Tryhackme-Malware Analysis

Malware Analysis

History of Malware

task1 Introduction

Read the above.

task2 The Creeper Program

1.Read the above.

2.Who re-designed the Creeper Virus?

Ray Tomlinson

3.How is data transferred through a network?

Packet Switching

4.Who created the first concept of a virus?

John von Neumann

5.What text did the Creeper program print to the screen?

I’m the creeper, catch me if you can!

6.What does ARPANET stand for?

The Advanced Research Projects Agency Network

7.Which team created the network control program?

Network Working Group

8.What is the first virus commonly known as?

Creeper

task3 Reaper

1.Read the above.

2.Who created Reaper?

Ray Tomlinson

3.What type of malware may Reaper be known as?

nematode

4.What was the first ever anti-virus program known as?

Reaper

5.What was Bob Thomas’ main project to develop?

resource-sharing capability

6.Research: What does API stand for?

Application Programming Interface

task4 Wabbit

1.Read the information.

2.What is a modern day fork bomb also known as?

denial of service attack

3.Was Rabbit one of the first malicious programs? (Y/N)

Y

4.What did the name “Wabbit” derive from?

looney tunes cartoons

task5 ANIMAL

1.Read the above.

2.When was PERVADE added to ANIMAL?

1975

3.Did John think this was a good idea? (Y/N)

Y

4.What computers did the program spread across?

UNIVACs

5.What type of malware is ANIMAL also known as?

Trojan

6.Who built the wooden horse?

the Greeks

task6 Elk Cloner

1.Read the above.

2.Which US Military regiment caught the virus?

US Navy

3.How many lines long is the Elk Cloner poem?

7

4.When was Elk Cloner written?

1982

5.Is a boot sector virus more or less common in modern technology?

less

6.How long did it take Richard to write the program?

2 weeks

7.Which Operating System was affected?

Apple II

task7 The Morris Internet Worm

1.Read the above.

2.What commands were a very big way that allowed Morris to access the computers?

Berkeley r-commands

3.Who was one of the first people prosecuted under the computer misuse act?

Robert Tappan Morris

4.What type of attack is a “Fork Bomb”?

denial of service

5.When was this worm released?

1988

6.How many computers did it infect within 15 hours?

2000

7.What does rsh mean?

remote shell

8.Under which act was Morris arrested?

1988 Computer Fraud and Abuse act

task8 Cascade

1.Read the above.

2.What was the name of this virus?

Cascade

3.What file extensions would this virus infect?

.COM

4.How many variants of this virus were possibly found?

40

5.What operating system would the virus run on?

DOS

6.Which Operating System/Framework would Cascade try to avoid?

IBM

7.How many bytes would be added onto your file if it got infected?

1704

task9 Thanks for reading!

Thanks!

MAL: Malware Introductory

Task1 What is the Purpose of Malware Analysis?

Ah, now I kinda understand…

Key points when analysing malware

  • Point of entry
  • Conditions required for it to run
  • What it does when executed
  • Prevention and detection

Task2 Understanding Malware Campaigns

1.What is the famous example of a targeted attack-esque Malware that targeted Iran?

Stuxnet

Stuxnet: a worm used in a targeted attack against infrastructure.

2.What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?

Wannacry

WannaCry (EternalBlue): ransomware that exploited the MS17-010 vulnerability.

Task3 Identifying if a Malware Attack has Happened

Stages of a malware attack

1.Delivery (attack)

2.Execution (infection)

3.Maintaining persistence

4.Persistence

5.Propagation

1.Name the first essential step of a Malware Attack?

Delivery

2.Now name the second essential step of a Malware Attack?

Execution

3.What type of signature is used to classify remnants of infection on a host?

Host-Based Signature

4.What is the name of the other classification of signature used after a Malware attack?

Network-Based Signature

Attack signatures

-Host-Based Signature

-Network-Based Signature

Task4 Static Vs. Dynamic Analysis

I understand the two broad categories employed when analysing potential malware!

Task5 Discussion of Provided Tools & Their Uses

Lets proceed

  • Dependency Walker (depends)
  • PeID
  • PE Explorer
  • PEview
  • Resource Hacker
  • IDA Freeware
  • WinDbg

Task6 Connecting to the Windows Analysis Environment (Deploy)

Username: Analysis

Password: Tryhackme123!

I’ve logged in!

Task7 Obtaining MD5 Checksums of Provided Files

Computing a file's MD5 on Windows

At the command prompt: certutil -hashfile <filename> MD5 (or SHA1 / SHA256)

1.The MD5 Checksum of aws.exe

d2778164ef643ba8f44cc202ec7ef157

2.The MD5 Checksum of Netlogo.exe

59cb421172a89e1e16c11a428326952c

3.The MD5 Checksum of vlc.exe

5416be1b8b04b1681cb39cf0e2caad9f

Task8 Now let's see if the MD5 Checksums have been analysed before

1.Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Nay

2.Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Nay

3.Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Nay

VirusTotal

Task9 Identifying if the Executables are obfuscated / packed


1.What does PeID propose 1DE9176AD682FF.dll being packed with?

Microsoft Visual C++ 6.0

2.What does PeID propose AD29AA1B.bin being packed with?

Microsoft Visual C++ 6.0

Task10 What is Obfuscation / Packing?

What packer does PeID report file “6F431F46547DB2628” to be packed with?

FSG 1.0 dulek/xt


Task11 Visualising the Differences Between Packed & Non-Packed Code

Cursed obfuscation!

Task12 Introduction to Strings

1.What is the URL that is outputted after using “strings”?

practicalmalwareanalysis.com

strings "Tasks\Task12\67844c01"

2.How many unique “Imports” are there?

5


Task13 Introduction to Imports

How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?

Open IDA, select Task13/install.exe and load it with the pe64.dll loader; then click View → Open subviews → Imports, and the 9 references to msi are listed.

9


Task14 Practical Summary

1.What is the MD5 Checksum of the file?

f5bd8e6dc6782ed4dfa62b8215bdc429

2.Does Virustotal report this file as malicious? (Yay/Nay)

yay


3.Output the strings using Sysinternals “strings” tool.

What is the last string outputted?

d:h:


4.What is the output of PeID when trying to detect what packer is used by the file?

Nothing Found


Basic Malware RE

Password for the ZIP is MalwareTech

Task1 Introduction

Read the above

Task2 Strings :: Challenge 1

What is the flag of which that MD5 gets generated?

FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}


Task3 Strings :: Challenge 2

What is the flag of which that MD5 gets generated?

FLAG{STACK-STRINGS-ARE-BEST-STRINGS}


Task4 Strings 3 :: Challenge 3

What is the flag of which that MD5 gets generated?

FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}

Open strings3.exe_ in IDA and focus on the imported LoadStringA function. It takes four parameters; the uID parameter selects which string resource is loaded:

  1. The instance handle (hInstance) is NULL.
  2. The identifier (uID) is set to the stack variable uID.
  3. The read buffer (lpBuffer) is set to the stack variable Buffer.
  4. The buffer size (cchBufferMax) is set to 1023 (0x3FF).

The program derives the value through a short sequence of operations and stores it in uID:

mov eax, 1         ; eax = 1
shl eax, 8         ; eax = 1 << 8 = 256
xor edx, edx       ; edx = 0
inc edx            ; edx = 0 + 1 = 1
shl edx, 4         ; edx = 1 << 4 = 16
or eax, edx        ; eax = 256 or 16 = 272
mov [ebp+uID], eax ; uID = 272

Open Strings3.exe_ in Resource Hacker and look up the string with ID 272 in the string table; that string is the flag.
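The uID computation above can be recovered without a debugger by emulating the handful of instructions IDA shows. The following is an added example, not part of the original write-up or the challenge binary: a tiny straight-line x86 emulator (mov/shl/xor/or/inc only, 32-bit wraparound assumed) fed with the listing constructed from the disassembly quoted above.

```python
import re

MASK32 = 0xFFFFFFFF

# Constructed from the IDA disassembly quoted above (comments stripped).
UID_LISTING = """
mov eax, 1
shl eax, 8
xor edx, edx
inc edx
shl edx, 4
or eax, edx
mov [ebp+uID], eax
"""

def emulate(listing):
    """Run a straight-line x86 snippet; return (registers, stack locals)."""
    regs = {r: 0 for r in ("eax", "ebx", "ecx", "edx")}
    stack = {}
    # A source operand is either a register or a decimal/hex immediate.
    val = lambda op: regs[op] if op in regs else int(op, 0) & MASK32
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing IDA comments
        if not line:
            continue
        mnemonic, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        if mnemonic == "mov":
            store = re.fullmatch(r"\[ebp\+(\w+)\]", ops[0])
            if store:                        # write to a local variable
                stack[store.group(1)] = val(ops[1])
            else:
                regs[ops[0]] = val(ops[1])
        elif mnemonic == "shl":
            regs[ops[0]] = (regs[ops[0]] << val(ops[1])) & MASK32
        elif mnemonic == "xor":
            regs[ops[0]] ^= val(ops[1])
        elif mnemonic == "or":
            regs[ops[0]] |= val(ops[1])
        elif mnemonic == "inc":
            regs[ops[0]] = (regs[ops[0]] + 1) & MASK32
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return regs, stack

def resolve_uid(listing=UID_LISTING):
    """Return the string-table ID this snippet passes to LoadStringA."""
    return emulate(listing)[1]["uID"]  # 272 (0x110) for the listing above
```

Once the ID is known, the same value is what Resource Hacker's string table is searched for; the emulator is only there to avoid hand-computing the shifts and ORs.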
