
Tuesday, July 30, 2019

Using Far Manager and Hiew duo in malware Analysis

I have been using the Far Manager and Hiew combo for a really long time while doing malware analysis. (Unfortunately I could not fix the formatting issues towards the end of the blog.)

Far Manager is not a malware analysis tool at all but an alternative to Windows Explorer. Still, it solves some basic problems in malware analysis, like sorting by size, seeing hidden files and viewing processes. Far Manager is a keyboard-driven alternative to Windows Explorer (Explorer.exe) for browsing the file system. It speeds up your work because you can move through the file system much faster than with the conventional Windows Explorer, and you can do a lot of quick things with keyboard shortcuts. Don't worry about remembering the shortcuts; after some time they will be at your fingertips.

You can download Far Manager from https://farmanager.com/. Run it by extracting the archive and double-clicking Far.exe. By default Far Manager has two panes, left and right, so you can see two locations of your file system at a time. Here the left pane shows the contents of the folder "C:\Program Files\7-Zip" and the right pane shows the contents of "D:\books\c-prog". You can move through the files in a directory with the up and down arrow keys; the cursor is the green bar.

At the bottom you can see 1 Help, 2 User Menu, 3 View ... 5 Copy.
This means F5 is used for copy. To explore more options, press left Ctrl, right Ctrl, left Shift, right Shift or Alt and watch how these options change.



If I press Ctrl, I see 12 Sort. Now let's see what happens when I press Ctrl+F12.

You can sort the files in the directory by size, extension, etc. Note: this is useful for analysts dealing with a huge set of files. Malware samples from the same family that are close to each other are often similar in size, so you can sort by size and cluster the files of the same size.
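The same size-based clustering done as a script, as an added example that is not part of the original post: it sorts a listing by size exactly like Far's size sort and then splits it into groups whose members lie within a tolerance (an assumed parameter; Far itself only sorts). The listing below is constructed; scan_dir() would produce one from a real sample folder.

```python
import os

# Constructed sample listing of (name, size in bytes); a real run would
# come from scan_dir() on the folder holding the samples.
SAMPLE_LISTING = [
    ("a.exe", 204800), ("b.exe", 204800), ("c.exe", 204864),
    ("d.exe", 98304), ("e.exe", 1048576), ("f.exe", 98350),
]


def scan_dir(root):
    """Return (path, size) pairs for every file under root. os.walk does not
    skip entries carrying the Windows hidden attribute, so dropped hidden
    files are listed too."""
    listing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                listing.append((path, os.path.getsize(path)))
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort
    return listing


def cluster_by_size(listing, tolerance=0):
    """Sort by size (what F12 / Ctrl+F12 does in Far) and split the sorted
    list into clusters whose members are within `tolerance` bytes of the
    smallest file in that cluster."""
    clusters = []
    for name, size in sorted(listing, key=lambda entry: entry[1]):
        if clusters and size - clusters[-1][0][1] <= tolerance:
            clusters[-1].append((name, size))
        else:
            clusters.append([(name, size)])
    return clusters


def candidate_families(listing, tolerance=0):
    """Only clusters with two or more members deserve a second look;
    returned as lists of names in size order."""
    return [[name for name, _ in group]
            for group in cluster_by_size(listing, tolerance) if len(group) > 1]


if __name__ == "__main__":
    for group in candidate_families(SAMPLE_LISTING, tolerance=64):
        print("possible family:", ", ".join(group))
```

Same-size groups are only a lead; confirm with hashes or static properties before treating them as one family.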

The cursor is in the left pane on the file "History.txt". To copy History.txt from "C:\Program Files\7-Zip" to "D:\books\c-prog" press F5; to move it (cut and paste) press F6. See how quick a move is. Multiple files can be copied at the same time: to select a file press Shift+Down or Shift+Up on it (the same keys deselect a selected file); Shift+Right selects all the files below the cursor and Shift+Left all the files above it. Then F5 or F6 starts the copy or move.
To switch between the panes, i.e. go from "C:\Program Files\7-Zip" to "D:\books\c-prog", press Tab. Use the up and down arrow keys to move through the files of the same directory.


Executables (7z.exe, Uninstall.exe) are shown in green text and directories ("lang") in white.
To open a file in the directory, move the cursor to it and press Enter: an .exe will execute and a .txt file will open in Notepad. Hidden files are shown in light blue. This is often useful in malware analysis when the malware hides one of its dropped files by setting the Windows hidden attribute.



You can see more details of the files in the directory by pressing Left Ctrl + 3: the extension, file size and creation date and time.

We can also move between directories with keyboard shortcuts. To go into the "lang" directory, move the cursor to lang with the up or down arrow keys and press Enter. To go to the parent directory press Ctrl + PgUp.

Searching files in a directory:
Press Alt and start typing the letters of the file name; wildcards can be used too.
Sorting files in a directory:
You can sort the files in a directory by pressing F12. This gives you the option to sort by size, extension, write time, etc. You can use this feature to cluster files of similar size.




Creating shortcuts to directories and accessing them:
You can save up to 10 directories as shortcuts on the keys 0 to 9.
To create a shortcut for a directory on number 1, go to the directory and press Ctrl+Shift+1.
To jump to the shortcut saved on number 1, press Right Ctrl + 1. Similarly you can create shortcuts to 10 directories.

Adding tool shortcuts to Far Manager:
As malware researchers we need to use a lot of tools on the samples. You can add shortcuts to tools in Far Manager. I want to add Hiew (Hacker's View) to my Far Manager and open samples with it.
Before adding Hiew to Far, I downloaded Hiew from http://www.hiew.ru/ and extracted it to "D:\tools\hiew" on my system. I need to add Hiew32Demo.exe to Far Manager.

To open a file in Hiew from the command line, I type hiew32demo.exe file__full_path, where file__full_path is the parameter to hiew32demo.exe.

To add a command I press F2.
A window pops up over Far Manager asking you to press Del, Ins, F4 or Alt+F4. You can try out each of these keys. To add Hiew I press the Ins key.

After I press the Insert key I get a window like the one below.

Hotkey stands for the shortcut key; I have put h here. Label is just for your reference; I have entered hiew. In Commands I have put D:\tools\hiew\hiew32demo.exe "!.!". Here "!.!" means the currently selected file, which is passed as the parameter to hiew32demo.exe.
To save the command, use the arrow keys to reach [Ok] in the menu and press Enter.
Now Hiew is added to my tools. To open a file in Hiew I move the cursor to the file and press F2, then h.


Hiew will be covered in the next blog post.

Tuesday, July 16, 2019

Simplifying Malware Analysis:


This article is meant for people who want to start a career in malware analysis. Malware analysis is a growing need in the cyber security industry as attacks involving malware increase. The article talks about how to approach malware analysis; before that, it is important to know how malware works. Here are the topics I will cover in the article.
  1. Malware Components 
  2. Malware Analysis Steps

Malware Components
To understand malware better I have broken it down into components. Below is a diagram showing the various components.

I have broken down the malware into the following components:
  1. Payload
  2. Packer
  3. Persistence 
  4. Armoring
  5. Stealth
  6. Communication
  7. Propagation
Figure: Malware Components
Payload is the mandatory component of malware; the rest are optional.
  • Payload is the core component of the malware. The payload executes the final intention of the malware: a malware may steal credentials from a browser or steal banking credentials. Malware should be classified or named based on the payload:
    • Password Stealer (PWS): steals passwords from browsers, FTP clients, etc.
    • Banking Malware: specially meant to steal banking credentials or perform a man-in-the-middle attack.
    • Ransomware: asks the victim to pay a ransom, usually by hijacking sensitive data or system resources.
    • Adware: displays unwanted advertisements to victims.
    • Point of Sale: used to steal credit card information from systems linked to POS devices.


Packer is an envelope over the payload. While reverse engineering malware, you need to remove this envelope to see the actual payload or functionality of the malware. A packer has algorithms that are used to compress code. Since the actual malware code is compressed by the packer, it's hard to see the actual payload by static analysis (I will talk about static analysis later in the article; for the time being, consider static analysis in this case as viewing an executable in a hex editor). A packer is a program that takes an executable as input and produces a packed executable. The original executable and the packed executable will look different if static analysis is done on them. A polymorphic packer takes one executable program as input and creates multiple (possibly millions of) packed executables which look different from each other under static analysis. These executables are released in the wild through various channels like spam and exploit kits. The packed executables differ from each other when the analyst performs static analysis on them, but their behavior (dynamic analysis) is the same. So if an antivirus engineer writes a static detection signature on a few of the packed executables, there is a chance that the signature will not detect all the executables created by the polymorphic packer. This is one of the methods by which malware evades static antivirus signatures.
Figure: Polymorphic Packer
Persistence:
Malware needs to stay in the system and survive reboots. A banking malware or stealer needs to stay active in the system even after a reboot. The techniques with which malware survives a reboot are called persistence mechanisms. Most malware exploits operating system features to persist.

Armoring:
Malware does not want to be analysed or detected. Security researchers try to break the malware, and armoring is what malware uses to protect itself. Anti-debugging, VM detection, sandbox detection and analysis tool detection are various armoring techniques employed by malware.

Stealth:
Malware needs to hide itself in the system so that the user does not suspect it. Stealth techniques range from simply setting the hidden file attribute to code injection techniques, and rootkits can be considered a stealth mechanism too. Often a rootkit is considered a type of malware, but I would say a rootkit is a technique to hide malware; the payload could be something like a banking trojan that wants to hide itself. Most rootkits alter the functionality of the APIs or data structures used by the operating system. For example, Windows Task Manager refers to a doubly linked list in which each node represents a process; removing a node from the linked list hides a process. This rootkit technique is called DKOM.

Communication:
Malware communicates with the attacker through command and control (CnC) servers. The reason could be anything: uploading stolen data, receiving commands, etc.

Propagation:
Malware needs to spread across computers in a network or outside the network. Autorun worms used pen drives to spread from one machine to another. The infamous WannaCry used the EternalBlue exploit to propagate through the network. PE file infection (file infectors) is a spreading mechanism used by 

Malware Analysis
Malware analysis is done to find out whether a program is malware and, if so, its impact on the system. It is divided into:
  1. Static
  2. Dynamic
  3. Reverse Engineering

Static Analysis:
Static analysis is done without executing the sample. The sample is opened in a static analysis tool to view its static properties.
It's hard to draw conclusions from static analysis since malware may be obfuscated. Then why do we perform static analysis?
Static analysis forms the basis of dynamic analysis. Here is an analysis step: I get a sample and check its first few bytes in a hex editor. I see MZ at the start of the file, so I consider it a Windows executable. Then I check whether it is a 32-bit or 64-bit executable; if it is 64-bit, I use a 64-bit Windows OS for dynamic analysis.

Figure: Malware Analysis Steps
If I find that the file is a Microsoft Word document (.docx), I need to install Microsoft Word on my analysis machine for further dynamic analysis.
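The hex-editor triage described above (MZ at offset 0, then 32-bit versus 64-bit, and a .docx being a zip container), as an added Python example that is not part of the original article. It reads the e_lfanew pointer at offset 0x3C, checks the "PE\0\0" signature, and decides on the Machine field of the file header together with the Magic of the optional header; the header bytes it tests against are constructed, not real samples.

```python
import struct

# IMAGE_FILE_HEADER.Machine values for the two cases the triage decides between.
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
# IMAGE_OPTIONAL_HEADER.Magic: PE32 (32-bit) vs PE32+ (64-bit).
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B


def identify_sample(data):
    """Classify a file from its leading bytes, as the hex-editor check does."""
    if data[:4] == b"PK\x03\x04":
        return "zip container: .docx/.xlsx are zip files, inspect the entries inside"
    if data[:2] != b"MZ":
        return "no MZ signature: not a Windows executable"
    if len(data) < 0x40:
        return "MZ header truncated"
    # e_lfanew (offset 0x3C) points at the PE signature; the 20-byte file
    # header follows it and the optional header's Magic comes right after.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ without PE signature: DOS program or damaged file"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "64-bit PE (x64): use a 64-bit Windows VM for dynamic analysis"
    if machine == MACHINE_I386 and magic == PE32_MAGIC:
        return "32-bit PE (x86)"
    return "PE with unusual Machine 0x%04x / Magic 0x%04x" % (machine, magic)


def build_pe_stub(machine, magic):
    """Constructed minimal MZ+PE header for testing; not a runnable executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # PE signature right after DOS header
    header += b"PE\x00\x00" + struct.pack("<H", machine) + bytes(18) + struct.pack("<H", magic)
    return bytes(header)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as sample:
        print(identify_sample(sample.read(512)))
```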

Dynamic Analysis:
Dynamic analysis is performed to find the changes made by the malware to the system. The changes can include:
  • file modifications
  • configuration changes
  • network communication
  • process changes: code injection, API hooks
  • mutexes created
  • system code modifications (kernel-level API hooks and data structure modifications)


Reverse Engineering:
Reverse engineering is performed when it is hard to draw conclusions from dynamic analysis. A malware may not execute completely if it detects a virtual machine environment (armoring), so dynamic analysis won't give conclusive results. In this case reverse engineering is performed to locate the code that detects virtual machines and patch it so that the malware executes. Reverse engineering can have many other purposes:

  • finding out the algorithms used by malware
  • writing better antivirus signatures
  • finding out more secrets in the malware, like similarity with existing malware used in some attack

Malware Analysis Training:
All these topics are covered in detail in my training. Apart from this, malware detection is also included in the training. Contact me at abhijit.mohanta.15.08@gmail.com for training.