Practical Malware Analysis Notes

Interesting Things

  • In the stack, local variables sit below EBP (accessed at negative offsets), while function parameters sit above it (positive offsets)
  • Check the PE header for a mismatch between a section's "VirtualSize" and "SizeOfRawData"
  • In x86, the rep prefix repeats a string instruction (operating on EDI and ESI, which both advance at each step) until ECX reaches 0
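The VirtualSize / SizeOfRawData check above, as an added example (not from the book or these notes): a small PE section-table parser that flags executable sections which are tiny on disk but large in memory, while leaving alone data sections that are legitimately mostly uninitialised. The sample image, section names and size values are constructed here for illustration.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def section_sizes(pe: bytes):
    """Return (name, VirtualSize, SizeOfRawData, Characteristics) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                         # first section header
    out = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, f[1], f[3], f[9]))
    return out

def suspicious_sections(pe: bytes, slack=0x1000):
    """Flag executable sections whose in-memory size exceeds their on-disk size
    by more than a page of alignment slack: a packer typically unpacks into such
    a section. Non-executable sections (e.g. .data with a large .bss part) are
    legitimately like this and are not reported."""
    return [(n, vs, rs) for n, vs, rs, ch in section_sizes(pe)
            if ch & IMAGE_SCN_MEM_EXECUTE and vs > rs + slack]

def build_sample_pe(sections):
    """Constructed, non-runnable PE image carrying only the headers we parse.
    sections: list of (name, VirtualSize, SizeOfRawData, Characteristics)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(
        struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, 0x1000 * (i + 1), rs,
                    0, 0, 0, 0, 0, ch)
        for i, (n, vs, rs, ch) in enumerate(sections))
    return dos + b"PE\0\0" + coff + optional + table

SAMPLE = build_sample_pe([
    (b".text", 0x1000, 0x1000, 0x60000020),   # ordinary code section
    (b".data", 0x3000, 0x200, 0xC0000040),    # mostly uninitialised data: fine
    (b"UPX0", 0x20000, 0, 0xE0000080),        # empty on disk, huge in memory
])
```

Running suspicious_sections(SAMPLE) reports only the constructed UPX0 section; to use it on a real sample, pass the bytes of the file instead of SAMPLE.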

Basic Static

The main checklist of things to do:

  1. Hash the sample and check whether the hashes match anything already known
  2. Multi-vendor AV scan (VirusTotal)
  3. Check strings, both UNICODE and ASCII
  4. Check dependencies: DLLs, imports, exports [Dependency Walker]
  5. Check PE header
  6. Check Resources [ResourceHacker]

Basic Dynamic

First get a VM and secure it, then run the program (if it is a DLL, use rundll32.exe)

  1. Use Sandbox and get reports
  2. Monitors [Procmon, Filemon, Regmon]
  3. Identify what is what: look for process replacement and check whether documents launch processes [Process Explorer]
  4. Check dependencies (again) [Dependency Walker]
  5. Check Registry [RegShot]
  6. Network basics [ApateDNS, NetCat, WireShark, INetSim]