This document by Luigi Capuzzello provides a comprehensive introduction to malware analysis, detailing essential skills and techniques for analyzing modern malware through both static and dynamic analysis. It covers critical tools for network traffic monitoring, file analysis, and behavioral assessment necessary for understanding malware behavior. The text emphasizes the importance of configuring a malware analysis lab and developing a practical toolkit for effective malware forensics.

1. LUIGI CAPUZZELLO
Cutting out Malware
Integrated malware analysis.
Versione: 1.0
Luigi Capuzzello
11/01/2014
http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
http://www.slideshare.net/luigicapuzzello
@FisherKasparov
luigi.capuzzello
A good introduction to malware analysis, offering detailed coverage of all the essential skills required to
understand the specific challenges presented by modern malware.

2. Introduction.2
Sommario
Introduction..........................................................................................................................................3
What you will learn..........................................................................................................................3
What you should know.....................................................................................................................3
Basic Static Analysis............................................................................................................................3
Hashing: [winMD5free]...................................................................................................................3
String: [strings].................................................................................................................................3
Packed software [PEiD / exeinfope].................................................................................................4
PE Header [Dependency Walker / PEView / Resource Hacker Tool].............................................5
Basic Dynamic Analysis......................................................................................................................7
Monitor malware activity [procmon / regshot / Process Explorer]..................................................7
Go deep into network traffic.............................................................................................................9
So what the hell can we do ?..............................................................................................................11
Summary............................................................................................................................................11
On the Web.........................................................................................................................................11
About the author.................................................................................................................................12
Other Specification.............................................................................................................................12
Luigi Capuzzello

3. Introduction.3
Introduction.
An email arrives in your inbox; it’s your girlfriend Ann. She invites you to see her in a very funny picture. -Click !“But! What? This picture is not really funny, and …she is not Ann”.
Day by day we store more and more confidential information on our computers, from sites account credentials to our
bank account.
Day by day malware becomes more and more silent, they don’t want you to be suspicious, they just want to stay into
your device to do something …that you don’t want.
What you will learn...
-
Configuring a malware analysis lab
Assembling a really toolkit for malware forensics
Performing behavioral analysis of malicious Windows executables
Performing static and dynamic code analysis of malicious Windows executables
-
What is a PE Header
Knowledge about network protocol
Basic knowledge about windows registry and processes
What you should know...
Basic Static Analysis.
Static Analysis describes the process of analyzing the code and the structure of a program to determine its main
feautures.
In this phase of your analysis the program itself is not running; we are just analyzing a file, a sequence of bytes.
We have to find as many information as possible. All the information, even the ones apparently trivial, are actually
extremely important, above all when you go deep into the malware analysis
You can find several tools to implement static analysis but just a few of them are really interesting.
In the next section I will describe all the most juicy tools and I show to you how you can use them.
Hashing: [winMD5free].
First of all it could be a good idea to get the a fingerprint of the malware.
Hashing is a common method used to uniquely identify malware; the Message Digest Algorithm 5 (MD5) and Secure
Hash Algorithm (SHA-1) are the method most commonly used.
For example we can use winMD5Free to get the hash and then we can search for it online.
If the malware is a well known one you will find all about it; if you know what malware is able to do then it can not
hurt you anymore.
This is an example of winMD5Tool; it can calculate MD5 Hash of a particular program
Once you have the identity card of the malware you can use it on google to discover all about it.
String: [strings].
Another method to find some usefull hints about a malware is to get all the strings from the malware
Luigi Capuzzello

4. Introduction.4
Strings program can anlyze a file to extract both ASCII and UNICODE (indeed the windows implementation of unicode
string also well-known as wide character string); this program ignore the context and formatting, it just analyze all the
bytes one by one. Because of this mechanism it could be find characters or strings when they are not.
You can use strings from command line:
E:>strings.exe Lab01-01.exe
Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
!This program cannot be run in DOS mode.
Richm
.text
`.rdata
@.data
_^[
UVWj
@jjj
D$0
_controlfp
_stricmp
kerne132.dll
Kernel32.
Lab01-01.dll
C:WindowsSystem32Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
Error Messages and IP addresses are the most interesting information we can found on a file.
In the above example I have highlighted some important strings
Packed software [PEiD / exeinfope]
Sometime the malware we are analyzing could be packed. This is a problem because the packer hide us a lot of
information, so that static analysis becomes almost useless.
There are many software that could help us to find the packer used. For example:
PEiD: it is a detector for PE (Portable Executable - Exe/Dll) files, similar to an anti-virus except it detects what
a file is, not what it does.
Mostly it detects packer and protector programs like UPX, PECompact, Armadillo etc but has a customisable
database to add your own detections
Be careful because of this has been disconnected from April 2011 and because many PEiD plugins will run the
executable without warning. Despite of this, it is the best tool available for packer detection.
-
exeinfope is another good tool.
Here is an example of PEiD interface
Luigi Capuzzello

