7 - Malware

Module 07 - Malware

What is a Malware?

Malware is a broad term that stands for "malicious software." It refers to any software specifically created with the intent to cause harm to computer systems, networks, or users. Malware can take various forms and can cause a wide range of problems, including data theft, system damage, unauthorized access, and more. Some common types of malware include:

Viruses: Viruses attach themselves to legitimate programs and spread when these programs are executed. They can cause damage to files, steal data, or take control of a system.
Worms: Worms are self-replicating programs that can spread across networks or the internet without user interaction. They can cause network congestion and exploit vulnerabilities.
Trojans: Trojans, short for "Trojan Horses," are deceptive programs that appear benign but have malicious functions. They often trick users into executing them.
Ransomware: Ransomware encrypts a user's data and demands a ransom in exchange for the decryption key. It can lead to data loss or financial extortion.
Spyware: Spyware monitors a user's activities without their knowledge and collects information like passwords, browsing habits, and personal data, which can be sent to a third party.
Adware: Adware displays unwanted advertisements and can redirect web traffic to generate revenue for the malware creator.
Rootkits: Rootkits hide themselves within a system and provide unauthorized access to the attacker. They can be challenging to detect and remove.
Keyloggers: Keyloggers record keystrokes on a computer, potentially capturing sensitive information such as passwords and credit card numbers.
Botnets: Botnets are networks of compromised computers, or "bots," controlled by a central server. They are often used to perform large-scale coordinated attacks, such as Distributed Denial of Service (DDoS) attacks.
Fileless Malware: Fileless malware operates in memory, making it harder to detect as it doesn't leave traces on a computer's hard drive.

Static Analysis

Header Inspection: Examine the headers of the executable file. Common executable file formats include PE (Portable Executable) for Windows and ELF (Executable and Linkable Format) for Linux.
Disassembly: Disassemble the binary code using a disassembler like IDA Pro, Ghidra, or Radare2. These tools can assist in navigating the assembly code and pinpointing the entry point.

Dynamic Analysis

Debugging: Utilize a debugger such as OllyDbg, WinDbg, or GDB to execute the executable in a controlled environment. Set breakpoints and step through the code until you reach the entry point.
Monitoring Tools: Employ tools like Process Monitor (ProcMon) on Windows or strace on Linux to track system calls and determine when the executable is loaded and begins execution.

Strings and Signatures

String Analysis: Search for strings within the executable that may provide clues to the entry point. Some malware authors leave identifiable strings.
Signature-Based Detection: Utilize antivirus or anti-malware tools with signature databases to recognize known malware and their respective entry points.

Code Emulation and Analysis

Sandboxing: Execute the executable in a controlled environment, commonly referred to as a sandbox, and observe its behavior. Analyze the resulting logs or outputs for indications of the entry point.

Identify malware entry point address

Detect it easy

Execute Detect it easy client tool
Upload malware executable
Click to File info
See entry point address

or using PEiD or PE Explorer tools

Retrieve file connecting to RAT installed into victim machine

ProRat

Execute ProRat
Set victim IP and relative port 5110
Click to connect and search files.

Theef

Execute Theef
Set victim IP and relative ports to 6703 and 2968 (or custom port)
Click to connect and open file manger.

NjRat

Execute NjRat
Insert IP and Port
Click on manager and open directory

Others possible ports can be: 5552, 9871, 6703.

HTTP RAT TROJAN

Web server trojan which allows access to victim’s machine via a web browser
Run httprat.exe
Disable the notification option.
Set server port 84. And create the httpserver.exe
Run this httpserver.exe on the victim machine.
Browser victim’s IP from attacker’s machine to gain web access to the victim
You can view processes, system info, view drives and directories

MoSucker GUI Trojan

Created in visual basic, can be set up to auto load on the victim machine, allows to perform many actions

Go to MoSucker Folder
Run CreateServer.exe.
Leave default settings. Press OK. Save filename as server.exe
Now MoSucker 3.0 Edit server window opens. Remember server Port 4288.
Select Keylogger option and Enable off-line keylogger.
Open MoSucker.exe and enter victim IP and port in given tabs.
On the window machine execute the server.exe file and you will get an error. Ignore the error.
On the attacker machine click on connect on the MoSucker.exe windows and you will be connected to the victim machine.
Start Live Capture to remotely view the machine

njRAT Tool :

open njRat v0.7.exe
check port no : 5552
click start
click on Builder
enter host ip ( attacker ip)
check checkBox - Copy To startup & Registry startup
click build

