Malware Analysis Notes

The dates and topics are subject to change, but this is the basic outline of the course. We may go faster or slower as needed. Details will be added as the course progresses. Homework assignments will be added as those are developed and assigned.

Many dates and details will be updated!

Spring 2025 semester

DUE DATES AND DETAILS OF HOMEWORKS, TERM PAPER, ETC. MAY CHANGE

1/27/2025 Introduction

Review of course syllabus, campus policies, and logistics
Introduction
You will need to installl VirtualBox. Instructions for doing so are found at www.virtualbox.org.
Users of Macs Beware!
- We do not know if VirtualBox can run on your machines, and students have reported problems in the past.
- If you need a loaner PC in order to tackle this course, the time to find out is now!
We are making a Windows 7 virtual machine available for the class.
- Windows 7 (OVA, 11 gigs, UMBC only)
- Click the link above, and Download.
- You will need to be connected via the UMBC VPN, or access Box (or Google Drive, as the case may be) with your UMBC credentials.
- The download will take a while.
Start VirtualBox. Select File->Import Applicance, and choose the OVA file you just downloaded. This, too, may take a few minutes.

If you don't have enough disk space, we suggest you get an external drive. They're not too expensive, even if it's just a terabyte.
User "student" password "infected"
To get a Windows license, log on as user student, start a browser, visit this web page here (you're looking at this page, right?)
https://courses.cs.umbc.edu/undergraduate/CMSC491malware/notes.html
Download the file win_activate.bat to your VM desktop, and run it as administrator. Restart the VM.
You may decide to install the latest version of Guest Additions, but this is not urgent

Once you import this VM into Virtual Box and boot it up, make sure you turn off automatic updates, and Windows Defender, right away! Discuss why.
We also have a malware analysis platform based on Windows 10, see below.

The recordings for this session, and all other recordings for this semester, will be found on Box

1/29/2025 Basic Static Analysis

Introducing the VM we use for malware analysis
By running a demo of the instructions above!
These Introduction slides will be presented.
Virtual Machines
Importing an applicance into VBox.
We have made some virtual machines available:
- Windows 7 Malware (OVA, 19 gigs, UMBC only) <===== use this one!
  - User "Student" password "infected"
- Windows 10 Stable (OVA, 10 gigs, UMBC only)
- Windows 10 Malware (OVA, 20 gigs, UMBC only)
If your Windows box complains about being unlicensed...
- Download this file win_activate.bat to your Desktop
- Make sure you're connected to the campus VPN
- Right-click on the win_activate file, and select "Run as administrator"
- The campus site license server should take care of activating your copy of Windows!
We'll be demonstrating the use of VirtualBox.

2/3/2025 Tools for Static Analysis
- TAs may demonstrate the use of Discord
- Charles will discuss some of the notes under Basic Tools
- These (recently updated) slides on Basic Static Analysis will be used today (and perhaps next time, too)
- If your VM is running very slow, check the parallelization interface. I suggest "none". See the end of Section 2 in EMA, or visit this link
- We will demonstrate the following, in this order, or maybe not:
  - the Flare VM, including snapshots, clones, and OVA files
  - Virtual Box snapshots, AND screenshots
  - how, and when, to use shared folders in VirtualBox. Drag-and-Drop can be useful, but shared folders can be problematic.
  - the strings command on Flare, and floss if time permits
- Charles will discuss the PE HEaders, and use Detect it Easy to demonstrate.
- The slides will provide more information, but they can be perused off-line
- The course BlackBoard site should now be public.
2/5/2025 Packing and Unpacking

Demonstrate the use of DiE, and strings
We will demonstrate how to upload your work to Blackboard. You will be uploading doc files.
Other instructions will be on the homework assignments.

2/10/2025 Configuring Virtual Machines

Homework 1 is now or will soon be available, and will be due in a week.
- The file "Malware Homework1.docx" will be available for download. Edit this document as needed, with your answers to the homework questions.
  - Check the date on homework assignments! They change from year to year!
- The file hw1.7z is available for download. The password for the zipped malware specimen(s) is "infected", without the quotes.
- We will discuss the homework in some detail...download the docx and zip files to your Flare VMs if you wish.
Malware analysts should know C, assembly , but also Python
- the pefile module in Python can be used to make lots of useful tools.
You may be interested in looking at https://www.secrepo.com/#
Want to know more about the internals of Linux?
- several Nutshell books are relevant
- maybe also this contribution on GitBook

