See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/357891134

Reverse-Engineering Malware

Chapter · January 2022

DOI: 10.4018/978-1-7998-8693-8.ch010

Citations: 3 · Reads: 287

4 authors, including: Marwan Omar (Nawroz University), Luis Borges Gouveia (Universidade Fernando Pessoa), JN Al-Karaki (Zayed University)

All content following this page was uploaded by Luis Borges Gouveia on 06 April 2023.



Chapter 10
Reverse-Engineering Malware
Marwan Omar
Universidade Fernando Pessoa, Portugal & Saint Leo University, USA

Luís Borges Gouveia
https://orcid.org/0000-0002-2079-3234
Universidade Fernando Pessoa, Portugal

Jamal Al-Karaki
Zayed University, UAE

Derek Mohammed
Saint Leo University, USA

ABSTRACT
Cyberspace is quickly becoming overwhelmed with ever-evolving malware that
breaches all security defenses and secretly leaks confidential business data. One of
the most pressing challenges faced by business organizations when they experience a
cyber-attack is that, more often than not, those organizations do not have the knowledge
nor readiness of how to analyze malware. The objective of this research is to present
the fundamentals of malware reverse-engineering, the tools, and techniques needed
to properly analyze malicious programs to determine their characteristics. Those
tools and techniques will provide insights to incident response teams and digital
investigation professionals. In order to stop hackers in their tracks, we need to equip
cyber security professionals with the knowledge and skills necessary to detect and
respond to malware attacks. Additionally, the authors discuss what ransomware
is, how it infects systems, and how to prevent infection. It will also examine some
different variations of ransomware, as well as explore some cases of ransomware.

Copyright © 2022, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

INTRODUCTION TO THE FASCINATING WORLD OF MALWARE ANALYSIS

Information technology has forever changed the way we live and work and there is no
doubt about the fact that the world has benefited from technological advancements in
ways that are immeasurable and never imagined before. However, these technological
advancements are not risk-free and there is a flip side to this: cybercriminal activities
have skyrocketed in recent years to the point where in some cases hackers have been
able to take business organizations hostage using malware.
Most cyber-attacks involve deploying some type of malware. Malware that
viciously targets every industry, every sector, every enterprise, and even individuals
has shown its capabilities to take entire business organizations offline and cause
significant financial damage in billions of dollars annually. Malware authors are
constantly evolving in their attack strategies and sophistication and are developing
malware that is difficult to detect and can lay dormant in the background for quite
some time to evade security controls (Allen, 2017).
Our cyberspace is quickly becoming overwhelmed with ever-evolving malware
that breaches all security defenses, works viciously in the background without user
awareness or interaction, and secretly leaks confidential business data. To stop
hackers in their tracks and beat cybercriminals in their own game, we need to equip
cyber security professionals with the knowledge and skills necessary to detect and
respond to malware attacks. Learning and mastering the inner workings of malware
will help in the fight against the ever-changing malware landscape. This learning
is pursued via malware analysis techniques which could be performed statically,
automatically, dynamically, or on the code level.

WHAT IS MALWARE ANALYSIS?

Before we try to understand what malware analysis is and why it is important
in the context of cyber security, let’s try to define malware. Malware is
code that is utilized to perform malicious actions with the intent of causing harm
and destruction on computer systems and networks. Malware is typically designed to
take advantage of some type of security flaw or backdoor and benefit at the victim’s
expense. Moreover, malware is often written by people or organizations to use its
capabilities for malicious intentions and purposes.
Malware analysis aims to examine malware’s behavior. The objective of malware
analysis is to gain an understanding of the inner workings of malware and how to
detect and remove it. To reliably analyze malware, we analyze the malware specimen
in a safe environment to identify its characteristics and functionalities so security

195
Reverse-Engineering Malware

defenses can be developed to secure and protect a business organization’s digital


assets (CISA INSIGHTS, 2019).
Many of the cyber incidents and data breaches that we see and hear about in the
news are typically carried out using some sort of malware, which might be designed
to enable the attacker to gain remote control of a compromised computing system,
steal business-sensitive data, spy on the victim’s online activities, spread within
the victim/target organization, and so on. That’s where the importance of knowing
how to examine and analyze malicious programs comes into play as it’s critical to
be able to control the situation and minimize the damage and disruption to business
operations and the organization at large (Hachman, 2017).
One of the most pressing challenges faced by business organizations when
they experience a cyber-attack is that, more often than not, those organizations do
not have the knowledge nor readiness of how to analyze malware once it has been
discovered on their production computer networks. This is where this paper can
help: it sheds light on the tools and techniques needed to properly analyze
malicious programs and determine their characteristics, which can prove extremely
helpful when investigating data breaches, as those tools and techniques will
provide insights to incident response teams and digital investigation professionals.
Some of the key things that cyber professionals can learn when analyzing malware
are questions related to the nature of the threat posed by malware, the objective of
the adversary using the malware, how to contain, eradicate, and recover from an
incident, and perhaps more importantly, how to strengthen cyber defenses so that
the cyber-attack does not reoccur in the future (CISA INSIGHTS, 2019).

Malware Analysis Techniques

The process of analyzing malware should be a methodical one and generally involves
several stages, which can be viewed in order of increasing complexity. The pyramid
in Figure 1 illustrates one such ranking.
Fully automated tools can offer an easy and simple way to examine and analyze
a particular malware specimen (as shown in Figure 1); some of these tools are
available as commercial products and some as free ones. These tools are designed
as a triage method to quickly assess the behavior of the specimen if it ran on a
system. They typically produce reports with details such as the registry keys used
by the malicious program, network traffic, and so on. The downside of those fully
automated utilities is that they may not provide as much insight as human analysts
would obtain when examining the specimen manually. On the flip side, and as a
benefit, they can contribute to the incident response by rapidly handling vast amounts
of malware, allowing malware examiners to focus on the malicious binaries that
truly require their time and attention (Mohurle and Patil, 2017).

Figure 1. Malware analysis techniques

STATIC ANALYSIS

Static analysis is one of the malware analysis techniques used by malware analysts
to quickly triage suspect programs/files without executing them. During this initial
assessment phase, the goal is to be able to extract valuable insights from the suspect
binary which would help inform the subsequent steps so that we can determine how
to analyze or categorize the suspect file and where to focus our analysis efforts
(Oberly, 2019).
This section covers various tools and techniques to extract valuable information
from the suspect binary. We will learn the following (Norton, 2018):

1. Identifying the malware’s target architecture.
2. Fingerprinting the malware.
3. Scanning the suspect binary with anti-virus engines.
4. Extracting strings, functions, and metadata associated with the file.
5. Identifying the obfuscation techniques used to thwart analysis.
6. Classifying and comparing the malware samples.

These techniques can reveal different information about the file. It is not required
to follow all these techniques, and they need not be followed in the order presented.
The choice of techniques to use depends on your goal and the context surrounding
the suspect file (Oza, 2020).

Static properties analysis examines the static properties of suspicious files such
as file hashes, embedded resources, digital certificates, and interesting strings
(Sussman, 2020). A good starting point for analyzing potential malware files is
static properties analysis. Its objective is to quickly assess the nature of a
potential malware file and develop plans for taking a closer look in the subsequent
phases of malware analysis (Monnappa, 2018).
The best way to demonstrate how to apply the static analysis technique is to use
a real-world malware sample that exhibits static properties (Afianian et al, 2020).
We will consider a fictional enterprise security incident scenario whereby a system
is misbehaving and showing indicators of compromise (IOC). The said system is
suddenly rebooting and is experiencing slow performance, in addition, there is a
foreign process called brbbot.exe running from %AppData%.
%AppData% is an environment variable on Windows that typically points to a
directory in the user’s profile, such as C:\Users\REM\AppData\Roaming. According
to Microsoft (technet.microsoft.com), this location is designed for storing
“user-specific files that applications install”.
As a “rule of thumb”, when we run malware in our lab, we want to determine what
is the worst that the malware specimen can do, allowing it to reach its full malicious
potential. That said, we will make the brbbot specimen run in the virtual lab
system and infect our virtual host with this potential malware, all of this is done
with full administrator privileges to allow the potential malware sample to exhibit
its full malicious potential, as mentioned earlier (Bat-Erdene et al, 2017).
This approach will help us in making sure that the specimen can interact with all
aspects of the infected host, allowing it to achieve its full malicious potential. However,
sometimes it is also useful to run the specimen with normal, non-administrative
privileges to observe its behavior, for instance when mimicking a particular scenario
of a production system in a business setting (Kirubavathi and Anitha, 2018).

INITIAL ASSESSMENT OF A POTENTIAL MALWARE SPECIMEN: BRBBOT.EXE

Before deciding whether to examine the malicious (or suspicious) program using
behavioral or code analysis techniques, we should consider performing an initial
assessment of the malicious binary by examining its static properties (Stiborek,
Pevný, and Rehák, 2018). In some cases, the binary may turn out to be not malicious
because it possesses a hash that belongs to a trusted program. Performing static
properties analysis is important as it can help us determine where to focus our
subsequent analysis efforts. Static properties analysis is a useful first step as part
of the triage effort (Stiborek, Pevný, and Rehák, 2018).

Figure 2. Foreign process running on the system

Given our brbbot.exe specimen, which is a Windows executable, examining the static
properties of a Windows executable involves asking the following questions:

1. Is it malware?
2. What type of file is it (e.g. .exe, .dll, .com, .sys, and so on)?
3. What is the target architecture (32-bit or 64-bit platform)?
4. How bad is it?
5. How to detect it?
6. How to analyze it?

Some of those properties will be examined using the brbbot.exe sample.
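As an added example (not the chapter’s code and not the output of any tool it names), the following Python answers questions 2 and 3 above from the PE headers alone and computes the hashes used for fingerprinting, without executing the file. The sample bytes are constructed here and are not brbbot.exe; the helper names are this example’s own.

```python
"""Static-properties triage of a Windows PE file (added example; the sample
bytes below are constructed and are not brbbot.exe)."""
import hashlib
import struct

# COFF header Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM (Thumb-2)",
    0xAA64: "ARM64",
}
IMAGE_FILE_DLL = 0x2000            # Characteristics bit: the image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def file_hashes(data: bytes) -> dict:
    """Fingerprint the file so it can be looked up in known-good/known-bad hash sets."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def pe_properties(data: bytes) -> dict:
    """Answer 'what type of file is it?' and 'what is the target architecture?'
    from the headers alone, without running the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"file_type": "not a PE/MZ file"}
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"file_type": "MZ header without PE signature (DOS program or corrupt)"}
    # The 20-byte COFF header follows the signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics.
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # The optional header starts right after; its Magic distinguishes PE32 from PE32+.
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "file_type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "bits": {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(opt_magic),
        "sections": nsections,
        "compile_timestamp": timestamp,  # attacker-controlled; treat as a hint only
    }


def triage(data: bytes) -> dict:
    """Combine size, hashes and header properties into one static-properties record."""
    report = {"size": len(data)}
    report.update(file_hashes(data))
    report.update(pe_properties(data))
    return report


def build_sample(machine=0x014C, is_dll=False, opt_magic=PE32_MAGIC) -> bytes:
    """Constructed, minimal PE-shaped bytes for the demo: just enough header to
    parse, not a runnable program."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, len(dos))    # e_lfanew -> PE signature at 0x40
    chars = 0x0002                                 # IMAGE_FILE_EXECUTABLE_IMAGE
    chars |= 0x0100 if opt_magic == PE32_MAGIC else 0   # IMAGE_FILE_32BIT_MACHINE
    chars |= IMAGE_FILE_DLL if is_dll else 0
    coff = struct.pack("<HHIIIHH", machine, 3, 0x5F000000, 0, 0, 2, chars)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", opt_magic)


SAMPLE = build_sample()   # constructed 32-bit EXE-shaped sample

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>18}: {value}")
```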

Figure 3. pestr helps extract strings from a malicious executable.

EXTRACTING STRINGS

A string can be defined as a sequence of ASCII and Unicode-printable characters
embedded within a file. Extracting and examining strings can give malware analysts
insights into the program’s functionality and capabilities. Therefore, a common
first step in examining a suspicious file involves looking at the strings embedded
in it. This examination may reveal filenames, domain names, URLs, IP addresses,
hostnames, or registry keys that the program may attempt to access and can help
focus subsequent steps of the investigation. It must be noted, however, that we
cannot trust all the strings embedded into the program because they might have
been embedded there to mislead the malware analyst. Not to mention the fact that
relying on strings alone does not paint a clear or compelling picture of the purpose
and functionality of a malware binary (Allen, 2017).
A convenient way to accomplish this is to use the pestr tool on REMnux. This
utility, designed for extracting strings from Windows executable files, automatically
obtains both ASCII and Unicode-encoded strings in one shot. Alternatively, we
could use the well-known Strings tool, present on most Linux distributions. By
default, Strings extracts only ASCII-encoded strings. We can tell the tool to extract
Unicode (UTF-16 little-endian) strings by specifying the --encoding=l (lower case L)
parameter as shown on the screen capture below.
Another way to examine ASCII and Unicode-encoded strings on a file is to use
the GUI tool BinText, available free from https://www.mcafee.com/us/downloads/
free-tools/bintext.aspx. BinText’s Filter tab enables you to configure parameters
such as what characters the tool considers as belonging to a string, as well as the
minimum number of characters the tool considers as belonging to a string. The
default minimum text length value is 5. You can decrease it to find shorter strings.

Figure 4. BinText as a GUI to examine embedded strings on Windows.

STRINGS EMBEDDED IN BRBBOT.EXE SUGGEST A FEW POTENTIAL CHARACTERISTICS

By examining the strings embedded inside brbbot.exe, we can probably begin
developing some hypotheses about its characteristics. For instance, the string
HTTP/1.1 might imply that this program can communicate over HTTP. The string
referring to the ... Run registry key suggests that this program might use this key
as a persistence mechanism.
Strings might also enable us to formulate indicators of compromise (IOCs),
which can help in identifying systems throughout our organization infected with
this specimen. Potential IOCs based on strings are the brbbconfig.tmp file and the
string %s?i=%s&c=%s&p=%s as part of an HTTP request. Along these lines, the
string that began with Mozilla/4.0 could be a specific User-Agent header sent as
part of the specimen’s HTTP request; this could help us spot the associated network
traffic in our environment (Bat-Erdene et al, 2017).
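The following Python is an added example (not the chapter’s code, and not pestr or BinText output) for the two sections above: it mirrors what Strings and Strings --encoding=l do, then sorts the results into the kinds of hypotheses just discussed. The byte blob is constructed from the strings the text quotes and is not brbbot.exe; the rule names are this example’s own.

```python
"""ASCII and UTF-16LE string extraction plus IOC hypotheses (added example;
the byte blob is constructed here from the strings the text quotes, it is
not the real brbbot.exe)."""
import re

MIN_LEN = 5   # BinText's default minimum text length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for every printable run of min_len+ characters.

    ASCII runs are what `strings` finds by default; the UTF-16LE pattern
    (printable byte followed by NUL, repeated) is what `strings --encoding=l`
    and pestr add. Like those tools this is byte-pattern matching, so a stray
    "x\\0" right before a real Unicode string can bleed one character into it.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


# Each rule maps a hypothesis (as in the text) to a string pattern that would support it.
IOC_RULES = [
    ("http-capable",       re.compile(r"^HTTP/\d\.\d$")),
    ("persistence-runkey", re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)),
    ("user-agent",         re.compile(r"^Mozilla/\d")),
    ("http-query-format",  re.compile(r"[?&][a-z]+=%s", re.I)),
    ("dropped-file",       re.compile(r"\.(tmp|exe|dll|dat|cfg)$", re.I)),
    ("network-indicator",  re.compile(
        r"https?://|\b\d{1,3}(\.\d{1,3}){3}\b|\b[a-z0-9-]+\.(com|net|org|info)\b", re.I)),
]


def hypotheses(strings: list) -> dict:
    """Group extracted strings by the hypothesis they support. Strings can be
    planted to mislead the analyst, so this is a starting point, not proof."""
    out = {}
    for _offset, _enc, text in strings:
        for tag, rx in IOC_RULES:
            if rx.search(text):
                out.setdefault(tag, []).append(text)
    return out


# Constructed sample: a few header bytes, the strings the text attributes to
# brbbot.exe (one stored as UTF-16LE), some opaque code bytes, and a too-short run.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"HTTP/1.1\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "brbbconfig.tmp".encode("utf-16le") + b"\x00\x00"
    + b"%s?i=%s&c=%s&p=%s\x00"
    + b"Mozilla/4.0 (compatible; MSIE 6.0)\x00"
    + b"\x8b\xff\x55\x8b\xec\xc3"
    + b"ab\x00cd\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, enc, text in found:
        print(f"{offset:06x} {enc:<8} {text}")
    for tag, hits in hypotheses(found).items():
        print(f"{tag}: {hits}")
```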
In the following section, we will be focusing on a special type of malware called
ransomware. We will zero in on the specifics of ransomware behavior, how to prevent
it, and most importantly, how to survive ransomware attacks in the digital age.

INTRODUCTION TO RANSOMWARE BEHAVIOR, PREVENTION, AND SURVIVAL

In this age of technology, almost everything is stored digitally. Data can be quickly
accessed remotely, and physical degradation is no longer a concern. It requires less
space and allows much more information to be kept for much longer. However, among
all these positive elements, there is a risk associated with storing data digitally. What
happens if suddenly all that data stored digitally is no longer accessible? Documents,
family photos, intellectual property – none of it is immune to ransomware, should it
strike. Unless this data is backed up, the ease and accessibility of digitally storing
data could be its downfall. Users must be prepared and cautious to protect their data.

Ransomware:

Ransomware is a type of malicious software, or malware, that infects a system and
demands a ransom for system restoration (Oberly, 2019). It comes in three varieties:
those that lock the screen, those that make threats but do not do anything, and those
that encrypt the files, which is the most common (Allen, 2017). In each case, the
user is presented with the option of paying a ransom to regain access to their system
and data or risk losing it. If a user does not have backups of their data, they may be
forced to pay whatever fee is demanded, which can range from hundreds of dollars
for a personal computer to millions of dollars for a large-scale company network
(Oberly, 2019). Not only do companies suffer monetary loss, but their business is
also affected when it becomes public knowledge that their sensitive data has been
compromised and their security breached (Oberly, 2019). Although it is less common,
some forms of ransomware mimic encrypting ransomware, but merely change file
names to make them seem encrypted (Hachman, 2017).

Infection:

The most common technique used by attackers to compromise systems is phishing
(Oberly, 2019). Phishing is the fraudulent practice of sending emails claiming to
be from reputable companies to induce individuals to reveal personal information
or download malicious content. An example of a phishing email can be seen in
Figure 5, along with indicators of suspicious content. Ransomware may also infect
a system through the downloading of seemingly benign files that contain embedded
malware (Oberly, 2019). Attackers may embed malware in the metadata of an
otherwise harmless file. This does not change the file size or raise any other flags
but can have a catastrophic effect. Unauthorized access to a computer is another way
that malicious code could infect a machine. For example, leaving an unprotected
computer around strangers could lead to infection, as it may not be obvious who
has malicious intentions (Allen, 2017).

Figure 5. Example of a phishing email, retrieved from: https://cdn2.hubspot.net/hubfs/3950430/email-1.png

Ryuk Ransomware

One particular ransomware held the state of Florida hostage in 2019. Ryuk was the
ransomware that took Florida hostage and was successful in getting about a million
dollars from some cities in Florida. The Ryuk ransomware is deployed by a phishing
email or by visiting a sketchy website and clicking a link, after which bots are able to
access the network. Once the bots have access to the network, they use lateral
movement to start encrypting machines and locking users out. The attackers caused
so much havoc that it took 911 offline in Riviera Beach, some police officers were
writing paper tickets, healthcare servers were compromised, criminal evidence was
erased, and about a year and a half of digital evidence was lost, letting six narcotics
dealers walk free.
Preventing ransomware can be just as easy as preventing any other attack.
Our end users should understand that clicking links they are not expecting is
probably not the best thing to do. Norton also has some tips for keeping safe from
ransomware. One thing that Norton suggests is to not pay the ransom. They suggest
this because if you are doing proper backups of your data then you can easily recover
from these attacks, and because paying “encourages and funds these attackers and
even if the ransom is paid, there is no guarantee that you will be able to regain access
to your files” (Norton, 2018). Another good strategy in keeping systems safe from
malware is to ensure that proper patching is happening. Keeping your antivirus
definitions up to date as well as applying the latest operating system patches will
go a long way in keeping your systems secure. It is also important to note that
“exploit kits hosted on compromised websites are commonly used to spread
malware” (Norton, 2018). The IT department should also talk with leadership about
getting an email scanner installed to ensure that any links or attachments in inbound
emails are safe and malicious ones are dropped.

Prevention

One of the most important elements of preventing ransomware infection is user training
and awareness. Humans are often the weakest link of security, so network users must
be educated on the dangers of ransomware and on common infection methods, such
as following unknown links (Oberly, 2019). It is always a good practice to type out
links instead of following them, as this can help avoid subtle link differences that
may otherwise have gone unnoticed (Mohurle and Patil, 2017). For example, typing
out www.google.com could help prevent infection from a link such as www.goggle.com,
which may lead to a malicious site or download malware. Resources exist that
examine links or files for malicious content, such as https://www.virustotal.com/gui/home/upload.
Educating users on potential risks and corresponding safeguards
is an important part of ransomware prevention.
Several policies can be established by companies for their employees to safeguard
against ransomware attacks. Companies should draft policies that define expectations
for users concerning areas such as personal email and file-sharing programs on the
company network (Oberly, 2019). All users should also have strong passwords for
their devices and keep these passwords secret; posting passwords on monitors to
remember them is even worse than having no password, as it lulls the user into a
false sense of security (Allen, 2017). A strong password should have at least eight
characters and be a mix of uppercase and lowercase letters, numbers, and symbols.
Another basic but very important policy that should be employed to minimize risk
is the principle of least privilege. It entails only giving users access to what they
require to do their job; administrative access should only be given when necessary
and revoked when no longer needed (Oberly, 2019). This minimizes the risk of
system damage if a user is compromised, as they will have limited power. Along
similar lines of restricted privileges, policies should be employed that limit user
access to common grounds of infection, such as Facebook, Instagram, and other
social media sites (Oberly, 2019). Users should also disable wireless connections
such as Bluetooth and Wi-Fi when not needed, and ensure that the network is secure
before connecting (Mohurle and Patil, 2017). However, these policies will have no
effect if they are not enforced, so companies should regularly have external audits
done to test their users. By crafting policies such as these for their employees,
companies can minimize their risk of ransomware infection.
In addition to policies for the employees, general company policies can be
established to protect against ransomware attacks. As ransomware also takes advantage
of known security vulnerabilities in systems, it is very important to regularly update
and patch systems as soon as possible. If systems and applications are not patched,
they have a much higher risk of infection, as the vulnerabilities are known to attackers
and provide them with an obvious opportunity (Oberly, 2019). According to Oberly,
“If a program or device is too old to update, retire it, as the limited range of tasks
that it can perform is vastly outweighed by the risk that the outdated technology
presents to the company’s computer networks and systems, which can provide
attackers with vulnerable entry points to launch a ransomware attack”. Another
method of prevention that can be employed by a company is whitelisting software.
Whitelisting creates a list of acceptable and trusted applications, executable files,
and connections. The system allows these to run while blocking any software or port
not on the list. Antivirus software and firewalls are other basic requirements that
every company should include in their systems (Hachman, 2017). Company-wide
policies such as these are essential to mitigate possible infections.

Recovery:

The best option for combating ransomware is to ensure that the company policy is
set up to avoid having to pay the ransom, as even if the ransom is paid there is no
guarantee that data will be restored (Allen, 2017). One way to do this is to have
off-network backups of data. All data should be backed up regularly, with essential
data being backed up daily if necessary. Several copies of the entire system should
be stored at different locations to allow for complete reloading of the system
(Allen, 2017). Copies may be stored at different physical locations on a variety of
media, including servers, hard drives, or solid-state drives (SSDs). Additionally,
companies should have a backup that is a few weeks old. This may be necessary if
ransomware remains undetected for some time, propagating throughout the network
before launching all at once. A backup that is a few weeks old will not contain the
most up-to-date data, but it should predate any infection. A prudent approach is to
keep both recent and older backups. Even with regular backups, however, any data
created since the last backup will be lost (Allen, 2017).

Recent Prominent Variants

The following are a few examples of notorious strings of ransomware. Ransomware
first appeared in 1989 with the AIDS Trojan. This ransomware attack failed overall
because the ransom could be bypassed by extracting the encryption key from the
trojan code. Its creator, Joseph Popp, was caught and ended up donating the money
he had managed to capture to AIDS research, hence the attack’s name. Since this
time, attacks have become much more sophisticated and successful. The percentage
of organizations affected by ransomware has dropped significantly, but the gains in
revenue for attackers have remained largely the same.
SimpleLocker was a ransomware attack that surfaced in 2015. This attack was
the first Android platform attack to encrypt files, as opposed to blocking the user
from the user interface like previous attacks. SimpleLocker’s payload was in the
trojan downloader, but it affected a relatively small portion of Android users since
the infection came from downloading sketchy apps from outside of the Google Play
store. This attack originated in Eastern Europe, but most of the targets were in the
United States.
SamSam was another attack that had Eastern European origins but targeted
the US. This attack took place in 2016 and offered ransomware-as-a-service,
where controllers carefully probed targets for weaknesses and then exploited the
vulnerabilities that they found. Once this attack made its way into the system, it
quickly escalated privileges to encrypt files.
Just a year later, the WannaCry ransomware attack appeared. This attack was
a cryptoworm, encrypting data and spreading to other machines via port 445, the
Server Message Block (SMB) port. WannaCry utilized EternalBlue, an exploit
discovered by the NSA that took advantage of a defect in Microsoft’s implementation
of the SMB protocol. Although a patch was released by Microsoft on March 14, many
people had not yet installed it and had SMB port 445 open. This allowed the
ransomware to spread easily, as it did not need user interaction but traveled between
servers via port 445. This attack ended after four days, as Marcus Hutchins discovered
a kill switch within the malware that greatly reduced further compromise.
NotPetya was a ransomware that exploited the same EternalBlue vulnerability
as WannaCry, taking place only weeks after. This attack was primarily focused on
Ukraine, targeting energy companies, power grids, bus stations, gas stations, airports,
and banks. A Ukrainian tax preparation program, M.E. Doc, was compromised to
spread the malware, and an investigation afterward revealed that software updates
had not been applied on these servers since 2013. The backdoor utilized in this
attack was present nearly six weeks before, showing this attack was well planned. A
“vaccine” for this threat was developed, as Amit Serper found that before encryption,
NotPetya would search for its filename. Users could create the read-only file perf.c,
and the ransomware would think the machine was already infected and not execute.
This attack was further stopped when the attacker’s email service provider shut
down their email account, preventing them from receiving payment confirmation.
One of the more recent ransomware attacks is Ryuk, which was common from
2018 to 2019. It was derived from Hermes ransomware and specifically targeted
organizations with little tolerance for downtime. This attack worked by disabling the
Windows System Restore to minimize chances of users getting around the ransom,
and higher ransoms were demanded from higher-value targets. This attack did not
run on computers with Russian, Belarusian, or Ukrainian set as their language,
suggesting that it was of Russian origin. These are only a few examples of the
multifarious variations of ransomware that have targeted users and companies.

Cases

There have been countless cases of ransomware, with targets ranging from personal
computers to government institutions. Medical institutions such as hospitals are
a common target, as they have sensitive and vital information that they normally
cannot afford to lose. Hollywood Presbyterian Medical Center (HPMC) was one such
example. HPMC was stricken with ransomware and had to pay $17,000 to restore
critical data and communication capabilities. HPMC paid the ransom before reaching
out to the authorities, wanting to restore systems as quickly as possible. Conversely,
Ottawa Hospital experienced a ransomware attack that affected over 9,800 machines,
but they did not pay the demanded ransom. This hospital had extensive back-ups,
so they were able to wipe all the hard drives and restore the system from their back-
ups. Kentucky Methodist Hospital, Chino Valley Medical Center, and Desert Valley
Hospital were similar cases. These hospitals had their files, images, and documents
encrypted and renamed with the .locky extension by the ransomware, but they were
able to successfully restore their systems from their back-ups.
In addition to medical institutions, entire cities may be targeted by ransomware
attacks. In 2016, the San Francisco Municipal Transportation Agency (SFMTA)
experienced a ransomware attack that disrupted their train ticketing and bus
management systems, with a $73,000 ransom demand for restoration of their
system. SFMTA did not end up paying the ransom, thanks to a speedy response
and comprehensive backup process that allowed SFMTA to restore their systems
in two days. However, SFMTA did not escape unharmed, as, during the two-day
restoration process, all passengers were able to ride for free. Atlanta is another
city that experienced a ransomware attack. A January 2018 audit found 1,500-2,000
vulnerabilities in the city's infrastructure, and in March it fell to a SamSam
ransomware attack that gained its initial access by brute force. One-third of all
software programs in the city were affected by this attack. Atlanta is an economic
and transportation hub, and utilities, parking, court

207
Reverse-Engineering Malware

services, and police services were all affected. Many police and court documents
were permanently deleted, but the police department was able to restore all of its
investigation files. The city took many services offline to recover from the attack,
and for a short time, all payments and bills had to be in paper format until systems
could be restored.

Demonstration Methods

To investigate the behavior of ransomware, this project used a VMware virtual
machine to download and run a sample of ransomware. In the virtual machine, a
WannaCry ransomware sample was downloaded from GitHub and uploaded to the
any.run website. This site is an interactive malware analysis service that runs
Windows programs, scripts, and other files in a full sandbox environment.
Any.run has a free community version, which was used in this project, and paid
plans with extended features. The community version supports a Windows 7 32-bit
virtual environment and includes detailed process information, as well as network
information, files, and debug functions. When the ransomware sample is uploaded to
this site, it is executed inside the sandbox, showing how the file would affect a
regular system. The process information pane tracks any processes that are executed
or created and offers a threat analysis on each. The file was executed and allowed
to run for 60 seconds to collect information, which was examined in detail. Two
practical caveats apply: the sample must only ever be handled inside the isolated
virtual machine, and submissions made on any.run's community plan are public, so
that plan is unsuitable for samples that may contain confidential data.

Demonstration

The ransomware sample chosen was a WannaCry sample downloaded from
https://github.com/fadyosman/WannaCrySample/network/members, in a file called
wannacry.exe. The file was downloaded inside the SIFT Workstation distribution
running in VMware and uploaded to the any.run website. After executing for 60
seconds, the file had completely encrypted the virtual desktop and displayed a
ransom note. Figures 6 through 9 show the four stages of desktop encryption. As
can be seen, the ransomware was able to fully execute and take over the sandboxed
system within 60 seconds.
Following the 60 seconds of execution, any.run offers a variety of information
regarding the process just executed. As can be seen in Figures 10 and 11,
information regarding network connections, threats, files, processes executed, and
more is readily available. The network tab beneath the desktop lists the connections
made by this process. Connections were observed on ports 9001, 9090, 1512, and
12638, as well as on port 80. Ports 9001 and 9090 are commonly used by Tor relays,
which is consistent with the Tor client the sample drops (taskhsvc.exe in the
process tree below), and port 80 is plain HTTP.
Any.run also contains a threat tab (Figure 12) that displays all the threats
related to wannacry.exe.


Figure 6. The initial state of desktop

The Process tab on the left displays a list of all the processes executed by the
file, a total of 24 in this sample.
By clicking on a particular process, more information can be seen. The first
process, wannacry.exe, was flagged by any.run as strongly malicious. It correctly
flagged this as WannaCry ransomware and displayed a long list of all the files
modified by this process. Some files were newly created, and others were encrypted.

Figure 7. Additional files added to the desktop


Figure 8. Encryption message set as background

This section also displays the child processes of wannacry.exe, which offer a
good place to look for other malicious behavior.
An important section to examine here is the "Indicators of Suspicious Behavior"
section. It groups indicators into Danger, Warning, and Info tiers for the varying
levels of concern. Figures 14 and 15 show the advanced details and suspicious
activities panes for wannacry.exe.

Figure 9. Ransom note displayed on the screen with payment instructions


Figure 10. Overview of any.run analysis

Figure 11. Connections tab

Examining the child processes of wannacry.exe gives more insight into its
behavior. Not every process is malicious, but upon examination, many were found
to be malicious. Below is the layout of processes and their children, with child
processes indented.

A. 1916 wannacry.exe
   1. 3752 attrib.exe
   2. 3992 icacls.exe
   3. 912 taskdl.exe
   4. 2524 cmd.exe
      a. 4072 cscript.exe
   5. 3784 @[email protected]
      a. 1520 taskhsvc.exe – modifies 13 tor files
   6. 3912 cmd.exe
      a. 2144 @[email protected]
         i. 2040 cmd.exe*
            1. 2712 vssadmin.exe – deletes shadow copies
            2. 2884 WMIC.exe – deletes shadow copies
            3. 2384 bcdedit.exe – disables recovery
            4. 2716 bcdedit.exe – disables recovery
            5. 2700 wbadmin.exe – deletes catalog
   7. 4004 taskdl.exe
   8. 1576 @[email protected] – modifies bitmap (ransom note)
   9. 2764 cmd.exe
      a. 3856 reg.exe – changes the autorun value in the registry

Figure 12. Threats tab

Figure 13. Process tab

Figure 14. Wannacry.exe advanced details pane

Figure 15. Wannacry.exe suspicious activities pane

Among the child processes of wannacry.exe, cmd.exe was another malicious
process. It was also flagged as highly malicious and, upon examination, was found
to delete the shadow copies of files to prevent the recovery of data (Figure 16).
As can be seen, once ransomware has been downloaded to a machine and
executed, it works very quickly. In only 60 seconds, this WannaCry sample was
able to completely lock down the virtual desktop. It did so by creating processes
to encrypt files and to delete shadow copies of files to prevent recovery. It also
changed registry values that control what runs at boot-up, so rebooting the system
does not bypass the ransomware. It is also worth noting that deleting shadow
copies, disabling recovery, and deleting the backup catalog all require
administrator rights. The sandbox trace shows these commands succeeding but does
not show how those rights were obtained, so this run alone cannot establish
whether the sample escalated its privileges or was simply launched from an
administrative account. That distinction matters in a real incident, because it
determines whether running users under least-privilege accounts would have
blocked these recovery-inhibition steps.
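As an added example that is not part of the chapter, the following Python script applies the reasoning of this section to a process tree: it walks parent links, matches each command line against rules for the behaviours seen above (shadow-copy deletion, recovery disabling, backup-catalog deletion, Run-key persistence), grades the hits with any.run's Danger/Warning/Info tiers, and aggregates everything under a root process into a verdict. The process records are constructed by hand and modelled on the tree above; the PIDs follow the chapter, but the command lines, the rule set, and the PID 1000 launcher are assumptions, not any.run output.

```python
# Added example, not from the chapter: score a sandbox process tree for the
# recovery-inhibition and persistence behaviour seen in the WannaCry trace.
# Records are constructed by hand; PIDs follow the chapter's tree, but every
# command line is an assumption, not any.run output.
import re
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str

# Constructed sample tree (PID 1000 stands in for the launching shell).
SAMPLE_PROCS = [
    Proc(1916, 1000, "wannacry.exe", "wannacry.exe"),
    Proc(3752, 1916, "attrib.exe", "attrib +h ."),
    Proc(2524, 1916, "cmd.exe", "cmd.exe /c start /b @[email protected] vs"),
    Proc(2144, 2524, "@[email protected]", "@[email protected] vs"),
    Proc(2040, 2144, "cmd.exe",
         "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
         " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
         " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    Proc(2712, 2040, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(2884, 2040, "WMIC.exe", "wmic shadowcopy delete"),
    Proc(2384, 2040, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    Proc(2716, 2040, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Proc(2700, 2040, "wbadmin.exe", "wbadmin delete catalog -quiet"),
    Proc(2764, 1916, "cmd.exe",
         'cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
         ' /v "abc" /t REG_SZ /d "C:\\tasksche.exe" /f'),
    Proc(3856, 2764, "reg.exe",
         'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
         ' /v "abc" /t REG_SZ /d "C:\\tasksche.exe" /f'),
    Proc(4242, 1000, "explorer.exe", "explorer.exe"),  # benign control process
]

# Severity tiers mirror any.run's Danger / Warning / Info labels.
RULES = [
    ("Danger", "shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Danger", "boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Danger", "backup catalog deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Warning", "Run-key autorun added",
     re.compile(r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
    ("Info", "files hidden via attrib",
     re.compile(r"^attrib(\.exe)?\s+\+h", re.I)),
]

def ancestry(procs, pid):
    """Processes from pid up to the root; the seen-set guards against damaged trees."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def scan(procs):
    """One finding per (process, rule) match, with the parent chain for context."""
    findings = []
    for p in procs:
        chain = ancestry(procs, p.pid)
        for severity, desc, rx in RULES:
            if rx.search(p.cmdline):
                findings.append({"pid": p.pid, "severity": severity, "desc": desc,
                                 "ancestors": [a.pid for a in chain],
                                 "chain": " <- ".join(a.name for a in chain)})
    return findings

def verdict(procs, root_pid):
    """Aggregate the findings under one root. The chapter's trace shows three
    distinct Danger behaviours plus an autorun entry under wannacry.exe; that
    combination is what this rates as ransomware-like."""
    hits = [f for f in scan(procs) if root_pid in f["ancestors"]]
    danger = sorted({f["desc"] for f in hits if f["severity"] == "Danger"})
    persist = any(f["desc"] == "Run-key autorun added" for f in hits)
    if len(danger) >= 2 and persist:
        label = "ransomware-like: recovery inhibited and persistence set"
    elif danger:
        label = "suspicious: recovery inhibited"
    else:
        label = "no recovery-inhibition behaviour"
    return label, danger, persist

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCS):
        print(f"[{f['severity']:7}] pid {f['pid']:<5} {f['desc']:<24} {f['chain']}")
    print(verdict(SAMPLE_PROCS, 1916))
```

Run directly, the script prints each finding with its parent chain and then the verdict for the wannacry.exe root. The verdict deliberately requires two distinct recovery-inhibition behaviours together with a persistence entry, so a single bcdedit run by an administrator is only rated suspicious and a benign root such as the explorer.exe control comes back clean. The same rules can be pointed at Sysmon event ID 1 or EDR process-creation logs, which carry the same PID, parent PID, and command-line fields.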

CONCLUSION

Information technology has forever changed the way we live and work and there is no
doubt about the fact that the world has benefited from technological advancements in
ways that are immeasurable and never imagined before. However, these technological
advancements are not risk-free and there is a flip side to this: cybercriminal activities
have skyrocketed in recent years to the point where in some cases hackers have been
able to take business organizations hostage using malware. Cyber-crimes have become
a multi-billion-dollar industry in recent years. Most cybercrimes/attacks involve
deploying some type of malware. Malware that viciously targets every industry,
every sector, every enterprise, and even individuals has shown its capabilities to
take entire business organizations offline and cause significant financial damage in
billions of dollars annually. Malware authors are constantly evolving in their attack


Figure 16. Cmd.exe advanced details panel

strategies and sophistication and are developing malware that is difficult to detect and
can lie dormant in the background for some time to evade security controls.
The results of our malware analysis demonstrate that malware authors are smart and
creative and that they develop new malware every day. We also noticed from our
results that many malware authors use encryption to protect their communication
and to make it harder for malware analysts to examine samples. It is clear that
malware is becoming more advanced and more destructive, and that it is capable of
evading traditional anti-virus programs.
