You're reading from Malware Analysis Techniques Tricks for the triage of adversarial software

Product type Paperback

Published in Jun 2021

Publisher Packt

ISBN-13 9781839212277

Length 282 pages

Edition 1st Edition

Languages

Python

Tools

VMware Server

Concepts

Malware Analysis

Author (1):

Dylan Barker

View More author details

Table of Contents (17) Chapters

Preface

1. Section 1: Basic Techniques

2. Chapter 1: Creating and Maintaining your Detonation Environment FREE CHAPTER

3. Chapter 2: Static Analysis – Techniques and Tooling

4. Chapter 3: Dynamic Analysis – Techniques and Tooling

5. Chapter 4: A Word on Automated Sandboxing

6. Section 2: Debugging and Anti-Analysis – Going Deep

7. Chapter 5: Advanced Static Analysis – Out of the White Noise

8. Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

9. Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

10. Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube

11. Section 3: Reporting and Weaponizing Your Findings

12. Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

13. Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK

14. Section 4: Challenge Solutions

15. Chapter 11: Challenge Solutions

16. Other Books You May Enjoy

Getting fuzzy

In the constant arms race of malware authoring and Digital Forensics and Incident Response (DFIR) analysts attempting to find solutions to common obfuscation techniques, hashbusting has also been addressed in the form of fuzzy hashing.

ssdeep is a fuzzy hashing algorithm that utilizes a similarity digest in order to create and output representations of files in the following format:

chunksize:chunk:double_chunk

While it is not necessary to understand the technical aspects of ssdeep for most analysts, a few key points should be understood that differentiate ssdeep and fuzzy hashing from standard cryptographic hashing methods such as MD5 and SHA256: changing small portions of a file will not significantly change the ssdeep hash of the file, whereas changing one bit will entirely change the cryptographic hash.

With this in mind, let's take a ssdeep hash of our 8888888.png sample. Unfortunately, ssdeep is not installed by default in FLARE VM, so we will require...