---
layout: default
permalink: /RE101/section2.1/
title: Malware Techniques
---

Go Back to Reverse Engineering Malware 101

Section 2.1: Malware Techniques

The malware classes may exhibit one or more of the following techniques. The MITRE ATT&CK framework provides a great reference for many of these techniques.

Techniques Overview


Compression

Goto Top^


Obfuscation

  • The deliberate act of creating code that is difficult for humans to understand
  • Plain-text strings appear as Base64 or XOR-encoded data
  • Malicious code may include junk functions or routines that do nothing, to throw off the reverser
    • Control-flow flattening
    • String encryption
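As an added illustration of the string obfuscation described above (example code written for this page, not part of the original course material), the script below recovers hidden strings the way an analyst would: it decodes long Base64 runs and brute-forces every single-byte XOR key, keeping only decoded runs that were not already visible in the raw bytes and that contain an expected artifact. The sample blob, the key 0x5A and the keyword list are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re

# Constructed sample blob (not from any real sample): junk bytes around a
# Base64-encoded C2 URL and a single-byte-XOR (key 0x5A) encoded registry path.
XOR_KEY = 0x5A
_PLAIN_REG = b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_BLOB = (
    b"\x00\x01\xff"
    + base64.b64encode(b"http://c2.example.invalid/gate.php")
    + b"\xff\x90\x90"
    + bytes(c ^ XOR_KEY for c in _PLAIN_REG)
    + b"\xff\x13"
)

_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Artifacts an analyst expects to see once strings are decoded (assumed list).
KEYWORDS = (b"Software\\", b"http://", b"https://", b".exe", b".dll")


def _printable(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def find_base64_strings(blob: bytes) -> list:
    """Decode every long Base64-looking run that yields printable ASCII."""
    found = []
    for m in _B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (wrong length/padding); skip it
        if _printable(decoded):
            found.append(decoded.decode("ascii"))
    return found


def find_xor_strings(blob: bytes, min_len: int = 8) -> list:
    """Try every single-byte key; keep printable runs that were not already
    printable in the raw blob and that contain an expected artifact."""
    run_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for m in run_re.finditer(decoded):
            if _printable(blob[m.start():m.end()]):
                continue  # already visible to `strings`; not XOR-hidden
            if any(k in m.group(0) for k in KEYWORDS):
                hits.append((key, m.group(0).decode("ascii")))
    return hits


if __name__ == "__main__":
    print("base64:", find_base64_strings(SAMPLE_BLOB))
    print("xor   :", find_xor_strings(SAMPLE_BLOB))
```

On a real dump the keyword filter is what keeps the 255-key brute force from drowning you in printable garbage; widen it with artifacts you already know from the sample's behaviour.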


Example Malware

| Name | Hash | Link |
|---|---|---|
| EXTRAC32.EXE | f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051 | virustotal |

Goto Top^


Persistence

  • Once malware gains access to a system, it often looks to be there for a long time.
  • If the persistence mechanism is unique enough, it can even serve as a great way to identify a given piece of malware.


Example: DLL Search Order Hijacking

Example Malware

| Name | Hash | Link |
|---|---|---|
| Banker Trojan | cb07ec66c37f43512f140cd470912281f12d1bc9297e59c96134063f963d07ff | virustotal |

Goto Top^


Privilege Escalation

  • Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
  • Common Techniques:
    • DLL Search Order Hijacking
    • DLL Injection
    • Exploiting a vulnerability
      • Buffer Overflow
      • Stack Overflow
      • Heap Spray
      • Return-Oriented Programming (ROP)
    • Credential Theft
    • UAC Bypasses

Goto Top^


Defense Evasion

  • Evading detection or avoiding defenses.
  • Common Techniques:
    • Killing AV
    • Deleting itself after a run
    • Timebombs/Timestomping
    • Stolen Certificates
    • DLL Side-Loading
    • Masquerading
    • Process Hollowing
    • Code Injection

Example Malware

| Name | Hash | Link |
|---|---|---|
| darkcomet backdoor | 1be0ca062facda59239cc5621d0a3807a84ed7d39377041489b09d3870958fee | virustotal |

Goto Top^


Credential Theft

  • Going after password storage
  • Keylogging passwords
  • Screenshots

Example: Mimikatz credential theft

Example Malware

| Name | Hash | Link |
|---|---|---|
| mimikatz | b4d7bfcfb8f85c4d2fb8cb33c1d6380e5b7501e492edf3787adee42e29e0bb25 | virustotal |

Goto Top^


Reconnaissance

  • Gain knowledge about the system and internal network.

Goto Top^


Lateral Movement

  • Enable an adversary to access and control remote systems on a network and could

Example Malware

| Name | Hash | Link |
|---|---|---|
| winmail.dat^QGIS-KOMIT .zip^QGIS-KOMIT .exe | c0f38384dd6c1536a0e19100b8d82759e240d58ed6ba50b433e892e02e819ebb | virustotal |

Goto Top^


Execution

  • Techniques that result in execution of adversary-controlled code on a local or remote system
  • Scripts
  • Post-exploitation

Goto Top^


Collection

  • Identify and gather information, such as sensitive files, from a target network prior to exfiltration

Example Malware

| Name | Hash | Link |
|---|---|---|
| keylogger | 5d5c01d72216410767d089a3aabddf7fdbe3b88aff3b51b6d32280c3439038fa | virustotal |

Goto Top^


Exfiltration

  • Removing files and information

Goto Top^


Command and Control

  • Techniques the adversary uses to communicate with systems under their control

Example Malware

| Name | Hash | Link |
|---|---|---|
| backdoor | 02fc2d262cb0d5e9d3e8202ea69013c5c8cc197685c73c0689cbeb243d508e76 | virustotal |

Goto Top^

Malware Classes <- Back | Next -> Section 3