Mare Unit 1

The document provides an overview of malware analysis, detailing the types of malware, the objectives and methods of analysis, and the advantages and disadvantages of conducting such analyses. It also discusses reverse engineering techniques and the essential components for setting up a malware analysis lab, emphasizing the importance of security and proper tool selection. Additionally, it outlines the steps necessary for establishing a functional malware analysis environment to enhance threat detection and response capabilities.

Uploaded by

6uxk0l75jf
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
31 views21 pages

Mare Unit 1

The document provides an overview of malware analysis, detailing the types of malware, the objectives and methods of analysis, and the advantages and disadvantages of conducting such analyses. It also discusses reverse engineering techniques and the essential components for setting up a malware analysis lab, emphasizing the importance of security and proper tool selection. Additionally, it outlines the steps necessary for establishing a functional malware analysis environment to enhance threat detection and response capabilities.

Uploaded by

6uxk0l75jf
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

R20 (MARE) CYBER SECURITY

UNIT-1 FUNDAMENTALS OF MALWARE ANALYSIS


Malware is an executable binary that is malicious in nature. Malware can be used by attackers to perform a variety of
malicious actions, such as spying on the target using keyloggers or RATs, deleting your data, or encrypting your
data for “ransom”.
Types of Malware: Malware is designed to perform malicious actions, and different types have different functionality. Various
types of malware are:
1. Trojans – Trojans can destroy data, exfiltrate data, and can also be used for spying.
2. RATs – This type of malware allows an attacker to remotely access a system and execute commands on it.
3. Ransomware – Ransomware encrypts all files on the system and holds the system and its data for ransom.
4. Dropper – A dropper’s function is to download or drop additional malware onto the system.
What is Malware Analysis? Malware analysis is the study or process of determining the functionality, origin and
potential impact of a given malware sample and extracting as much information from it as possible. The information that is
extracted helps to understand the functionality and scope of the malware, how the system was infected and how to defend
against similar attacks in future.
Objectives:
• To understand the type of malware and its functionality.
• To determine how the system was infected by the malware and whether it was a targeted attack or a phishing attack.
• To determine how the malware communicates with the attacker.
• To enable future detection of the malware by generating signatures.
Types of Malware Analysis:
• Static analysis – It is the process of analyzing the malware without executing or running it. This analysis is
used to extract as much metadata from the malware as possible, such as PE headers, strings, etc.
• Dynamic analysis – It is the process of executing the malware and analyzing its functionality and behavior. This
analysis helps to know what the malware does during its execution, typically using a debugger.
• Code analysis – It is the process of analyzing/reverse engineering the assembly code. It is a combination of both
static and dynamic analysis.
• Behavioral analysis – It is the process of analyzing and monitoring the malware after execution. It involves
monitoring processes, registry entries and network activity to determine the workings of the malware.
Common Steps in Malware Analysis:
• Identification: Determining the presence of malware and understanding its characteristics.
• Acquisition: Obtaining a copy of the malware for analysis, ensuring proper handling and containment.
• Preliminary Analysis: Conducting initial assessments to gather basic information about the malware.
• Static Analysis: Examining the malware without executing it to extract metadata and understand its structure.
• Dynamic Analysis: Executing the malware in a controlled environment to observe its behavior and effects.
• Code Analysis: Analyzing the malware’s code to understand its functionality, logic, and potential
vulnerabilities.
• Behavioral Analysis: Monitoring the malware’s actions during execution to identify its interactions with the
system and network.

• Reverse Engineering: Unpacking and decompiling the malware to understand its inner workings and
algorithms.
• Post-Analysis: Documenting findings, generating reports, and deriving insights for future prevention and
detection.
Advantages of Malware Analysis:
1. Threat Detection: Malware analysis enables the detection of previously unknown threats, allowing
organizations to proactively defend against attacks.
2. Improved Security: By understanding the behavior of malware, organizations can improve their security
measures and reduce the risk of infection.
3. Understanding of Attack Techniques: Malware analysis provides insight into the methods and techniques used
by attackers, allowing organizations to better prepare for and defend against future attacks.
4. Early Detection: By analyzing malware early in its lifecycle, organizations can mitigate the impact of an
attack and reduce the time required to recover from it.
5. Forensics: Malware analysis can provide valuable information for forensic investigations and can aid in the
prosecution of attackers.
Disadvantages of Malware Analysis:
1. Time-Consuming: The process of malware analysis can be time-consuming and requires specialized
knowledge and tools.
2. Risk of Infection: Conducting malware analysis in an uncontrolled environment can result in the spread of the
malware, potentially causing harm to other systems.
3. Cost: Malware analysis requires specialized tools and expertise, which can be expensive for organizations to
acquire and maintain.
4. Difficulty: Malware is constantly evolving, and the analysis process can be challenging, requiring specialized
knowledge and expertise.
5. False Positives: Malware analysis can sometimes result in false positives, leading to false alarms and a loss of
confidence in the security measures in place.
Reverse Engineering:
Reverse engineering can extract design information from source code, but the abstraction level, the
completeness of the documentation, the degree to which tools and a human analyst work together, and the
directionality of the process are highly variable.
Reverse engineering (RE) malware is the process of analyzing malware to understand its purpose and
functionality. It is a challenging process because malware is often designed to be difficult to analyze.
Objective of Reverse Engineering:
1. Reducing Costs: Reverse engineering can help cut costs in product development by finding replacements or
cost-effective alternatives for systems or components.
2. Analysis of Security: Reverse engineering is used in cybersecurity to examine exploits, vulnerabilities, and
malware. This helps in understanding of threat mechanisms and the development of practical defenses by
security experts.
3. Integration and Customization: Through the process of reverse engineering, developers can incorporate or
modify hardware or software components into pre-existing systems to improve their operation or tailor them
to meet particular needs.

4. Recovering Lost Source Code: Reverse engineering can be used to recover the source code of a software
application that has been lost or is inaccessible or at the very least, to produce a higher-level representation of
it.
5. Fixing bugs and maintenance: Reverse engineering can help find and repair flaws or provide updates for
systems for which the original source code is either unavailable or inadequately documented.
Reverse Engineering Goals:
1. Cope with Complexity: Reverse engineering is a common tool used to understand and control system
complexity. It gives engineers the ability to analyze complex systems and reveal details about their
architecture, relationships and design patterns.
2. Recover lost information: Reverse engineering seeks to retrieve as much information as possible in
situations where source code or documentation are lost or unavailable. Rebuilding source code, analyzing data
structures and retrieving design details are a few examples of this.
3. Detect side effects: Understanding a system or component’s behavior requires analyzing its side effects.
Unintended implications, dependencies, and interactions that might not be obvious from the system’s
documentation or original source code can be found with the use of reverse engineering.
4. Synthesize higher abstractions: Abstracting low-level features in order to build higher-level representations is
a common practice in reverse engineering. This abstraction makes communication and analysis easier by
facilitating a greater understanding of the system’s functionality.
5. Facilitate Reuse: Reverse engineering can be used to find reusable parts or modules in systems that already
exist. By understanding the functionality and architecture of a system, developers can extract and repurpose
components for use in other projects, improving efficiency and decreasing development time.
Reverse Engineering to Understand Data:
Reverse engineering of data occurs at different levels of abstraction. It is often the first reengineering task.
1. At the program level, internal program data structures must often be reverse engineered as part of an overall
reengineering effort.
2. At the system level, global data structures (e.g., files, databases) are often reengineered to accommodate new
database management paradigms (e.g., the move from flat file to relational or object-oriented database
systems).
Internal Data Structures
Reverse engineering techniques for internal program data focus on the definition of classes of objects.
1. This is accomplished by examining the program code with the intent of grouping related program variables.
2. In many cases, the data organization within the code identifies abstract data types.
3. For example, record structures, files, lists, and other data structures often provide an initial indicator of
classes.
Database Structures
A database allows the definition of data objects and supports some method for establishing relationships
among the objects. Therefore, reengineering one database schema into another requires an understanding of
existing objects and their relationships.
The following steps define the existing data model as a precursor to reengineering a new database model:
1. Build an initial object model.

2. Determine candidate keys (the attributes are examined to determine whether they are used to point to another
record or table; those that serve as pointers become candidate keys).
3. Refine the tentative classes.
4. Define generalizations.
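The candidate-key step above can be tried mechanically on sample records. The following Python script is an added example, not part of these notes: it takes a constructed, hypothetical set of record types (a customers file and an orders file, with made-up values), treats attributes whose values never repeat as tentative identifiers, and treats an attribute whose every value appears as an identifier in another record type as a pointer, which is what step 2 calls a candidate key. The result is the initial object model of step 1 with the pointers of step 2 attached.

```python
# Constructed records from a hypothetical legacy flat-file system, already split
# into record types. Names and values are made up for this demonstration.
TABLES = {
    "customers": [
        {"cust_no": "C1", "name": "Acme", "region": "EU"},
        {"cust_no": "C2", "name": "Globex", "region": "US"},
        {"cust_no": "C3", "name": "Initech", "region": "EU"},
    ],
    "orders": [
        {"order_no": "O10", "cust_no": "C1", "region": "EU", "amount": 120},
        {"order_no": "O11", "cust_no": "C3", "region": "EU", "amount": 80},
        {"order_no": "O12", "cust_no": "C1", "region": "EU", "amount": 120},
    ],
}


def unique_attributes(records):
    """Attributes whose values never repeat in the sample: tentative identifiers for the class (step 1)."""
    if not records:
        return set()
    return {a for a in records[0] if len({r[a] for r in records}) == len(records)}


def pointer_attributes(tables):
    """Attributes whose every value is an identifier value of another record type.

    Those attributes act as pointers to other records, which step 2 treats as candidate keys.
    Returns (table, attribute, referenced_table, referenced_attribute) tuples.
    """
    identifiers = {t: {a: {r[a] for r in recs} for a in unique_attributes(recs)}
                   for t, recs in tables.items()}
    pointers = []
    for table, recs in tables.items():
        for attr in recs[0]:
            values = {r[attr] for r in recs}
            for other, other_ids in identifiers.items():
                if other == table:
                    continue
                for other_attr, id_values in other_ids.items():
                    if values <= id_values:
                        pointers.append((table, attr, other, other_attr))
    return pointers


def initial_object_model(tables):
    """One class per record type with its tentative identifiers and the pointers found (steps 1 and 2)."""
    model = {t: {"attributes": list(recs[0]),
                 "identifiers": sorted(unique_attributes(recs)),
                 "references": []}
             for t, recs in tables.items()}
    for table, attr, other, other_attr in pointer_attributes(tables):
        model[table]["references"].append(f"{attr} -> {other}.{other_attr}")
    return model


if __name__ == "__main__":
    for cls, info in initial_object_model(TABLES).items():
        print(cls, info)
```

The output is only the initial model: `name` shows up as a tentative identifier for customers because it happens to be unique in three records, which is exactly the kind of result that step 3 (refining the tentative classes) exists to correct with human judgement.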

Reverse Engineering to Understand Processing:


Reverse engineering to understand processing begins with an attempt to understand and then extract the procedural abstractions
represented by the source code. To understand procedural abstractions, the code is analyzed at varying levels
of abstraction: system, program, component, pattern, and statement.
1. Each of the programs that make up the application system represents a functional abstraction at a high level of
detail. A block diagram, representing the interaction between these functional abstractions, is created.
2. Each component performs some subfunction and represents a defined procedural abstraction. A processing
narrative for each component is developed.
For large systems, reverse engineering is generally accomplished using a semiautomated (partially automated)
approach. Automated tools can be used to help you understand the semantics of existing code. The output of
this process is then passed to restructuring and forward engineering tools to complete the reengineering
process.
Steps of Software Reverse Engineering:
1. Collecting Information: This step focuses on collecting all possible information (i.e., source code, design
documents, etc.) about the software.
2. Examining the Information: The information collected in step 1 is studied so as to get familiar with the
system.
3. Extracting the Structure: This step concerns identifying the program structure in the form of a structure chart
where each node corresponds to some routine.
4. Recording the Functionality: During this step, the processing details of each module of the structure chart are
recorded using a structured language, such as a decision table.
5. Recording Data Flow: From the information extracted in steps 3 and 4, a set of data flow diagrams is
derived to show the flow of data among the processes.
6. Recording Control Flow: The high-level control structure of the software is recorded.
7. Reviewing the Extracted Design: The extracted design document is reviewed several times to ensure consistency
and correctness. This also ensures that the design represents the program.
8. Generating Documentation: Finally, in this step, the complete documentation, including the SRS, design
document, history, overview, etc., is recorded for future use.
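Steps 3 and 6 (extracting the structure chart and recording control flow) can be automated for a small program. The following Python script is an added example, not from these notes: it parses a constructed source file with the standard `ast` module, records which routines call which, counts branch and loop statements per routine, and derives a structure chart rooted at `main`. The sample program and its routine names are made up for the demonstration; the same approach applies to any Python codebase, and equivalent parsers exist for other languages.

```python
import ast
from collections import defaultdict

# Constructed program under analysis (hypothetical; names chosen for the demo).
SAMPLE_SOURCE = '''
def load_config(path):
    with open(path) as f:
        return f.read()

def validate(cfg):
    if not cfg:
        raise ValueError("empty")
    return True

def process(cfg):
    for line in cfg.splitlines():
        if validate(line):
            emit(line)

def emit(line):
    print(line)

def main():
    cfg = load_config("settings.ini")
    if validate(cfg):
        process(cfg)
'''


class RoutineVisitor(ast.NodeVisitor):
    """Records, per routine, the routines it calls and a count of its branch/loop statements."""

    def __init__(self):
        self.current = None                      # routine whose body is being walked
        self.defined = set()                     # every routine defined in the program
        self.calls = defaultdict(set)            # routine -> names it calls
        self.control = defaultdict(lambda: {"branches": 0, "loops": 0})

    def visit_FunctionDef(self, node):
        self.defined.add(node.name)
        self.calls[node.name]                    # make leaf routines appear even with no calls
        self.control[node.name]
        outer, self.current = self.current, node.name
        self.generic_visit(node)
        self.current = outer

    def visit_Call(self, node):
        # Only plain-name calls (foo(...)); method calls like cfg.splitlines() are not routines here.
        if self.current is not None and isinstance(node.func, ast.Name):
            self.calls[self.current].add(node.func.id)
        self.generic_visit(node)

    def visit_If(self, node):
        if self.current is not None:
            self.control[self.current]["branches"] += 1
        self.generic_visit(node)

    def visit_For(self, node):
        if self.current is not None:
            self.control[self.current]["loops"] += 1
        self.generic_visit(node)

    visit_While = visit_For                      # while loops count the same as for loops


def extract_structure(source):
    """Step 3 (call structure) and step 6 (control flow) for one source file."""
    v = RoutineVisitor()
    v.visit(ast.parse(source))
    # Keep only calls that resolve to routines defined in the program (drops builtins like open/print).
    calls = {f: sorted(c for c in v.calls[f] if c in v.defined) for f in sorted(v.defined)}
    control = {f: dict(v.control[f]) for f in sorted(v.defined)}
    return {"calls": calls, "control": control}


def structure_chart(calls, root, _path=()):
    """Nested dict whose nodes are routines and whose children are the routines they call.

    Recursion is cut at cycles so the chart stays finite.
    """
    if root in _path:
        return {root: "<recursion>"}
    children = {}
    for callee in calls.get(root, []):
        children.update(structure_chart(calls, callee, _path + (root,)))
    return {root: children}


if __name__ == "__main__":
    info = extract_structure(SAMPLE_SOURCE)
    print(structure_chart(info["calls"], "main"))
    print(info["control"])
```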
Reverse Engineering Tools:
Reverse engineering tools accept source code as input and produce a variety of structural, procedural, data,
and behavioral design information. Reverse engineering, if done manually, would consume a lot of time and human labor
and hence must be supported by automated tools. Some of the tools are given below:
1. CIAO and CIA: A graphical navigator for software and web repositories and a collection of Reverse
Engineering tools.
2. Rigi: A visual software understanding tool.

3. Bunch: A software clustering/modularization tool.
4. GEN++: An application generator to support the development of analysis tools for the C++ language.
5. PBS: Software Bookshelf tools for extracting and visualizing the architecture of programs.

Malware analysis lab set up


A lab setup for malware analysis typically includes the following components:
1. Virtual Machines: Virtual machines are used to isolate the malware and prevent it from causing harm to the
host system.
2. Analysis Tools: Tools such as antivirus software, sandboxing tools, and disassemblers are used to analyze the
behavior of malware and understand its functionality.
3. Networking: A virtual network is used to simulate a real-world environment, allowing the malware to
communicate with other systems and allowing the analyst to observe its behavior.
4. Storage: A large storage device is used to store the malware samples and analysis data.
5. Monitoring Tools: Monitoring tools such as network sniffers and process monitors are used to track the
behavior of malware and collect data for analysis.
6. Backup System: A backup system is used to ensure that the analysis environment can be quickly restored if it
becomes compromised or unstable.
7. Documentation: Documentation is important for keeping track of the analysis process and for sharing
information with others who may be involved in the analysis.
It’s important to note that a malware analysis lab must be designed and managed with security in mind. Access to the
lab should be restricted, and all tools and systems used in the lab should be kept up-to-date and regularly reviewed to
ensure that they are secure.
Threats are one of the most challenging areas in the field of information security, and the lack of qualified personnel
makes it even harder for companies to keep their information and assets secure and handle such situations without
incurring much loss. Malware analysis is the process of determining the origin, potential impact, and functionality of
a given malware sample, such as a virus, trojan horse, etc. In this article, we are not going to discuss the whereabouts
of malware or malware analysis. Rather, we will see how you can effectively set up a lab for malware analysis. As
one plan cannot fit the needs of all organizations, we need to take a few alternatives into account and decide on the best one
according to your organization’s needs. We will be covering the following topics in this article:
• Why do we need a Malware Analysis Lab?
• Brainstorming to build a Malware Analysis Lab.
• Steps for setting up a Malware Analysis Lab.
Let’s get started and discuss each of these topics in detail.
Why do we need a Malware Analysis Lab?
A Malware Analysis Lab can help you in any of the following ways:
• It will increase your analysis speed.

• A suitable environment will build a framework and help identify TTPs and IOCs.
• A malware analysis lab will help you control what gets in and out of the network.
• It will decrease the risk of infection.
Brainstorming to Build a Malware Analysis Lab
The first and most important thing to do before setting up a lab is to figure out the needs and requirements for
setting up the lab. It is very important to have some dedicated systems with tools to control, analyze, and safeguard your
environment. The following are some of the questions you need to be clear about in order to have a clear understanding of what you need in
your lab.
What tools do you need?: There are a lot of tools available in the market for each task associated with malware
analysis. But you need to try a bunch of these tools and determine which are best suited to your needs.
What type of operating systems do you need?: There are a variety of systems available out there, like Windows, Linux,
OS X, or even mobile OSes like Android, iOS, etc. It is advisable to get started with Windows and Linux first, and then
you can get your hands on other operating systems.
What do you want to achieve?: You should have a clear understanding of your motive for setting up the lab and be
clear about what you want to achieve through the lab.
Steps for setting up Malware Analysis Lab
To set up the Malware Analysis Lab, follow the points mentioned below.
1. Network: One of the most important and the first step in setting up a lab is to define its network. Here are a few
reasons why this step is important:
• You need to have information about your network to identify uncommon patterns and uncommon connection
attempts.
• You need to know what is going into and what is going out of the network.
• You need to intercept traffic between your analysis system and the network.
• You need to isolate the analysis system from other computers.
Choose your favorite private network address space so you can assign a static IP address to each one of your systems.
The reason for this allotment is that once you start collecting network information, you will spend most of your
time trying to figure out which system a given address belongs to if you don’t keep a list. You are also going to need a
dedicated machine to control your network traffic and to act as a gateway for your lab. REMnux and Kali are two
options that you can consider for your gateway.
2. Virtualization: Virtualization software is required in either of the following scenarios:
• When you don’t have a few spare machines, a switch, and a dedicated physical space for this.
• You simply want to carry your lab with you wherever you go.
There are a few options for virtualization software, like VMware, QEMU, VirtualBox (free), and if you don’t mind
spending a few bucks, then you can go for VMware Workstation. Virtualization software will allow you to host your
entire lab on a single machine, and it provides another interesting feature: snapshots. Snapshots allow you to revert
the state of your machines to a clean state, so you can start an analysis over and over again. They are also quite useful for
keeping track of your work on a long analysis. If you are using virtualization software, how you set up your virtual
network is very important. You have three options for this:
• Bridged: Do not use bridged mode; this can expose your network to threats, and you don’t want to infect
anybody else’s systems.
• NAT: This is the ideal choice. Disable DHCP so you can stick to your design.

• Host-Only: Host-only mode will only let your virtual system communicate with your host machine; you don’t want
this either.
3. Analysis Machines: If you are going to do malware analysis, then you will need a variety of systems to run your
samples, execute your tools, and do static and dynamic analysis. You will have to follow the following simple steps
to set up each one of the systems that you choose.
• Install the operating system and install the security updates.
• Install virtual machine tools (optional).
• Install analysis tools; for Windows, you can check the FLARE VM tools to automate some of this task.
• Set up the network configuration.
• Save a snapshot in a clean state.
These simple five steps will help you to get a checklist and set up the machines you’ll need to move forward on your
analysis. Operating systems can be selected from the following list:
• Windows 10
• Windows 7
• Linux (Ubuntu Server 16.04)
• REMnux
• Kali Linux
• Metasploitable 2
• Metasploitable 3
• Virtual Machine with OS X
• Android
REMnux or Kali needs to be your gateway, as REMnux is a dedicated system for malware reverse engineering and
comes with tons of handy tools for this purpose, and Kali is a Linux distro which is specifically designed for
penetration testing and ethical hacking. For beginners, REMnux should be the first and last choice for the gateway,
as REMnux allows you to sniff the network traffic coming out of your analysis machines and also control it. In case you are
ready to go with both options, REMnux and Kali, then these should be your only machines with Internet access.
You can achieve this by adding more than one network card to these virtual machines: the second network card
will allow you to provide Internet access to your analysis machines when needed, and you’ll be less prone to expose
yourself to the malware samples that you are analyzing.
4. Testing your Environment: Before starting with the analysis, you need to make sure that everything is perfect and
working fine. For this, you need to check the following things:
• Make sure no analysis machine has access to the Internet or your home/work network. You can control this
with the gateway. Try turning it ON and OFF so that you can get familiar with the process.
• Turn all your machines ON and try running a network scan to see that everything is working properly.
• It is very important to make sure that all your machines have a snapshot in a clean state. You should have clear
rules and definitions stating how often you will update them to install security patches, new software versions,
and other caveats.
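A lab inventory can be checked against the rules in steps 1 to 4 before any sample is run. The following Python script is an added example, not from the article: it takes a constructed lab plan (assumed machine names, a 10.0.0.0/24 address space and a REMnux gateway, all chosen for the demo) and reports the mistakes the text warns about: a bridged virtual network, DHCP left on, an address outside the chosen private range, a duplicate address, a non-gateway machine with an Internet-facing NIC, and a machine without a clean-state snapshot. `weak_plan()` builds a deliberately misconfigured copy so the checker’s output can be seen.

```python
import copy
import ipaddress

# Constructed inventory of a small lab following the steps above (assumed names and addresses).
LAB_PLAN = {
    "address_space": "10.0.0.0/24",
    "virtual_network_mode": "nat",      # one of: bridged, nat, host-only
    "dhcp_enabled": False,
    "machines": [
        {"name": "remnux-gw", "role": "gateway", "ip": "10.0.0.1",
         "nics": ["lab", "internet"], "clean_snapshot": True},
        {"name": "win10-analysis", "role": "analysis", "ip": "10.0.0.10",
         "nics": ["lab"], "clean_snapshot": True},
        {"name": "ubuntu-analysis", "role": "analysis", "ip": "10.0.0.11",
         "nics": ["lab"], "clean_snapshot": True},
    ],
}


def check_lab_plan(plan):
    """Return a list of problems; an empty list means the plan follows the rules in steps 1 to 4."""
    problems = []
    net = ipaddress.ip_network(plan["address_space"])
    if not net.is_private:
        problems.append(f"address space {net} is not a private range")
    mode = plan["virtual_network_mode"].lower()
    if mode == "bridged":
        problems.append("bridged mode exposes the real network to the samples; use NAT")
    elif mode == "host-only":
        problems.append("host-only mode only reaches the host machine; use NAT")
    if plan["dhcp_enabled"]:
        problems.append("DHCP is enabled; disable it so the static addresses stay as designed")
    gateways = [m for m in plan["machines"] if m["role"] == "gateway"]
    if len(gateways) != 1:
        problems.append(f"expected exactly one gateway, found {len(gateways)}")
    seen = {}                                    # address -> machine name, to catch duplicates
    for m in plan["machines"]:
        ip = ipaddress.ip_address(m["ip"])
        if ip not in net:
            problems.append(f"{m['name']}: {ip} is outside {net}")
        if ip in seen:
            problems.append(f"{m['name']}: {ip} is already assigned to {seen[ip]}")
        seen[ip] = m["name"]
        if "internet" in m["nics"] and m["role"] != "gateway":
            problems.append(f"{m['name']}: non-gateway machine has an Internet-facing NIC")
        if not m.get("clean_snapshot"):
            problems.append(f"{m['name']}: no clean-state snapshot recorded")
    return problems


def weak_plan():
    """A deliberately misconfigured copy of LAB_PLAN (constructed) to show what the checker reports."""
    plan = copy.deepcopy(LAB_PLAN)
    plan["virtual_network_mode"] = "bridged"
    plan["dhcp_enabled"] = True
    plan["machines"][1]["nics"].append("internet")
    plan["machines"][2]["ip"] = "192.168.1.5"
    return plan


if __name__ == "__main__":
    print("good plan:", check_lab_plan(LAB_PLAN) or "no problems")
    for p in check_lab_plan(weak_plan()):
        print("weak plan:", p)
```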
Advantages of a Malware Analysis Lab:
1. Improved Security: By isolating malware in a controlled environment, a malware analysis lab helps to reduce
the risk of harm to the host system and to sensitive data.
2. Increased Understanding: A malware analysis lab provides a safe and controlled environment for analyzing
malware and understanding its behavior, allowing analysts to develop better security strategies and respond
more effectively to threats.
3. Increased Efficiency: A well-designed malware analysis lab can automate many of the tasks involved in
analyzing malware, reducing the time and effort required and increasing efficiency.
4. Better Decision Making: By providing a comprehensive view of malware behavior, a malware analysis lab
can help security professionals make more informed decisions about how to respond to threats.
Disadvantages of a Malware Analysis Lab:
1. Cost: Setting up a malware analysis lab can be expensive, and ongoing maintenance and upgrades can also be
costly.
2. Complexity: The process of setting up and maintaining a malware analysis lab can be complex, requiring
specialized knowledge and skills.
3. Risk of Contamination: If not properly secured, a malware analysis lab can become contaminated with
malware, putting the host system and sensitive data at risk.
4. Limited Access: A malware analysis lab may be restricted to a small number of individuals, limiting the ability
to share information and collaborate with others who may be involved in the analysis.
5. Maintenance: A malware analysis lab requires ongoing maintenance and upgrades to ensure that it remains
effective and secure.

MALWARE ANALYSIS Tools and Techniques:


Malware analysis is the process of studying malicious software to understand its behavior, origins, and potential
impacts. The goal is to uncover how it works and determine ways to defend against or mitigate its effects. There are
various tools and techniques used in malware analysis, typically broken down into static analysis, dynamic analysis,
and hybrid analysis. Below is an overview of the tools and techniques in each category:
1. Static Analysis
Static analysis involves examining the malware without running it. This is typically used to understand its structure,
identify suspicious code patterns, and extract indicators of compromise (IOCs).
Tools:
• Disassemblers and Decompilers:
o IDA Pro: A powerful disassembler for reverse-engineering binary files. It can disassemble machine
code and generate assembly code, making it easier to understand how malware functions.
o Ghidra: An open-source reverse-engineering tool developed by the NSA. It supports multiple
architectures and can decompile binaries into a more readable form.
o Radare2: A free, open-source tool for disassembling and analyzing binaries. It is a bit more complex
but very powerful.
o OllyDbg: A debugger focused on Windows binary analysis, used to inspect the behavior of executable
files.
• File Analyzers:
o PEStudio: A static analysis tool for Windows executables (PE files). It can reveal metadata, imports,
and other indicators without running the file.
o Hex-Rays: An interactive disassembler that produces human-readable C-like code for further
inspection of binaries.
• Hashing and Signature Detection:
o VirusTotal: A tool to scan files using multiple antivirus engines to detect malware.
o YARA: A tool for creating custom signatures to identify malware based on specific patterns or strings
within the code.
Techniques:
• File Header Analysis: Examine the file format (PE, ELF, etc.) to identify unusual headers or sections.
• Strings Analysis: Extract and analyze human-readable strings embedded in the binary. This can reveal URLs,
file paths, or command-and-control (C2) information.
• Control Flow Analysis: Study the code’s execution flow by examining function calls, loops, and branches.
2. Dynamic Analysis
Dynamic analysis involves running the malware in a controlled environment to observe its behavior, network activity,
and system changes. This approach helps in detecting actions that are not apparent in static analysis.
Tools:
• Sandboxes:
o Cuckoo Sandbox: An open-source automated malware analysis system that provides detailed reports
about the behavior of a sample.
o Any.Run: A web-based interactive malware sandbox, offering detailed insights into how malware
interacts with the system.
o FireEye’s Malware Analysis: A commercial platform that allows running malware in a sandbox and
generates detailed reports about its behavior.
• Behavioral Analysis Tools:
o Procmon (Process Monitor): A tool from Sysinternals that monitors and logs real-time system activity,
including file system, registry, and process changes.
o Wireshark: A network protocol analyzer that captures and analyzes network traffic, helping to detect
malicious communications between malware and a C2 server.
o Fakenet-NG: A tool to simulate network services like DNS or HTTP to monitor malicious traffic
without allowing connections to external resources.
• Debuggers and Emulators:
o x64dbg: A powerful Windows debugger for debugging and analyzing 32-bit and 64-bit Windows
binaries.
o OllyDbg: Used for dynamic analysis of Windows binaries, especially when you need to inspect and
modify memory in real-time.
o QEMU: An emulator that allows malware to run in a controlled virtualized environment, providing
insights into its behavior.
Techniques:
• Process Monitoring: Track the processes started by malware and analyze what files, registry keys, or network
connections they interact with.
• File System and Registry Monitoring: Identify changes in the file system and Windows registry caused by
malware.
• Network Traffic Analysis: Examine DNS requests, HTTP requests, or other protocols that indicate C2
communication or data exfiltration.
• Virtual Machine Snapshots: Take snapshots of a VM before and after malware execution to detect file system
and memory changes.
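The process, registry and network monitoring techniques above produce event logs that still have to be read and correlated. The following Python script is an added example, not from these notes: it triages a constructed Process Monitor-style CSV export (made-up processes, paths and addresses) with three behavioural rules: a write to a Run key (persistence), an executable written to %TEMP% and then launched (dropper behaviour), and a TCP connection leaving the lab subnet (assumed here to be 10.0.0.0/24; in an isolated lab that should never succeed). It then groups the findings by process so the chain from dropper to payload is visible.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# The lab address space is an assumption for this example; set it to the range chosen for your lab.
LAB_NET = ipaddress.ip_network("10.0.0.0/24")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed Procmon-style export (not real captured data); columns mirror a CSV export's common fields.
SAMPLE_LOG = """Time,Process,PID,Operation,Path,Result
10:00:01.001,sample.exe,4120,Process Create,C:\\Users\\lab\\Desktop\\sample.exe,SUCCESS
10:00:01.250,sample.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Local\\Temp\\svchost_update.exe,SUCCESS
10:00:01.260,sample.exe,4120,WriteFile,C:\\Users\\lab\\AppData\\Local\\Temp\\svchost_update.exe,SUCCESS
10:00:01.400,sample.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS
10:00:01.500,sample.exe,4120,Process Create,C:\\Users\\lab\\AppData\\Local\\Temp\\svchost_update.exe,SUCCESS
10:00:02.000,svchost_update.exe,4188,TCP Connect,10.0.0.5:443,SUCCESS
10:00:02.100,svchost_update.exe,4188,TCP Connect,203.0.113.7:8080,SUCCESS
10:00:02.200,explorer.exe,1234,RegQueryValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer,SUCCESS
10:00:02.300,notepad.exe,2200,WriteFile,C:\\Users\\lab\\Documents\\notes.txt,SUCCESS
"""


def parse_log(text):
    """Rows as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Apply three behavioural rules in event order and return the findings."""
    findings = []
    dropped = {}   # lowercased path of an executable written to %TEMP% -> PID that wrote it
    for r in rows:
        op, path, pid, proc = r["Operation"], r["Path"], int(r["PID"]), r["Process"]
        if op == "RegSetValue" and RUN_KEY.search(path):
            findings.append({"rule": "persistence_run_key", "process": proc, "pid": pid, "detail": path})
        elif op == "WriteFile" and TEMP_DIR.search(path) and path.lower().endswith(".exe"):
            dropped[path.lower()] = pid
        elif op == "Process Create" and path.lower() in dropped:
            findings.append({"rule": "dropped_executable_launched", "process": proc, "pid": pid,
                             "detail": f"{path} (written by PID {dropped[path.lower()]})"})
        elif op == "TCP Connect":
            host = path.rsplit(":", 1)[0]
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue                        # hostnames are not resolved here
            if addr not in LAB_NET:
                findings.append({"rule": "connection_outside_lab", "process": proc, "pid": pid,
                                 "detail": path})
    return findings


def summarize(findings):
    """Group rule hits per (process, PID) so the dropper -> payload chain reads top to bottom."""
    by_proc = defaultdict(list)
    for f in findings:
        by_proc[(f["process"], f["pid"])].append(f["rule"])
    return dict(by_proc)


if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['process']}({h['pid']}): {h['rule']} :: {h['detail']}")
    print(summarize(hits))
```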
3. Hybrid Analysis
Hybrid analysis combines static and dynamic analysis to gain a more complete understanding of malware behavior.
The tools in this category often automate parts of the analysis or provide integrated features for both static and
dynamic analysis.
Tools:
• Cuckoo Sandbox with Static Analysis: Cuckoo Sandbox can be enhanced with static analysis features, such as
hash comparisons or file integrity checks.
• Hybrid Analysis: A free malware analysis platform that combines both static and dynamic techniques, offering
detailed reports that include file analysis, behavior analysis, and network analysis.
• PeStudio + Cuckoo: A combination of static analysis through PeStudio and dynamic analysis using Cuckoo to
provide a holistic view of malware behavior.
Techniques:
• Memory Analysis: Combining static examination of binaries with dynamic runtime analysis to inspect
malware’s behavior in memory, including hooks, shellcode, or injected code.
• Log Analysis: Correlate logs from tools like Wireshark, Process Monitor, and Event Viewer to track the
lifecycle of malware actions.
• API Hooking: Detect system calls and library calls to identify functions that malware uses to interact with the
OS, like file or network access.
4. Other Advanced Techniques
• Reverse Engineering: Deep understanding of the malware’s inner workings, using tools like IDA Pro or
Ghidra to decompile or disassemble the binary.
• Memory Forensics: Use tools like Volatility to analyze memory dumps and identify malware traces that may
not appear in regular static or dynamic analysis.
• Machine Learning: Some advanced malware analysis tools now integrate machine learning to identify
malicious behavior patterns more efficiently.

Behavioural Analysis vs. Code Analysis


When discussing "Behavioral Analysis" and "Code Analysis" in a technical context, especially in software
development, security, or debugging, we are referring to distinct methods of understanding and evaluating a
program or system. Below is a breakdown of each concept, along with an example document for each.
1. Behavioral Analysis
Behavioral analysis refers to the study of the behavior of software, systems, or users over time, typically to
understand patterns, predict future actions, or detect abnormal or malicious activities. It can be applied to
various contexts, such as:
• Behavioral Analysis in Security: In cybersecurity, behavioral analysis involves monitoring how software
behaves, particularly in relation to security threats. By observing unusual patterns, such as unexpected
changes in file access or system calls, one can detect malware or unauthorized access.

• Behavioral Analysis in Software Development: This approach focuses on how a system functions during
execution. It looks at runtime behavior, inputs, outputs, and interactions between system components.
• Behavioral Analysis in Machine Learning: This could involve analyzing user behavior to personalize
experiences, like in recommendation systems.
Key Components of Behavioral Analysis:
• Data Collection: Logs, system interactions, network traffic, user behavior patterns.
• Pattern Recognition: Identifying normal vs. abnormal behavior.
• Anomaly Detection: Flagging abnormal or unexpected behavior.
• Visualization and Reporting: Presenting data insights in understandable formats (charts, graphs).

# Behavioral Analysis Report for Software XYZ

## 1. Introduction
Behavioral analysis of Software XYZ was performed to understand its runtime interactions and potential
security risks. The objective is to analyze how the software responds under various conditions, identify
anomalies, and assess overall security behavior.

## 2. Methodology
- **System Monitoring**: We employed tools like Process Monitor and Wireshark to capture system and
network interactions.
- **Behavioral Metrics**: We focused on memory usage, CPU consumption, file access patterns, and network
connections.
- **Data Aggregation**: Logs were aggregated from various sources such as OS events, application logs, and
third-party monitoring tools.

## 3. Findings
- **Normal Behavior**: Software XYZ functioned within expected CPU and memory limits during normal
operations.
- **Anomalies Detected**: Anomalous network connections to suspicious IP addresses were detected during
runtime.
- **Potential Threat**: The software exhibited signs of data exfiltration after specific user actions, suggesting
possible malware involvement.

## 4. Conclusion
Behavioral analysis confirmed that Software XYZ stays within its expected resource profile but also revealed
anomalous network behavior consistent with data exfiltration. The software should not be trusted until that
behavior has been explained.

## 5. Recommendations
- Isolate the affected host and preserve the captured traffic, process logs and the binary as evidence.
- Block the suspicious destination IP addresses at the perimeter and check other hosts for the same connections.
- Implement advanced intrusion detection systems.
- Regularly audit network and system logs for anomalies.

2. Code Analysis
Code analysis involves examining the actual codebase of a software application to ensure quality, security, and
performance. It can be static (analyzing code without execution) or dynamic (evaluating the program during
execution).
Types of Code Analysis:
 Static Code Analysis: Analyzing the source code or binary code without executing it. This is useful for
finding potential issues like security vulnerabilities, bugs, and coding standard violations.
o Tools: linters such as ESLint, and static analyzers such as SonarQube and Checkmarx.
 Dynamic Code Analysis: Observing the code during execution, often used to identify runtime errors, memory
leaks, or performance issues.
o Tools: Valgrind, JProfiler, or profilers like Visual Studio Profiler.
 Security-Focused Code Analysis: This type looks for vulnerabilities such as buffer overflows, SQL injection
risks, and improper input validation.
Key Components of Code Analysis:
 Code Quality Metrics: Identifying code smells, duplicate code, and maintaining readability.
 Security Vulnerabilities: Identifying security risks like cross-site scripting (XSS), SQL injection, and buffer
overflows.
 Performance Optimization: Finding bottlenecks and improving the overall efficiency of code.
 Compliance and Standards Checking: Ensuring the code adheres to coding standards or regulatory
compliance.

# Static Code Analysis Report for Software ABC

## 1. Introduction
The purpose of this code analysis is to evaluate the quality and security of Software ABC's source code. This analysis
focuses on finding bugs, vulnerabilities, and performance issues.

## 2. Methodology
- **Tool Used**: SonarQube for static code analysis and Checkmarx for security vulnerabilities.
- **Scope**: The analysis covers the core module and user authentication components of the software.

## 3. Findings
- **Code Quality Issues**:
- High cyclomatic complexity in the `calculatePayment` function.
- Several unused variables and methods in `userManagement.java`.

- **Security Vulnerabilities**:
- Potential SQL injection risk in the `searchUser` function due to unsanitized user inputs.
- Cross-site scripting (XSS) vulnerability in the `comments.jsp` page.

- **Performance Issues**:
- High memory consumption in `processData()` method, likely due to inefficient data structures.
- Unoptimized database queries causing delays in retrieving user data.

## 4. Conclusion
The analysis revealed several code quality and security issues that need to be addressed. Critical vulnerabilities such
as SQL injection and XSS pose a significant risk to the application.

## 5. Recommendations
- Refactor the `calculatePayment` function to reduce complexity.
- Rewrite the database access in `searchUser` to use prepared statements (parameterized queries), which prevent
SQL injection regardless of the input's content; input validation is a secondary control, not a substitute.
- Encode user-supplied content in `comments.jsp` before it is written into the page to prevent XSS.
- Optimize memory management in the `processData()` method by using more efficient data structures.
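The `searchUser` finding above, worked through as an added example (written for these notes; Software ABC is hypothetical, so the table, its rows and the two function names are constructed for the demonstration): the first function splices the user's input into the SQL text and is vulnerable, the second binds it as a parameter, which is the fix the report recommends.

```python
"""Added example (not from the course notes): the searchUser SQL injection
finding, shown as a vulnerable query built by string concatenation next to the
parameterized version. Schema, rows and function names are constructed.
"""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory user table: two ordinary users and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("admin", 1)],
    )
    return conn


def search_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The attacker-controlled value becomes part of the SQL text, so a quote
    # character in 'name' changes the structure of the query itself.
    query = f"SELECT username FROM users WHERE username = '{name}'"
    return [row[0] for row in conn.execute(query)]


def search_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # The SQL text is fixed; the driver binds the value separately, so it can
    # never be interpreted as SQL whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Classic tautology payload: closes the string literal and appends OR '1'='1'
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_sample_db()
    print("vulnerable:", search_user_vulnerable(conn, INJECTION))  # leaks every user
    print("safe:      ", search_user_safe(conn, INJECTION))        # no such user
```

The vulnerable version returns every row for the payload because the query becomes `WHERE username = '' OR '1'='1'`; the parameterized version looks for a user literally named `' OR '1'='1` and finds none.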
Differences Between Behavioral Analysis and Code Analysis:
 Focus:
o Behavioral Analysis looks at the system or software’s actions during execution, including runtime
behavior and interactions with the environment.
o Code Analysis focuses on the static inspection of the source code or the dynamic inspection of the
code's execution to find flaws, vulnerabilities, and inefficiencies.
 Scope:
o Behavioral Analysis might capture everything from user interactions to resource utilization, and it
often addresses issues related to system performance, security anomalies, and external threats.
o Code Analysis is more focused on internal issues within the source code, such as bugs, security flaws,
or non-compliance with coding standards.
Both forms of analysis are complementary, as behavioral analysis gives insights into how the software operates in
real-world scenarios, while code analysis ensures that the underlying code adheres to best practices and is free from
vulnerabilities.
Reverse-engineering malware (REM) is a critical skill for understanding and mitigating cybersecurity threats. It
involves analyzing malware to uncover how it operates, its objectives, and potential countermeasures. The process
typically requires knowledge of assembly, debugging tools, disassemblers, and understanding common malware
techniques. Below are some key resources and areas of study to help understand malware threats and reverse-
engineering techniques:
1. Books on Reverse-Engineering Malware
 "Practical Reverse Engineering" by Bruce Dang, Alexandre Gazet, Elias Bachaalany
This book focuses on practical reverse engineering skills and techniques using tools like IDA Pro and
OllyDbg.
 "The Art of Software Security Assessment" by Mark Dowd, John McDonald, Justin Schuh
A comprehensive guide to auditing software for vulnerabilities. It is about finding flaws in code rather than
about malware as such, but the code-auditing skills it teaches transfer directly to reverse engineering.
 "Reversing: Secrets of Reverse Engineering" by Eldad Eilam
This book provides an introduction to reverse engineering and practical examples of analyzing software,
including malware.
 "Rootkits: Subverting the Windows Kernel" by Greg Hoglund and James Butler
Focuses on rootkits, a common type of malware, and how they work by subverting operating system
mechanisms.
2. Online Courses and Tutorials
 Malware Unicorn (https://www.malwareunicorn.org/)
Offers a series of practical, hands-on guides for learning malware analysis and reverse engineering, including
challenges and tools.
 Open Security Training - Reverse Engineering Malware
A free, comprehensive course on reverse engineering malware, covering assembly, debugging, and tools like
IDA Pro and Ghidra.
 Pluralsight - Reverse Engineering Malware
A beginner-friendly course that goes over malware analysis fundamentals, tools, and techniques for analyzing
malicious software.
3. Malware Analysis Tools
To effectively reverse-engineer malware, you need to be familiar with various tools:
 IDA Pro (https://www.hex-rays.com/products/ida/)
A powerful disassembler and debugger used for analyzing binary code, one of the most popular tools for
reverse engineers.
 Ghidra (https://ghidra-sre.org/)
A free and open-source reverse engineering tool developed by the NSA, with extensive support for analyzing
malware.
 OllyDbg (http://www.ollydbg.de/)
A 32-bit assembler-level debugger for Windows, helpful for dynamic analysis of malware.
 Wireshark (https://www.wireshark.org/)
A network protocol analyzer used to capture and analyze network traffic, essential when studying malware
that communicates over the network.
 Cuckoo Sandbox (https://cuckoosandbox.org/)
A malware analysis system that automatically executes and analyzes malware, providing detailed reports.
 Volatility Framework (https://www.volatilityfoundation.org/)
A popular open-source memory forensics tool for analyzing memory dumps, often used to analyze memory-
resident malware.
 PEiD (https://www.aldeid.com/wiki/PEiD)
A tool for detecting packers, cryptors, and compilers used by malware to obfuscate its code.
 x32dbg / x64dbg (https://x64dbg.com/)
An open-source debugger for Windows that helps analyze and debug executable files.
4. Malware Analysis Frameworks
 REMnux (https://remnux.org/)
A Linux-based toolkit designed specifically for malware analysis, it includes a wide range of open-source
tools for static and dynamic analysis.
 FLARE VM (https://github.com/mandiant/flare-vm)
A Windows-based malware analysis environment developed by Mandiant's (formerly FireEye's) FLARE team, with a
large selection of tools pre-configured for malware analysis.
5. Forums and Communities
 Reddit - r/ReverseEngineering (https://www.reddit.com/r/ReverseEngineering/)
A community dedicated to reverse engineering, including malware analysis, with frequent discussions and
resources shared by professionals.
 Malware-Traffic-Analysis (https://www.malware-traffic-analysis.net/)
Provides network traffic samples from real-world malware, along with analysis guides and lessons on
malware behavior.
 BleepingComputer Malware Removal Guides (https://www.bleepingcomputer.com/virus-removal/)
Offers community-driven malware analysis and removal guides, along with helpful discussions on how
malware behaves.
 The Honeynet Project (https://www.honeynet.org/)
A nonprofit research organization that focuses on the analysis of malicious cyber activity and the creation of
honeypots to study malware.
6. Understanding Malware Families and Techniques
 MITRE ATT&CK Framework (https://attack.mitre.org/)
A knowledge base of adversary tactics and techniques based on real-world observations, helping in the
identification and understanding of malware behavior and threat actor activities.
 Malware Information Sharing Platform & Threat Sharing (MISP) (https://www.misp-project.org/)
A platform for sharing structured information about malware, threats, and attacks, useful for gaining insights
into current malware trends and techniques.
 VirusTotal (https://www.virustotal.com/)
A popular online service that analyzes files and URLs for malware using multiple antivirus engines, useful for
checking samples and understanding their characteristics.
7. Challenges and CTFs (Capture The Flag)
 CrackMe (https://crackmes.de/)
A website that hosts reverse engineering challenges specifically for learning and practicing reverse
engineering skills.
 Root Me (https://www.root-me.org/)
A platform with cybersecurity challenges that include reverse engineering, malware analysis, and exploitation
tasks.
8. Research Papers and Blogs
 "Understanding Malware" Series by the SANS Institute
The SANS Institute provides high-quality research papers and blog posts on the latest in malware analysis and
reverse engineering.
 Google Project Zero Blog (https://googleprojectzero.blogspot.com/)
Offers detailed technical analysis on vulnerabilities and malware, often featuring case studies on advanced
persistent threats (APTs).
 Securelist by Kaspersky (https://securelist.com/)
A blog and resource center that provides in-depth analysis of the latest malware, APTs, and cyber threats.
By diving into these resources, you can gain a thorough understanding of reverse engineering malware and the
techniques used by cyber adversaries. It is important to balance learning theoretical concepts with hands-on practice to
fully grasp malware analysis.
Malware Indicators and Classification
Malware indicators are specific signs or traits that suggest the presence of malicious software in a system, network, or
device. Identifying these indicators is critical for detecting, preventing, and responding to cyberattacks. They are
commonly divided into indicators of compromise (IOCs), which are artifacts left behind by an intrusion (file hashes,
IP addresses, domain names, registry keys), and indicators of attack (IOAs), which describe the behavior of an attack
in progress (for example, a document viewer spawning a shell that then opens an outbound connection). IOCs are easy
to share and match but cheap for an attacker to change; IOAs are harder to evade because they describe what the
malware does rather than what it looks like. Below are some common malware indicators:
1. File-Based Indicators
 File hashes: MD5, SHA-1, or SHA-256 hashes of malicious files.
 File names: Specific filenames associated with known malware or suspicious activity.
 File path: Locations where malware is commonly placed (e.g., system directories, temporary folders).
 File size: Certain malware variants might have specific file sizes.
 File types: Executables, scripts (e.g., .exe, .bat, .vbs), or documents with embedded macros (e.g., .docm,
.xlsm).

2. Network-Based Indicators
 IP addresses: Known malicious IP addresses associated with malware command-and-control servers, or used
to exfiltrate data.
 Domain names: Malicious domains used in phishing campaigns or for C2 (command-and-control)
communications.
 URLs/Uniform Resource Locators: URLs that are associated with the delivery of malware or are being used
for malicious activity.
 Network traffic patterns: Abnormal traffic or specific patterns of communication, such as large amounts of
data being transferred or connections to suspicious external systems.
 Ports and protocols: Unusual ports or protocols used for malware communication (e.g., TCP 4444, the default
listener port of the Metasploit framework, or IRC ports 6660–6669, used by older IRC-controlled botnets), or a
well-known port carrying a protocol that does not belong on it.
3. System and Behavioral Indicators
 Unusual CPU, memory, or disk usage: Malware often causes abnormal resource consumption, such as high
CPU usage or disk activity.
 Unexpected processes or services: Unknown or suspicious processes running in the background, especially
those with random or unusual names.
 Modifications to critical system files: Malware often changes or modifies system files, including the addition
or deletion of files in critical directories.
 Registry changes (on Windows systems): Malware may alter Windows registry keys to ensure persistence,
such as adding new autorun keys.
 Creation of new user accounts: Unauthorized user accounts may be created by malware to maintain access.
 Changes to system settings: Unexpected modifications to system configurations, firewall settings, or security
software.
4. Email Indicators
 Phishing emails: Emails with suspicious attachments, links, or requests for sensitive information.
 Suspicious email addresses: Emails sent from fake or misleading email addresses or domains.
5. Indicators Related to Exploits
 Buffer overflow signatures: Signs of attempts to exploit memory-corruption vulnerabilities (e.g., long runs of
repeated bytes or NOP sleds in request data, or crash records in application error logs).
 Exploitation of known vulnerabilities: Evidence that malware exploits a specific security hole, typically
referenced by its CVE (Common Vulnerabilities and Exposures) identifier.
 Unusual or failed login attempts: Malicious attempts to log in or brute-force passwords.
6. Malware-specific Indicators
 Ransomware-specific behaviors: Files with specific file extensions, such as .locked or .enc, indicating
encryption by ransomware.
 Trojan-specific behaviors: Suspicious backdoor activity, such as remote control sessions or attempts to
exfiltrate data.
 Worm-specific behaviors: Self-replication and spreading across the network without user intervention.

7. Threat Intelligence Indicators
 Tactics, Techniques, and Procedures (TTPs): The overall behavior of the malware (e.g., lateral movement,
privilege escalation).
 MITRE ATT&CK Framework: Malware actions mapped to specific techniques in the ATT&CK framework,
which helps identify malicious behavior patterns.
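Several of the indicator classes listed above (file hashes, C2 domains and IP ranges, suspicious ports, ransomware file extensions) applied to a handful of host and network events, as an added example for these notes rather than a tool from the course. Every indicator value and every event is constructed for the demonstration; in practice the indicators would come from a threat-intelligence feed and the events from EDR, proxy or firewall logs.

```python
"""Added example (not from the course notes): a small indicator matcher that
checks constructed file and network events against a constructed IOC set.
The IP ranges used are documentation ranges (TEST-NET), not real threat data.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# ---- constructed indicator set (not real threat data) ---------------------
MALICIOUS_SHA256 = {
    hashlib.sha256(b"constructed-sample-payload").hexdigest(): "Trojan.Constructed.A",
}
MALICIOUS_DOMAINS = {"update-check.example-c2.test": "C2 domain"}
MALICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # TEST-NET-3
SUSPICIOUS_PORTS = {4444: "Metasploit default handler", 6667: "IRC (bot C2)"}
RANSOM_EXTENSIONS = (".locked", ".enc")


@dataclass
class Event:
    kind: str                          # "file" or "network"
    attrs: dict = field(default_factory=dict)


def file_indicators(ev: Event) -> list:
    """Hash and filename indicators for a file-write event."""
    hits = []
    digest = hashlib.sha256(ev.attrs["content"]).hexdigest()
    if digest in MALICIOUS_SHA256:
        # Exact-hash IOCs are precise but brittle: one changed byte defeats them.
        hits.append("hash: " + MALICIOUS_SHA256[digest])
    if ev.attrs["path"].lower().endswith(RANSOM_EXTENSIONS):
        hits.append("ransomware extension")
    return hits


def domain_label(host: str):
    """Match the host itself or any subdomain of a listed malicious domain."""
    host = host.lower().rstrip(".")
    for dom, label in MALICIOUS_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return label
    return None


def network_indicators(ev: Event) -> list:
    """Domain, IP-range and port indicators for a connection event."""
    hits = []
    label = domain_label(ev.attrs.get("host", ""))
    if label:
        hits.append("domain: " + label)
    addr = ipaddress.ip_address(ev.attrs["dst_ip"])
    if any(addr in net for net in MALICIOUS_NETWORKS):
        hits.append("ip: known C2 range")
    port = ev.attrs["dst_port"]
    if port in SUSPICIOUS_PORTS:
        hits.append(f"port {port}: {SUSPICIOUS_PORTS[port]}")
    return hits


def scan(events: list) -> dict:
    """Return {event index: [indicator descriptions]} for events with hits."""
    results = {}
    for i, ev in enumerate(events):
        hits = file_indicators(ev) if ev.kind == "file" else network_indicators(ev)
        if hits:
            results[i] = hits
    return results


def sample_events() -> list:
    """Constructed telemetry: four suspicious events followed by two benign ones."""
    return [
        Event("file", {"path": r"C:\Windows\Temp\svch0st.exe",
                       "content": b"constructed-sample-payload"}),
        Event("file", {"path": r"C:\Users\bob\Documents\invoice.pdf.locked",
                       "content": b"\x00" * 32}),
        Event("network", {"host": "cdn.update-check.example-c2.test",
                          "dst_ip": "203.0.113.45", "dst_port": 443}),
        Event("network", {"host": "", "dst_ip": "198.51.100.7", "dst_port": 4444}),
        Event("file", {"path": r"C:\Users\bob\Documents\report.docx",
                       "content": b"benign constructed document"}),
        Event("network", {"host": "www.example.com", "dst_ip": "192.0.2.10", "dst_port": 443}),
    ]


if __name__ == "__main__":
    for idx, hits in scan(sample_events()).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The domain check deliberately matches subdomains as well, since C2 infrastructure often rotates host names under one registered domain, while the hash check shows why file hashes sit at the bottom of the indicator hierarchy: only the exact sample is caught.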

Malware classification
Malware classification is the process of categorizing malicious software (malware) into different types based
on various characteristics. This process helps security professionals understand the nature of the threat and
develop appropriate defenses. Malware can be classified in various ways depending on its behavior, purpose,
or the method of detection. Below are some of the most common categories:
1. Based on Behavior
 Viruses: Malicious code that attaches itself to a legitimate program or file and, when that host is executed,
spreads to other files or systems. It depends on the infected host being run (usually by a user) to activate and
spread.
 Worms: Similar to viruses but do not require user interaction. Worms replicate themselves and spread
autonomously over networks, often causing network congestion.
 Trojans (Trojan Horses): Malware that masquerades as legitimate software or files. They often trick users
into installing them and can give attackers unauthorized access to the system.
 Ransomware: Malware that encrypts a victim's data and demands a ransom for the decryption key. It can
spread through phishing emails, malicious websites, or infected software.
 Adware: Software that displays unwanted ads on the user's system. While it may not always be harmful, it is
often intrusive and can track user behavior.
 Spyware: Malware that secretly monitors and collects information about the user, such as browsing habits,
login credentials, and more.
 Rootkits: Tools used to hide malicious activity on a compromised system. Rootkits allow attackers to
maintain privileged access without detection.
 Keyloggers: Malware designed to monitor and log keystrokes, capturing sensitive information such as
usernames, passwords, and credit card numbers.
 Bots and Botnets: Bots are automated programs used by attackers to control a system remotely. When a
network of infected devices is controlled, it becomes a botnet, which is often used in Distributed Denial of
Service (DDoS) attacks.
2. Based on Delivery Method
 Phishing Malware: Malware delivered through deceptive emails or websites that trick users into providing
sensitive information or downloading malware.
 Drive-by Downloads: Malware delivered automatically when a user visits a compromised or malicious
website without their knowledge.
 Email Attachments: Malicious files attached to emails that, when opened, infect the user's system.
 Malvertising: Malicious advertisements displayed on websites that contain hidden malware, which is
activated when clicked.
 USB or Removable Media: Malware that spreads via USB drives or other removable storage devices,
infecting systems when they are plugged in.
3. Based on Target or Purpose
 Financial Malware: Malware specifically designed to steal banking credentials, perform financial fraud, or
conduct identity theft.
 Industrial Control System (ICS) Malware: Targeted at critical infrastructure systems, such as energy grids,
water systems, and manufacturing systems. These types of attacks can cause significant damage to public
infrastructure.
 Information Stealers: Malware focused on stealing sensitive information, such as login credentials, personal
identity information, and credit card details.
 Nation-State Malware: Cyberattacks launched by governments or affiliated entities targeting other nations
for espionage, sabotage, or warfare.
 Cyber Espionage Malware: Used to spy on organizations, governments, or individuals, typically to steal
intellectual property, trade secrets, or sensitive data.
4. Based on Exploitation Techniques
 Exploits: Malware that takes advantage of vulnerabilities or weaknesses in software, hardware, or network
configurations to gain unauthorized access.
 Zero-Day Exploits: Attacks that exploit vulnerabilities that are unknown to the software vendor or have no
available fix, making them especially dangerous.
 Privilege Escalation Malware: Malware that attempts to gain elevated privileges on a system to have broader
access, often seeking administrator or root access.
5. Based on Persistence Mechanism
 Fileless Malware: Malware that runs in memory, typically launched through a script or a legitimate system tool
(e.g., PowerShell or WMI) and persisting in places such as the registry rather than as an executable on disk.
Leaving little or no footprint on the file system makes it hard for file-scanning tools to detect; it remains
visible in memory, process and command-line telemetry.
 Persistence Malware: Malware designed to survive reboots, typically by adding registry autorun keys, creating
scheduled tasks or services, or hijacking a legitimately loaded component.
 Dropper: A type of malware that installs other malicious payloads onto a victim's system. The dropper itself
may not be harmful but sets up the system for future attacks.
6. Advanced Malware Categories
 Advanced Persistent Threats (APTs): These are long-term, targeted attacks, often by sophisticated attackers
like nation-states, focused on stealing information or gaining unauthorized control of systems.
 Polymorphic Malware: Malware that changes its code or appearance each time it infects a new system to
evade detection by security tools.
 Metamorphic Malware: More advanced than polymorphic malware, metamorphic malware rewrites its code
entirely to avoid detection.
7. Based on Detection Method (for classification)
 Signature-based Detection: Relies on known patterns (signatures) of malware files. This method is effective
against known threats but not against new or modified malware.
 Heuristic-based Detection: Focuses on identifying suspicious behavior, patterns, or properties that could
indicate malicious activity, even if the specific malware has not been seen before.
 Behavioral Analysis: Involves monitoring system behavior to detect any unusual activity typical of malware
infections, such as file modifications, network traffic, and process changes.
 Sandboxing: Running suspicious programs in an isolated environment to analyze their behavior without
affecting the actual system.
8. Emerging Trends in Malware Classification
 AI/ML-based Malware: Some modern malware uses machine learning or artificial intelligence to adapt to
new security measures and improve its evasion techniques.
 Fileless Ransomware: A form of ransomware that operates entirely in system memory, avoiding detection by
traditional signature-based antivirus software.
 Cross-Platform Malware: Malware that is designed to attack multiple operating systems, such as Windows,
macOS, and Linux, to maximize its impact.

Examining Clam AV Signatures, Creating Custom Clam AV Databases.
Examining ClamAV Signatures
ClamAV (Clam AntiVirus) is an open-source antivirus engine used for detecting and eliminating malware. It relies
heavily on signature-based detection, meaning it looks for specific patterns (signatures) within files to identify
potential threats. Here's how you can examine ClamAV signatures and create custom signature databases.
1. ClamAV Signature Format
ClamAV ships its signatures in database files that, on Linux, are normally stored in /var/lib/clamav/. The official
databases are distributed as .cvd (ClamAV Virus Database) files, which are signed, compressed archives of the
individual signature files; incremental updates are applied into .cld files. Inside those archives, and for custom
databases you write yourself, the signature files are plain text, and the file extension tells ClamAV how to parse them:
 Hash signatures (.hdb, .hsb): an MD5 or SHA-1/SHA-256 of the whole file plus its size. Exact and cheap, but
defeated by a one-byte change to the sample.
 Body-based signatures (.ndb): a hex byte pattern with wildcards, restricted to a file type (target type) and an
optional offset.
 Logical signatures (.ldb): several sub-patterns combined with a boolean or counting expression; the most
flexible text format.
 Bytecode signatures (.cbc) and YARA rules (.yar/.yara): for detections that need actual logic.
 Whitelist entries (.fp, .sfp, .ign2): suppress known false positives.
A body-based (.ndb) signature, the format used in the examples below, consists of colon-separated fields:
 MalwareName: the name ClamAV reports when the signature matches (e.g., Win.Trojan.Example-1).
 TargetType: the file type the signature applies to (0 = any file, 1 = PE executable, 2 = OLE2, 3 = HTML,
4 = mail, 5 = graphics, 6 = ELF, 7 = normalized ASCII text, 9 = Mach-O).
 Offset: where the pattern must start (* for anywhere, a decimal offset from the start of the file, or EOF-n for a
position relative to the end).
 HexSignature: the byte pattern as hex digits, with wildcards such as ?? for any single byte and * for any run of
bytes.
The .cvd archive itself carries a header with the build time, version, signature count, minimum functionality level,
MD5 checksum and a digital signature that freshclam verifies before installing an update.
To see which databases are installed:

cd /var/lib/clamav/
ls

The main database is main.cvd, with daily.cvd (or daily.cld once incremental updates have been applied) and
bytecode.cvd alongside it. A .cvd file is a compressed, signed archive with a one-line text header, so

cat /var/lib/clamav/main.cvd | less

shows little beyond that header followed by binary data. Use ClamAV's own sigtool utility to look inside instead:

sigtool --info=/var/lib/clamav/main.cvd
sigtool --unpack=/var/lib/clamav/main.cvd

The first prints the header (build time, version, number of signatures, functionality level, builder); the second
extracts the plain-text signature files (main.ndb, main.hdb, main.ldb, ...) into the current directory, where they can
be read with any text editor.
2. Using ClamAV Commands to Examine Signatures
ClamAV provides commands that help in inspecting and interacting with the virus database.
 clamscan: The stand-alone scanner. It loads the databases on every run and reports the name of the signature that
matched each infected file (e.g., eicar.com: Win.Test.EICAR_HDB-1 FOUND).
 clamdscan: A thin client that sends scan requests to the clamd daemon, which keeps the databases loaded in
memory; much faster for repeated or large scans.
 freshclam: Downloads and verifies updates to the official signature databases.
For more detail about what the engine is doing, add --debug to clamscan; the output includes which database files
were loaded, how many signatures each contributed, and the file types detected during the scan:
clamscan --debug /path/to/file
3. Examining Signature Metadata
sigtool can also query the installed databases signature by signature:
sigtool --list-sigs | less
sigtool --find-sigs=Eicar
sigtool --find-sigs=Eicar | sigtool --decode-sigs
The first lists the names of every signature in the default database directory; the second prints the raw signature
lines whose names match a regular expression; piping those lines through --decode-sigs splits them into labelled,
human-readable fields. Unpacking a .cvd with sigtool --unpack (see above) leaves the raw .ndb, .hdb, .ldb and other
files on disk, which is the most direct way to study how the official signatures are written.
Creating Custom ClamAV Databases
Sometimes you need to create custom ClamAV signatures to detect new or unique threats. To create a custom
signature database, follow these steps:
1. Prepare the Custom Signature
To create a custom signature, you need to define something that uniquely identifies a specific file or malware
family: a hash of the whole file, or a byte pattern that is present in every variant but absent from legitimate software.
You can write a signature manually or derive it from a malware sample.
Example of a body-based (.ndb) signature:
MyCustomSignature:0:*:1234567890abcdef
This defines a signature that looks for the byte sequence 12 34 56 78 90 ab cd ef anywhere in a file of any type.
 MyCustomSignature: the name reported on detection.
 0: the target type (0 = any file; use 1 to restrict the search to PE executables).
 *: the offset (anywhere in the file).
 1234567890abcdef: the hex byte pattern to search for, written without a 0x prefix.
2. Using sigtool to Create Custom Signatures
sigtool can generate hash signatures directly from sample files. The .hdb and .hsb formats are
Hash:FileSize:MalwareName, and sigtool prints exactly that, using the sample's file name as the signature name:
sigtool --md5 myfile1 myfile2 > custom.hdb
sigtool --sha256 myfile1 myfile2 > custom.hsb
Edit the last field of each line to a meaningful name before use. Hash signatures match only the exact file, so they
stop working as soon as the attacker changes a single byte. For a body signature, sigtool --hex-dump converts a byte
sequence carved out of the sample into the hex form ClamAV expects:
head -c 16 myfile1 | sigtool --hex-dump
Note that sigtool --build is not the command for this step: it packs a directory of finished signature files into a
.cvd archive for distribution and does not derive signatures from samples.
3. Write Custom Signatures Manually
You can also create signatures by writing the pattern yourself. For example:
MyCustomMalware:0:*:1234567890abcdef
This signature will match any file that contains the byte sequence 12 34 56 78 90 ab cd ef. With target type 1 instead
of 0 the same pattern would be searched only in PE executables, which is cheaper and less prone to false positives.
4. Adding Custom Signatures to ClamAV
Once you have created your custom signatures, you need to make them available to ClamAV.
1. Save your custom signatures to a file whose extension matches the format, for example custom.ndb for body
signatures or custom.hdb for MD5 hashes. The name before the extension is free; the extension is what ClamAV uses
to decide how to parse the file.
2. Place the file in ClamAV's database directory, typically /var/lib/clamav/. clamscan loads every database file in
that directory by default, and clamd loads them all when it starts.
3. freshclam is not involved: it only downloads and verifies the official databases and neither installs nor reads
custom files. To make an already running clamd pick up the new file without a restart, ask it to reload its databases:
clamdscan --reload
(clamd also re-checks the database directory on its own every SelfCheck seconds, 600 by default.)
5. Testing Your Custom Signatures
Once your signature is in place, test it against a file that should match and against a set of known-good files to
check for false positives. While developing, a custom database can also be loaded on its own, without the official ones:
clamscan --database=/path/to/custom.ndb /path/to/test/file
If the signature is correct, ClamAV reports the file as infected with your signature name. Names from databases that
are not signed .cvd/.cld files are reported with a .UNOFFICIAL suffix, e.g. MyCustomSignature.UNOFFICIAL FOUND.
6. Regular Updates of Custom Signatures
It is important to regularly update and maintain your custom signatures, especially if the threats evolve. You should
also monitor your ClamAV logs to ensure the signatures are effective and don't create false positives.
Tips for Custom Signatures
 False positives: Ensure your custom signature matches only the targeted malware and does not trigger false
alarms on legitimate files.
 Byte patterns: Choose byte patterns that are specific enough to avoid matching benign files.
 Logical and bytecode signatures: When a single byte pattern is too brittle, combine several weaker patterns in a
logical (.ldb) signature or express the check as bytecode, so that variants of a family are caught without
matching benign files; this is the closest ClamAV comes to heuristic detection of new samples.
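The whole procedure above, from choosing between a hash and a body signature to checking that the result matches the intended files and nothing else, carried through offline as an added example. This is code written for these notes, not ClamAV's own code: it writes .hsb hash lines and .ndb body lines in the documented formats, and checks a body signature against sample bytes with a Python re-implementation of a small subset of ClamAV's hex-pattern syntax (?? for one wildcard byte, * for any run of bytes, {n} or {n-m} for a bounded run). Target-type detection, EOF/EP-relative offsets and logical signatures are deliberately left out. The two "variants", the benign file and all signature names are constructed for the demonstration, so run the finished lines through the real clamscan before deploying them.

```python
"""Added example (not ClamAV code, not from the course notes): draft and check
custom ClamAV signatures offline. Implements a subset of the .ndb hex syntax.
"""
import hashlib
import re

# Target types as documented for .ndb signatures (subset).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail",
                5: "graphics", 6: "ELF", 7: "ASCII", 9: "Mach-O"}

# Constructed samples: a shared "decoder stub" followed by a per-variant key
# byte and payload, plus a benign file that must never match.
STUB = b"\xeb\x0e\x5e\x31\xc9"
VARIANT_A = STUB + b"\xb1\x10\x80\x36\x41" + b"CONSTRUCTED_PAYLOAD_A"
VARIANT_B = STUB + b"\xb1\x20\x80\x36\x7f" + b"CONSTRUCTED_PAYLOAD_B"
BENIGN = b"MZ\x90\x00\x03\x00 constructed benign file content"


def hsb_signature(name: str, data: bytes) -> str:
    """One .hsb line: SHA256:FileSize:MalwareName."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def hash_matches(hsb_line: str, data: bytes) -> bool:
    """A hash signature matches only the exact bytes it was derived from."""
    digest, size, _name = hsb_line.split(":")[:3]
    return size == str(len(data)) and digest == hashlib.sha256(data).hexdigest()


def ndb_signature(name: str, hexsig: str, target_type: int = 0, offset: str = "*") -> str:
    """One .ndb line: MalwareName:TargetType:Offset:HexSignature."""
    if target_type not in TARGET_TYPES:
        raise ValueError(f"unsupported target type {target_type}")
    return f"{name}:{target_type}:{offset}:{hexsig}"


def parse_ndb(line: str) -> dict:
    name, ttype, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target_type": int(ttype), "offset": offset, "hex": hexsig.lower()}


def hex_to_regex(hexsig: str) -> bytes:
    """Translate the supported subset of ClamAV hex syntax into a bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig.startswith("??", i):            # any single byte
            parts.append(b".")
            i += 2
        elif hexsig[i] == "*":                    # any run of bytes
            parts.append(b".*")
            i += 1
        elif hexsig[i] == "{":                    # {n} exactly n, {n-m} between n and m bytes
            j = hexsig.index("}", i)
            lo, _, hi = hexsig[i + 1:j].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
            i = j + 1
        else:                                     # literal byte: two hex digits
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return b"".join(parts)


def matches(sig: dict, data: bytes) -> bool:
    """True if the body signature matches at its offset ('*' means anywhere)."""
    pattern = re.compile(hex_to_regex(sig["hex"]), re.DOTALL)
    if sig["offset"] == "*":
        return pattern.search(data) is not None
    return pattern.match(data, int(sig["offset"])) is not None


def demo() -> dict:
    """Hash signature vs. body signature against the two constructed variants."""
    hexsig = "eb0e5e31c9b1??8036??"              # stub + key byte and XOR operand wildcarded
    hash_sig = hsb_signature("Win.Test.Constructed_Hash", VARIANT_A)
    ndb_line = ndb_signature("Win.Test.Constructed_Body", hexsig)
    body_sig = parse_ndb(ndb_line)
    return {
        "hsb": hash_sig,
        "ndb": ndb_line,
        "hash_a": hash_matches(hash_sig, VARIANT_A),
        "hash_b": hash_matches(hash_sig, VARIANT_B),   # False: two bytes differ
        "body_a": matches(body_sig, VARIANT_A),
        "body_b": matches(body_sig, VARIANT_B),        # True: wildcards absorb them
        "body_benign": matches(body_sig, BENIGN),      # False: no false positive
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Paste the printed hsb line into custom.hsb and the ndb line into custom.ndb to load them with clamscan --database. The comparison in demo() is the point of the exercise: the hash signature catches only the sample it was made from, while the body signature with two wildcarded bytes catches both variants and leaves the benign file alone.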