2/12/2025 Basic Dynamic Analysis
- Slides: Packed Malware
- We will discuss and demonstrate packers, especially upx
  - Demo upx in Flare
  - We will demonstrate the upx utility to compress (upx -1 or upx -9) and decompress (upx -d) files
  - Other packers used in malware include ASPack, PECompact, Petite, Themida, RLPack, and NSIS.
- There are lots of packers out there! You might want to look at PyPackerDetect from Cylance.
- How can we tell if upx works as it should?
  - compress something, uncompress, and see if the two objects match!
  - how can we do that?
  - lossy vs. lossless compression
- Homework 2 is to be released next Monday
- Slides: Basic Dynamic Analysis Lec 05 VMs and Sandboxes
- Check out an example from VirusTotal
  - Ben gave a good demo of this in Spring 2021, if you want to watch
  - See the Hybrid-Analysis site
  - and the Nextron Systems site, which includes Thor
- Malware sandboxes such as any.run and malcore are very interesting!
2/17/2025 Registry
- Homework 1 will be due today
- Homework 2 will be released today.
  - We will use some class time to discuss Homework 2.
- Some updated instructions for how to properly set up FakeNet-NG, which will be needed for HW2.
- We will be using FakeNet and wireshark. The fakenet package can be download from here.
- Wireshark demo
- More demos useful for Homework 2: Regshot, Process Monitor, Process Explorer
  - perhaps using a certain malware specimen, namely IllusionBot_2007, available from TheZoo on Github
- Procexp: Strings different on disk / in memory, loaded DLLs in bottom pane
- Procmon: look at the resources various processes are using
- Regshot: Capture the registry, in case the registry gets borked by the malware, or the user :-)
  - Persistence through services, WinLogon\Shell
- This tutorial is a good overview of Chapter 3 in PMA. Like Chapter 3, it's a bit out-of-date.
- Slides for Lec 06 Host-Based Dynamic Analysis
- Slides for Lec 07 Network-Based Dynamic Analysis
- You might be interested in reading about how malware authors are using VirusTotal.
2/19/2025 Windows Systems Review
- We may spend some time discussing Homework 2
- Once you import this VM into Virtual Box and boot it up, make sure you turn off automatic updates, and Windows Defender, right away! Discuss why.
- Optional topic: analyzing DLL files
  - Running a DLL with rundll32.exe
  - A DLL can be converted into an executable using a tool such as PE Explorer (Charles to demo maybe)
- More about the Sysinternals Suite, as time permits
- Lots of resources for x86 assembly can be found online, including YouTube
- The best reference is still the Intel Developer Manuals. Buy some paper and toner! It's more than 5000 pages.
- Check out the MOVfuscator (github)
2/24/2025 C code constructs
- A couple of announcements?
- Go over Homework 1, as needed...
- Charles presents slides on x86 Assembly language
- and then maybe more slides on C language constructs in assembly
- Why do we care about assembly code?
- As examples of assembler code, I've heard good things about nasm, a popular assembler
  - you can download and run the installer for Windows at the nasm web site
  - then add the installed directory to your path. You DO know how to add directories to your path, right?
  - for Windows apps, you'll find it convenient to install Visual Studio, whether you use it as an IDE or not
  - whenever you change your path, Windows 11 seems to require a reboot :-(
  - two versions of hello world console and window
    - Hello, World, for the console, for Linux
    - Hello, World, for the console, for Windows
    - another Windows example, assuming that Cygwin is installed
  - nasm is also available for Ubuntu
    - sudo apt-get install nasm
  - do we care about Windows vs. Linux? we sure do!
  - extensive documentation is available
  - the NASM tutorial
  - architecture and opcode information from Intel
- It seems appropriate to discuss CISA
- Triage vs. in-depth analysis
- Charles is aware of a series of tutorials on YouTube that may be useful for learning X86 assembly
- This playground and debugger from GitHub
- Or Learn Assembly the FFmpeg way from Hackaday
- Some resources you might want to look at.
  - Mandiant offers lots of resources, such as their blog, for free!
2/26/2025

Summary of PMA Chapter 6
A simple C program that uses several control structures (pma6.c) and the assembly listing (pma6.s) generated with gcc pma6.c -Wa,-adhln -gnote: no space between Wa and -a
The -g flag causes a lot of useful information to appear in the .s file
Take a look at this list of free online malware sandboxes!
You don't have to keep your Ubuntu environment current, but there are reasons to do so. Update manager is very capable.
- It is often (but not always) good to have VirtualBox install guest additions as well as extensions.

