securedorg.github.io/malware.md
2017-03-20 16:47:52 -07:00

---
layout: default
permalink: /RE101/section2/
title: Malware Techniques
---

Go Back to Reverse Engineering Malware 101

Section 2: Malware Techniques

Typical Attack Flow

Perimeter Recon → Infiltrate → Internal Recon → Entrench → Exfiltrate → Purge

Malware Classes

| Class | Description |
|-------|-------------|
| Virus | code that propagates (replicates) across systems with user intervention |
| Worm | code that self-propagates/replicates across systems without requiring user intervention |
| Bot | automated process that interacts with other network services |
| Trojan | malware that is often disguised as legitimate software |
| Ransomware | malware that holds the victim's data hostage by cryptography or other means |
| Rootkit | masks its own existence or the existence of other software |
| Backdoor | enables a remote attacker to access or send commands to a compromised computer |
| RAT | Remote Access Trojan, similar to a backdoor |
| Info Stealer | steals the victim's information, passwords, or other personal data |
| HackTool | admin tools or programs that may be used by hackers to attack computer systems and networks; these programs are not generally malicious |
| Hoax | program that may deliver a false warning about a computer virus or install a fake AV |
| Dropper/Downloader | designed to "install" or download some other malware |
| Adware | automatically renders advertisements in order to generate revenue for its author |
| PUP/PUA | Potentially Unwanted Program/Application, sometimes added to a system without the user's knowledge or approval |

Techniques Overview


Compression

Obfuscation

  • The deliberate act of writing code that is difficult for humans to understand.
  • Plain-text strings appear as base64 or XOR-encoded data instead of readable text.
  • The malicious behavior is mixed with junk functions or routines that do nothing, to throw off the reverser.
    • Control-Flow Flattening
    • String Encryption
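The two string tricks listed above, as an added example that is not part of the original page: a small Python helper that strictly base64-decodes a blob and, failing that, brute-forces a single-byte XOR key, ranking candidates by how many bytes look like readable configuration text. The sample blobs (`XOR_BLOB`, `B64_BLOB`) are constructed for the demo, not taken from any real sample.

```python
import base64
import binascii
import string

# Added example (not from the original page). Bytes expected in readable
# configuration strings: letters, digits, space and URL/path/command punctuation.
FRIENDLY = set(bytes(string.ascii_letters + string.digits + " ./:\\-_", "ascii"))


def friendly_ratio(data: bytes) -> float:
    """Share of bytes that look like they belong in a readable string."""
    return sum(b in FRIENDLY for b in data) / len(data) if data else 0.0


def try_base64(blob: bytes):
    """Strict decode; reject anything whose output does not read as text."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if decoded and friendly_ratio(decoded) >= 0.9 else None


def try_single_byte_xor(blob: bytes, min_ratio: float = 0.9):
    """Brute-force the 255 non-zero keys; keep the most readable candidate."""
    best_ratio, best = 0.0, None
    for key in range(1, 256):
        candidate = bytes(b ^ key for b in blob)
        ratio = friendly_ratio(candidate)
        if ratio > best_ratio:
            best_ratio, best = ratio, (key, candidate)
    return best if best_ratio >= min_ratio else None


def recover(blob: bytes):
    """Try base64 first, then XOR; return (method, key, plaintext) or None."""
    decoded = try_base64(blob)
    if decoded is not None:
        return ("base64", None, decoded)
    hit = try_single_byte_xor(blob)
    return ("xor", hit[0], hit[1]) if hit else None


# Constructed samples: a C2 URL XORed with key 0x5A and a command line in base64.
XOR_BLOB = bytes(b ^ 0x5A for b in b"http://c2.example.invalid/gate.php")
B64_BLOB = base64.b64encode(b"cmd.exe /c whoami")

if __name__ == "__main__":
    for blob in (XOR_BLOB, B64_BLOB):
        print(recover(blob))
```

The friendliness score is a heuristic: on very short blobs several XOR keys can produce printable output, so treat the top candidate as a lead to confirm in the disassembly, not as proof.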


Example Malware

| Name | Hash | Link |
|------|------|------|
| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | virustotal |

Persistence

  • Once malware gains access to a system, it usually wants to survive reboots and stay there for a long time.
  • If the persistence mechanism is unique enough, it can even serve as a reliable way to identify a given piece of malware.


Example Malware

| Name | Hash | Link |
|------|------|------|
| Banker Trojan | cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | virustotal |

Privilege Escalation

  • Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
  • Common Techniques:
    • DLL Search Order Hijacking
    • DLL Injection
    • Exploiting a vulnerability
      • Buffer overflow
      • Stack overflow
      • Heap spray
      • Return Oriented Programming (ROP)
    • Credential Theft
    • UAC Bypasses

Example: DLL Search Order Hijacking

Defense Evasion

  • Evading detection or avoiding defenses.
  • Common Techniques:
    • Killing AV
    • Deleting itself after running
    • Timebombs/Timestomping
    • Stolen Certificates
    • DLL Side Loading
    • Masquerading
    • Process Hollowing
    • Code Injection

Example Malware

| Name | Hash | Link |
|------|------|------|
| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | virustotal |

Credential Theft

  • Going after password storage
  • Keylogging passwords
  • Screenshots

Example: Mimikatz credential theft

Example Malware

| Name | Hash | Link |
|------|------|------|
| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | virustotal |

Reconnaissance

  • Gain knowledge about the system and internal network.

Lateral Movement

  • Enable an adversary to access and control remote systems on a network and could

Example Malware

| Name | Hash | Link |
|------|------|------|
| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | virustotal |

Execution

  • Techniques that result in execution of adversary-controlled code on a local or remote system
  • scripts
  • post-exploitation

Collection

  • Identify and gather information, such as sensitive files, from a target network prior to exfiltration

Example Malware

| Name | Hash | Link |
|------|------|------|
| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | virustotal |

Exfiltration

  • Removing files and information

Command and Control

  • Communicate with systems under their control

Example Malware

| Name | Hash | Link |
|------|------|------|
| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | virustotal |

x86 Assembly <- Back | Next -> Section 3