11.3 Malware Part 3 (FI)

Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we talked about the different components of malware and some similar definitions. You just want to understand all those terms for your exam.
In this video, we're going to cover static versus dynamic analysis for malware. But I want to stress that this is going to be a high-level overview. We're not going to deep dive into malware analysis in this particular module.
So, basic static malware analysis. So, as the name implies, you know, we're not executing the actual code. We're just taking a look at it. So, you know, the first step is generally always, you know, scanning it with some type of tool we have, you know, like your Malwarebytes, Sophos, Trend Micro, etcetera, etcetera. So whatever you decide to use or whatever your company is using, we just scan it with that first.
Then we can also take a hash for fingerprinting purposes.
So, for example, if we want to upload that hash to something like VirusTotal to see if it's been found before, and so we get information about that particular malware and even see if it is malware, right?
Or, you know, if we don't find it on a site like that, then we have a hash that we can then report to them to say, hey, you know, I found this new malware or whatever.
Searching strings, you know. So we could search, you know, for any type of URL connections, you know, does it copy files to a specific location, and then also, um, if the malware is packed. So if a packer was used, then generally we're going to see, like, few strings showing,
and that could potentially indicate that the file is malicious.
So here's an example of, you know, just taking a look at, like, strings. So
we can, again, we're not diving into, like, actual malware analysis or a deep dive or anything. I just want to show you what we might look for as an investigator. So you'll see, like, things like VP3, VW3, etcetera. Those kind of look like just random characters. So generally you could ignore those, right? The things you want to focus on: we see an IP address right there. That's definitely one.
Um, we also see, you know, GetLayout, GDI32.dll, SetLayout.
We also see, like, an error message back. So those are things we would want to focus on, right? So, um,
the GetLayout here and also SetLayout, these are Windows functions that are used by the Windows graphics library. So these are meaningful, you know, things to look at, right, because, um, these are actual legitimate things in use, right? Not just some jumbled characters, like, you know, the T, dollar sign, at symbol or whatever.
Also, GDI32.dll. Well, that's because it's the name of a common Windows DLL that's used by graphics programs. So this contains executable code, right, that the malware could be using in some capacity.
And then finally, you know, the error message. You know, oftentimes, like, when you're doing, like, static analysis, oftentimes error messages are valuable, very valuable, because they could show you different things, right? So in this example, you know, this can show us that, hey, the malware probably does send messages, right, because we see a mail system error and a send mail error,
and then also
it may indicate to us that we want to go ahead and, like, check, you know, email logs, right, for suspicious traffic. So, again, in this example that we can use as a forensic investigator, again, I want to stress we're not deep diving, because you can actually have a whole course on malware analysis, you probably see them out there,
um, and so we're not taking a deep dive. I just want to show an example, like, static analysis at kind of a very, very basic level.
So the portable executable format, PE, is something that you just want to know for your exam. So just understand that the PE header can contain the code information, the application type, the library functions that will be used, and the space requirements of the malware.
So, uh, different sections in there you might see, like the .text section contains instructions that the CPU executes. So that's the executable code information in the .text section.
The .rdata contains import and export information. .data, as the name implies, well, it contains global data, not local data, but the global data. So just keep that in mind for your exam,
and then .rsrc contains the resources used. So things like your icons or images or even menus that the malware is calling.
So, linking libraries. You just want to be familiar with this. Specifically, you'll want to be familiar with a tool called Dependency Walker. So runtime linking is only when the function is needed. Static linking, all of the library code is copied into the executable.
And more commonly, dynamic linking is probably the most common one that you see
out there. That's only when the program is loaded does it pull the information.
So the Dependency Walker tool that I mentioned, you want to know for the exam. That one lists out dynamically linked functions. So just know for the exam that Dependency Walker is used for static malware analysis.
You know, so, so we can use it for static malware analysis. Just keep that aspect in mind. I should, I should correct myself there.
So, basic static malware analysis, continued.
We can look, you know, uh, here in CurrentVersion\Run, and that shows, basically controls, which programs run at startup. And then we can also see, you know, registry strings commonly used by malware as well. So, so this one here you may commonly see in the malware,
especially if you decide to unpack it, or if you can
unpack it, or honestly, if you could just see the code of it. If it's not using a packer, that's probably the easiest way.
So just a quick post-assessment question on static and dynamic linking. Dynamic linking is generally the most common form of linking seen in malware. Is that true or false?
All right, so that was true. Ah, and again, that's the most common one that we see.
So, basic dynamic malware analysis.
The main difference here is we're actually executing the malware, right? We're trying to see, like, what's it doing when it runs? And so, you know, we want to do that inside of a virtual machine or sandbox, so to speak. We don't want to do that on your regular computer, because you don't know exactly what that malware is going to do. So even if you look at it from a static standpoint,
you may not fully understand what all the code is going to be doing.
So that's why you don't want to run it on your own machine.
So keep in mind, though, that when we do, like, basic dynamic malware analysis, we may not understand, excuse me, we may not see, you know, all the execution of the malware, right, because sometimes it may require user interaction, so we may not be able to see, you know, what it's actually going to do. Now, if we deep dive into, like, advanced
dynamic malware analysis, we're actually cracking open the malware
and looking at the code of it and going through and understanding, like, okay, how does this particular line of code function? Then, sure, right, we might be able to figure out exactly how it's functioning. But in this, in this case, for very, very basic dynamic malware analysis, you may not understand fully
what the malware is going to do. So that's why, again, we want to make sure we run it
inside of a sandbox.
So things like, you know, Process Monitor can be used. Dependency Walker, as I mentioned, you know, again, that could be used for static or dynamic to look at the linking. Regshot, so we basically copy the registry and then execute the malware and compare the different registries to see if there was a change to the registry by the malware.
Netcat, so we could look at, like, you know, what's open,
you know, like open sessions, that sort of stuff.
And then Wireshark, you know, of course, we know that's for packet capturing, so we could potentially look at the network traffic after we're actually executing the malware.
So just a quick post-assessment question here. I mentioned it a few times, but you do not need to use a sandbox environment for basic dynamic malware analysis. Is that true or false?
All right, so we know that's false, right? I mentioned a few times that if you're going to do dynamic analysis, you definitely want to do it inside of a sandbox. And I actually recommend, for any type of malware analysis, so static and dynamic, do those inside of a sandbox environment.
So in this video, we wrapped up our discussion on malware. We talked about static versus dynamic malware analysis. Again, we just touched on it at a very, very high level,
and in the next module, we're going to go over email crimes. We'll talk about, you know, things like the CAN-SPAM Act and analyzing different email files in the next module.
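The basic static triage steps walked through in this video (hash the file, pull printable strings, then separate the meaningful ones like IP addresses, DLL names and Windows API names from the junk) as an added Python example; this is not code from the video or the course, and the sample bytes, the classification patterns and the "few strings" threshold are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample standing in for a suspicious file: junk, an IP address,
# Windows API names, a DLL, a Run key and error text (not a real binary).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00VP3\x00VW3\x00T$@1kQ\x00"
    b"GetLayout\x00GDI32.dll\x00SetLayout\x00"
    b"192.168.10.25\x00http://update.example.com/get\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"Mail system DLL error\x00Send mail failed\x00"
)

MIN_LEN = 4             # same default minimum length as the strings tool
FEW_STRINGS = 20        # assumed threshold: on a real PE, very few strings hints at a packer

# Assumed patterns for the string categories an investigator looks for first.
PATTERNS = {
    "ip": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "url": re.compile(r"^https?://", re.I),
    "dll": re.compile(r"\.dll$", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),
    "win_api": re.compile(r"^(?:Get|Set|Create|Write|Reg)[A-Z][A-Za-z]+$"),
    "error_msg": re.compile(r"\b(error|failed|invalid)\b", re.I),
}

def file_hashes(data: bytes) -> dict:
    """Fingerprint the file so the hash can be looked up on VirusTotal or reported."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Pull runs of printable ASCII, like the strings tool; short junk like VP3 drops out."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings: list) -> dict:
    """Group strings by why they matter; junk such as T$@1kQ matches nothing."""
    found = {kind: [] for kind in PATTERNS}
    for s in strings:
        for kind, pat in PATTERNS.items():
            if pat.search(s):
                found[kind].append(s)
    return found

def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"is_mz": data[:2] == b"MZ",          # PE files start with the MZ header
            "hashes": file_hashes(data),
            "strings": strings,
            "interesting": classify(strings),
            "few_strings": len(strings) < FEW_STRINGS}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```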