securedorg.github.io/malware.md

layout, permalink, title

layout	permalink	title
default	/RE101/section2/	Malware Techniques

Go Back to Reverse Engineering Malware 101

Section 2: Malware Techniques

Typical Attack Flow

Perimeter Recon	Infiltrate	Internal Recon	Entrench	Exfiltrate	Purge

Techniques Overview

• Compression
• Obfuscation
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Theft
• Reconnaissance
• Lateral Movement
• Execution
• Collection
• Exfiltration
• Command and Control

---

Compression

• Combining the compressed data with decompression code into a single executable
• Runtime packers
• Self extractive archives
• List of packers
  • Themida
  • Armadillo
  • ASPack
  • ASPR (ASProtect)
  • BoxedApp Packer
  • CExe
  • dotBundle
  • Enigma Protector
  • EXE Bundle
  • EXE Stealth
  • eXPressor
  • FSG
  • kkrunchy
  • MEW
  • MPRESS
  • Obsidium
  • PESpin
  • Petite
  • RLPack Basic
  • Smart Packer Pro
  • Themida
  • UPX
  • VMProtect
  • XComp/XPack

Goto Top^

---

Obfuscation

• Deliberate act of creating obfuscated code that is difficult for humans to understand
• Plain text strings will appear as base64 or Xor
• Malicious behavior will include junk functions or routines that do nothing to throw off the reverser.
  • Control-Flow Flattening
  • String Encryption

Example Malware

Name	Hash	Link
EXTRAC32.EXE	f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051	virustotal

Goto Top^

---

Persistence

• Once malware gains access to a system, it often looks to be there for a long time.
• If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.

Example Malware

Name	Hash	Link
Banker Trojan	cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff	virustotal

Goto Top^

---

Privilege Escalation

• Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
• Common Techniques:
  • Dll Search Order Hijacking
  • Dll injection
  • Exploiting a vulnerability
    • BufferOverflow
    • StackOverflow
    • Headspray
    • Return Orientated Programming (ROP)
  • Credential Theft
  • UAC Bypasses

Example: Dll Search Order Hijacking

Goto Top^

---

Defense Evasion

• Evading detection or avoiding defenses.
• Common Techniques:
  • Killing AV
  • Deleting itself after a run
  • Timebombs/Timestomping
  • Stolen Certificates
  • Dll Side Loading
  • Masquerading
  • Process Hallowing

Example Malware

Name	Hash	Link
mimikatz	b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25	virustotal

Goto Top^

---

Credential Theft

• Going after password storage
• Keylogging passwords
• Screenshots

Example: Mimikatz Credential theft

Example Malware

Name	Hash	Link
mimikatz	b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25	virustotal

Goto Top^

---

Reconnaissance

• Gain knowledge about the system and internal network.

Goto Top^

---

Lateral Movement

• Enable an adversary to access and control remote systems on a network and could

Goto Top^

---

Execution

• Techniques that result in execution of adversary-controlled code on a local or remote system
• scripts
• post-exploitation

Goto Top^

---

Collection

• Identify and gather information, such as sensitive files, from a target network prior to exfiltration

Goto Top^

---

Exfiltration

• Removing files and information

Goto Top^

---

Command and Control

• Communicate with systems under their control

Goto Top^

x86 Assembly <- Back | Next -> Section 3