TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Malware Under The Microscope: Manual Analysis

2021-01-12

ATT&CK techniques detected

9 predictions
T1059.005 Visual Basic · 94%
“…r: r4ptor ' created for personal use, modifications / others are not authorized ' for more informations, looking 4 me { - cng4l on race } ' ' ================================================================== ' w…”
T1543.003 Windows Service · 94%
“Malware Under The Microscope: Manual Analysis. All too often we find clever malware here at Huntress. We look for persistent footholds — the implants and backdoors that hackers leave behind so they can maintain access. Oftentimes, this takes the shape of code that needs to be sta…”
T1059.005 Visual Basic · 91%
“Shell") variable.Run "svchost.exe /e:vbscript.encode ""c:\security\blood.dat", false Well, this was pretty tame. Short and sweet! There are a few things to unpack here, though — this VBScript is creating a WScript.Shell object so it can start other processes an…”
T1059.005 Visual Basic · 77%
“vbsresetperiod = 0 rebootmsg = command = nactions = 0 actions = startattime = onetime This looks like it outlines how this new msg service would run — indicating another artifact we could examine: c:\security\system.vbs! Before we dive into this new VBScript, I want to take a …”
T1059.005 Visual Basic · 73%
“…, we have something to go off of. The blood.dat filename is very odd, and could be a telltale to uncover what this malware really is. We did our homework and tracked this down to a known threat. It might not come as any surprise that this strain of malware was first discovered i…”
T1569.002 Service Execution · 60%
“vbsresetperiod = 0 rebootmsg = command = nactions = 0 actions = startattime = onetime This looks like it outlines how this new msg service would run — indicating another artifact we could examine: c:\security\system.vbs! Before we dive into this new VBScript, I want to take a …”
T1105 Ingress Tool Transfer · 54%
“…reach out to multiple external webservers to download more malware. - Silently delete shadow volumes. The strings and variable names throughout the script indicate the malware author was French. “nomfichier” = “filename”, “amovible” = “removable”, etc. For your use, here …”
T1569.002 Service Execution · 54%
“…, the interesting value to examine further is the ImagePath value, which specifies the full command that is run or executed as the service starts. For this system service, the ImagePath value was set to: c:\windows\system32\system\svchost.exe msg On the surface, this d…”
T1574.001 DLL · 35%
“…svchost.exe program from Windows XP. Yes, you read that right. Windows XP. While this is very weird, it actually works as unique hacker tradecraft. After all, this is a legitimate Microsoft Windows application. The binary on its own is “not malware”, and it clears a virus scan…”

Summary

Learn manual malware analysis techniques used by threat researchers. Explore static & dynamic analysis, reverse engineering tools, and real-world investigation methods.