securedorg.github.io/malware.md
Amanda Rousseau d30d5db46d fixing tables
2017-03-20 14:41:44 -07:00


layout: default
permalink: /RE101/section2/
title: Malware Techniques

Go Back to Reverse Engineering Malware 101

Section 2: Malware Techniques

Typical Attack Flow

Perimeter Recon -> Infiltrate -> Internal Recon -> Entrench -> Exfiltrate -> Purge

Techniques Overview


Compression



Obfuscation

  • Deliberately writing code so that it is difficult for humans to understand
  • Plain-text strings are stored base64-encoded or XOR-encrypted rather than in the clear
  • Malicious code is padded with junk functions or routines that do nothing, to throw off the reverser.
    • Control-Flow Flattening
    • String Encryption
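The two string-hiding tricks named above (base64 and single-byte XOR) are what an analyst most often has to undo first. The script below is an added example, not code from the course page: it scans a blob for base64 tokens that decode to printable text and brute-forces every single-byte XOR key, keeping only decoded runs that contain an indicator such as `http` or `.exe`. The blob, the key `0x5A`, the `INDICATORS` list and the `example.invalid` URL are all constructed for the demonstration.

```python
"""Added example: hunting for obfuscated strings (base64 / single-byte XOR) in a blob."""
from __future__ import annotations

import base64
import re
import string

# --- Constructed sample ---------------------------------------------------
# A made-up "binary" blob in which two strings were obfuscated the way the
# section describes: one base64-encoded, one XOR-encrypted with the single
# byte key 0x5A. example.invalid is a reserved name, not a real server.
_XOR_KEY = 0x5A
_SECRET = b"http://example.invalid/gate.php\x00"       # NUL terminator is encrypted too
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                      # fake PE header bytes
    + base64.b64encode(b"cmd.exe /c whoami")           # base64-encoded string
    + b"\xff\xfe\xfd"                                  # binary filler
    + bytes(c ^ _XOR_KEY for c in _SECRET)             # XOR-encrypted string
    + b"\xff\xfe\xfd"
)

PRINTABLE = set(string.printable.encode())
# Substrings an analyst expects in real decoded strings; they cut down the
# false positives that a 255-key brute force always produces (assumed list).
INDICATORS = (b"http", b".exe", b".dll", b"cmd", b"powershell")


def find_base64_strings(blob: bytes, min_len: int = 16) -> list[str]:
    """Return base64-looking tokens that decode cleanly to printable text."""
    hits = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, blob):
        token = m.group(0)
        if len(token) % 4:              # well-formed base64 is a multiple of 4
            continue
        try:
            dec = base64.b64decode(token, validate=True)
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        if dec and all(b in PRINTABLE for b in dec):
            hits.append(dec.decode("ascii"))
    return hits


def find_xor_strings(blob: bytes, min_len: int = 12) -> list[tuple[int, str]]:
    """Try every single-byte XOR key; keep printable runs holding an indicator.
    Returns (key, decoded_string) pairs. Expect some noise: many keys turn
    already-printable data into other printable data."""
    hits = []
    for key in range(1, 256):
        dec = bytes(b ^ key for b in blob)
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dec):
            run = m.group(0)
            if any(ind in run for ind in INDICATORS):
                hits.append((key, run.decode("ascii")))
    return hits


def extract_obfuscated_strings(blob: bytes) -> dict:
    """Run both decoders and return their findings keyed by technique."""
    return {"base64": find_base64_strings(blob), "xor": find_xor_strings(blob)}


if __name__ == "__main__":
    for technique, found in extract_obfuscated_strings(SAMPLE_BLOB).items():
        print(technique, found)
```

Because the encrypted NUL terminator decodes back to a NUL, the XOR run stops exactly at the end of the real string; encrypted strings that lack a terminator will come out with a byte or two of neighbouring data attached, which is the usual reason analysts filter on indicator substrings rather than on printability alone.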



Persistence

  • Once malware gains access to a system, it often wants to stay resident there for a long time.
  • If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.
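A first place to look for persistence is the Run key. The script below is an added example (not the course's own code) that parses an exported `.reg` text of a Run key and flags entries launched through a script host, living in a user-writable directory, or carrying a Windows system binary's name outside `\Windows\`. The export, the user name, the paths and the `SCRIPT_HOSTS` / `SYSTEM_NAMES` / `USER_WRITABLE` lists are constructed assumptions for the demonstration.

```python
"""Added example: reviewing exported Run-key entries for suspicious persistence."""
import re

# Constructed .reg export of one user's Run key (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Public\\Libraries\\svchost.exe"
"Helper"="wscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\x.vbs"
"Steam"="\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"
'''

# "Name"="Value" lines; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed watch-lists; tune them for your environment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_values(text):
    """Yield (key_path, value_name, value_data) for every string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def program_path(command):
    """Extract the program from a command line: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(command):
    """Return the heuristic reasons (possibly none) an autorun command looks off."""
    path = program_path(command)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if base in SCRIPT_HOSTS:
        reasons.append("script_or_lolbin_host")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user_writable_location")
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("system_binary_name_outside_windows")
    return reasons


def review_run_entries(text):
    """Map value name -> reasons for every flagged entry under a ...\\Run key."""
    findings = {}
    for key, name, command in parse_reg_values(text):
        if not key.lower().endswith("\\run"):
            continue
        reasons = suspicious_reasons(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_run_entries(SAMPLE_REG).items():
        print(name, reasons)
```

Real `.reg` exports are UTF-16 with a BOM, so read them with `encoding="utf-16"` before passing the text in. The heuristics are deliberately simple: an entry under `AppData` (like the OneDrive one) is not flagged, and RunOnce, services and scheduled tasks are other places the same review belongs.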



Privilege Escalation

  • Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
  • Common Techniques:
    • DLL Search Order Hijacking
    • DLL Injection
    • Exploiting a vulnerability
      • Buffer Overflow
      • Stack Overflow
      • Heap Spray
      • Return Oriented Programming (ROP)
    • Credential Theft
    • UAC Bypasses

Example: DLL Search Order Hijacking
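Search order hijacking works because the application's own directory is searched before the system directory for any DLL that is not on the KnownDLLs list. The check below is an added example, not code from the course page: given an executable, the DLL names it imports and the system directory, it reports every import for which a same-named file sits next to the executable and also exists in the system directory, i.e. a planted copy that would win the search. The temporary directory layout, file contents and the hard-coded `KNOWN_DLLS` subset are constructed for the demonstration; on a real host the import list would come from the PE import table and the KnownDLLs list from `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs`.

```python
"""Added example: flagging DLL search-order hijack candidates for an application."""
import tempfile
from pathlib import Path

# DLLs Windows maps from the KnownDLLs section objects instead of searching
# directories, so a same-named file beside the EXE does not replace them.
# This is a hard-coded subset for the example, not the live registry list.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def hijack_candidates(exe_path, imports, system_dir):
    """Return one finding per imported DLL that is not a KnownDLL, exists in the
    EXE's own directory, and also exists in the system directory (so the copy
    beside the EXE shadows the legitimate one)."""
    exe_path, system_dir = Path(exe_path), Path(system_dir)
    app_dir = exe_path.parent
    findings = []
    for dll in imports:
        name = dll.lower()
        if name in KNOWN_DLLS:
            continue
        local, system = app_dir / name, system_dir / name
        if local.is_file() and system.is_file():
            findings.append({
                "dll": name,
                "loaded_from": str(local),
                "legitimate": str(system),
                # a size mismatch is a cheap hint that the local file is not a copy
                "same_size": local.stat().st_size == system.stat().st_size,
            })
    return findings


def demo():
    """Build a throwaway (constructed) directory layout and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "System32"
        app_dir = root / "Program Files" / "App"
        system_dir.mkdir()
        app_dir.mkdir(parents=True)
        exe = app_dir / "app.exe"
        exe.write_bytes(b"MZ")
        # legitimate copies in the system directory
        for n in ("version.dll", "dwmapi.dll", "kernel32.dll"):
            (system_dir / n).write_bytes(b"MZ legitimate " + n.encode())
        # files beside the EXE: one shadows a real system DLL (hijack),
        # one shadows a KnownDLL (no effect), one is an app-private DLL (benign)
        (app_dir / "version.dll").write_bytes(b"MZ planted")
        (app_dir / "kernel32.dll").write_bytes(b"MZ planted")
        (app_dir / "applib.dll").write_bytes(b"MZ private")
        imports = ["kernel32.dll", "version.dll", "dwmapi.dll", "applib.dll"]
        return hijack_candidates(exe, imports, system_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check covers the plain case only: it does not model SafeDllSearchMode, application manifests, delay-loaded imports or the current working directory, each of which shifts the search order. It is a triage aid for "why is there a `version.dll` next to this binary?", not a full loader emulation.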


Defense Evasion

  • Evading detection or avoiding defenses.
  • Common Techniques:
    • Killing AV
    • Deleting itself after a run
    • Timebombs/Timestomping
    • Stolen Certificates
    • DLL Side Loading
    • Masquerading
    • Process Hollowing
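Timestomping is one of the evasions above that leaves a forensic trace. NTFS keeps two timestamp sets per file: the `$STANDARD_INFORMATION` set that user-mode APIs such as `SetFileTime` can rewrite, and the `$FILE_NAME` set that only the kernel updates. The script below is an added example, not code from the course page: it applies two common heuristics to parsed MFT timestamps (a `$SI` creation time earlier than the `$FN` creation time, and `$SI` timestamps whose sub-second part is exactly zero, which tools that write whole seconds leave behind). The records, paths and timestamps are constructed; a real run would take them from an MFT parser.

```python
"""Added example: timestomping heuristics over NTFS-style timestamp records."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class MftTimestamps:
    """Timestamps an MFT parser would return for one file: the user-writable
    $STANDARD_INFORMATION set and the kernel-maintained $FILE_NAME set."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec):
    """Return the list of heuristics (possibly empty) that fire for one record."""
    reasons = []
    # 1. SetFileTime() only touches $STANDARD_INFORMATION, so a $SI creation
    #    time earlier than the $FN creation time means $SI was backdated.
    if rec.si_created < rec.fn_created:
        reasons.append("si_created_before_fn_created")
    # 2. NTFS records 100 ns precision; tools that stomp with whole-second
    #    values leave the sub-second part of the $SI timestamps at zero.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("si_subsecond_zeroed")
    return reasons


def scan_for_timestomping(records):
    """Map path -> reasons for every record that triggers at least one heuristic."""
    flagged = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


def _ts(s):
    """Parse an ISO-8601 string as UTC (helper for the constructed sample)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records (not from a real image).
SAMPLE_RECORDS = [
    # untouched system binary: $SI and $FN agree, sub-second part present
    MftTimestamps("C:\\Windows\\System32\\calc.exe",
                  _ts("2016-07-16T11:18:27.193712"), _ts("2016-07-16T11:18:27.193712"),
                  _ts("2016-07-16T11:18:27.193712"), _ts("2016-07-16T11:18:27.193712")),
    # dropped file whose $SI was backdated to a round 2009 time; $FN still
    # carries the real creation time set by the kernel
    MftTimestamps("C:\\Users\\Public\\svchost.exe",
                  _ts("2009-07-14T01:14:05"), _ts("2009-07-14T01:14:05"),
                  _ts("2017-03-20T21:41:44.538102"), _ts("2017-03-20T21:41:44.538102")),
    # ordinary document edited after creation
    MftTimestamps("C:\\Users\\Public\\report.docx",
                  _ts("2017-03-01T09:02:11.004210"), _ts("2017-03-19T17:30:00.118843"),
                  _ts("2017-03-01T09:02:11.004210"), _ts("2017-03-01T09:02:11.004210")),
]

if __name__ == "__main__":
    for path, reasons in scan_for_timestomping(SAMPLE_RECORDS).items():
        print(path, reasons)
```

Neither heuristic is proof on its own: files restored from backup or copied by some installers can show odd `$SI` values, so a hit is a lead to correlate with `$FN`, the USN journal and the drop time of the surrounding files, not a verdict.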

Credential Theft

  • Going after password storage
  • Keylogging passwords
  • Screenshots

Example: Mimikatz credential theft


Reconnaissance

  • Gain knowledge about the system and internal network.

Lateral Movement

  • Enable an adversary to access and control remote systems on a network and could

Execution

  • Techniques that result in execution of adversary-controlled code on a local or remote system
  • Scripts
  • Post-exploitation

Collection

  • Identify and gather information, such as sensitive files, from a target network prior to exfiltration

Exfiltration

  • Removing files and information

Command and Control

  • Techniques an adversary uses to communicate with systems under their control
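Most command-and-control channels reveal themselves by regularity: the implant checks in on a fixed timer with a little jitter. The script below is an added example (not the course's own code) of that detection over a flow log: it groups connections by source, destination and port, computes the gaps between successive connections, and reports flows whose gaps have a low coefficient of variation. The log lines, hosts (documentation address ranges), thresholds `min_conns` and `max_cv` and the line format are constructed for the demonstration.

```python
"""Added example: spotting beacon-like periodic connections in a flow log."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow log (not real traffic; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). 10.0.0.5 contacts 203.0.113.7 about every 60 s;
# its browsing to 198.51.100.20 is irregular.
SAMPLE_LOG = """\
2017-03-20T14:00:00Z 10.0.0.5 -> 203.0.113.7:443 bytes=412
2017-03-20T14:00:07Z 10.0.0.5 -> 198.51.100.20:80 bytes=15000
2017-03-20T14:01:01Z 10.0.0.5 -> 203.0.113.7:443 bytes=410
2017-03-20T14:01:45Z 10.0.0.5 -> 198.51.100.20:80 bytes=2300
2017-03-20T14:02:00Z 10.0.0.5 -> 203.0.113.7:443 bytes=415
2017-03-20T14:02:59Z 10.0.0.5 -> 203.0.113.7:443 bytes=411
2017-03-20T14:03:30Z 10.0.0.5 -> 198.51.100.20:80 bytes=980
2017-03-20T14:04:01Z 10.0.0.5 -> 203.0.113.7:443 bytes=409
2017-03-20T14:05:00Z 10.0.0.5 -> 203.0.113.7:443 bytes=413
2017-03-20T14:09:12Z 10.0.0.5 -> 198.51.100.20:80 bytes=77000
"""

# Assumed line format: "<iso-time>Z <src> -> <dst>:<port> bytes=<n>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")


def parse_log(text):
    """Group connection timestamps by (src, dst, port); unparsable lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows


def beacon_candidates(flows, min_conns=5, max_cv=0.2):
    """Flag flows with at least min_conns connections whose inter-arrival gaps
    have a coefficient of variation (stdev / mean) no higher than max_cv."""
    out = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append({
                "src": src, "dst": dst, "port": port,
                "period_s": round(mean, 1),
                "jitter_cv": round(cv, 3),
                "connections": len(times),
            })
    return out


def analyze(text):
    """Parse a log and return the beacon candidates found in it."""
    return beacon_candidates(parse_log(text))


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

Legitimate software also polls on timers (update checks, mail clients), so the output is a ranking to review against destination reputation and payload size rather than an alert by itself; implants with large jitter or long sleeps need a longer observation window than the ten minutes shown here.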

x86 Assembly <- Back | Next -> Section 3