Malware Analysis Articles (22)

Know Your Malware: Classification is Key to Understanding Purpose and Function

What are the different types of malware? A Guide to Malware Classification.

The Working Environment of Popular Debuggers and Disassemblers

In a previous article we discussed the basic concepts of debuggers and disassemblers. We will now take a look at the working environment of popular debugging and dissassembling applications. In addition to code disassembly, debuggers enable the reverser to execute the target program in a controlled manner, i.e., rather than executing the entire binary, the reverser can execute a specific instruction or function. While a program is running, you can view and modify its execution flow to gain insight into its functionality. Let’s take a closer look at the working environment of popular debuggers…

Introduction to Debuggers and Disassemblers

Reverse Engineering (RE) has been the leading technique for understanding the structure and operation of malicious programs and what they’re programmed to do for a very long time.

Tools to get you Started in Malware Analysis

In this blog post, we will discuss a few additional extremely useful analysis tools. Please note that this is not an exhaustive list of the best available tools, but rather a starting point.

Identifying Malware Persistance

This article will discuss the most prevalent persistent techniques employed by malware.

Fileless Malware: a New Type of Malware That Doesn't Rely on Executable Files

Fileless malware is a type of malware that does not rely on traditional executable files to infect a system. Instead, fileless malware uses existing system files and resources to infect a system and carry out its malicious activity. Fileless malware typically uses scripting languages like PowerShell or VBScript to execute malicious code. The malware code is injected directly into system memory, evading detection by traditional security solutions that focus on scanning files on disk.

Malware Injection Techniques: API hooking techniques

The API hooking technique (which is based on process injection) is utilized by adversaries in order to modify the input or output of Windows API calls. Use cases include stealing passwords, preventing the loading of security tools, hijacking network connections, logging keystrokes, and hiding processes and files.

Malware Injection Techniques: AtomBombing, EWMI, NtTestAlert

AtomBombing is a malware injection technique that inserts malicious code into legitimate process threads. This technique is often used by attackers to gain persistence on a system or to elevate privileges. The code that is injected into the thread can be executed when the thread is scheduled, which allows the attacker to execute their code without needing to create a new process.

Malware Injection Techniques: APC injection

APC injection is a type of malware that inserts code into a process by using the system’s asynchronous procedure call (APC) queue. This type of malware is difficult to detect because it doesn’t create any new processes or files. Instead, it modifies existing ones. APC injection can be used to install other types of malware, such as keyloggers and remote access tools. It can also be used to disable security features, such as antivirus software.

Malware Injection Techniques: Thread Execution Hijacking and SetWindowsHookEx

We continue to review the various methods of code injection!

Malware Injection Techniques: Process Hollowing

Process hollowing is a process of running a new process in the address space of a preexisting process. Process hollowing has been used by malware to masquerade their code as legitimate processes. When the legitimate process is hollowed, the malware code is injected into the new process and executed. The malware can then use the existing process’ permissions to perform malicious actions on the system.

Malware Injection Techniques: Introduction

Malware use process injection as an evasion method. It includes executing custom code within the address space of another process to achieve stealth and, in certain situations, persistence. Process injection can be performed using a variety of methods. In this article, we will discuss the most prevalent injection strategies, how they operate, and the methods employed by each.

Windows Internals: Processes

Before we begin anything connected to malware execution, let’s delve into the Windows System Internals and grasp the basic components of a process and the system on which we will conduct our investigations and analyses. Understanding how to trace and monitor suspicious processes in your restricted environment is crucial.

Introduction to Behavior Analysis Techniques

In this series of blog posts, we will examine several aspects of dynamic malware analysis. We will examine the behavior of malware and why it must be dynamically analyzed, the various dynamic analysis methodologies, and their advantages and cons. and negative aspects of each method, technique, and tool.

Fuzzy Hashing, Import Hashing and Section Hashing

In a previous post, we looked at a variety of methods for tracking and recognizing malware samples, including hashes, fuzzy hashes, and even developing YARA rules. However, threat actors are constantly changing their signatures, making it difficult for us to recognize their approaches and tactics.

YARA: A powerful Malware Analysis Tool for Detecting IOC's - Part 2

In a previous article we discussed YARA rules, syntax and IOC’s. Let’s continue our acquaintance with YARA rules!

YARA: A powerful Malware Analysis Tool for Detecting IOC's - Part 1

There has been a lot of research done over the years to increase detection skills, and researchers have managed to come up with a lot of novel detection methods and methodologies. Each one has its own set of advantages and disadvantages. As a result, we can’t claim that we’ll choose one over the other when it comes to detection. Some are better suited to one task but not to another. In many businesses, a hybrid solution will be implemented in this manner.

Don't be Fooled by Malware in Disguise - Identifying Obfuscated Malware

The use of “obfuscation” is one of the strategies used by threat actors to hide their malware, avoid detection, and prevent investigation. The goal is to change the code in such a way that it becomes more difficult to understand while maintaining the program’s functioning. The structure, the way the code is written, or the use of encoding/encryption are all examples of modifications. This article will solely cover the fundamentals and methods for determining whether or not the sample we’re evaluating has been obfuscated in some way. So relax, we’ve got you covered; this is just a warm-up.

Reverse Engineering Portable Executables (PE) - Part 2

The PE file format is a data structure that is used by Microsoft Windows programs. It is a container for all the information that is needed by the program. This includes the code, data, and resources. The file format is also used by other operating systems, but the Windows version is the most common. For example, the Portable Executable (PE) file format is used for executables and dynamic-link libraries (DLLs).

Reverse Engineering Portable Executables (PE) - Part 1

While contemplating malware investigation, one of the most significant subjects to find out more about is understanding the Portable Executable (PE) file design.

Reverse Engineer Malware Without the Risk of Infection

Static code analysis is the process of analyzing a program’s source code without executing it. This can be useful for malware reverse engineering, because it can help to identify malicious code without running it and potentially infecting the analyst’s system. Static code analysis can be performed manually or using automated tools.

Becoming a Malware Analyst

You have been using the free trial version of a tool called My Photo Editor for your image editing activities. However, the trial period has ended and a licence has to be purchased from the website to continue using the software. There is another third-party website that claims to provide the full version of My Photo Editor for free. All you need to do is click on a link to download the setup file. Soon after installing the setup, you notice that your computer is behaving strangely. Text files are being created and deleted from the desktop without your involvement, the Command Prompt application is running even though you did not start it and the computer seems to be running at a slow pace overall.