Malware-Analysis/README.md

# Malware Analysis
A curated list of awesome malware analysis tools and resources

<img src="malware.png" width="250px" />

### Types of Malware Attacks
<table id="tablepress-2">
<thead>
<tr>
<th><center>Type</center></th>
<th><center>What It Does</center></th>
<th><center>Real-World Example</center></th>
</tr>
</thead>
<tbody>
<tr>
<td><center>Ransomware</center></td>
<td><center>disables victim's access to data until ransom is paid</center></td>
<td><center>RYUK</center></td>
</tr>
<tr>
<td><center>Fileless Malware</center></td>
<td><center>makes changes to files that are native to the OS</center></td>
<td><center>Astaroth</center></td>
</tr>
<tr>
<td><center>Spyware</center></td>
<td><center>collects user activity data without their knowledge</center></td>
<td><center>DarkHotel</center></td>
</tr>
<tr>
<td><center>Adware</center></td>
<td><center>serves unwanted advertisements</center></td>
<td><center>Fireball</center></td>
</tr>
<tr>
<td><center>Trojans</center></td>
<td><center>disguises itself as desirable code</center></td>
<td><center>Emotet</center></td>
</tr>
<tr>
<td><center>Worms</center></td>
<td><center>spreads through a network by replicating itself</center></td>
<td><center>Stuxnet</center></td>
</tr>
<tr>
<td><center>Rootkits</center></td>
<td><center>gives hackers remote control of a victim's device</center></td>
<td><center>Zacinlo</center></td>
</tr>
<tr>
<td><center>Keyloggers</center></td>
<td><center>monitors users' keystrokes</center></td>
<td><center>Olympic Vision</center></td>
</tr>
<tr>
<td><center>Bots</center></td>
<td><center>launches a broad flood of attacks</center></td>
<td><center>Echobot</center></td>
</tr>
<tr>
<td><center>Mobile Malware</center></td>
<td><center>infects mobile devices</center></td>
<td><center>Triada</center></td>
</tr>
</tbody>
</table>



### Malware Analysis Proccess
* Static Analysis
  * Static Analysis can be done by checking physical states of file. In our case , we used executable file as static samples and to check the physical states of windows executable file Windows provide Portable Executable Format (PE Format) which describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) files.

* Dynamic Analysis
  * Behaviour Analysis is similar to Dynamic Analysis therefore we created sandbox to find the behaviour of our malicious and good samples and these behaviour includes Registry Operations , Files Operations , Api's Calls , Dll loaded , Mutex Information etc

* Code Analysis
  * reversing code with debugger tools
  * Debugging and Reverse Engineering ,Disassemblers, decompiler


* Memory Analysis
  * we dumping whole memory and checking for process and handler.
  * we can find Rootkit and Ransomware Encryption key and find hidden process !


### Tools
* Static Analysis
  * [pestudio](https://www.winitor.com/download/) - Perform static analysis of Windows executables.
  * [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) checking import directory , export directory and section headers for finding packer [packer use for change pe table schema this UPX]



* Dynamic Analysis
  * [Process Hacker](https://processhacker.sourceforge.io/) - Tool that monitors system resources.
  * [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - Advanced monitoring tool for Windows programs.
  * [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots.
  * [ProcDot](http://www.procdot.com/) - A graphical malware analysis tool kit.




* Code Analysis
  * Disassembler
    * [IDA](https://www.hex-rays.com/products/ida/index.shtml) 
  * Decompiler
    * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml)
  * debuggers
    * [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
    * [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system
 


* Memory Forensics
  * memory acquisition
    * [Comae-Toolkit](https://github.com/Crypt2Shell/Comae-Toolkit) _ use DumpIt.exe for sump whole memory
  * memory analysis
    * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework.


* Online Scanners and Sandboxes
  * [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted sandbox and automated analysis system.
  * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs
  * [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  * [intezer analyzer](https://analyze.intezer.com/) - Create MITRE ATT&CK Technique Detection table


* Network
  * [Wireshark](https://www.wireshark.org/) - The network traffic analysis tool.
 
* Android
  * [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) – Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

* service emulation
  * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when building a malware lab.
  * [FakeNet](https://sourceforge.net/projects/fakenet/) - Windows Network Simulation tool for Malware Analysis

 


### Useful Language for learn
* Python
* C++
* Assembly


### Useful Tools
* [yara](https://github.com/VirusTotal/yara)
* [Python 3.8.0](https://www.python.org/downloads/release/python-380/) - for ret-sync & ida module
* [yara-python](https://pypi.org/project/yara-python/) - require for ida module 
* [ret-sync](https://github.com/bootleg/ret-sync) - ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA/Ghidra/Binary Ninja disassemblers.



### malicious Windows API
* malware tye
  * downloader
    * urldownloadtofile
    * shellexec 
  * dropper
    * findresource
    * loadresource
    * lockresource
    * sizeofresource 
  * keylogger
    * getkeystate
    * getasynckeystate
    * setwindowshook 
  * c2 server 
    * internetopenurla
    * socket 


### Tips
* every .exe file can hav some import dll or aeport dll or string
* new malware dos not use import dll and never call dll, and they are hard to hunt!
* use ida->view->subvie->string to see all sting
* ransomware encrpt data with symetric algoritm like sha256 and then send key to c2, they encrypt key with asymetric algoritm like RSA bublic key
* some malware hade digital signature, an attacker stole sign key from valid company
* for obfuscate pe file use packer
* Fuzzy Hashing tools like ssdeep can help hunter to find similarity between two malware with different md5 key
* Winexex in one of export function from kernel32.dll and can be malicious
* we can bypass all static analysis with rewrite import dll, with call function with address in memory
* we can create shellcode with FASM tools in assembly
* the best future of ida is create basic block for application analysis
* export procmon to csv and send to procdot for create png of malware behaviour
* almost ransomeware are 32 bit, because they can run on 32 bit and 64 bit architect
* some ransomware work when we have complex network, we use FakeNet tools for create all network service
* with FakeNet tools and vmware host only, we can see all network connection with c2 server, because 127.0.0.1 set for all dns query
* in windows 8 and upper, ther is patchgaurd mechanism that every 30m check critical section and if detedct some app remove linker and DKOM attack happen make bluescrean ! with this role most rootkit lose
* we can use psscan command in volatility for finding rootkit and hidden process
* .pdb file is so important for detection function name and indexing of system dll that use in malware
* in vmware we can suspend vm and copy .vmem for memory analysis. the file size is equal to whole memory size
* in ida pro use [tab] key to decompile code, use [x] key to find how many time item called in pe file
* in x64dbg with [F9] key we jumping to entrypoint of program, main function, work with F7,F8 for jumping code



### Books
* [Practical Malware Analysis](https://www.amazon.co.uk/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/)
* [Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation](https://www.amazon.co.uk/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315)


### reference
* [A COMPLETE PRACTICAL APPROACH TO MALWARE ANALYSIS AND MEMORY FORENSICS - 2021 EDITION](https://www.blackhat.com/eu-21/training/schedule/#a-complete-practical-approach-to-malware-analysis-and-memory-forensics----edition-24217)
* [Awesome Malware Analysis](https://github.com/rshipp/awesome-malware-analysis)
* [Malware-analysis-and-Reverse-engineering](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering)


### Thanks
[Taha Tavakoli](https://twitter.com/Decoder0x01) My Dear master in Malware Analysis Course