Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Malware Analysis Techniques
Malware Analysis Techniques

Malware Analysis Techniques: Tricks for the triage of adversarial software

eBook
€28.99 €32.99
Paperback
€41.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Malware Analysis Techniques

Chapter 1: Creating and Maintaining your Detonation Environment

Malware can be slippery, difficult to dissect, and prone to escapism. As malware analysts, however, we frequently find ourselves in a position where it's necessary to be able to both examine the binaries and samples we come across, as well as actively run the samples and observe their behavior in a semi-live environment. Observing how the malware behaves within a real-world OS informs us as analysts how to better defend and remediate infections of the same kind we come across.

Such needs present several challenges:

  • How do we execute and study malicious code while ensuring our real environments remain safe and we do not assist the malware authors in propagating their code?
  • What tools do we require to ensure that we're able to adequately study the malware?
  • How do we achieve the two aforementioned goals in a repeatable fashion so that we do not have to rebuild our environment after every piece of malware we study?

In this chapter, we'll review how it's possible to set up a VM specifically for the purposes of analyzing adversarial code, while simultaneously ensuring that we remain on good terms with our friends in Systems Administration, and do not spread our samples across the network, thereby defeating the purposes of our analysis.

In this chapter, we'll cover the following topics:

  • Setting up VMware Workstation with Windows 10
  • Tooling installation – FLARE
  • Isolating your environment
  • Maintenance and snapshotting

Technical requirements

The following are the requirements for this chapter:

Setting up VirtualBox with Windows 10

An excellent tool, which is also free (as in beer), is Oracle's VirtualBox. We'll utilize this software package to create our malware analysis environment with a Windows 10 VM.

To begin, we'll navigate to the VirtualBox download page, which can be found at https://virtualbox.org/wiki/downloads. The page should look like the one shown in the following screenshot:

Figure 1.1 – Downloading VirtualBox for macOS, Windows, and Linux

Figure 1.1 – Downloading VirtualBox for macOS, Windows, and Linux

Let's now move on to downloading and installing VirtualBox.

Downloading and verifying VirtualBox

Here, we can select our host OS, with Linux, macOS, and Windows all supported platforms. In this instance, the process will be completed in macOS, but post-installation, the steps are largely the same, and generally platform-agnostic. Begin by selecting your host OS and downloading the latest package for VirtualBox.

As with downloading any binary or package from the internet, it is an excellent idea to ensure that the download is neither corrupt nor has been tampered with during transit.

Thankfully, Oracle provides pre-computed SHA256 sums of their packages, and we can use sha256sum on either Linux or Mac to ascertain whether we have the correct package:

Figure 1.2 – The SHA256 sum of the downloaded file

Figure 1.2 – The SHA256 sum of the downloaded file

Once we have computed the SHA256 in our terminal, we can compare it to known hashes on the VirtualBox page found at https://www.virtualbox.org/download/hashes/6.1.12/SHA256SUMS. Here, we can see that we have a matching hash and can proceed with the installation:

Figure 1.3 – The list of known good hashes published for VirtualBox's installer packages

Figure 1.3 – The list of known good hashes published for VirtualBox's installer packages

Installing Windows 10

Once you have gone through the installation steps for VirtualBox on your platform and have run the application, you'll be presented with the following screen. We can now begin building our environment:

Figure 1.4 – The VirtualBox main screen

Figure 1.4 – The VirtualBox main screen

In order to create our malware analysis environment, it will be necessary to have a Windows 10 installation ISO. If you do not already have a Windows 10 ISO, one may be obtained from Microsoft at https://www.microsoft.com/en-us/software-download/windows10. You will be required to purchase a license key in order to activate your copy of Windows:

  1. To begin creating our VM, we'll click the New button in VirtualBox, as seen in the following screenshot:
    Figure 1.5 – Click New to begin creating your analysis VM

    Figure 1.5 – Click New to begin creating your analysis VM

  2. Clicking the New button will reveal a new pane requiring several selections. Here, we'll want to select Windows 10 (64-bit). The machine may be named anything of your choosing. Once these fields are filled in, click Continue:
    Figure 1.6 – Name your VM and select the proper OS configuration

    Figure 1.6 – Name your VM and select the proper OS configuration

    At this point, VirtualBox will guide you through several steps. Proceed with the defaults here – no additional customization is necessary for our use case, with one exception: if you have sufficient memory on your host machine, strongly consider changing the memory to 4,096 MB for a smoother experience (and to bypass some possible anti-analysis techniques! More on this later).