Other Tools

Cuckoo Sandbox: An open-source automated malware analysis system.
FireEye: A platform for detecting, preventing, and resolving advanced malware.
Joe Sandbox: A malware analysis platform that provides both static and dynamic analysis.
OllyDbg: A 32-bit assembler level analyzing debugger for Microsoft Windows.
IDA Pro: A multi-processor disassembler and debugger for Windows, Linux, and macOS.
Ghidra: A software reverse engineering framework developed by the NSA.
Radare2: A portable reversing framework that supports a wide range of architectures.
Process Monitor: A monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
Wireshark: A network protocol analyzer that lets you capture and interactively browse network traffic.
YARA: A tool for identifying and classifying malware based on patterns.
Volatility: A memory forensics framework for incident response and malware analysis.
The Sleuth Kit: A collection of command-line tools for digital investigation and analysis.
Autopsy: A digital forensics platform that provides a graphical interface for The Sleuth Kit.
Mandiant Redline: A free tool for host investigations and memory analysis.
Regshot: A utility that takes a snapshot of your system's registry and compares it to a second one.
PEiD: A tool that can detect the compiler/packer/cryptor of PE executables.
PEview: A lightweight and portable tool for viewing PE files.
PEStudio: A free tool that performs malware assessments on executable files.
Dependency Walker: A utility that scans any 32-bit or 64-bit Windows module and builds a hierarchical tree diagram of all dependent modules.
VirusTotal: A service that analyzes suspicious files and URLs to detect malware.

Additional Resources

Previous6 - System Hacking Next8 - Sniffing

Last updated 10 months ago

HTTP RAT TROJAN

Web server trojan which allows access to victim’s machine via a web browser

Run httprat.exe

Disable the notification option.

Set server port 84. And create the httpserver.exe

Run this httpserver.exe on the victim machine.

Browser victim’s IP from attacker’s machine to gain web access to the victim

You can view processes, system info, view drives and directories

MoSucker GUI Trojan

Created in visual basic, can be set up to auto load on the victim machine, allows to perform many actions

Go to MoSucker Folder

Run CreateServer.exe.

Leave default settings. Press OK. Save filename as server.exe

Now MoSucker 3.0 Edit server window opens. Remember server Port 4288.

Select Keylogger option and Enable off-line keylogger.

Open MoSucker.exe and enter victim IP and port in given tabs.

On the window machine execute the server.exe file and you will get an error. Ignore the error.

On the attacker machine click on connect on the MoSucker.exe windows and you will be connected to the victim machine.

Start Live Capture to remotely view the machine

Other Tools

Cuckoo Sandbox: An open-source automated malware analysis system.

FireEye: A platform for detecting, preventing, and resolving advanced malware.

Joe Sandbox: A malware analysis platform that provides both static and dynamic analysis.

OllyDbg: A 32-bit assembler level analyzing debugger for Microsoft Windows.

IDA Pro: A multi-processor disassembler and debugger for Windows, Linux, and macOS.

Ghidra: A software reverse engineering framework developed by the NSA.

Radare2: A portable reversing framework that supports a wide range of architectures.

Process Monitor: A monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.

Wireshark: A network protocol analyzer that lets you capture and interactively browse network traffic.

YARA: A tool for identifying and classifying malware based on patterns.

Volatility: A memory forensics framework for incident response and malware analysis.

The Sleuth Kit: A collection of command-line tools for digital investigation and analysis.

Autopsy: A digital forensics platform that provides a graphical interface for The Sleuth Kit.

Mandiant Redline: A free tool for host investigations and memory analysis.

Regshot: A utility that takes a snapshot of your system's registry and compares it to a second one.

PEiD: A tool that can detect the compiler/packer/cryptor of PE executables.

PEview: A lightweight and portable tool for viewing PE files.

PEStudio: A free tool that performs malware assessments on executable files.

Dependency Walker: A utility that scans any 32-bit or 64-bit Windows module and builds a hierarchical tree diagram of all dependent modules.

VirusTotal: A service that analyzes suspicious files and URLs to detect malware.