
Pattern Recognition and Applications Lab

Malware Analysis for Cyber Threat Intelligence

Giorgio Giacinto
giacinto@unica.it
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

Preparation & Tools

http://pralab.diee.unica.it 2
OnionWRT: Tor router
1. Buy a $20 micro router or a Raspberry Pi
2. Install OpenWRT and OnionWRT
3. Investigate over Tor from behind the router
4. Put all your devices behind your router

WiFi Encryption

http://www.securityskeptic.com/2016/01/how-to-turn-a-nexx-wt3020-router-into-a-tor-router.html

Software to anonymize traffic
• https://www.torproject.org/projects/
– Amnesic Incognito Live System (TAILS) Linux distribution
– Tor browser

• Disposable, anonymous inboxes
– https://mailinator.com/

• Browser tricks
– Incognito/private mode can still be tracked
– User agent changes (can be done with cURL as well)

Cyber Threat Intelligence Tools
• Google Dorks
e.g., filetype: ext: intext: intitle: inurl:
• Shodan
https://www.shodan.io
• Maltego
https://www.paterva.com/buy/maltego-clients/maltego-ce.php
• Threat Crowd
http://www.threatcrowd.com
• Have I Been Pwned
repository of compromised accounts
Cyber Threat Intelligence Tools
• CAPEC
– Collect and Analyze Information
https://capec.mitre.org/data/definitions/118.html

• OSINT Framework - a taxonomy of OSINT tools
https://osintframework.com

• FOCA (Fingerprinting Organizations with Collected Archives)

Cyber Threat Intelligence Tools
• Malware analysis
– https://www.hybrid-analysis.com/
– https://any.run/
– http://www.virustotal.com

Example
• SHAMOON malware
– https://www.enisa.europa.eu/publications/info-notes/shamoon-campaigns-with-disttrack
– SHAMOON 2 analysis
https://logrhythm.com/wp-content/uploads/2020/03/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf
– SHAMOON 3 analysis
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
• Look for behaviour and components
– VirusTotal
– Hybrid-Analysis
– other sources
Example
• Analysis of the Top 10 Routinely Exploited Vulnerabilities in the period 2016-2019
https://www.us-cert.gov/ncas/alerts/aa20-133a
• For each vulnerability
– Read the CVE description on the CVE website
– Look for available exploits
– Analyse the reported Indicators of Compromise (IoC)
• i.e., the report on the static and dynamic analysis of the malware
– Look for details on the malware samples in VirusTotal, Hybrid-Analysis and Any.Run

Sandboxing

Sandboxing
• Virtual machines or containers where applications are executed in an isolated environment
– Operating system components, device drivers, configuration files and network connections can be tailored to the application at hand
– No interference with other applications
• Avoidance of deadlocks and other concurrency issues
– Strict control of data exchange with other applications
• Explicitly defined
– Stopping and resuming the execution is easy, as is inspecting the application's behaviour through instrumentation
• e.g., Android apps are executed in a sandbox

Sandboxing for malware analysis
• Virtual machines or containers where malware is executed in an isolated and controlled environment
– Instrumentation to record all the activities
• Process creation
• System calls
• File system operations
• Internet activities
• Available online services
– VirusTotal
– Any.Run
– Hybrid-Analysis
• On-premises sandbox
– Cuckoo (https://cuckoosandbox.org/)
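As an added example (not from the slides), the script below takes a constructed, simplified sandbox report, in the spirit of the process, file, registry and network activity the instrumentation above records, and reduces it to the indicators an analyst would cross-check in VirusTotal or put in a CTI report. The JSON layout, hashes and hosts are placeholders and not the real output schema of Cuckoo, Any.Run or Hybrid-Analysis.

```python
import json
from collections import defaultdict
# Constructed sample report with placeholder hashes/hosts; the layout is
# simplified and is NOT the real schema of Cuckoo, Any.Run or Hybrid-Analysis.
REPORT = json.dumps({
    "sample": {"sha256": "0" * 64, "name": "invoice.exe"},
    "processes": [
        {"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
         "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    ],
    "files": [
        {"op": "write", "path": "C:\\ProgramData\\svc.dll", "sha256": "1" * 64},
        {"op": "delete", "path": "C:\\Users\\u\\invoice.exe"},
    ],
    "registry": [
        {"op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
         "value": "rundll32 C:\\ProgramData\\svc.dll,Start"},
    ],
    "network": [
        {"proto": "dns", "host": "update.example.invalid"},
        {"proto": "tcp", "dst": "203.0.113.7", "port": 443},
    ],
})
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")  # autostart locations


def extract_indicators(report_json: str) -> dict:
    """Map recorded process/file/registry/network activity to IoCs and behaviour tags."""
    r = json.loads(report_json)
    ind = defaultdict(list)
    ind["sha256"].append(r["sample"]["sha256"])
    for f in r.get("files", []):
        if f["op"] == "write" and "sha256" in f:      # dropped payload -> file IoC
            ind["sha256"].append(f["sha256"])
            ind["dropped_paths"].append(f["path"])
        if f["op"] == "delete" and f["path"].endswith(r["sample"]["name"]):
            ind["behaviour"].append("self-deletion")  # sample removes itself after staging
    for reg in r.get("registry", []):                 # Run-key write -> persistence
        if reg["op"] == "set" and any(k in reg["key"] for k in RUN_KEYS):
            ind["behaviour"].append("persistence:run-key")
    for p in r.get("processes", []):                  # backup destruction (wipers/ransomware)
        cmd = p.get("cmdline", "").lower()
        if "vssadmin" in cmd and "delete shadows" in cmd:
            ind["behaviour"].append("shadow-copy-deletion")
    for n in r.get("network", []):                    # contacted infrastructure
        if n["proto"] == "dns":
            ind["domains"].append(n["host"])
        elif "dst" in n:
            ind["ips"].append(f'{n["dst"]}:{n["port"]}')
    return dict(ind)
```

The returned hashes, domains and addresses are what you would look up in VirusTotal or Threat Crowd, while the behaviour tags feed the "behaviour and components" comparison across samples described in the SHAMOON example.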
