PMAT Journey — 2
Last update I was 21% through the course and had not begun any analysis on the malware samples in the lab. I am at 47% complete with several modules to go. I have completed Basic Static Analysis and begun Basic Dynamic Analysis. Let’s break these terms down.
Static analysis is analyzing a malware sample without executing it, whereas dynamic analysis is analyzing the sample while it executes. This is why it is so imperative to ensure your lab environment is locked down from the internet and from your host machine. You do not want the malware sample to touch your host or the internet, for several reasons: among them, not infecting your host machine and not actually downloading anything malicious from a C2 (Command and Control) server. This is why Matt spent a great deal of time and focus ensuring you are safe when you detonate malware throughout this course and beyond. He also spends time discussing industry standards for safely handling malware as an analyst, safe sources for malware samples, and keeping your malware sample defanged until you are deliberately ready to fang your malware.
On a side note, I personally still chuckle at the defang and fang terms, and it’s probably because it reminds me of my goofy greyhounds and their teeth. See below.
The Basic Static Analysis lesson takes you through several topics, including hashing samples, checking malware repositories, using strings and FLOSS, PEview, and PEStudio. In addition to that, Matt ensures you have a little extra knowledge to understand the “why” behind what you are doing. I appreciate this to no end, as I am sure others will while taking the course. With that he covers some basic Windows API (Application Programming Interface) explanation as well as some more depth on how to use PEview to characterize malware more thoroughly. For example, Matt discusses the importance of looking at specific headers in PEview to help you, as the analyst, determine if malware might be packed. Malware packing is a technique that malware authors can use to disguise or obfuscate an executable to avoid AV (anti-virus) detection.
Below I have included a screenshot from my VM. I blacked out and greyed out some of the text. Some of the “samples” in this course are written by Matt to mimic malware, so I do not want to A) plagiarize his material or B) give away the fun of exploring in the course. The highlighted bits, Virtual Size and Size of Raw Data, are parts of the puzzle in malware analysis that help determine if the malware sample is packed.
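To make the Virtual Size versus Size of Raw Data comparison concrete, here is a small added example of my own (not code from the course or from Matt) that does two of the Basic Static Analysis steps in plain Python: it hashes a sample for repository lookups and walks the PE section table by hand, flagging any section whose in-memory size is far larger than its on-disk size. The 4x ratio threshold is an assumption of mine, not a number from the course, and the sample image is a constructed, headers-only PE built inside the script, not real malware.

```python
"""Static-triage helpers (added example): hash a sample and compare each PE
section's VirtualSize to its SizeOfRawData to spot a possibly packed binary."""
import hashlib
import struct

# IMAGE_SCN_CNT_UNINITIALIZED_DATA: .bss-style sections legitimately have no raw data
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080


def hash_sample(data: bytes) -> dict:
    """Hashes you would paste into a malware repository search."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_hdr_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                   # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return sections


def suspicious_sections(sections: list, ratio: float = 4.0) -> list:
    """Names of sections whose VirtualSize dwarfs SizeOfRawData: a packer stub
    fills that space at runtime. Uninitialised-data sections are skipped, since
    a zero raw size is normal for them. The ratio is an assumed heuristic."""
    flagged = []
    for s in sections:
        if s["characteristics"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            continue
        if s["virtual_size"] and (s["raw_size"] == 0 or s["virtual_size"] > ratio * s["raw_size"]):
            flagged.append(s["name"])
    return flagged


def build_constructed_pe(section_specs: list) -> bytes:
    """Constructed, headers-only PE32 image for offline testing (not real malware)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    table = b""
    for name, vsize, raw_size, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, raw_size, 0x400,
                             0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


# Constructed section layout: one healthy code section, one normal .bss, one
# section that is tiny on disk but huge in memory (the pattern to look for).
CONSTRUCTED_SPECS = [
    (".text", 0x1000, 0x1000, 0x60000020),
    (".bss", 0x8000, 0, 0xC0000080),
    (".sec1", 0x40000, 0x200, 0xE0000040),
]


def triage(data: bytes) -> dict:
    sections = parse_sections(data)
    return {"hashes": hash_sample(data), "sections": sections,
            "possibly_packed": suspicious_sections(sections)}


if __name__ == "__main__":
    report = triage(build_constructed_pe(CONSTRUCTED_SPECS))
    print("sha256:", report["hashes"]["sha256"])
    for s in report["sections"]:
        print(f"{s['name']:8} VirtualSize=0x{s['virtual_size']:x} SizeOfRawData=0x{s['raw_size']:x}")
    print("possibly packed sections:", report["possibly_packed"])
```

Run it against a real sample with `triage(open(path, "rb").read())`; the section printout is the same pair of fields you read off PEview, and the flagged list is only a prompt to look closer, since the IAT, strings, and entropy all need to agree before calling a sample packed.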
Another part of the course that was an eye opener to me is using the IMPORT_Address_Table in PEview. This is yet another example of how Matt gives you more of the “why” behind a task. The IAT can be used to glean information about API calls and correlate that information with other IOCs (Indicators of Compromise) to paint a larger picture of what is happening. Don’t worry, it’ll be explained thoroughly as well.
I personally recommend looking quickly at the note review at the end of the Basic Static Analysis module to see how Matt takes notes before you begin. He uses Microsoft OneNote but if this is not available to you, a word processor with the ability to hold screenshots will suffice. You don’t need to understand what he is talking about at the moment. Just get an idea of how he takes notes so you can take notes as you go through the module.
Lastly, Matt has added some updates since the initial release of the course. On 11/28/21 he added information about a great resource and how to use it, MalAPI.io by mrd0x. This helps you identify which Windows APIs are commonly abused in malware. Also, a more recent update was made on 11/19/22 discussing a tool called Capa by Mandiant. Capa is a beast on its own and maps to frameworks such as MITRE ATT&CK, an industry standard for defining Tactics, Techniques, and Procedures (TTPs), and the Malware Behavior Catalog, or MBC.
Oh, and did I mention, Matt Kiely is hosting the Advent of Cyber 2022 event today on TryHackMe and there is a carol to go along. I’ll be checking that out after I post this.