Extracting Indicators of Compromise (IOCs) From Malware Using Basic Static Analysis
During a security incident, the incident responder must identify the Indicators of compromise, as they are necessary to determine what machines were compromised during the attacks, to understand a little bit of the behavior of the malware, to mitigate some of the malware propagation mechanism, to stop the infection…etc.
Extracting these IOCs can be tedious but fortunately, there are quite a few tricks to make things easier. We’ll be looking at some of these tricks and techniques in this article.
Where is my Hash?
One of the easiest indicator to obtain is the hash; as long as you have the file, you can use many freely available tools to obtain the hash. I like to use nirsoft’s “HashMyFiles” as it is as easy to use as dropping a file inside and getting the hashes.
After we get the hash, we can add it to our AV for example to blacklist any other occurrence of it.
Can I Google That?
One of the first thing I do after obtaining the Hash, and before diving any deeper into my analysis especially in the case of an incident is, I try to find if the file that I will be analyzing is available online. What do I mean by that?
Well for example, uploading the file to sites like VirusTotal to see if AV vendors have already analyzed it.
Searching for the hash online and you might stumble on a piece of research or write-up that someone did. Which could save you a lot of time and resources trying finding these IOC’s.
Always remember, Google is the malware analyst’s best friend.
Note: In some cases of targeted attacks, the malware could be designed specifically to your corporate architecture and corporate network. The information found inside could well be considered “confidential”. So always think twice before uploading any files to the internet.
Wait, Is this an IP address?
When the malware infectes a machine, generally it tries to communicate to a C2 server or anything of the like to get his next list of commands. So obtaining these IP addresses or domains that the malware communicates to can really help slow down the process of infection and propagation of the malware.
One of the simplest way to look for these kind of IP’s is too look through the strings of the malware.
There exists multiple tools and ways to get the strings out of the file. We’ll take a look at two of them.
Sysinternals Strings with a touch of regular expression (Regex)
Sysinternals strings is the go tool when analyzing a malware for strings. You can download it from here. However, strings.exe on its own only shows the string to extract any network indicators you need to pip the output to a regular expression that searched for IP’s or Domains. For example.
Strings.exe <malware_sample> | findstr /r <valid_ip_regex>pev — the PE file analysis toolkit
pev is great tool for analyzing PE files you can find it here, we’ll only look at the “pestr” module but I highly encourage you to take a look at all the modules.
Pestr comes with predefined flag to search network indicators. Here is an example on how to use it.
pestr --net <malware_sample>Note that obtaining these network indicators can sometimes be difficult as malware writers often obfuscate or pack their malware, which makes it even difficult to do static analysis. So keep that in mind.
This Looks Like A File Path
Often malware drop files to disk for persistence or to execute its next stage. Often we find these paths where the malware is going to drop its next stage hardcoded in the file itself. Using strings.exe in combination with a simple regex, we can find these paths that could be very helpful in our response to the threat. Here is an example.
Strings.exe <malware_sample> | findstr /r <regex_for_file_paths>What’s Next ?
I hope you found this useful, i’ll be doing a second part where we’ll look for tricks and techniques to search for IOC’s using Basic Dynamic Analysis. So please look forward to it.
For more tools and resources about malware analysis, look no further than my other article.
If you felt lost or underwhelmed while reading this article. I point you toward my Malware Analysis Primer, that will hopefully shed some light on this amazing field that is malware analysis.
Thanks for reading.
Questions? Comments? Contact me via twitter @nas_bench