  3. Once done with the creation of the VM, we are dropped back at our initial screen with a VM available to us. However, it is necessary to specify the ISO file that the VM's OS should be installed from. For this, highlight the VM we've just created, and click Settings, as shown in the following screenshot:
    Figure 1.7 – Click the Settings button in VirtualBox's main pane

    Figure 1.7 – Click the Settings button in VirtualBox's main pane

  4. A new pane will be presented that outlines the many settings currently applied to the VM. Here, we'll select Storage, and then the compact disc icon in the tree. From here, we can click the browse icon and then select the applicable ISO for installation. Then, click OK:
    Figure 1.8 – Selecting the virtual optical disk file

    Figure 1.8 – Selecting the virtual optical disk file

  5. Once the applicable ISO has been loaded, it's time to boot the VM and begin installation of Windows. To do this, simply highlight the VM you have created and then select Start:
    Figure 1.9 – Clicking the Start button will launch our analysis VM

    Figure 1.9 – Clicking the Start button will launch our analysis VM

    If everything has been done correctly to this point, the VM will boot and a Windows 10 installation screen will appear! Here, we can click Next and then proceed as usual through our Windows 10 installation steps:

    Figure 1.10 – Select the appropriate language and keyboard layout for your region

    Figure 1.10 – Select the appropriate language and keyboard layout for your region

  6. We'll continue by creating a new partition and begin our installation as shown in the following screenshot:
    Figures 1.11 – Create a new partition by utilizing the New button

    Figures 1.11 – Create a new partition by utilizing the New button

    Once this is finished, a Windows installation screen will appear. Please wait for it to finish:

    Figure 1.12 – Installation of Windows 10

    Figure 1.12 – Installation of Windows 10

  7. Once the installation of Windows has completed, a screen will appear asking for a username to be utilized, along with a corresponding password:

    Analysis tip

    It is highly advisable to make the password entirely unique to the instance in which we are working. Malware often steals passwords for reuse in further campaigns or operations.

    Figure 1.13 – Choose a totally unique password for this VM

    Figure 1.13 – Choose a totally unique password for this VM

  8. Once the user has been created, Windows will prompt for a few more settings related to privacy – which you may answer how you choose:
Figure 1.14 – Windows 10's privacy settings

Figure 1.14 – Windows 10's privacy settings

Analysis tip

You may consider replicating the settings pictured here. While disabling Windows 10 telemetry isn't required, you may not want to deliver data to Microsoft over the internet if you're utilizing it to analyze sensitive samples.

Once all the selections have been completed, Windows will perform a number of final initialization steps for the OS and drop you at the desktop!

Left arrow icon Right arrow icon
Download code icon Download Code

Description

Malicious software poses a threat to every enterprise globally. Its growth is costing businesses millions of dollars due to currency theft as a result of ransomware and lost productivity. With this book, you'll learn how to quickly triage, identify, attribute, and remediate threats using proven analysis techniques. Malware Analysis Techniques begins with an overview of the nature of malware, the current threat landscape, and its impact on businesses. Once you've covered the basics of malware, you'll move on to discover more about the technical nature of malicious software, including static characteristics and dynamic attack methods within the MITRE ATT&CK framework. You'll also find out how to perform practical malware analysis by applying all that you've learned to attribute the malware to a specific threat and weaponize the adversary's indicators of compromise (IOCs) and methodology against them to prevent them from attacking. Finally, you'll get to grips with common tooling utilized by professional malware analysts and understand the basics of reverse engineering with the NSA's Ghidra platform. By the end of this malware analysis book, you’ll be able to perform in-depth static and dynamic analysis and automate key tasks for improved defense against attacks.

Who is this book for?

This book is for incident response professionals, malware analysts, and researchers who want to sharpen their skillset or are looking for a reference for common static and dynamic analysis techniques. Beginners will also find this book useful to get started with learning about malware analysis. Basic knowledge of command-line interfaces, familiarity with Windows and Unix-like filesystems and registries, and experience in scripting languages such as PowerShell, Python, or Ruby will assist with understanding the concepts covered.