5. Introduction.5
PE Header [Dependency Walker / PEView / Resource Hacker
Tool]
PE Header can give us many information about executable behaviuor.
Using Dependency Walker program we can find information about:
dinamically linked functions;
imported dll;
For example in the above image, at pane 3, we can find all the imported function of the kernl32.dll. If we know which
function are used, we can deduce the malware behavior.
There is also a way to import function ‘on the fly’, using some important function:
LoadLibrary
GetProcAddress
LdrGetProcAddress
LdrLoadDll
So if you find this functions, it means that the malware is going to hide you what is its intention. If you want to
understand more in details its behavior you have to debug it (but this is a story that will relate you another time).
As just said, we can find information about the all dll imported into the executable file and each of them can tell us
something.
Dll
Description
Advapi32.dll
This DLL provides access to the Service Manager and Registry.
User32.dll
This DLL contains all the user-interface components, such as buttons, scrollbars, and
components for controlling and responding to user actions.
Gdi32.dll
This DLL contains functions for displaying and manipulating graphics
Kernel32.dll
This is a very common DLL that contains core functionality, such as access and manipulation of
memory, files, and hardware.
Shell32.dll
Tell us that the program can launch other program.
Ntdll.dll
This DLL is the interface to the Windows kernel. Executables generally do not import this file
directly, although it is always imported indirectly by Kernel32.dll. If an executable imports this file,
it means that the author intended to use functionality not normally available to Windows
programs. Some tasks, such as hiding functionality or manipulating processes, will use this
interface.
WSock32.dll - Ws2_32.dll
These are networking DLLs. A program that accesses either of these most
likely connects to a network or performs network-related tasks.
Wininet.dll
This DLL contains higher-level networking functions that implement protocols such as FTP,
HTTP, and NTP.
Luigi Capuzzello

6. Introduction.6
We can also get information about PE header using PEView tool. Sections are very important because we can see if
there are only standard section (as listed below) or also custom sections, in this case we are dealing with a packer.
Section
Description
.text
Contains the executable code
.rdata
Holds read-only global data that is accessible within the program
.data
Stores global data accessed throughout the program
.idata
Sometimes present and stores the import function information; if this section is not present, the import function
information is stored in the .rdata section
.edata
Sometimes present and stores the export function information; if this section is not present, the export function
information is stored in the .rdata section
.pdata
Present only in 64-bit executables and stores exception-handling information
.rsrc
Stores resources needed by the executable
.reloc
Contains information for relocation of library files
We can also look at .rsrc section (looking for interesting string) using the free Resource Hacker tool.
Luigi Capuzzello

7. Introduction.7
Basic Dynamic Analysis.
Dynamic analysis techniques are the second step in the malware analysis process. Dynamic analysis is typically
performed after basic static analysis has reached a dead end, whether due to obfuscation, packing, or the analyst
having exhausted the available static analysis techniques.
Monitor malware activity [procmon / regshot / Process Explorer]
Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain
registry, file system, network, process, and thread activity. It combines and enhances the functionality of two legacy
tools: FileMon and RegMon.
If you want to filter the activity of a particoular file you have to choose the “Filter  Filter” Menu option and you have
to spacify the filename you are looking for.
There are also four important filter on the menu side bar that allow to filter:
Registry
File system
Process activity
Network: attention this logging not work consistently across Microsoft Windows version.
It is very usefull to use promon because it is very usefull to know what our target is doing with the external
environment (registry, file system and network).
Sometime our target generates many operation especially on registry. So it could be very usefull to have a tool that
compare two snapshots and give us just the differences between them.
Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots.
It is very simple to use regshot. There are only three operation you have to do:
Click on ‘1st shot’ button;
Execute malware ;
Click on ‘2nd shot’ button when you think malware has finished its activity
Click on ‘cOmpare’ button
At the end the software will give you a list of the operations the malware has implemented on the registry.
This type of information could be very usefull because it is not a simple log, it is an elaborated one.
Here is an example of the regshot output:
====================================================================
Regshot 1.9.0 x86 ANSI
Comments:
Datetime: 2014/2/1 21:12:14 , 2014/2/1 21:13:07
Computer: TESTXP , TESTXP
Username: admin , admin
---------------------------------Keys added: 1
---------------------------------HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftMultimediaWaveOwner
---------------------------------Values added: 19
Luigi Capuzzello

