Perhaps the malware generates a random filename on each device it infects, a potential use case could be to investigate how these names are generated. From the initial dynamic analysis, there may be some behavior that the malware is exhibiting that you want to investigate further. Unpacking malware is a great skill to have in your arsenal however once the binary is unpacked where do we start with our analysis? First of all, you don’t want to analyze every line of code from start to finish, it’s simply too time-consuming. The good news is that a common use case for 圆4dbg is being able to manually unpack malware, the unpacked file can then be reloaded into 圆4dbg and the actual analysis of the malware can begin! Packed malware is essentially ‘wrapped’ with a layer of code, this additional layer hides the code the malware author has written and it’s this obfuscation technique that is known as malware ‘packing’. Malware is often packed so that the code written by the malware author is obfuscated, the bad guys have taken time to write some malicious code and don’t want it to be an easy task for somebody to take a quick look at the malware and in a short space of time identify what it does and how to stop it. Another issue is that if I haven’t performed some basic analysis I might be stepping through packed code and won’t actually get to analyze anything of interest. Without performing this initial gathering of evidence I would be reluctant to open the malware in 圆4dbg and start blindly stepping through assembly code.
I can also get a rough idea of what the malware author’s goals may be in writing a malicious program, perhaps it’s financially motivated such as Ransomware, alternatively, it could be a RAT (Remote Access Trojan) that provides the bad guys with backdoor access to a network. From this, I can determine some key indicators of compromise (IOC’s) such as network traffic, files written to disk, and persistence mechanisms. This initial triage gives me an understanding of what the malware does when it compromises a device. When I use a tool such as 圆4dbg to reverse engineer malware I first make sure I have done some behavioral analysis of the binary first using some freely available tools.
Reloading unwrapped malware into 圆4dbg.In this series, we’ll cover these 圆4dbg use cases: This article will serve as an 圆4dbg tutorial in which I will cover the methodology I use when reverse engineering malware and demonstrate how to use the tool to unpack a malware sample. In a previous blog post, I explained what 圆4dbg is and also broke down some of the features of the tool and why they are useful for malware analysis.
0 kommentar(er)
