Malware Behaviour Analysis — 101

Malicious software is the simplest definition of malware. Once malware has penetrated your system environment, you expect bad things to happen. Once on the system, typical malware performs two fundamental functions: it installs itself, and it carries out its malicious activity. Malware does not need to ask the user for permission to install itself; instead, it modifies the system directly.

The most important thing malware does once installed is establish persistence.

First, let's see how malware is delivered.

Malware Delivery

1. Email

Malware delivered by email requires the recipient to open the file attachment, and the email is written to entice them to do so. Email spam is the term for these unwanted emails sent to many addresses at once. They typically feature a subject line and message body that use social engineering to draw the recipient's attention and persuade them to open and run the attachment.

2. Instant messenger

This is spam delivered through instant messaging services such as Facebook, Skype, and Yahoo Messenger; the term SPIM (spam over instant messaging) covers these. It also applies to messages sent via Twitter, Facebook, and other social networking sites, whether public or private. The messages often link to a compromised website that hosts malware or spyware, or deliver the malware directly through the service's file transfer feature. These platforms now have back-end controls in place to reduce SPIM, but there have still been instances of malware spreading over instant messaging as of this writing.

3. Network

Computers on a LAN (Local Area Network) or WAN (Wide Area Network) share files with one another, which makes file-sharing mechanisms such as network shares a delivery vector. Malware can attempt to copy itself onto every share it can write to. The infection, however, is dependent on the remote user using the

4. Media storage

Malware can also be carried on external storage devices, including USB thumb drives, CDs, DVDs, external hard drives, and even smartphones. Once attached to a computer, a storage device functions as a standard drive, and malware can simply drop copies of itself onto it. Like network worms, these removable-media worms rely on the user to run the dropped file. However, if Windows AutoRun is enabled, the malware may run automatically as soon as the drive is mounted; note that since the 2011 AutoRun update Windows no longer honours autorun.inf on USB mass storage, only on optical media, so this path is far less effective than it once was.

Other distributed software that may carry malware or adware includes hacking tools, pirated software, key generators (keygens), and pirated media files. For instance, the setup file of an unlicensed software installer may download and install malware in the background without the user's knowledge.

Payload — the evil within

The attacker creates malware for a specific reason. Usually the goal is to harm the victim, whether out of spite, for amusement, for financial gain, or for political motives. These common malware payloads have been observed in the wild:

  • Encrypting files for ransom
  • Deleting all files and formatting drives
  • Gaining full access to the system and the network
  • Stealing accounts and passwords
  • Stealing documents, images, and videos
  • Changing specific configuration and settings
  • Turning the computer into a proxy server
  • Installing cryptocoin miners
  • Continuously opening websites — ad or porn sites
  • Installing more malware
  • Installing adware

Persistence

Making itself resident on the system is one of the modifications malware performs. Malware persistence refers to the malware's ability to keep running in the background and to come back after a reboot or logoff. Malware could, for instance, be run at a specific time of day through a scheduled task, or immediately after the system boots or a user logs in. The most popular way of achieving persistence is to leave a copy of itself in a system folder and create a registry entry that points to it. The registry locations most often abused are listed below.

1. Run keys

Entering a file path in the registry data under one of these keys triggers execution when Windows starts (for HKEY_LOCAL_MACHINE) or when that user logs in (for the matching keys under HKEY_CURRENT_USER). The HKEY_LOCAL_MACHINE keys are listed below; the Wow6432Node key is the 32-bit view of the Run key on 64-bit Windows, and RunServices/RunServicesOnce date from Windows 9x/Me and are not processed by current versions, but they are still worth checking:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

2. Load and Run values

The following registry values, under their respective registry key, trigger execution when the user who owns the hive logs in (HKEY_CURRENT_USER is per-user, so every user's hive must be checked):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Load = [executable file]
- Run = [executable file]

3. Startup values

The Startup registry value contains the path to a folder whose files are executed after the user has logged in. It lives under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders (the machine-wide equivalent is the Common Startup value under the HKEY_LOCAL_MACHINE key of the same name). The default folder location is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Malware either drops a file into that folder or repoints the value at a folder of its own, so both the value and the folder contents need checking.

4. The Image File Execution Options key

A file path set in the Debugger value of an Image File Execution Options (IFEO) entry is run whenever the named process is started through the CreateProcess API: Windows launches the Debugger program instead and passes the original command line to it as an argument.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Process Name]
- Debugger = [executable file]
- [Process Name] is the filename of the executable being launched (for example sethc.exe), not a full path
- The Debugger program runs in place of [Process Name] every time it is launched, whether or not any debugging is going on, so malware using this technique usually re-launches the original executable to avoid breaking it
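The four registry locations above are the ones an analyst checks first on a suspect host, and during forensics they are usually checked against an exported copy of the hives rather than live. The following Python script is an added example, not code from the original article: it parses a constructed `reg export` style text (the user name, paths and value names are made up for the example) and flags entries under the Run keys, the Load/Run values, the Startup folder redirect and IFEO Debugger values that point at user-writable locations or that are rarely set legitimately. It only reads plain `"name"="string"` lines; REG_EXPAND_SZ values, which `reg export` writes as hex(2), are skipped, which is a simplification of the real format.

```python
import re

# Constructed sample in the format written by `reg export` / Regedit (REGEDIT5).
# It is NOT from a real machine: user name, paths and value names are made up
# to give one entry per persistence location discussed in the text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"WinUpdater"="C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"vmtoolsd"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\bob\\AppData\\Local\\Temp\\ld.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\\ProgramData\\sys\\boot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with backslash escapes; hex(2)/dword/@= lines deliberately do not match.
VALUE_RE = re.compile(r'^"((?:\\.|[^"\\])+)"="((?:\\.|[^"\\])*)"$')

RUN_KEY_RE = re.compile(
    r'\\Microsoft\\Windows\\CurrentVersion\\'
    r'(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce|Policies\\Explorer\\Run)$', re.I)
LOAD_RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows NT\\CurrentVersion\\Windows$', re.I)
SHELL_FOLDERS_RE = re.compile(r'\\Explorer\\(?:User )?Shell Folders$', re.I)
IFEO_RE = re.compile(r'\\Image File Execution Options\\([^\\]+)$', re.I)

# Default Startup folders; anything else means the folder was repointed.
DEFAULT_STARTUP = {
    'startup': r'%appdata%\microsoft\windows\start menu\programs\startup',
    'common startup': r'%programdata%\microsoft\windows\start menu\programs\startup',
}
# Directories a normal user can write to; legitimate autostarts rarely live there.
WRITABLE_DIRS = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\', '\\downloads\\')


def unescape(s):
    """Undo REGEDIT5 escaping: \\\\ -> \\ and \\" -> " (single pass)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse REGEDIT5 text into {key_path: {value_name: string_data}}.
    Simplification (assumption of this example): only "name"="string" lines
    are read; hex(2) REG_EXPAND_SZ, dword and the default value (@=) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def classify(key, name, value):
    """Return (mechanism, reasons) for one value, or (None, []) if it is not
    one of the four persistence locations. Reasons are heuristic, not proof."""
    reasons, lname = [], name.lower()
    ifeo = IFEO_RE.search(key)
    if RUN_KEY_RE.search(key):
        mechanism = 'Run key'
    elif LOAD_RUN_KEY_RE.search(key) and lname in ('load', 'run'):
        mechanism = f'{name} value'
        reasons.append('Load/Run values under Windows NT\\CurrentVersion\\Windows are rarely legitimate')
    elif SHELL_FOLDERS_RE.search(key) and lname in DEFAULT_STARTUP:
        mechanism = 'Startup folder'
        if value.lower().rstrip('\\') != DEFAULT_STARTUP[lname]:
            reasons.append('Startup folder repointed away from its default location')
    elif ifeo and lname == 'debugger':
        mechanism = 'IFEO Debugger'
        reasons.append(f'{ifeo.group(1)} will start {value} instead of itself on every launch')
    else:
        return None, reasons
    if any(d in value.lower() for d in WRITABLE_DIRS):
        reasons.append('executable in a user-writable location')
    return mechanism, reasons


def audit(reg_text):
    """Every autostart entry found, each with its (possibly empty) list of reasons."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        for name, value in values.items():
            mechanism, reasons = classify(key, name, value)
            if mechanism:
                findings.append({'mechanism': mechanism, 'key': key, 'name': name,
                                 'value': value, 'reasons': reasons})
    return findings


def suspicious(reg_text):
    """Only the entries that tripped at least one heuristic."""
    return [f for f in audit(reg_text) if f['reasons']]


if __name__ == '__main__':
    for f in suspicious(SAMPLE_REG):
        print(f"[{f['mechanism']}] {f['key']} :: {f['name']} = {f['value']}")
        for r in f['reasons']:
            print(f'    - {r}')
```

On the sample, the Microsoft and VMware Run entries pass quietly while the AppData-hosted "svchost.exe", the Load value in %TEMP%, the repointed Startup folder and the sethc.exe Debugger hijack are reported. On a real export, run it over both HKEY_LOCAL_MACHINE and every user's HKEY_CURRENT_USER hive, and treat the output as a triage list to verify with Autoruns and file hashes, not as a verdict.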

Tools

1. Autoruns (Sysinternals): enumerates every autostart location, including all the registry keys above
2. PeStudio: static triage of PE files (imports, strings, indicators)
3. Fiddler: HTTP/HTTPS debugging proxy for watching the sample's web traffic
4. Ghidra: disassembler and decompiler
5. Process Hacker: process, handle and memory viewer
6. Radare2: reverse engineering framework
7. Cutter: GUI front-end for radare2/Rizin
8. Wireshark: packet capture and protocol analysis
9. ProcDOT: visualises ProcMon logs together with packet captures
10. ProcMon (Sysinternals Process Monitor): live file, registry and process activity
