Malware Analysis

1. Malware Analysis: Initial Steps


Malware Symptoms


The first step in my investigation was finding out the symptoms that the program causes. My friend told me that when he first ran the program it induced a Blue Screen of Death, but nothing out of the ordinary occurred when he rebooted the computer. This told me two things about the malware:


Since the "virus" caused a Blue Screen of Death, this means it messed up somewhere. Malware aims to cause as little disruption as possible, since events such as a blue screen can alert the user to the fact that something is wrong.


The malware programmer is not advanced. A seasoned malware author would not be foolish enough to cause a BSOD. BSODs are usually caused by mistakes such as null pointers, and other memory reference issues. By understanding the author, you can better understand his work.


Just from the fact that the virus caused a Blue Screen of Death, I learned a lot about the program and its author. By better understanding the malware and its author, I can make educated guesses about its level of complexity, as well as its motivation and goals.


File Information Gathering


After looking at the symptoms, I next took a very brief look at parts of the program itself. I ran all of this on a Linux system in order to prevent accidental infection. Even then, I ran the tests on a non-work-related computer, one that was isolated from all networks. As in every other case involving malware analysis, it pays to be careful. The last thing you want is to accidentally infect yourself, only to spread it to your other, more important computers. Later, I ended up using VMware for this very reason.


File: I first ran the "file" utility to figure out what exactly I was dealing with. The results showed this:


w89e85t5.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit Mono/.Net assembly


The output tells me a few things. First, it is a portable executable, meaning it is made for maximum portability. In the context of this malware analysis, this makes sense, because the malware author is going to want it to run on as many computer types as possible. The second half of the output shows us that it is made to run on 32-bit computers, and was made using Mono with the .NET Framework.


Another useful tool in malware analysis is a program called PEiD, which scans an executable for signs of being packed. Packers are utilities used to obfuscate the executable, making it more difficult for reverse engineers to disassemble the malware using programs such as IDA Pro. PEiD returned a result of "Microsoft Visual C# / Basic.NET", confirming that .NET was used in creating the malware. The Visual C# portion also gave me some more information regarding the language used to create the virus.
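The two static checks above (what kind of PE it is, whether it is a .NET assembly, and whether it looks packed) can be scripted without running the sample. The following is an added example, not code from the original write-up: it parses the PE headers with the standard library, flags a .NET assembly by the CLR runtime data directory (entry 14), and uses per-section Shannon entropy as a packing heuristic (the 7.0 bits-per-byte threshold is a common rule of thumb, not a hard rule). The PE image it parses is constructed inline so the script runs offline.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: values near 8.0 suggest compressed, packed or encrypted content."""
    n = len(data)
    probs = [data.count(bytes([v])) / n for v in range(256)] if n else []
    return -sum(p * math.log2(p) for p in probs if p)

def triage_pe(blob: bytes) -> dict:
    """Static triage of a PE image: machine type, .NET (CLR header) flag, section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    ndirs = struct.unpack_from("<I", blob, opt + (108 if pe32plus else 92))[0]
    dirs = opt + (112 if pe32plus else 96)   # start of the data directory array
    # Data directory 14 is the CLR runtime header; a non-zero RVA marks a .NET assembly.
    clr_rva = struct.unpack_from("<I", blob, dirs + 8 * 14)[0] if ndirs > 14 else 0
    sections = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        ent = shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])
        sections.append((name.rstrip(b"\0").decode(errors="replace"), round(ent, 2)))
    return {"machine": "x86" if machine == 0x14C else hex(machine), "pe32plus": pe32plus,
            "dotnet": clr_rva != 0, "sections": sections,
            "likely_packed": any(e > 7.0 for _, e in sections)}  # heuristic threshold

def build_sample_pe(dotnet: bool, payload: bytes) -> bytes:
    """Constructed minimal PE32 (x86) image with one .text section; not a runnable program."""
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 8 * 14, 0x2008, 72)  # CLR header RVA and size (sample values)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    hdr_len = 0x40 + 4 + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIII", b".text", len(payload), 0x1000, len(payload), hdr_len).ljust(40, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew points at the PE signature
    return dos + b"PE\0\0" + coff + opt + sect + payload

if __name__ == "__main__":
    print(triage_pe(build_sample_pe(True, bytes(range(256)))))
```

On a real sample, pass the file contents to triage_pe and treat the entropy flag as a prompt to look closer (with PEiD or a section-level view), not as proof of packing.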


2. Malware Analysis: Virtual Computer System


After finding some preliminary information regarding the malware, I next wanted to move on to something a little more risky, namely running the malware under a virtual computer. Reversing malware under virtual systems has several benefits:



