Karten 18 Karten
Lernende 1 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 19.06.2019 / 01.07.2021
Lizenzierung Keine Angabe
0 Exakte Antworten 18 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen

Why does the manual malware analysis not scale well, what can be doen?

Malware analysis can be very time consuming and expensive. Shortage of skilled analysts and an abundant number of malware samples does not scale well


Solution: Analysis automation

AV vendors and threat intelligence companies automatically process and analyze feeds of 100'000s of malware samples per day to generate, better av signatures IOCs or threat intelligence.

Fenster schliessen

What are malware sandboxes and what are they used for?

Malware sandboxes automate malware (binaries, documents, URLs) analysis, and typically allow to quickly:

  • Determin whether a sampe is malicious
  • Determine IOCs
  • Determine the malware family (in some cases), e.g. based on correlation of IOCs or using Yara rules

Malsware sandboxes are dynamic analysis systems:

  • Samples submitted to a sandox are executed for a couple of minutes
  • Then an analysis report is presented to the user.
  • Analysis reports can often be read by less skillec analysts for triage purposes
Fenster schliessen

How can dynamic analysis techniques be defeated by malware (Anti analysis)

  • Detection of the instruments being used
    • Detection of debuggers, or prevent attaching debuggers
  • Detecting virtual machines
    • Malware sleeps for a couple of minutes to defeat sandboxes
    • Malware tries to figure out whether it is on a real machine or running in a Sandbox:
      • No user interaction
      • Small memory of analysis machine
      • Only one CPU
      • etc...
  • Once an analysis environmment is detected, malware will exit, or show non-malicious behavior
Fenster schliessen

what is the differnce of PE files on disk vs. in memory, and what are the implications of that?

In general it is impossible to recontruct the original PE file from memory since some modifications cannot be undone:

  • IAT
  • Relocations
  • Some pages may be missing from memory

Don't expect the recovered PE files to be runnable

Recovered PE files are sufficent for analysis with IDA Pro or to upload to Virustotal.

Malware sometimes modifies /destructs the PE header in memory to make reconstruction hard/impossible

PE files in memory contains more information than PE files on disk:

  • DLLs used by PE file
  • Dynamic data such as heap and stack
Fenster schliessen

What is packing and why is it done by malware?

Lizenzierung: Keine Angabe

Packing is an ovfuscation technique used by malware, with two goals:

  • Evading AV signatures
  • Prevent or slow down static analysis
Fenster schliessen

How can you unpack malware?

To unpack malware it is often sufficient to dump memory of the unpacked process, recieving memory injections.

Fenster schliessen

What volatility commands can be used for memory extraction?

PE rebuild

  • prcdump
  • dlldump


  • vaddump
  • memdump
  • malfind ... ./dumps-malfind

General limitation: Memory that is paged out cannot be dumped, which can result in corruption when dumping PE files

Fenster schliessen

What can virustotal be used for?


we can upload dll and executables that we extracted with dlldump and procdump to malfind for automatic analysis.