
Intro To Malware

***Caution***

Do not replicate this training or exercise on your primary host system. Always follow safe malware analysis practices: use a virtual machine, keep no private information on it, and use a system you do not mind reverting to a pre-saved snapshot.

For this exercise, I personally used a VM inside of a Kali Linux VM to analyze the files, and I used my Kali Linux machine to look up the hashes on open-source malware analysis tools.

We will use a few malware files, but mostly the famous WannaCry malware. So be safe when testing malware and make sure this does not happen to you!

Let's start with the basics: a file. WannaCry is a decent piece of malware to begin with, so let's take a look. I was able to use a Linux command-line tool to view the basic information and the hash of the file. I personally used md5, which gave me the MD5 hash.

This next tool is called pecheck. It gives me a very in-depth analysis of this malware file.

It is even effective on obfuscated malware that has been compressed and hidden by the malware writers, as you can see in the example below.
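As an added example (not code from this post), here is a small Python script that does by hand what the md5 and pecheck steps above do: hash the bytes, walk the PE section table, and flag sections whose byte entropy suggests packing or encryption. The sample PE it builds is constructed inside the script (not WannaCry or any real binary); the section name UPX1 is used only because the UPX packer names its sections that way.

```python
import hashlib
import math
import struct
from collections import Counter

def file_hashes(data: bytes) -> dict:
    """Hashes to look up on VirusTotal or a sandbox's database without ever running the file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """0.0 (a single byte value) .. 8.0 (uniformly random); packed or encrypted code sits near the top."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes) -> list:
    """Walk the PE section table (a slice of what pecheck prints); pure parsing, no execution."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1  # e_lfanew
    if pe_off < 0 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not an MZ/PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                           # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                    "raw_size": rawsize, "entropy": round(shannon_entropy(raw), 2)})
    return out

def packing_indicators(sections: list) -> list:
    """Flag sections whose bytes are near-random, typical of packed or encrypted code awaiting an unpacking stub."""
    return [f"{s['name']}: entropy {s['entropy']} looks packed or encrypted" for s in sections if s["entropy"] >= 7.0]

def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed sample (not WannaCry, not any real binary, not runnable)."""
    text = b"\x90" * 64 + b"Hello from .text\0"   # low-entropy, code-like bytes
    packed = bytes(range(256)) * 2                 # every byte value equally often -> entropy 8.0
    opt = b"\0" * 0xE0                             # zeroed PE32 optional header (0xE0 bytes)
    pe_off, nsec = 0x40, 2
    data_start = pe_off + 24 + len(opt) + 40 * nsec
    def hdr(name, body, ptr):                      # IMAGE_SECTION_HEADER, unused fields zeroed
        return struct.pack("<8sIIII", name, len(body), 0x1000, len(body), ptr) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)              # e_lfanew sits at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + opt + hdr(b".text", text, data_start)
            + hdr(b"UPX1", packed, data_start + len(text)) + text + packed)
```

Point `pe_sections` at the bytes of a real sample inside your analysis VM and the high-entropy sections are usually the ones a packer or crypter wrapped.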

I also used a GUI version of PEtree to get a more user-friendly view, which is great for reports or presentations to a team or organization.

Let's move on to using an open-source scanning tool called VirusTotal.

I personally use VirusTotal on a daily basis to scan URLs, files and more.

Notice how we are researching this malware without executing the file. This is called static analysis. If I were to run the file and start the malware's process, that would be dynamic analysis. Those tests and their results will come in a later article.

Let's take a closer look at some more malware files WITHOUT executing them.

This is great info. Let's move on to a sandbox! I am using Hybrid Analysis, but there are many great ones out there, like Cuckoo, CAPE, Any.run, and Intezer.

I grabbed the hash of the WannaCry malware and simply looked it up in the known-sample database. I could have uploaded the file via their web portal, but I already have the hash and the malware is already known, so I did the simple thing.

We have a few analysis reports already made. Great, let's dig deeper.

This amazing tool gave me info on things like risk assessment, incident response, suspicious indicators, file details, file metadata and resources, network analysis, common HTTP traffic associated with it, extracted files with relation, and even screenshots of the malware!

Here are a few screenshots; I cannot show it all in this small article.

As you can see, it is very detailed. This only scratches the surface of malware analysis, and there are many more articles to come. This is simply an introduction to doing static analysis on malware without compromising the host system by executing the file.