aljaz/securedorg.github.io
1
0
Fork 0
mirror of https://github.com/aljazceru/securedorg.github.io.git synced 2025-12-21 16:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b863e8a0ac1d4b71ddd0bbb9c7c3f7b51aa61e79
securedorg.github.io/malware2.md
Amanda Rousseau a634e12d35 headspray
2017-03-27 14:08:42 -07:00

243 lines
7.1 KiB
Markdown
Raw Blame History

---
layout: default
permalink: /RE101/section2.1/
title: Malware Techniques
---
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
# Section 2.1: Malware Techniques #
The malware classes may exhibit one or more of the following techniques. [Mitre Att&ck](https://attack.mitre.org/wiki/Main_Page) framework provides a great reference for many of these techniques.
## Techniques Overview
* [Compression](#compression)
* [Obfuscation](#obfuscation)
* [Persistence](#persistence)
* [Privilege Escalation](#privilege-escalation)
* [Defense Evasion](#defense-evasion)
* [Credential Theft](#credential-theft)
* [Reconnaissance](#recon)
* [Lateral Movement](#lateral-movement)
* [Execution](#execution)
* [Collection](#collection)
* [Exfiltration](#exfiltration)
* [Command and Control](#command-and-control)
---
## Compression
* Combining the compressed data with decompression code into a single executable
* Runtime packers
* Self extractive archives
* List of packers
* [Themida](http://www.oreans.com/themida.php)
* [Armadillo](http://www.siliconrealms.com/armadillo.php)
* [ASPack](http://www.aspack.com/aspack.html)
* [ASPR (ASProtect)](http://www.aspack.com/asprotect32.html)
* [BoxedApp Packer](http://www.boxedapp.com/boxedapppacker)
* [CExe](http://www.scottlu.com/Content/CExe.html)
* [dotBundle](http://www.dotbundle.com)
* [Enigma Protector](http://www.enigmaprotector.com)
* [EXE Bundle](http://www.webtoolmaster.com/exebundle.htm)
* [EXE Stealth](http://www.webtoolmaster.com/exestealth.htm)
* [eXPressor](http://www.cgsoftlabs.ro/express.html)
* [FSG](http://xtreeme.prv.pl/)
* [kkrunchy](http://www.farbrausch.de/~fg/kkrunchy/)
* [MEW](https://web.archive.org/web/20070831063728/http://northfox.uw.hu/index.php?lang=eng&id=dev)
* [MPRESS](http://www.matcode.com/mpress.htm)
* [Obsidium](http://www.obsidium.de)
* [PESpin](http://pespin.w.interia.pl)
* [Petite](http://www.un4seen.com/petite)
* [RLPack Basic](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/RLPack-Basic-Edition.shtml)
* [Smart Packer Pro](http://www.smartpacker.nl)
* [Themida](http://www.oreans.com/themida.php)
* [UPX](https://upx.github.io/)
* [VMProtect](http://vmpsoft.com/products/vmprotect)
* [XComp/XPack](http://soft-lab.de/JoKo)
[Goto Top^](#techniques-overview)
---
## Obfuscation
* Deliberate act of creating obfuscated code that is difficult for humans to understand
* Plain text strings will appear as base64 or Xor
* Malicious behavior will include junk functions or routines that do nothing to throw off the reverser.
* Control-Flow Flattening
* String Encryption
![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | [virustotal](https://www.virustotal.com/en/file/f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051/analysis/) |
[Goto Top^](#techniques-overview)
---
## Persistence
* Once malware gains access to a system, it often looks to be there for a long time.
* If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
![alt text](https://securedorg.github.io/images/Persistence.png "Persistence")
Example: Dll Search Order Hijacking
![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| Banker Trojan| cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | [virustotal](https://www.virustotal.com/en/file/cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff/analysis/) |
[Goto Top^](#techniques-overview)
---
## Privilege Escalation
* Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
* Common Techniques:
* Dll Search Order Hijacking
* Dll injection
* Exploiting a vulnerability
* BufferOverflow
* StackOverflow
* Heapspray
* Return Orientated Programming (ROP)
* Credential Theft
* UAC Bypasses
[Goto Top^](#techniques-overview)
---
## Defense Evasion
* Evading detection or avoiding defenses.
* Common Techniques:
* Killing AV
* Deleting itself after a run
* Timebombs/Timestomping
* Stolen Certificates
* Dll Side Loading
* Masquerading
* Process Hallowing
* Code Injection
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | [virustotal](https://www.virustotal.com/en/file/1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee/analysis/) |
[Goto Top^](#techniques-overview)
---
## Credential Theft
* Going after password storage
* Keylogging passwords
* Screenshots
Example: Mimikatz
Credential theft
![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating")
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | [virustotal](https://www.virustotal.com/en/file/b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25/analysis/) |
[Goto Top^](#techniques-overview)
---
## Reconnaissance
* Gain knowledge about the system and internal network.
[Goto Top^](#techniques-overview)
---
## Lateral Movement
* Enable an adversary to access and control remote systems on a network and could
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | [virustotal](https://www.virustotal.com/en/file/c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb/analysis/) |
[Goto Top^](#techniques-overview)
---
## Execution
* Techniques that result in execution of adversary-controlled code on a local or remote system
* scripts
* post-exploitation
[Goto Top^](#techniques-overview)
---
## Collection
* Identify and gather information, such as sensitive files, from a target network prior to exfiltration
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | [virustotal](https://www.virustotal.com/en/file/5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa/analysis/) |
[Goto Top^](#techniques-overview)
---
## Exfiltration
* Removing files and information
[Goto Top^](#techniques-overview)
---
## Command and Control
* Communicate with systems under their control
### Example Malware
| Name | Hash | Link |
| --- | --- | --- |
| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | [virustotal](https://www.virustotal.com/en/file/02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76/analysis/) |
[Goto Top^](#techniques-overview)
[Malware Classes <- Back](https://securedorg.github.io/RE101/section2) | [Next -> Section 3](https://securedorg.github.io/RE101/section3)
Reference in New Issue View Git Blame Copy Permalink