Malware Analysis with Ghidra | TryHackMe Advanced static analysis

Motasem Hamdan
3 min readAug 22, 2024


We covered an overview of malware analysis, starting with basic static analysis, moving through advanced static analysis techniques such as reverse engineering, and finishing with dynamic analysis. The focus of this tutorial was the methodology an analyst should follow when reverse engineering a binary sample. Things to look for during this phase are strings, Windows API calls, imports and exports (and the DLLs they come from), function calls and execution flow. We covered a few samples and analyzed them using the popular disassembler “Ghidra”, and also solved a practical scenario from TryHackMe Advanced Static Analysis, which is part of the SOC Level 2 track.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Creating an environment for malware analysis

A lab setup for malware analysis requires the ability to save the state of a machine (a snapshot) and revert to that state whenever required. The machine is prepared with all the required tools installed, and its clean state is saved. After a sample has been analyzed on that machine, it is restored to the clean snapshot, tools included. This ensures that each sample is analyzed in an otherwise clean environment and that the machine can be reverted after analysis without any sustained damage.
Working this way ensures that your VM is not contaminated with remnants of previous malware samples when you analyze new malware, and that you don’t have to reinstall your tools for every analysis. Keep the analysis VM isolated from your host and your production network; it is where the sample will eventually be executed.

Static Malware Analysis

Static analysis means analyzing the file without executing it. In static analysis we aim to extract the details below:

1- File extension
2- Hash
3- IOCs (IPs, domains, hostnames, hashes)
4- Useful strings
5- Imports and Exports (API Calls)
6- sections (.text, .rsrc, .data)

Advanced Static Analysis & Reverse Engineering

Advanced static analysis aims to uncover hidden or obfuscated code and functionality within the malware. This involves more advanced techniques for analyzing the malware’s code, such as de-obfuscation and code emulation. To perform advanced static analysis, disassemblers and decompilers such as Ghidra, IDA Pro, Binary Ninja, and radare2 are commonly used.

  • Identify the entry point of the malware and the Windows API calls it makes.
  • Identify the malware’s code sections and analyze them using available tools such as debuggers and hex editors.
  • Analyze the malware’s control flow graph to identify its execution path, in particular the conditions that must hold for the interesting code to run.
  • Trace the malware’s dynamic behavior by analyzing the system calls it makes during execution (this step is already dynamic analysis and belongs in the snapshotted VM).
  • Use the above information to understand the malware’s evasion techniques and the potential damage it can cause.
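The control-flow step above, as an added example that is not part of the original post: a script that turns a linear disassembly listing into basic blocks, connects them with taken/fallthrough edges, and searches from the entry point for the path that reaches each imported API call, recording which branch decisions lie on it. The listing, the thunk-to-import map and the entry address are constructed for this example (an assumption: a small x86 function written in Ghidra-style notation, with calls going through IAT thunks), not output taken from any real sample.

```python
"""Build a CFG from a linear disassembly listing and find the path from the entry point
to each Windows API call. LISTING, THUNKS and the entry address are constructed for this
example (assumption: a small x86 function, calls through IAT thunks)."""
from collections import deque
import re

# Constructed listing, "address  mnemonic operands". Not taken from a real binary.
LISTING = """
00401000  push ebp
00401001  mov ebp, esp
00401003  call 0x401100
00401008  test eax, eax
0040100a  jnz 0x401030
0040100c  call 0x401110
00401011  call 0x401120
00401016  call 0x401130
0040101b  jmp 0x401040
00401030  push 0
00401032  call 0x401140
00401037  ret
00401040  xor eax, eax
00401042  pop ebp
00401043  ret
"""
# Constructed thunk -> import name map; in a real sample this comes from the IAT.
THUNKS = {0x401100: "IsDebuggerPresent", 0x401110: "VirtualAllocEx",
          0x401120: "WriteProcessMemory", 0x401130: "CreateRemoteThread",
          0x401140: "ExitProcess"}
COND_JUMPS = {"jz", "jnz", "je", "jne", "ja", "jb", "jg", "jl", "jae", "jbe", "jge", "jle"}


def parse_listing(text):
    """-> list of (address, mnemonic, operand string)."""
    insns = []
    for line in text.strip().splitlines():
        addr, mnem, ops = re.match(r"([0-9a-fA-F]+)\s+(\S+)\s*(.*)$", line.strip()).groups()
        insns.append((int(addr, 16), mnem.lower(), ops.strip()))
    return insns


def build_cfg(insns):
    """Leaders = entry, jump targets, instruction after a jump/ret. Blocks are contiguous
    runs from one leader to the next; edges are 'taken' (branch target) or 'fallthrough'."""
    addrs = [a for a, _, _ in insns]
    leaders = {addrs[0]}
    for i, (_a, mnem, ops) in enumerate(insns):
        if mnem in COND_JUMPS or mnem == "jmp":
            leaders.add(int(ops, 16))
        if (mnem in COND_JUMPS or mnem in ("jmp", "ret")) and i + 1 < len(insns):
            leaders.add(addrs[i + 1])
    blocks, cur = {}, None
    for insn in insns:
        if insn[0] in leaders:
            cur = insn[0]
            blocks[cur] = []
        blocks[cur].append(insn)
    starts, edges = sorted(blocks), {}
    for idx, start in enumerate(starts):
        _a, mnem, ops = blocks[start][-1]
        nxt = starts[idx + 1] if idx + 1 < len(starts) else None
        succ = []
        if mnem in COND_JUMPS:
            succ.append((int(ops, 16), "taken"))
            if nxt is not None:
                succ.append((nxt, "fallthrough"))
        elif mnem == "jmp":
            succ.append((int(ops, 16), "taken"))
        elif mnem != "ret" and nxt is not None:
            succ.append((nxt, "fallthrough"))
        edges[start] = succ
    return blocks, edges


def api_calls(blocks, thunks):
    """Imported APIs each block calls, in order, resolved through the thunk table."""
    return {start: [thunks[int(ops, 16)] for _a, mnem, ops in insns
                    if mnem == "call" and ops.startswith("0x") and int(ops, 16) in thunks]
            for start, insns in blocks.items()}


def path_to_api(blocks, edges, thunks, entry, api):
    """BFS from entry. Returns (block path, [(branch addr, mnemonic, edge kind)]) for the
    first block that calls api, or None if the call is unreachable from entry."""
    calls, parent, queue = api_calls(blocks, thunks), {entry: None}, deque([entry])
    while queue:
        b = queue.popleft()
        if api in calls[b]:
            path, decisions = [], []
            while b is not None:
                path.append(b)
                p = parent[b]
                if p is not None:   # record which way the branch at the end of p went
                    kind = next(k for s, k in edges[p] if s == b)
                    decisions.append((blocks[p][-1][0], blocks[p][-1][1], kind))
                b = p
            return path[::-1], decisions[::-1]
        for s, _k in edges[b]:
            if s not in parent:
                parent[s] = b
                queue.append(s)
    return None


def analyze(listing=LISTING, thunks=THUNKS, entry=0x401000):
    blocks, edges = build_cfg(parse_listing(listing))
    return {"blocks": sorted(blocks), "edges": edges,
            "paths": {api: path_to_api(blocks, edges, thunks, entry, api)
                      for api in sorted(set(thunks.values()))}}


if __name__ == "__main__":
    for api, found in analyze()["paths"].items():
        path, decisions = found
        print(api, [hex(b) for b in path], decisions)
```

On this listing the injection chain (`VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`) is only reached through the fallthrough edge of the `jnz` at `0x40100a`, i.e. when `IsDebuggerPresent` returned zero; the taken edge goes straight to `ExitProcess`. That is exactly the kind of gate the control-flow step is meant to surface: under a debugger the sample looks harmless, so the check has to be patched or the flag cleared before dynamic analysis will show anything.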

Ghidra for malware analysis

Ghidra is a software reverse engineering tool that allows users to analyze compiled code to understand its functionality. It helps analysts and developers understand how software works by providing a platform to disassemble, decompile, and (in recent releases) debug binaries.
Installation
Make sure Java is installed. Ghidra needs a JDK, not just a JRE; recent releases require JDK 17 or newer, so check the requirements in the release notes if the distribution package is older.

sudo apt update
sudo apt install default-jre
sudo apt install default-jdk

Then download Ghidra from below link

https://www.github.com/NationalSecurityAgency/ghidra/releases

Uncompress the zipped file and make the launcher script executable (the file name is case-sensitive on Linux):

chmod +x ghidraRun

Run Ghidra

./ghidraRun

Room Answers | TryHackMe Advanced Static Analysis

Room answers can be found here.

Video Walkthrough | TryHackMe Advanced static analysis


Motasem Hamdan

Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
