Quick Malware Triage

By TJ Nelson, Sat 08 July 2017, modified Sat 08 July 2017, in category Malware

malware, triage

The Methodology

If you are in any I.T. security position you will inevitably encounter malware, sweet... sweet... malware. Most of the time it is not necessary to do a deep-dive analysis or reverse engineering to get actionable information. Typically, you can get most of the necessary information from a quick triage session. In most cases you will want to identify the malware type and its functionality. Below we will go over quick triage tasks to get this information, leveraging open source resources.

Start easy: scan with anti-virus software

This may seem obvious, but the first thing you should do when looking at a sample is scan it with anti-virus software. This gives you an idea of how rare the sample is: if anti-virus detects it, your sample is probably common. Knowing how common a sample is can greatly change the way you look at the malware.

Scan the malware with two different anti-virus clients and see if they detect the sample. If one or both clients detect it, you will usually see a malware type or family name the sample is associated with. Below are example family names you might see:

* Trojan.Zbot
* Backdoor:W32/Pushbot.gen!A
* Trojan-Downloader:W32/Mebroot.gen!B
* Trojan:W32/Daonol.gen!C
* VBS:Agent-BRE

You can take this family name or malware type and search for it online, which will usually turn up additional information. Start with the anti-virus vendor's site, then Google it to see what else comes up.

Get the skinny: capture basic static data

You will want to collect some baseline information about the sample to help you identify its type and possible functionality.

Get the static info

Calculate file checksum

File checksums (also called hashes) are like fingerprints for files; they are mostly used for file verification and integrity checks. Every bit (literally, the 1's and 0's) of a file is fed into an algorithm (a hash function) to produce the checksum. Checksums come in many flavors, but MD5, SHA1 and SHA256 are the most common. Many tools are available online to calculate a checksum for a specific file. These are examples of checksums:

* a2f019aa45f59786bd2676bcd726dfa0 (MD5)
* b5acd6d87789e129fdc08a63014a98e4d8a8c36f (SHA1)
* 19442752400b14225610858b2c18aef563dab03b0fd493f14955fbf1119cb900 (SHA256)

All of these checksums were calculated from the same file. Because the same data is entered into different hash functions you end up with different values.

Look at the plaintext strings

Malware samples often contain plain-text strings embedded in their data sections, holding values the sample uses at runtime. In these you can typically find things like:

* URLs
* IP addresses
* Filenames
* Email addresses
* Commands
* Window dialogs

Using the Linux command strings -a <filename> you can output the strings of a file. On Windows you can use a variety of tools to view strings, such as BinText or PEStudio. Use the string values you find to gain context about the malware sample.
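As an added example (not code from the original post), here is a small Python script that does both static steps above in one pass: it computes the MD5, SHA1 and SHA256 of the same bytes, and it pulls out printable ASCII and UTF-16LE strings the way strings -a (and the Windows tools, which also show wide strings) would, then sorts them into the indicator classes listed above. The SAMPLE bytes, the indicator values in them (example.com, a documentation-range IP) and the regex categories are constructed for illustration and are not taken from any real sample.

```python
import hashlib
import re
import sys

# Minimum run length, matching the default of the `strings` command
MIN_LEN = 4

# Constructed stand-in for a sample file: a PE-like header, the usual DOS stub
# string, and a handful of embedded indicators (all fictional: example.com and
# documentation-range addresses). This is not a real malware sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\x00\x00"
    + b"http://example.com/gate/update.php\x00\x00"
    + b"198.51.100.7\x00\x00"
    + b"admin@example.com\x00\x00"
    + b"C:\\Windows\\Temp\\svchost.exe\x00\x00"
    + b"update.dll\x00\x00"
    + b"\x8b\xff\x55\x8b\xec"                           # opaque code bytes
    + "cmd.exe /c del update.dll".encode("utf-16-le")  # wide (UTF-16LE) string
    + b"\x00\x00"
)


def file_checksums(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the same bytes: three fingerprints, one file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs (what `strings -a` prints) plus UTF-16LE runs
    (what `strings -e l` or the Windows tools add), in file order."""
    ascii_runs = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_runs = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_runs.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_runs.finditer(data)]
    return [s for _, s in sorted(found)]


# Indicator classes from the list above, checked in this order; first match wins
PATTERNS = [
    ("url", re.compile(r"\b(?:https?|ftp)://\S+", re.I)),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("command", re.compile(r"^(?:cmd|powershell|reg|sc|net|schtasks)(?:\.exe)?\s", re.I)),
    ("path", re.compile(r"(?:[A-Za-z]:\\|\\\\|/|%\w+%)\S+")),
    ("filename", re.compile(r"\b[\w-]+\.(?:exe|dll|bat|vbs|js|ps1|scr|sys|dat|tmp)\b", re.I)),
]


def classify(s: str) -> str:
    """Label one extracted string with the first indicator class it matches."""
    for label, pattern in PATTERNS:
        if pattern.search(s):
            return label
    return "other"


def triage(data: bytes) -> dict:
    """Baseline static info: checksums plus strings grouped by indicator class."""
    grouped = {}
    for s in extract_strings(data):
        grouped.setdefault(classify(s), []).append(s)
    return {"checksums": file_checksums(data), "strings": grouped}


if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    for algo, digest in report["checksums"].items():
        print(f"{algo:7} {digest}")
    for label, items in report["strings"].items():
        print(f"[{label}]")
        for s in items:
            print(f"    {s}")
```

Run it against a file and the grouped output gives you the same at-a-glance context the post describes: which hosts the sample talks to, which files it drops, and which commands it runs. The category regexes are deliberately loose, so treat the labels as hints to follow up on, not as verdicts.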

Scan with Yara

Yara is a tool used to help classify malware samples. With YARA you can create descriptions (signatures) of malware families (or whatever else you want to describe) based on textual or binary patterns. The great thing is that many signatures have already been created that you can use. One good source of these signature sets (called Yara rules) is https://github.com/Yara-Rules/rules. Running the tool with a ruleset against your malware sample will help you identify the family and type.

Ask the community: search for OSINT

Search MD5/SHA1/SHA256

You can take the checksum of the sample and do simple Google searches to see if it turns up anywhere. With common samples you will find a ton of links with information about the sample you are analyzing, which can include but is not limited to:

* Sandbox executions (links to Malwr, Hybrid Analysis and other online malware analyzers; see the Run it! section)
* Reputation information from VirusTotal, Threat Expert and other sites
* Blog posts about the sample
* References in forums and mailing lists

Take a look at these sources, but remember that not all information is created equal; depending on the source, the information you get might be wrong or slightly off.

Upload to Virustotal

If you don't get a lot of information back from searching the checksums, you could also upload the sample to VirusTotal (www.virustotal.com) to check it against a large set of anti-virus products. This often gives you an idea of the type of malware you are dealing with. In addition to the anti-virus output, you get static analysis information at your disposal.

Run it!: Submit to a Sandbox

Lastly, one of my favorite tools in the toolbox for malware analysis is the sandbox. Running the sample in a safe and isolated environment to observe its behavior is the best way to figure out how it works, although there can be many challenges to getting a sample to run correctly in a sandbox (ironically enough). When it does run, the information you get is extremely helpful. Below are some of the online sandbox tools that are free to use for analysis.

DISCLAIMER: I should warn you that once you upload a sample to a public sandbox, it is effectively in the public domain: external parties can see the file you uploaded, which could be bad if the sample contains personal or company information. Caution should always be exercised when uploading anything malicious to the internet.

Malwr

Malwr (www.malwr.com) is a free service from the people who developed Cuckoo, an open source sandboxing tool (it runs on Cuckoo). It also has an option to do private analysis, so the sample is not shared.

Hybrid Analysis

Hybrid Analysis (www.hybrid-analysis.com) is another option for free online sandbox analysis.

Others

There are other sandboxes available online that offer a variety of features and platform support; https://zeltser.com/automated-malware-analysis/ has a good list of places to check out. You can also run your own locally (Cuckoo), which offers the most privacy in regards to your data.

Send the PCAPs back through

Sandbox tools often provide output like dropped files, memory dumps and PCAPs. You can run the PCAPs you get from sandboxing through an IDS such as Snort or Suricata to see what alerts fire. Sometimes you will get alerts that help identify the malware family of the sample. An example of this would look like:

* ETPRO TROJAN Win32/Gamarue.C Checkin 4 (A Network Trojan was Detected) [2806085]
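As an added example (not part of the original post), here is a Python parser for the fast.log output Snort and Suricata produce when you replay a PCAP through them: it pulls the sid, message, classification and priority out of each alert, skips lines it cannot parse, and reduces an Emerging Threats style message to a family hint ("Win32/Gamarue.C" becomes "Gamarue"). The log lines are constructed: the Gamarue message and sid 2806085 are the ones quoted above, the LOCAL POLICY rule is fictional, the addresses are documentation ranges, and the single-line fast.log layout is the assumed format.

```python
import re
import sys

# Constructed fast.log lines (not real traffic). The first and third carry the
# ETPRO Gamarue alert quoted in the post (sid 2806085); the second is a
# fictional local rule; the fourth is a truncated line the parser must skip.
FAST_LOG = """\
07/08/2017-10:15:42.123456  [**] [1:2806085:4] ETPRO TROJAN Win32/Gamarue.C Checkin 4 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.2.15:49211 -> 203.0.113.45:80
07/08/2017-10:15:43.001122  [**] [1:1000001:1] LOCAL POLICY Outbound HTTP to untrusted host [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.2.15:49212 -> 203.0.113.45:80
07/08/2017-10:15:44.555555  [**] [1:2806085:4] ETPRO TROJAN Win32/Gamarue.C Checkin 4 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.2.15:49213 -> 203.0.113.45:80
07/08/2017-10:15:45.000000  [**] [1:2806085:4] ETPRO TROJAN Win32/Gamarue.C Checkin 4 [**]
"""

# One fast.log alert: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, src -> dst
ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s+(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Emerging Threats message prefixes that are followed by a malware family name
FAMILY = re.compile(r"^ET(?:PRO)?\s+(?:TROJAN|MALWARE|MOBILE_MALWARE)\s+(\S+)", re.I)


def parse_fast_log(text: str) -> list:
    """Parse fast.log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def family_hint(msg: str):
    """'ETPRO TROJAN Win32/Gamarue.C Checkin 4' -> 'Gamarue': drop the platform
    prefix (Win32/) and the variant suffix (.C). None if no family is named."""
    m = FAMILY.match(msg)
    if not m:
        return None
    token = m.group(1).split("/")[-1]
    return token.split(".")[0]


def summarize(text: str) -> list:
    """One row per signature (sid): message, priority, hit count, family hint
    and the destination hosts seen, ordered by priority (1 = most severe)
    and then by hit count."""
    rows = {}
    for a in parse_fast_log(text):
        row = rows.setdefault(a["sid"], {
            "sid": a["sid"], "msg": a["msg"], "classification": a["cls"],
            "priority": int(a["prio"]), "hits": 0, "destinations": set(),
            "family": family_hint(a["msg"]),
        })
        row["hits"] += 1
        row["destinations"].add(a["dst"].rsplit(":", 1)[0])  # strip the port
    for row in rows.values():
        row["destinations"] = sorted(row["destinations"])
    return sorted(rows.values(), key=lambda r: (r["priority"], -r["hits"]))


if __name__ == "__main__":
    # Usage: python ids_summary.py fast.log   (falls back to the built-in lines)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FAST_LOG
    for row in summarize(text):
        print(f"prio {row['priority']}  sid {row['sid']}  x{row['hits']}  "
              f"family={row['family']}  -> {', '.join(row['destinations'])}")
        print(f"    {row['msg']}  ({row['classification']})")
```

Sorting by priority puts the family-naming trojan alert at the top even when noisier low-priority rules fire more often, and the per-sid destination list gives you the C2 hosts to pivot on in the OSINT step.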

Conclusion

This is a good starting point for analysis of a malware sample; the tasks don't need to be executed in a specific order. You will find that over time you get a feel for which tasks will produce the most information. Good luck!