahead of cybercriminals and better protect computer systems from malicious attacks.
Let's get in touch: add me on LinkedIn, or Instagram works too.