8. Introduction.8
---------------------------------HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellBags1DesktopScrollPos1313x932(1).x: 0x00000000
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellBags1DesktopScrollPos1313x932(1).y: 0x00000000
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellNoRoamBags381ShellMinPos1313x932(1).x
:…
HKUS-1-5-21-725345543-73586283-682003330-1003SoftwareMicrosoftWindowsShellNoRoamMUICache@shell32.dll,-31237: "Crea una
nuova cartella, vuota, nella cartella aperta."
---------------------------------Values modified: 18
---------------------------------HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF729
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF566
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF729
HKLMSYSTEMControlSet001ControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF566
HKLMSYSTEMControlSet001ControlDeviceClasses{6994AD04-93EF-11D0-A3CC-00A0C9223196}##?
#PCI#VEN_1274&DEV_1371&SUBSYS_13711274&REV_02#4&47B7341&0&0888#{6994ad04-93ef-11d0-a3cc
…
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF729
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Left: 0xFFFFF566
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF729
HKLMSYSTEMCurrentControlSetControlClass{4D36E96C-E325-11CE-BFC1-08002BE10318}0000SettingsCDVol_Right: 0xFFFFF566
====================================================================
Another important tool is Process Explorer. This tool monitors the processes running on a system and shows them in a
tree structure that displays child and parent relationships.
Process Explorer could also be usefull in detecting if a file is Microsoft signed.
You can achive this task in many way:
-
Click on verify button to verify that the image on disk is, in fact, the Microsoft signed binary. Because
Microsoft uses digital signatures for most of its core executables, when Process Explorer verifies that a
signature is valid, you can be sure that the file is actually the executable from Microsoft.
-
Comparing in memory string and string in the disk executable image.
Luigi Capuzzello

9. Introduction.9
Go deep into network traffic.
Malware, often, needs to connect to a remote server for many reasons. For example it needs to provide information to
that remote host or it need to get commands from that remote host.
So it is very important to understand which sort of traffic is generated from and to the malware.
To achive this hint we have to implement a sort of MITM (Man In The Middle) attack against the malware.
First of all we have to use ApateDNS (a free tool from Mandiant) to see the DNS request made by malware.
To use ApateDNS you have to set:
DNS Reply IP: the IP address ypu want sent in DNS response;
# of NXDOMAIN’s: this is an option that can help us to find all the domain the malware will loop through;
Selected interface: the ethernet interface we want to use
We can set ‘DNS Reply IP’ to localhost (as in the above example) or we can set it to redirect all the traffic to another
machine, for example a linux machine, or better, a virtual linux machine.
On the linux machine we can install INetSim, a free, Linux-based software suite for simulating common Internet
services. INetSim does its best to look like a real server.
And because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy
service, a feature that logs all data received from the client, regardless of the port. The Dummy service is most
useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to
record all ports to which the malware connects and the corresponding data that is sent.
Here is an example of all the port the tool is going to start up.
*
*
*
*
*
*
*
*
*
*
*
dns 53/udp/tcp - started (PID 9992)
http 80/tcp - started (PID 9993)
https 443/tcp - started (PID 9994)
smtp 25/tcp - started (PID 9995)
irc 6667/tcp - started (PID 10002)
smtps 465/tcp - started (PID 9996)
ntp 123/udp - started (PID 10003)
pop3 110/tcp - started (PID 9997)
finger 79/tcp - started (PID 10004)
syslog 514/udp - started (PID 10006)
tftp 69/udp - started (PID 10001)
Luigi Capuzzello

