Skip to main content

Process of Malware Analysis

Is an iterative process

Static Analysis
Dynamic Analysis
Disassemble
Debugging

Each tool provides us with evidence about what the program does Can use this evidence to guide the way we search for more evidence Think about how we might contradict that

Ransomware

Easy to see, encrypt all files on VM
Could guide us how we start to look at the program in a disassembler
Unable to use computer without paying a ransom to some party
Usually encrypts all the files on the computer system
Paying the ransom causes the party to send you the decryption key

Modus Operandi

Generate an encryption key
Send key to ransomware author
For every file on the computer (Certain file types, not OS ones)
- Open File
- Encrypt contents
- Write encrypted content back into file
Display ransom note to user

Finding Files

Windows provides system calls that can be used to iterate over each file in a directory
- FindFirstFile()
- FindNextFile()
- FindClose()
Can use dissembler to import these functions

Ransomware
- Modus Operandi
Finding Files