You're reading from Malware Analysis Techniques Tricks for the triage of adversarial software

Product type Paperback

Published in Jun 2021

Publisher Packt

ISBN-13 9781839212277

Length 282 pages

Edition 1st Edition

Languages

Python

Tools

VMware Server

Concepts

Malware Analysis

Author (1):

Dylan Barker

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Basic Techniques

2. Chapter 1: Creating and Maintaining your Detonation Environment FREE CHAPTER

3. Chapter 2: Static Analysis – Techniques and Tooling

4. Chapter 3: Dynamic Analysis – Techniques and Tooling

5. Chapter 4: A Word on Automated Sandboxing

6. Section 2: Debugging and Anti-Analysis – Going Deep

7. Chapter 5: Advanced Static Analysis – Out of the White Noise

8. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

9. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

10. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube

11. Section 3: Reporting and Weaponizing Your Findings

12. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

13. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK

14. Section 4: Challenge Solutions

15. Chapter 11: Challenge Solutions

16. Other Books You May Enjoy

Case study – TrickBot

Let's take a look now at some real-world examples of malware that we can analyze and observe performing malicious activity, performing network requests and process injection, and being naughty in general.

TrickBot is a banking Trojan from a threat actor tracked as WIZARD SPIDER. TrickBot has many core functionalities, one of which is to utilize process hollowing to masquerade within the environment.

Let's grab a sample and run it within our VM. First, we'll utilize Regshot, ProcMon, and ProcWatch to identify file information and registry key changes, as follows:

First, we'll take our baseline snapshot. This will serve as the comparison point, as we've previously discussed in the Regshot section. The following screenshot illustrates this:
Figure 6.32 – The results of our first TrickBot shot
After taking our baseline shot, we'll go ahead and execute the malicious document containing the TrickBot downloader...