Incident Handling: Is this malware packed?

  • Identify whether this malware is packed.
  • Packers tend to rename sections from the familiar names (.text, .data, and .rsrc) to other names, such as UPX1.
  • Packers also hide most of the APIs from the import table, so very few imports remain visible.

Incident Handling: Is this malware a dropper or a downloader?

  • It is very common to see droppers carrying an additional PE file inside their resources.
  • Resource Hacker can detect this embedded PE file, which makes it possible to find the dropped backdoor.
  • For downloaders, it is common to see an API named URLDownloadToFileA from a DLL named urlmon.dll used to fetch the payload, followed by ShellExecuteA to execute the downloaded file.

Incident Handling: Does it connect to the Command & Control Servers (C&C, or the attacker website)? And how?

  • APIs that tell you this malware connects to the internet, such as socket, send, and recv.
  • APIs that tell you whether it connects out to a server or listens on a port, such as connect and listen.
  • APIs that reveal the protocol in use, such as HttpSendRequestA (HTTP) or FtpPutFileA (FTP); both are exported by wininet.dll.

Incident Handling: What functionalities does this malware have?

  • FindFirstFileA (a hint that this malware is perhaps ransomware)
  • Process32First, Process32Next, and CreateRemoteThread (process injection functionality)
  • TerminateProcess (indicates that this malware may terminate other applications, such as antivirus programs or malware analysis tools)