Showing posts with label malware analysis. Show all posts

Tuesday, September 2, 2025

Sectional MD5 - One of the ways for detecting the malware:

 In Windows malware analysis we employ several methods, but the goal is always the same: understand what the sample is doing and classify it by the behaviour and artifacts that match a known malware family or attacker toolset. For malicious-file detection, vendors write detection logic that addresses a campaign, and when new samples of the same family appear in the wild the existing logic is expected to catch them too. Malware authors keep introducing new evasion techniques and keep propagating. In this article we are not going to look at evasion techniques; we are going to look at one of the old detection methods, a generic signature that many AV engines support, referred to as Sectional MD5.

Basically, MD5 is a popular hashing algorithm used to check the integrity of a message or a file. Consider a server that stores a file and has already published its hash, in our case an MD5. After the client downloads the file it calculates the hash of its copy and compares the two; if they match, the downloaded file is the same as the one the server published. Hashing algorithms are one-way: anyone can generate the hash of a message or file, but the hash cannot be reversed back to the original. It is for integrity checks and identification only. SHA-1 and SHA-256 are as popular as MD5. For the record, remember that MD5 is prone to collisions (two different inputs with the same MD5 can be constructed), so it should not be relied on where an attacker controls the input; for identifying already-known bytes it is still usable. We can talk about collisions in another post.

Every PE file has sections, and with any PE tool such as PE-bear, FileAlyzer or PEStudio we can see the hash of each section in the file. When a malware researcher is given the task of creating a generic signature, the researcher compares the samples and may find that the section which carries the malicious code has the same hash in all of the given samples. Now the researcher can write the logic: if any section of a file has this particular MD5, detect the file as malware. This technique is called sectional MD5. A common question follows: if a single byte in that section changes, the whole section hash collapses and a new hash is produced, so the malware easily escapes detection. Most of the time the sections of related samples do not share a hash even though they have the same behaviour and code; the difference is something like a single byte change, a changed constant or a small change in the assembly logic. In this scenario, how can we play?

While debugging, we can spot the malicious call and then find the same call, with the same bytes, in the other files. Collect those bytes, locate them in the file on disk (translate the virtual address to a file offset) and calculate the hash over exactly that byte range; that hash can be supplied as the sectional MD5. In the previous case the hash covered the whole section; in this case the sectional MD5 is created for the suspicious or malicious subroutine found in the file, so a cosmetic change elsewhere in the section no longer breaks the match. One caveat when choosing the bytes: avoid spans that contain absolute addresses or relocated pointers, because those differ between builds even when the logic is identical, and the hash would differ with them.
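The following is an added example (my own code, not from the original post) of both forms of the technique: a whole-section MD5 computed from the PE section table, and the subroutine variant that locates a byte sequence in the file on disk and hashes that range. The two-section PE images, the "malicious subroutine" bytes and the idea of storing the signature as a short anchor plus a length and an MD5 are all constructed for the demonstration; a real engine's signature format will differ. Sample B differs from sample A by one byte in .text outside the subroutine, so the whole-section signature misses it while the subroutine signature still matches.

```python
import hashlib
import struct

SECTION_HEADER = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(text_bytes, data_bytes):
    """Constructed input: a minimal two-section PE image (not loadable, just
    enough header for the section-table walk below). Real samples come from disk."""
    assert len(text_bytes) <= 0x200 and len(data_bytes) <= 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # 2 sections, no optional header

    def section(name, raw_off, data):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        return struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(data), raw_off,
                           len(data), raw_off, 0, 0, 0, 0, 0x60000020)

    headers = (bytes(dos) + b"PE\0\0" + coff
               + section(b".text", 0x200, text_bytes) + section(b".data", 0x400, data_bytes))
    image = bytearray(0x400 + len(data_bytes))
    image[:len(headers)] = headers
    image[0x200:0x200 + len(text_bytes)] = text_bytes
    image[0x400:0x400 + len(data_bytes)] = data_bytes
    return bytes(image)


def parse_sections(pe):
    """Return [(name, file_offset, raw_size)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return sections


def section_md5s(pe):
    """Classic sectional MD5: one hash per section over its raw bytes on disk
    (SizeOfRawData, so file-alignment padding is part of the hash)."""
    return {name: hashlib.md5(pe[off:off + size]).hexdigest() for name, off, size in parse_sections(pe)}


def locate_code_md5(pe, anchor, length):
    """Subroutine variant: find the anchor bytes in the file on disk and hash
    `length` bytes from each hit. Returns [(file_offset, md5)]."""
    hits, idx = [], pe.find(anchor)
    while idx != -1:
        hits.append((idx, hashlib.md5(pe[idx:idx + length]).hexdigest()))
        idx = pe.find(anchor, idx + 1)
    return hits


def matches(pe, signature):
    """signature is {'section_md5': hex} or {'anchor': bytes, 'length': n, 'md5': hex}."""
    if "section_md5" in signature:
        return signature["section_md5"] in section_md5s(pe).values()
    return any(h == signature["md5"]
               for _, h in locate_code_md5(pe, signature["anchor"], signature["length"]))


# Constructed "malicious subroutine" (x86-looking bytes; only its being identical in
# both samples matters) and two samples that differ by one byte elsewhere in .text.
MAL_SUB = bytes.fromhex("558bec83ec1033c08945fc8b45fc8be55dc3")
ANCHOR = MAL_SUB[:6]
SAMPLE_A = build_sample_pe(b"\x90" * 16 + MAL_SUB + b"\xcc" * 8, b"config=1\0")
SAMPLE_B = build_sample_pe(b"\x90" * 15 + b"\xc3" + MAL_SUB + b"\xcc" * 8, b"config=1\0")

SIG_SECTION = {"section_md5": section_md5s(SAMPLE_A)[".text"]}
SIG_CODE = {"anchor": ANCHOR, "length": len(MAL_SUB),
            "md5": locate_code_md5(SAMPLE_A, ANCHOR, len(MAL_SUB))[0][1]}

if __name__ == "__main__":
    for label, pe in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, section_md5s(pe))
        print(label, "whole-section sig:", matches(pe, SIG_SECTION),
              "subroutine sig:", matches(pe, SIG_CODE))
```

On a real sample, read the file bytes from disk and pass them to `section_md5s` or `locate_code_md5`; the parser here only walks the section table, so for anything beyond that use a full PE library or one of the tools named above.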

Many more advanced detection-writing techniques are in practice today, and sectional MD5 is less well known now; many analysts do not even know whether their engine has the capability. In future posts we will cover similar detection-writing techniques and malware analysis techniques.

Kindly note: this post was not generated by AI; it was written by a human, so please share it widely and help us write more. Your support is needed. Our focus is to create high-quality articles in the malware analysis field without using any AI.


Post by

newWorld

Wednesday, May 29, 2024

Setting up breakpoints in VirtualAlloc and VirtualProtect during malware analysis:

 Malware analysts set breakpoints on functions such as `VirtualProtect` and `VirtualAlloc` for several key reasons:

Understanding Malware Behavior

1. Code Injection and Memory Allocation:

   - `VirtualAlloc`: This function reserves and/or commits memory in the virtual address space of the calling process. Malware often uses `VirtualAlloc` to allocate space for decrypted code or data. A breakpoint here shows the requested size, the allocation type (`MEM_COMMIT`, `MEM_RESERVE`) and the requested protection; `PAGE_EXECUTE_READWRITE` is a strong hint that code is about to be written there. Breaking on the return as well gives the base address of the new region (in `EAX`/`RAX`), which is the address to watch from then on.

   - `VirtualProtect`: This function changes the protection on a region of committed pages in the virtual address space of the calling process. Malware uses `VirtualProtect` to make a region executable (`PAGE_EXECUTE_READ` or `PAGE_EXECUTE_READWRITE`) after it has written code into memory that was allocated read/write, or to make its own code section writable before patching it. A breakpoint here shows when the malware is preparing to execute that code and exactly which region it is.


2. Unpacking and Decrypting:

   - Malware often uses packing and encryption to obfuscate its payload. During execution it must unpack or decrypt this data before it can act. By breaking on the return of `VirtualAlloc` (to learn where the new region is) and then on `VirtualProtect` (which fires after the decrypted payload has been written but before it runs), the analyst can dump the region from memory at the right moment and capture the unpacked payload before it is executed.
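The breakpoints themselves are set in the debugger; what makes them useful is reading the parameters when they fire. As an added example (my own code, not from the original post), the script below decodes the `MEM_*` and `PAGE_*` constants logged at those breakpoints and picks out the regions that have just become executable, i.e. the points at which to dump memory. The log format is constructed for this example (one line per call, arguments at entry and the return value at exit); it is not any particular debugger's output, so adapt `CALL_RE` to whatever your breakpoint logging produces.

```python
import re

# Win32 constants (winnt.h / memoryapi.h)
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTE_MASK = 0xF0   # the four PAGE_EXECUTE* values


def decode_protect(value):
    """Turn a PAGE_* bitmask into symbolic form, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    base = PAGE_BASE.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in PAGE_MODIFIER.items() if value & bit]
    return "|".join([base] + mods)


def decode_alloc_type(value):
    parts = [name for bit, name in ((MEM_COMMIT, "MEM_COMMIT"), (MEM_RESERVE, "MEM_RESERVE")) if value & bit]
    return "|".join(parts) or f"0x{value:x}"


def is_executable(protect):
    return bool(protect & EXECUTE_MASK)


# Constructed breakpoint log (not real debugger output): a typical unpacker
# sequence, a page of the main image made RWX, one failed allocation and one
# region allocated executable up front.
SAMPLE_LOG = """\
VirtualAlloc(lpAddress=0x0, dwSize=0x3000, flAllocationType=0x3000, flProtect=0x4) -> 0x1e0000
VirtualAlloc(lpAddress=0x0, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) -> 0x1f0000
VirtualProtect(lpAddress=0x1e0000, dwSize=0x3000, flNewProtect=0x20, lpflOldProtect=0x19ff30) -> 0x1
VirtualProtect(lpAddress=0x401000, dwSize=0x1000, flNewProtect=0x40, lpflOldProtect=0x19ff30) -> 0x1
VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40) -> 0x0
VirtualAlloc(lpAddress=0x0, dwSize=0x800, flAllocationType=0x3000, flProtect=0x40) -> 0x250000
"""

CALL_RE = re.compile(r"(?P<api>VirtualAlloc|VirtualProtect)\((?P<args>[^)]*)\)\s*->\s*(?P<ret>0x[0-9a-fA-F]+)")
ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")


def parse_log(text):
    """One dict per logged call: the named arguments plus 'api' and 'ret'."""
    events = []
    for m in CALL_RE.finditer(text):
        ev = {k: int(v, 16) for k, v in ARG_RE.findall(m.group("args"))}
        ev["api"], ev["ret"] = m.group("api"), int(m.group("ret"), 16)
        events.append(ev)
    return events


def dump_candidates(events):
    """Regions that just became executable, i.e. where to dump memory.

    Two patterns: VirtualAlloc asking for an executable protection up front
    (dump once the writes stop, e.g. on first execution of the region), and the
    classic sequence VirtualAlloc RW -> write -> VirtualProtect to PAGE_EXECUTE_*,
    which is dumped at the VirtualProtect breakpoint before continuing."""
    allocated = {}   # base -> size, from successful VirtualAlloc returns
    out = []
    for ev in events:
        if ev["api"] == "VirtualAlloc":
            if ev["ret"] == 0:
                continue                       # failed allocation, nothing to watch
            allocated[ev["ret"]] = ev["dwSize"]
            if is_executable(ev["flProtect"]):
                out.append((ev["ret"], ev["dwSize"],
                            "allocated executable: " + decode_protect(ev["flProtect"])))
        else:
            if ev["ret"] == 0 or not is_executable(ev["flNewProtect"]):
                continue
            addr = ev["lpAddress"]
            inside = [b for b, s in allocated.items() if b <= addr < b + s]
            where = f"allocated region 0x{inside[0]:x}" if inside else "existing page"
            out.append((addr, ev["dwSize"], f"{where} made {decode_protect(ev['flNewProtect'])}"))
    return out


if __name__ == "__main__":
    for base, size, why in dump_candidates(parse_log(SAMPLE_LOG)):
        print(f"dump 0x{base:x} (0x{size:x} bytes): {why}")
```

The `existing page made PAGE_EXECUTE_READWRITE` case at `0x401000` is the self-modifying-code pattern: the sample is about to patch its own image rather than unpack into a fresh region, and the dump should be taken after the write that follows.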


Code Flow Analysis

3. Execution Flow Control:

   - Placing breakpoints on these functions helps trace the execution flow. When a breakpoint is hit, the analyst can examine the call stack (to see which part of the sample made the call, rather than the API itself), the register values and the parameters passed to the function. This helps in mapping out the control flow of the malware, identifying key routines and understanding how the different parts of the code interact.


Identifying Anti-Analysis Techniques

4. Anti-Debugging and Anti-Analysis:

   - Malware often includes anti-analysis techniques to thwart debugging. Monitoring `VirtualProtect` reveals the sample making its own code pages writable, which usually precedes self-modification or a rewrite of the code that would overwrite the `INT3` bytes of software breakpoints set on it (a checksum over the same pages detects them just as well). `VirtualAlloc` may likewise be used to allocate memory in unconventional ways, for example with `PAGE_GUARD` set so that the first access raises an exception the sample expects to handle itself. Breakpoints on these functions help analysts identify and counter such techniques.


Reverse Engineering

5. Dynamic Analysis:

   - Dynamic analysis involves running the malware in a controlled environment to observe its behaviour. Breakpoints on `VirtualAlloc` and `VirtualProtect` are crucial for observing how the malware manipulates memory at runtime. This is particularly useful for understanding complex malware that uses runtime code generation or self-modifying code.

Conclusion

By setting breakpoints on `VirtualAlloc` and `VirtualProtect`, malware analysts gain significant insight into the malware's memory management, execution flow and anti-analysis techniques, which leads to a more complete understanding and more effective countermeasures. One caveat: breakpoints on the kernel32 exports are bypassed if the sample calls ntdll's `NtAllocateVirtualMemory` and `NtProtectVirtualMemory` directly (or issues the system calls itself), so set breakpoints on the ntdll functions as well when the kernel32 ones never fire.

Saturday, December 2, 2023

Far Manager Tricks: Uncovering Malicious Strings Like a Pro

 Far Manager is a powerful file manager with a text-based user interface for Windows, and it is useful for various tasks, including malware analysis. To find whether a particular string is present in files within a folder, use the following steps:


1. Open Far Manager:

   Launch Far Manager and navigate to the directory where you want to search for the string.


2. Use the Find File Feature:

   Far Manager has a built-in feature for finding files that contain a specific string. To use it, press `Alt+F7` or open the "Commands" menu and select "Find file".


3. Specify Search Parameters:

   - In the "Containing text" field, enter the string you want to search for.

   - Set the other parameters as needed: the file mask, whether to search subfolders, case sensitivity, and whether the text is to be matched as a hex byte sequence instead of text.


4. Initiate the Search:

   - Press `Enter` to start the search.


5. Review Search Results:

   - Far Manager will display a list of files that contain the specified string.

   - You can navigate through the list and select a file for further analysis.


6. View and Analyze Files:

   - After identifying files of interest, you can view their content by pressing `F3` or using the viewer panel.

   - Analyze the contents of the files to understand the context in which the string is present.


7. Navigate to the String:

   - If the string is found in a file, you can jump to the specific occurrence with the search feature inside the viewer. Press `F7` while viewing the file and enter the string to locate it; `Shift+F7` continues to the next occurrence.


8. Repeat as Needed:

   - If you want to search for the same string in other directories or with different parameters, you can repeat the process.


Far Manager's search capabilities are powerful and can be customised to your needs. This method lets you quickly identify files containing a particular string within a folder, which speeds up malware analysis and investigation. Keep in mind that a text search matches the bytes of the string in the code page the search uses, so a string that the sample stores as a wide (UTF-16) string may not be found by a plain ASCII search.
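As an added example (my own code, not part of the original post, and not a feature of Far Manager), here is the same search done as a script: walk a folder, apply a file mask, and report every file and offset where the string occurs, checking both the ASCII form and the UTF-16LE form in which Windows samples usually keep strings, with optional case folding. The sample tree it searches is constructed in a temporary directory; the files are not malware, just bytes that contain the string in different encodings and cases.

```python
import os
import tempfile

# Constructed sample tree: four files, three of which carry the string in
# different forms (ASCII, UTF-16LE, different case). Not real samples.
SAMPLE_FILES = {
    "a/dropper.bin": b"MZ\x90\x00" + b"\x00" * 16 + b"cmd.exe /c del %s" + b"\x00" * 8,
    "a/loader.dll": b"MZ\x90\x00" + "cmd.exe /c".encode("utf-16-le") + b"\x00" * 8,
    "b/readme.txt": b"nothing to see here\n",
    "b/notes.txt": b"CMD.EXE /C whoami",
}


def make_sample_root():
    """Write the constructed files under a fresh temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="farsearch-")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def find_string(path, needle, ignore_case=True):
    """Return [(encoding, offset)] for every occurrence of needle in the file,
    as ASCII and as UTF-16LE. bytes.lower() only folds A-Z, and in UTF-16LE the
    ASCII letters sit in the low byte, so folding the raw bytes works for both."""
    with open(path, "rb") as fh:
        data = fh.read()
    if ignore_case:
        data, needle = data.lower(), needle.lower()
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        pattern = needle.encode(codec)
        idx = data.find(pattern)
        while idx != -1:
            hits.append((label, idx))
            idx = data.find(pattern, idx + 1)
    return hits


def search_tree(root, needle, ignore_case=True, masks=(".bin", ".dll", ".exe", ".txt")):
    """Walk root recursively (like 'search in subfolders'), apply the file mask,
    and map each matching file (relative path) to its hit list."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if masks and not name.lower().endswith(masks):
                continue
            path = os.path.join(dirpath, name)
            hits = find_string(path, needle, ignore_case)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


if __name__ == "__main__":
    root = make_sample_root()
    for rel, hits in sorted(search_tree(root, "cmd.exe /c").items()):
        print(rel, ", ".join(f"{enc}@0x{off:x}" for enc, off in hits))
```

Point `search_tree` at a real folder to use it; the offsets it prints are file offsets, the same ones the hex viewer shows.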


Post by

newWorld

Monday, December 5, 2022

Malware Disassembling - An Art!!!

Malware Analysis

 Malware analysis is an art performed by an artist called a malware analyst or malware researcher. Malware analysis has two main branches, static analysis and dynamic analysis. In this article we explain malware disassembling and the steps involved.


Malware Disassembling

Disassembling malware is a complex process that should be performed in an isolated analysis environment, by someone with experience in cybersecurity. Here are the general steps:

  • Obtain a copy of the malware: To disassemble malware you first need a sample. It can come from a malware repository or sandbox, or be acquired from an infected device; either way, handle it only inside an isolated analysis VM.
  • Use a disassembler tool: Various disassemblers can be used, for example IDA Pro, Ghidra and Radare2. OllyDbg and x64dbg are debuggers with a disassembly view; they are used alongside a disassembler for the dynamic side of the analysis.
  • Load the malware into the disassembler: Once the tool is installed, load the sample into it.
  • Analyze the disassembled code: The disassembler displays the malware's code in a form that is easier to read and understand. Carefully analyze the code to identify its functions and behaviour.
  • Reverse engineer the malware: To understand how the malware works you may need to reverse engineer it. This means analyzing the code and identifying the different components of the malware, such as its payload, its command and control servers and any other components involved in its operation.
  • Create a report: Once the analysis is complete, write a report that documents the findings. The report helps others understand the malware's behaviour and supports the development of countermeasures against it.

Conclusion

It is important to note that disassembling malware is a complex and time-consuming process. It requires a deep understanding of cybersecurity and the ability to read and understand code. As such, it is not recommended that inexperienced individuals attempt to disassemble malware.

Tuesday, February 21, 2017

Malicious IP analysis

We do not yet know whether the following IP address is malicious: 103.224.212(.)222
How do we proceed with the analysis?
Possible approach: search for it in VirusTotal.
No engine flagged it.
VT link: https://www.virustotal.com/en/url/8982272eaf4d679b32716bcbef0d86183e251e4abd49b16547d800d93e42d7c7/analysis/1487660842/
Detection: 0/65.
Additional info:
Quttera: https://quttera.com/sitescan/103.224.212.222
Sucuri: https://sitecheck.sucuri.net/results/103.224.212.222



Possible approach: try IPVoid or URLVoid.
In this case IPVoid is the right option since we are dealing with an IP address. Three blacklists list it.

IP Address Information

Analysis Date: 2017-02-21 03:53:30
Blacklist Status: BLACKLISTED 3/83
IP Address: 103.224.212.222
Reverse DNS: lb-212-222.above.com
ASN: AS133618
ASN Owner: Trellian Pty. Limited
ISP: Trellian Pty. Limited
Continent: Oceania
Country Code: (AU) Australia
Latitude / Longitude: -33.494 / 143.2104
City: Unknown
Region: Unknown





Possible approach: search in ThreatCrowd.
Now we find plenty of data, and it links the IP to two malicious files.
ThreatCrowd link: https://www.threatcrowd.org/ip.php?ip=103.224.212.222
First file: https://www.threatcrowd.org/malware.php?md5=c98dc3be0c7fa850ad1a3161c3f8014a
MD5: c98dc3be0c7fa850ad1a3161c3f8014a
Filename: _b4c61441.tmp
VT link: https://www.virustotal.com/en/file/f42542c789a3d02513b0b031ab6ed1c7e5d0a476ea3e8c0b58e3a5c947a8867d/analysis/
Detected as a potentially unwanted application / adware.


Second file: https://www.threatcrowd.org/malware.php?md5=e8e956637f36a97f251746016be22c30
MD5: e8e956637f36a97f251746016be22c30
Filename: diaiomjykaxu.exe
VT link: https://www.virustotal.com/en/file/56f64a3d7bb651b2f70b690e06be05ceab2a74eb147a12e13641b82eb0b5a5c3/analysis/
Detected as ransomware: Locky / TeslaCrypt filedecoder.
Another possible approach is a simple Google search.
We found the following URL-
It says that the IP belongs to Locky ransomware.


Recommendation


It is advised to block this IP address at the firewall and to add it to a blacklist for future verification. If you find this IP address in your network logs (any connection established with it), there is a high chance of a ransomware infection in the network; check the connecting hosts for the two files above (by MD5) and related artefacts, and follow the general recommendations for a ransomware infection.


We will see the analysis of those two files in the future post.


Post created by
newWorld
