MALWARE ANALYSIS CHEAT SHEET

The analysis and reversing tips behind this reference are covered in the SANS Institute course FOR610: Reverse-Engineering Malware.

Overview of the Malware Analysis Process

1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
3. Examine static properties and meta-data of the specimen for triage and early theories.
4. Perform behavioral analysis to examine the specimen's interactions with its environment.
5. Perform static code analysis to further understand the specimen's inner workings.
6. Perform dynamic code analysis to understand the more difficult aspects of the code.
7. If necessary, unpack the specimen.
8. Perform memory forensics of the infected lab system to supplement the other findings.
9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
10. Document findings, save analysis artifacts and clean up the laboratory for future analysis.

Behavioral Analysis

Be ready to revert to a good state via virtualization snapshots, Clonezilla, dd, FOG, PXE booting, etc.
Monitor local interactions (Process Explorer, Process Monitor, ProcDOT, Noriben).
Detect major local changes (RegShot, Autoruns).
Monitor network interactions (Wireshark, Fiddler).
Redirect network traffic (fakedns, FakeNet-NG).
Activate services (INetSim or actual services) requested by malware and reinfect the system.
Adjust the runtime environment for the specimen as it requests additional local or network resources.

Unpacking Malicious Code

Determine whether the specimen is packed by using Detect It Easy, Exeinfo PE, Bytehist, peframe, etc.
To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint.
Try setting a memory breakpoint on the stack at the unpacker's beginning to catch it during cleanup.
To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
To intercept process injection, set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
If you cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
Rebuild imports and other aspects of the dumped file using Scylla, Imports Fixer, UIF, pe_unmapper.

Bypassing Other Analysis Defenses

Decode obfuscated strings statically using FLARE, xorsearch, Balbuzard, etc.
Decode data in a debugger by setting a breakpoint after the decoding function and examining results.
Conceal x64dbg/x32dbg via the ScyllaHide plugin.
To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
If analyzing shellcode, use scdbg and jmp2it.
Disable ASLR via setdllcharacteristics, CFF Explorer.

Ghidra for Static Code Analysis

Go to specific destination: g
Show references to selected instruction: Ctrl+Shift+f
Insert a comment: ;
Follow jump or call: Enter
Return to previous location: Alt+Left
Go to next location: Alt+Right
Undo: Ctrl+z
Define data type: t
Add a bookmark: Ctrl+d
Text search: Ctrl+Shift+e
Add or edit a label: l
Disassemble selected values: d
Edit data in memory or instruction opcode: Select data or instruction » Ctrl+e
Extract API call references: Right-click in disassembler » Search for » Current module » Intermodular calls

x64dbg/x32dbg for Dynamic Code Analysis

Run the code: F9
Step into/over instruction: F7 / F8
Execute until selected instruction: F4
Execute until the next return: Ctrl+F9
Show previous/next executed instruction: - / +
Return to previous view: *
Go to specific expression: Ctrl+g
Insert comment / label: ; / :
Show current function as a graph: g
Find specific pattern: Ctrl+b
Set software breakpoint on specific instruction: Select instruction » F2
Set software breakpoint on API: Go to Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassembler: h » Click on the keyword
Assemble instruction in place of selected one: Select instruction » Spacebar

Authored by Lenny Zeltser, who leads product management at Minerva and teaches at SANS Institute. You can find him at twitter.com/lennyzeltser and zeltser.com. Download this and other Lenny's security cheat sheets from zeltser.com/cheat-sheets. Creative Commons v3 "Attribution" License for this cheat sheet version 2.1.
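The "decode obfuscated strings statically" tip under Bypassing Other Analysis Defenses above relies on tools such as xorsearch; the following added example (not part of the cheat sheet, and not xorsearch's own code) shows the core of that technique: trying every single-byte XOR key against a known plaintext marker and expanding each hit into the surrounding printable run. The URL and filler bytes in SAMPLE_BLOB are constructed for the demo.

```python
"""Brute-force single-byte XOR keys to locate obfuscated strings in a blob,
the static approach taken by tools such as xorsearch (added example)."""
import string

# Bytes accepted as part of a decoded string (tab, newline, CR included).
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_strings(blob: bytes, marker: bytes, min_len: int = 6):
    """Return (key, offset, decoded_run) for each single-byte key under which
    `marker` (e.g. b"http://") appears in blob. Instead of decoding the whole
    blob 256 times, the marker is encoded with each candidate key and searched
    for directly; only a hit is expanded into the surrounding printable run."""
    hits = []
    for key in range(256):
        needle = xor_bytes(marker, key)
        pos = blob.find(needle)
        while pos != -1:
            start = pos
            while start > 0 and (blob[start - 1] ^ key) in PRINTABLE:
                start -= 1
            end = pos + len(needle)
            while end < len(blob) and (blob[end] ^ key) in PRINTABLE:
                end += 1
            run = xor_bytes(blob[start:end], key)
            if len(run) >= min_len:
                hits.append((key, start, run))
            pos = blob.find(needle, pos + 1)
    return hits


# Constructed sample: a URL XOR-encoded with key 0x5A inside 0xFF filler,
# followed by a few plain bytes; nothing here comes from a real specimen.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = (
    b"\xff" * 16
    + xor_bytes(b"http://c2.example.test/gate.php", SAMPLE_KEY)
    + b"\xff" * 16
    + b"MZ\x90\x00"
)

if __name__ == "__main__":
    for key, offset, run in find_xor_strings(SAMPLE_BLOB, b"http://"):
        print(f"key=0x{key:02x} offset=0x{offset:x} {run!r}")
```

A single-byte search like this misses rolling-key XOR, ADD/SUB and ROL schemes, which is where the tools listed above (and breaking in a debugger after the decoding routine) take over.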