3/3/2025 welcome IDA
- Charles will demonstrate IDA. The freeware version of IDA is available on the Flare VM we provide.
- We are assigning Homework 3. A late policy is being put in place. First two days, -10% per day. After that, -20% per day.
- FLIRT is a feature of IDA that helps with analysis of functions.
- The old freeware version of IDA, which would be needed if you want to use it on Windows XP, is available here. (UMBC only)
- We may also do some of exercises 1-9 from the end of chapter 5 as a demo. (Chapter 5 in the printed book, Chapter 6 on Kindle)
- An easy introduction to IDA (YouTube, 35 minutes). Professor Steve, whom I do not know, seems to have created several useful videos of this type.
- You may be interested in this demo of IDA, with emphasis on its debugger (YouTube, 98 minutes). (CKN has not yet watched these.)
- A series of YouTubes that deal with Ghidra, in case you want to view before next week...
  - Lesson 1 Introduction
  - Lesson 2 UI
  - Lesson 3 Windows Tools Part 1
  - Lesson 3 Windows Tools Part 2
  - Lesson 3 Windows Tools Part 3
  - Lesson 3 Windows Tools Part 4
  - Lesson 4 Exploit "Phoenix"
  - Lesson 5 Structures
3/5/2025 more with Ghidra
- We will spend much of this session demonstrating IDA and Ghidra.
- The questions from PMA that we used for the IDA demo. (Needs myUMBC creds.)
3/10/2025 still more Ghidra
- More on IDA, Ghidra, and the homework.
- Malware and the Windows API (pdf)
- Here is a malware example, as a password-protected zipfile (zip ) with password "malware" without the quotes
- As practice for the midterm. answer these questions: (1) what is the length and SHA-256 hash for this binary? (easy) (2) what, if anything, raises your suspicions in the IMPORTS table? (somewhat easy) (3) using IDA or the disassembler of your choice, what is it that makes this file malicious? what function does something bad? there may be several good answers to this question. we can then discuss in class.
- The recordings for this session, and all other recordings for this semester, will be found here. There are two parts to today's class, Part 1 IDA, Part 2 Ghidra.
3/12/2025 Using Decompilers
- looking at many of Ghidra's features, including variable and function renaming, and decompilation
- For another Ghidra demo, we'll be joining Dr. Joyce's class.
- Homework 4 is hereby released! as of Tuesday March 18. It will be due on 11:59pm Thursday March 27.
  - Late policy -10% per day for first two days, then -20% for each day thereafter.
- Spring Break March 15-23! No class on March 17 or March 19, 2025. Enjoy!
3/24/2025 Chapter 8
- Dr. N. found a short graphic novel about Talos and its recent threat hunting work.
- Present slides on Malware and the Windows API (ppt)
- We may or may not present this material on
  - This online tool may be an alternative to IDA and Ghidra.
  - Another alternative to IDA is radare. It can be used in visual mode, or through the command line. Its documentation is extensive, and the price is right.
  - Alternatives to IDA exist, such as Hopper for OS X and Linux.
3/26/2025 Following Malware Execution
- Finish slides from last time
- Following Malware Execution - inspired by PMA (ppt)
  - For more about DllMain and lots of other stuff, see Microsoft Learn
  - Demo Lab 7-3 (part 1) (part 2) you can watch these demos from RJ's class
3/31/2025 more Chapter 8.
- Finish slides on Malware Execution
- Discuss this report from Mandiant on APT43.
- Peter Drucker's article "Managing Oneself" appeared in the January, 2005 issue of Harvard Business Review.
  - The paper is not being assigned as part of this course, but if you as an authorized UMBC library patron and wish to read it, here it is.
  - The link is supposed to work from a UMBC IP address only.
- Assign Homework 5
- There will be a final exam but it will be optional. If you don't take the final, we'll extrapolate from marks up to that point.
- Class participation WILL figure into the final grade.
4/2/2025 Malware Behavior
- Chapter 12 notes
- Chapter 13 notes
- Covert malware - inspired by PMA (pdf)
- For those who want to learn more about debuggers, and/or the Rust programming language, we recommend a series of blog posts starting here.
- The SANS Institute has a reading room, which includes lots of interesting papers related to malware.
  - RJ recommends Attributes of Malicious Files
4/7/2025 Malware Data Science
- Malware Data Science (ppt)(pdf)
- Possible demo of a Jupyter Notebook for malware data science
4/9/2025 Welcome to the x96 (x32+x64) debuggers
- Homework 5 will be due tonight
- We are releasing Homework 6 tonight.
  - Due date and malware link updated April 14
  - The malware in HW6 uses an anti-debugging method that affects x32dbg. In multiple locations, the malware checks if its file is being opened by any other processes (such as x32dbg or IDA pro). If it is, it exits. Using x32dbg, modify the malware as follows: Navigate to 0x40155E. Right click the PUSH 0x0 instruction and click "assemble". Change instruction to push 0x7. If an orange error message pops up, ignore it - that refers to the instruction after the one you just changed. Close out of the assemble window. Next, navigate to 0x40123C. Change this PUSH 0x0 instruction to PUSH 0x7 as well. Then, the malware can be debugged normally.