10. Introduction.10
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
pop3s 995/tcp - started (PID 9998)
time 37/tcp - started (PID 10007)
ftp 21/tcp - started (PID 9999)
ident 113/tcp - started (PID 10005)
time 37/udp - started (PID 10008)
ftps 990/tcp - started (PID 10000)
daytime 13/tcp - started (PID 10009)
daytime 13/udp - started (PID 10010)
echo 7/tcp - started (PID 10011)
echo 7/udp - started (PID 10012)
discard 9/udp - started (PID 10014)
discard 9/tcp - started (PID 10013)
quotd 17/tcp - started (PID 10015)
quotd 17/udp - started (PID 10016)
chargen 19/tcp - started (PID 10017)
dummy 1/udp - started (PID 10020)
chargen 19/udp - started (PID 10018)
dummy 1/tcp - started (PID 10019)
There is another very interesting tool we must use to monitor the network traffic: wireshark.
Wireshark is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer
network. It has a reach and powerful feauture set.The most common and useful one is the possibility to let you view
the contents of a TCP session; you have just to right-click any TCP packet and select ‘Follow TCP Stream’.
Attention:
wireshark is known to have many security vulnerabilities, so be sure to run it in a safe envronment.
Luigi Capuzzello

11. Introduction.11
So what the hell can we do ?
We have analyze all the principal tool we need to performe a dynamic analysis; so how can we put all these software
together to maximize our analysis ?
We have a windows machine and we have to make some things on it:
1. We have to start procmon, making a filter on the malware name
2. We have to start the Process Explorer
3. We have to get the first snapshot with regshot
4. We have to configure our virtual network (ApateDNS – INetSim)
5. We have to start wireshark to get all the network traffic.
We also have a linux machine with INetSim installed on it.
So this is the situation:
Windows Virtual Machine
IP: 192.168.110.1
Tool:
ApateDNS
Procmon
regShot
process Explorer
wireshark
Linux Virtual Machine
IP: 192.168.110.2
Target
Malware
DNS 53:
ApateDNS redirect
192.168.110.2
Tool:
INetSim
HTTP: 80
HTTPS: 443
FTP: 21
SMTP: 25
ecc..
At this point we can run the malware and we can look at our tool to find as many information as we need.
1.
2.
3.
4.
5.
We can analyzed ApateDNS to see which DNS request were performed;
We can look at procmon to find which file and folder our malwere has modified or created;
We can compare the snapshots of regshot to see what malware has done on our registry
We can see on Process Explorer to see if the malware has generated threads
We can also see the wireshark traffic according to the information we have obtained from ApateDNS and
INetSim.
Summary
Static and dynamic malware analysis help us to understand in detail what behavior was implemented into malware. If
we know which register keys/values it has modified, which file it has created, if we know what the malware has
notified to a remote server and which command it has recived from that host, thenwe can safely think that it is
possible, and not so tricky, to cut out the malware from our pc.
However sometimes it is necessary to go mach more deeper; for example, what can we do if the malware comunicate
to the remote host using a cripted custom comunication ? In this case, and in some others, we need to make a reverse
engineering of the malware code.
This will be the subject of next episode ‘Inside Windows Malicious Software’.
On the Web
●
●
●
●
●
●
●
http://bit.ly/ic4plL - strings tool
http://woodmann.com/BobSoft/Pages/Programs/PEiD - PEiD tool
http://www.woodmann.com/collaborative/tools/index.php/ExeInfo_PE - exeinfope tool
http://www.dependencywalker.com/ - Dependency Walker tool
http://peview.sourceforge.net/ - PEView tool
http://www.angusj.com/resourcehacker/ - Resource Hacker tool
http://download.sysinternals.com/files/ProcessMonitor.zip - procmon tool
Luigi Capuzzello

12. Introduction.12
●
●
●
●
●
http://sourceforge.net/projects/regshot/ - regshot tool
http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx - Process Explorer tool
https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns - ApateDNS tool
http://www.inetsim.org/downloads.html - INetSim tool
http://www.wireshark.org/download.html - wireshark tool
About the author
Luigi Capuzzello has started with informatics in late 1986 (with a beautiful Apple IIe) when he was thirteen years old.
After taking a degree in robotics he has working for more than fifteen years in several areas of IT, but now he is strong
focused on IT security.
His main tasks are related to test applications safety (especially web application) and in reverse engineering
techniques.
Specialties: Project Managment, Information Security, Vulnerability Analysis, Penetration Testing, Ethical Hacking, Web
Application Security
You can find him on http://www.linkedin.com/pub/luigi-capuzzello/7/561/12a
Other Specification
- Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code [Paperback]
- The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig
Luigi Capuzzello