Windows Malware Analysis - Prerequisite

Warning! While our web location will not serve up malware (unless you are enrolled in the class), we will be providing you with a location to download and interact with live samples. What does this mean to you? It means that Network Defense Solutions, Inc. is not responsible for what you do with the samples, or if you infect your systems and lose data. From this point forward you take full responsibility and absolve Network Defense Solutions, Inc. of any and all liability which may result. If you are interested in taking the online class, you may fill out an application here: Register for classes. Alternatively, you may purchase the tools, utilities and virtual machines here: Introduction to Malware Analysis, Mac Malware Scripts, Linux Malware Scripts, SOC Analyst Guide to malware, phishing and exploit analysis; or you can purchase the Malware Analysis Labs, complete with the tools and the class in PDF with videos.

As you may have guessed from the warning, we are about to start delving into malware analysis. There are a few things that you will need in order to proceed with the free courseware and its content. 1) You will need your own virtual system, or an environment that is separate from your host machine (your everyday machine). 2) You will need some background with Linux and OSX/macOS, as some of the labs will revolve around analysis in those environments. An understanding of some Windows commands and the Windows command line is a plus!

If you need to download malware to begin your analysis, you will need to sign up at https://virustotal.com or obtain samples from https://objective-see.com/malware.html. Should you find any other locations from which to procure malware, you can use those as well; you are not limited to the resources we post or write about here.

Before starting malware analysis on a system there are a few tools that you will need to obtain in order to conduct a successful analysis of the local or remote system. Please keep in mind that if the tools are installed after a piece of malware has executed, your analysis will not be as thorough as it should be: the tools will have missed the changes the sample made while it ran. All the tools mentioned below should be installed before the malware is executed.

Additionally, before executing the malicious or suspect file you should start with static analysis and only then move into dynamic analysis, where you run the malware and analyze the system afterwards.

For the static analysis portion you will need the following tools (please be advised that some of these tools are listed for redundancy or preference):

Static Malware Analysis

CFF Explorer: https://ntcore.com/?page_id=388

HEX Workshop: http://www.hexworkshop.com/

HxD Hex Editor: https://mh-nexus.de/en/programs.php

UPX Encoder: https://upx.github.io/

Other Packers: https://alternativeto.net/software/upx/

Once the tools mentioned above are installed on your operating system (Windows), you will need to read the next segment in order to use them. While the segments will not cover every aspect of the utilities mentioned, they will be sufficient for you to perform an analysis that is thorough enough to obtain the details about a given suspect file needed for an in-depth analysis.
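As an added illustration (not part of the course material), the kind of information CFF Explorer and a hex editor give you during static analysis, reproduced in Python: the script walks the PE section table, flags UPX-style packing, and hashes the file for a VirusTotal lookup. The PE blobs are constructed inside the script, and the heuristics and function names are my own, not the course's.

```python
import hashlib
import struct
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes

def build_sample(sections):
    # constructed: minimal PE skeleton (DOS header, COFF header, section table; not runnable)
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), vsize, 0x1000 * (i + 1),
                    rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return dos + b"PE\x00\x00" + coff + table

def parse_pe(data):
    """Read the DOS header, COFF header and section table (what CFF Explorer shows)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    base = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, base + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "sections": sections}

def packer_indicators(info):
    """UPX-style hints: UPX section names, or a section empty on disk but large in memory."""
    hits = []
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory")
    return hits

def file_hashes(data):
    # hashes to look the sample up on VirusTotal before executing anything
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

# constructed samples: an ordinary section layout and a UPX-style layout
PLAIN = build_sample([(b".text", 0x1000, 0x1000), (b".data", 0x200, 0x200)])
PACKED = build_sample([(b"UPX0", 0x8000, 0), (b"UPX1", 0x2000, 0x2000), (b".rsrc", 0x200, 0x200)])
for label, blob in (("plain", PLAIN), ("packed", PACKED)):
    info = parse_pe(blob)
    print(label, file_hashes(blob)["sha256"][:16], packer_indicators(info) or "no packer indicators")
```

Run it against a real sample by replacing the constructed blobs with the file's bytes; an empty-on-disk section is exactly what you will see in a hex editor as a gap between the header and the first packed section.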

Things to consider

  • Virtual Environment

    In our labs we use VMware and ESXi. We also run separate networks to keep the labs away from our production networks and any other networks we have established. You will need to create snapshots of your virtual environment in order to establish a "safe state" for your VMs; if you don't, you will infect your only known-good VM, and every time it is rebooted it will boot infected. Furthermore, you will also need some specific hardware if you are doing this on the only box that you have. If you don't have the hardware, or opt not to purchase it, you must use the host-only VM network setting. DO NOT allow the virtual machines to interact with your host system on the same IP addresses! If you'd like a set of recommendations for the hardware we run, you can use the suggestions below. When you are finished with your virtual machines, make sure that you reset them to the previous safe state!

  • Additional Software

    A firewall is your friend here, and you should make sure that your system is up to date! Failure to do so may get your boxes infected via software vulnerabilities. It's okay to be extremely paranoid even when using host-only virtual machines. If you are using a Windows desktop we suggest Zone Labs / ZoneAlarm; on Linux you can use iptables, and on macOS Little Snitch.

  • Hardware Requirements

    If you are doing this on a desktop computer, an Intel i5 processor with a minimum of 16GB of RAM would suffice. You can go lower, however we don't suggest it. Additionally, you can purchase a USB 3.0 RJ45 dongle, which will let you run your virtual machines on a completely different network if you have a switch that supports VLANs. If you are looking for a decent Cisco switch to practice this on (or you can find a smaller one), you can use this one: CISCO WS-C4948-10GE-S Catalyst 48 Port Switch. If you need assistance with setup, you can contact us and we will be happy to help.