- TA Raguvir will demonstrate use of x32 by going over Exercise 9-02 from PMA. The questions refer to the file Lab09-02.exe
  1. What strings do you see statically in the binary?
  2. What happens when you run this binary?
  3. How can you get this sample to run its malicious payload?
  4. What is happening at 0x00401133?
  5. What arguments are being passed to subroutine 0x00401089?
4/14/2025 Encoding Data
- Chapter 14 notes (these are pretty old)
- slides on Data Encoding (ppt)
4/16/2025 Packing and Unpacking
- The malware in HW6 uses an anti-debugging method that affects x32dbg. In multiple locations, the malware checks if its file is being opened by any other processes (such as x32dbg or IDA pro). If it is, it exits. Using x32dbg, modify the malware as follows: Navigate to 0x40155E. Right click the PUSH 0x0 instruction and click "assemble". Change instruction to push 0x7. If an orange error message pops up, ignore it - that refers to the instruction after the one you just changed. Close out of the assemble window. Next, navigate to 0x40123C. Change this PUSH 0x0 instruction to PUSH 0x7 as well. Then, the malware can be debugged normally.
- Chapter 18 notes
- dealing with packed malware
- You'll want to use the Scylla plug-in. You can get to it in x32dbg by clicking plugins->Scylla. See this YouTube for more information.
- Former TA Sophie did a demo of tail jump finding in packed files. See the recording, and this tutorial (PDF)
4/21/2025 Anti-analysis Methods
- a special report from Mandiant (pdf, 95 pages)
- more from Peter Drucker
- Chapter 16, Anti-Disassembly
- Anti-disassembly slides
- Impossible disassembly
- Chapter 17, Anti-Debugging
4/23/2025 Networks
- How are you doing, as the semester winds down?
  - Help is available for those who are struggling.
  - From the Maryland Department of Health: Help us spread the word about the new crisis and suicide lifeline, 988. If you or someone you know is in crisis, dial 988.
- Chapter 15 notes Network Indicators
- A recent report from Mandiant (pdf, UMBC only)
- We are releasing Homework 7 today!
4/28/2025 YARA
- Course evaluations are coming! Watch your email.
- Some slides on YARA
- Reading the YARA documentation is a good way to learn about Yara!
  - Includes the installation instructions
  - and a handy YARA rules overview
- For a non-malware use case for YARA, consider a word game such as Spelling Bee
- A quick YARA demo?
4/30/2025 Ongoing Research Topics
- It is important for you to be on the CSEE email lists. Instructions are here.
- Remember to fill out the student evaluations! For this class and others you're taking. Thanks!
- We will be talking about YARA today
- The YARA homework and the associated data may be released next week, if not today.
- More information for Homework 7! A recording made by Dr. Joyce on the subject of finding the OEP is here.
  - We plan to have Raguvir demo this in class next Monday!
5/5/2025 Malware on UNIX
- More about Homework 8. Is anybody interested in trying YaraDbg?
- Check out the latest on DarkReading.com
- I'm impressed by this Gitbook entitled Reverse Engineering For Everyone!
- Charles may talk about Exploit Kits!
- Check out this list of Awesome Malware Techniques
- The Student Evaluation of Educational Quality (SEEQ) is a standardized course evaluation instrument used to provide measures of an instructor’s teaching effectiveness. The results of this questionnaire will be used by promotion and tenure committees as part of the instructor’s evaluation. The Direct Instructor Feedback Forms (DIFFs) were designed to provide feedback to instructors and they are not intended for use by promotion and tenure committees. The responses to the SEEQ and the DIFFs will be kept confidential and will not be distributed until final grades are in.
5/7/2025 Wrapping Up
- The topic of Linux malware should not be ignored, but that's what we're going to do.
- Nor have we talked much about malware on the Mac. Much of the information related to Mac malware is old, unfortunately
- But I can recommend this recent report from Malwarebytes.
- Chapter 20, Shellcode Analysis, which we won't get to explore in a homework, but you should be aware of it.
- Please fill out the SEEQs, thanks!
5/12/2025 Optional Topics
- After the semester ends, I may end up putting items of interest here. Such as:
  - This report from BlackBerry on RATS
  - Malcat is a hexadecimal editor and disassembler for malware analysis
- Maddies Stone has Android Malware material on YouTube
  - Android App Reverse Engineering Live! from April 24, 2020 (youtube)
  - Android App Reverse Engineering Live! from May 19, 2020 (youtube)

Dino says, "Enjoy your summer!"

Lecture/Lab Notes