What you will learn

  • Discover how to maintain a safe analysis environment for malware samples
  • Get to grips with static and dynamic analysis techniques for collecting IOCs
  • Reverse-engineer and debug malware to understand its purpose
  • Develop a well-polished workflow for malware analysis
  • Understand when and where to implement automation to react quickly to threats
  • Perform malware analysis tasks such as code analysis and API inspection
Estimated delivery fee Deliver to Slovenia

Premium delivery 7 - 10 business days

€25.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Jun 18, 2021
Length: 282 pages
Edition : 1st
Language : English
ISBN-13 : 9781839212277
Category :
Languages :

What do you get with Print?

Product feature icon Instant access to your digital copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Redeem a companion digital copy on all Print orders
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Slovenia

Premium delivery 7 - 10 business days

€25.95
(Includes tracking information)

Product Details

Publication date : Jun 18, 2021
Length: 282 pages
Edition : 1st
Language : English
ISBN-13 : 9781839212277
Category :
Languages :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 125.97
Malware Analysis Techniques
€41.99
Adversarial Tradecraft in Cybersecurity
€41.99
Privilege Escalation Techniques
€41.99
Total 125.97 Stars icon

Table of Contents

16 Chapters
Section 1: Basic Techniques Chevron down icon Chevron up icon
Chapter 1: Creating and Maintaining your Detonation Environment Chevron down icon Chevron up icon
Chapter 2: Static Analysis – Techniques and Tooling Chevron down icon Chevron up icon
Chapter 3: Dynamic Analysis – Techniques and Tooling Chevron down icon Chevron up icon
Chapter 4: A Word on Automated Sandboxing Chevron down icon Chevron up icon
Section 2: Debugging and Anti-Analysis – Going Deep Chevron down icon Chevron up icon
Chapter 5: Advanced Static Analysis – Out of the White Noise Chevron down icon Chevron up icon
Chapter 6: Advanced Dynamic Analysis – Looking at Explosions Chevron down icon Chevron up icon
Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill Chevron down icon Chevron up icon
Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube Chevron down icon Chevron up icon
Section 3: Reporting and Weaponizing Your Findings Chevron down icon Chevron up icon
Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense Chevron down icon Chevron up icon
Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK Chevron down icon Chevron up icon
Section 4: Challenge Solutions Chevron down icon Chevron up icon
Chapter 11: Challenge Solutions Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.8
(9 Ratings)
5 star 77.8%
4 star 22.2%
3 star 0%
2 star 0%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Kindle Customer Apr 05, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is excellent. It gives a good detailed guide to what Malware is, the different types, and how to effectively analyze it. The book gives a great hands on approach with the theory not being overwhelming at all. Highly recommend.
Amazon Verified review Amazon
Britt Adams Jun 22, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I hope to have more time soon to finish going through the exercises.
Amazon Verified review Amazon
Amazon Customer Jul 05, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I've always had an interest in malware analysis being a security analyst. Until now I tried to get into multiple malware analysis books but lost interest as most of them are not beginner friendly. This book is surely an exception. It take you from setting up an VM and static analysis to dynamic analysis, touches the concepts of reverse engineering and then using the IOCs for defense. The best part is how Dylan makes it easy for newbies to understand these concepts which once were so scary. I must say every security analyst and those who are interested in malware analysis should read it once.
Amazon Verified review Amazon
WideLineman Sep 10, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Book really teaches you how to put together a safe analysis environment and gives you great insight on developing an analysis workflow. I'm highly satisfied with this purchase.
Amazon Verified review Amazon
PJS Jul 25, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Dylan Barker clearly illustrates everything you need to know. This is the best malware analysis book you can buy!
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the digital copy I get with my Print order? Chevron down icon Chevron up icon

When you buy any Print edition of our Books, you can redeem (for free) the eBook edition of the Print Book you’ve purchased. This gives you instant access to your book when you make an order via PDF, EPUB or our online Reader experience.

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact customercare@packt.com with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at customercare@packt.com using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on customercare@packt.com with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on customercare@packt.com within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on customercare@packt.com who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on customercare@packt.com within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela