Advanced Static Malware Analysis

I would like to share some of my notes on advanced static malware analysis from what I learned in the PMAT (Practical Malware Analysis & Triage) course from TCM Security.

If you missed my notes on basic static malware analysis, you can find them here: https://www.dhirubhai.net/pulse/basic-static-malware-analysis-yusuf-amr/?trackingId=VPQaQHSOSImQBWPAhMCVIA%3D%3D

Introduction

In this article, we will focus on advanced static malware analysis of Windows portable executables. Suppose we have malware.exe and we want to get at its source code. To do this we reverse engineer the executable to produce something that looks very close to the original source code; that is advanced static analysis.

When we want to create a program, we write it in a high level programming language such as C++ or C#. Afterwards, for the program to run, it is compiled down to a low level language until it reaches the zeroes and ones that the computer hardware can understand. In advanced static analysis, we follow this flow in the opposite direction. We look at the lowest possible level of language, which is Assembly, and fortunately Assembly is a human-readable CPU instruction set.

Malware authors write their malware in a high level language, and we try to decompile the program to learn how it was written and its logical execution flow.

What is great about Assembly is that there are no hidden layers where somebody could hide something, so it is the absolute truth of what is going on in the operating system when the program is called.

We can view the Assembly code through a tool called "Cutter". What is special about Cutter is its graph feature, which gives a clear view of what is going on: where the program will jump, how it moves data, and which memory and register locations it touches.

The Assembly

To illustrate Assembly we need to define three main concepts: x86 CPU instructions, memory registers, and the stack.

These are the most common CPU instructions:

  • mov: moves data from one place to another while the program is running.
  • jmp: jumps to another location in the program, depending on a condition.
  • push: works on the stack; it places a value on top of the stack.
  • pop: works on the stack; it takes the value off the top of the stack.
  • call: calls a function.
  • ret: returns from a function.

Let's talk about the stack. It is a region of memory set aside for the program. We refer to a location in it by an address written in three parts:

  1. A zero
  2. The letter x
  3. A hexadecimal number

So the top location in the stack is 0xffffffff and the lowest location is 0x00000000.

An important thing to know about the stack is that it is LIFO (Last In, First Out).

The last concept is the memory registers. The common registers are:

  • eax → extended accumulator register
  • edx → extended data register
  • ebx → extended base register
  • esp → extended stack pointer
  • ebp → extended base pointer

These registers are used for temporary data storage and memory access.

Example

Here's an example of a malware sample loaded into Cutter so that we can see the Assembly.


Code Explanation:

NOTE: in an instruction such as "mov ebp, esp", mov is the operation, ebp is the destination and esp is the source.

  • First, we look at the main function, which is the root of the program, and we notice that it takes three arguments.

  • Next, let's look at the call branch. It is another function called from main. Moving the value of the stack pointer into the new base pointer is a common pattern at the start of a called function.

  • Then we have five push instructions: five values are pushed onto the stack. Let's read them from bottom to top. The code calls an API to access the internet (InternetOpenW). To do that it needs a user agent, which identifies the browser, so it pushes "Mozilla". The remaining arguments are 0.

  • Finally, we push some strings onto the stack. One of them is a path under C:\Users\Public\Documents followed by the name of the executable that is downloaded from the URL; the second argument is the place it is downloaded from. So we can conclude that the program downloads something from a URL. Lastly it tests some contents and, depending on this condition, takes a conditional jump ("jump if not equal") to another location.

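As an added example (not code from the article or the PMAT course), here is a small Python simulator for the concepts above: the mov/jmp/push/pop/call/ret instructions, the eax/ebx/edx/esp/ebp registers, a LIFO stack that grows downward from high addresses, and the bottom-to-top reading of a run of push instructions to recover the arguments of the InternetOpenW call. It goes slightly beyond the walkthrough by also modelling the test and "jump if not equal" step, so you can see why a zero handle from InternetOpenW skips the download. The listing, the string addresses (str_Mozilla, str_url, str_path), the starting esp value and the DownloadStub routine are constructed assumptions; only InternetOpenW's five-argument stdcall signature is the real one.

```python
STACK_TOP = 0x0019FF00      # assumed starting esp; on x86 the stack grows toward 0x00000000
SENTINEL_RET = 0xDEADBEEF   # assumed return address of our pretend caller

# Constructed stand-ins for the string addresses a real sample would reference.
SYMBOLS = {"str_Mozilla": 0x00403000, "str_url": 0x00403020, "str_path": 0x00403060}

# (argument count, return value) per callee.  InternetOpenW is the real API the
# article names; DownloadStub is a hypothetical placeholder for the download routine.
API_TABLE = {"InternetOpenW": (5, 0x00CC0004), "DownloadStub": (2, 0)}
# Constructed listing in the shape of the article's walkthrough (not the real sample).
LISTING = [
    "push ebp",
    "mov ebp, esp",         # prologue: the base pointer now marks this frame
    "push 0",               # dwFlags          (pushed first, becomes the last argument)
    "push 0",               # lpszProxyBypass
    "push 0",               # lpszProxy
    "push 0",               # dwAccessType
    "push str_Mozilla",     # lpszAgent        (pushed last, becomes the first argument)
    "call InternetOpenW",
    "test eax, eax",        # a zero handle means the call failed
    "jne download",         # only download if we got a handle
    "jmp done",
    "download:",
    "push str_path",        # second argument: where the file is written
    "push str_url",         # first argument: where it is downloaded from
    "call DownloadStub",
    "done:",
    "pop ebp",
    "ret",
]

class Cpu:
    def __init__(self):
        self.regs = {"eax": 0, "ebx": 0, "edx": 0, "esp": STACK_TOP, "ebp": 0}
        self.stack = {}     # address -> 32-bit value; only the stack is modelled
        self.zf = False     # zero flag, set by test
        self.calls = []     # (callee, [arguments in source order]) per call

    def push(self, value):
        self.regs["esp"] -= 4                       # newest value at the lowest address
        self.stack[self.regs["esp"]] = value & 0xFFFFFFFF

    def pop(self):
        value = self.stack.pop(self.regs["esp"])    # LIFO: whatever was pushed last
        self.regs["esp"] += 4
        return value

    def value(self, operand):
        known = {**SYMBOLS, **self.regs}            # register or symbol, else an immediate
        return known[operand] if operand in known else int(operand, 0)

def run(listing, api_table=API_TABLE):
    cpu = Cpu()
    labels = {line[:-1]: i for i, line in enumerate(listing) if line.endswith(":")}
    cpu.push(SENTINEL_RET)                          # as if someone had called us
    pc = 0
    while pc < len(listing):
        line = listing[pc]
        pc += 1
        if line.endswith(":"):                      # labels are not executed
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op == "mov":
            cpu.regs[args[0]] = cpu.value(args[1])
        elif op == "push":
            cpu.push(cpu.value(args[0]))
        elif op == "pop":
            cpu.regs[args[0]] = cpu.pop()
        elif op == "test":
            cpu.zf = (cpu.value(args[0]) & cpu.value(args[1])) == 0
        elif op == "jmp":
            pc = labels[args[0]]
        elif op in ("je", "jne"):                   # conditional jump on the zero flag
            if cpu.zf == (op == "je"):
                pc = labels[args[0]]
        elif op == "call":
            argc, retval = api_table[args[0]]
            # First parameter at [esp], next at [esp+4], ...: bottom-to-top push order.
            params = [cpu.stack[cpu.regs["esp"] + 4 * i] for i in range(argc)]
            cpu.calls.append((args[0], params))
            for _ in range(argc):                   # stdcall: the callee removes its arguments
                cpu.pop()
            cpu.regs["eax"] = retval                # the return value travels in eax
        elif op == "ret":
            if cpu.pop() == SENTINEL_RET:
                break
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return cpu

def describe_calls(cpu):
    # Render each reconstructed call as a C-style prototype.
    names = {addr: name for name, addr in SYMBOLS.items()}
    return [f"{callee}({', '.join(names.get(p, hex(p) if p else '0') for p in params)})"
            for callee, params in cpu.calls]

if __name__ == "__main__":
    print("\n".join(describe_calls(run(LISTING))))
```

Running it prints InternetOpenW(str_Mozilla, 0, 0, 0, 0) followed by DownloadStub(str_url, str_path): the value pushed last ("Mozilla") is the first parameter, which is exactly why the walkthrough reads the pushes from bottom to top. Swapping InternetOpenW's return value for 0 in API_TABLE makes test set the zero flag, the jne is not taken, and the download call never happens, while esp still returns to its starting value because each callee removes its own arguments.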
Comments

salah amr, Sr. Marine Pilot SPM & CBM, 2 years ago:

Good job bro
