What are malware artifacts?

Categories: Defense, Blog, SOC, Cybersecurity. By Z. Oualid.


In the intricate landscape of cybersecurity, understanding the concept of malware artifacts is paramount for safeguarding digital environments. Every malware family leaves its own digital signature in the form of artifacts, which can be used to detect it on infected machines. So, what are malware artifacts?

Malware artifacts are traces left by malicious software. Here is a list of the most common malware artifacts:

  1. Registry Changes
  2. File Creations
  3. Modified Timestamps
  4. Altered System Settings
  5. Unusual Processes
  6. Code injection
  7. Malware hash
  8. C2 domain names
  9. Unusual Network Ports
  10. File extensions

If you want to learn more about what each artifact means, and how it is used to detect malware, then just keep reading.

1) Registry Changes

In the realm of malware analysis, the term “Registry Changes” refers to the alterations made to the Windows Registry by malicious software. The Windows Registry serves as a centralized database storing crucial system configurations and settings. When malware infiltrates a system, it often manipulates these registry entries to ensure persistence, execute malicious processes, or conceal its presence.

For instance, a common artifact involves the creation of a registry value under the “Run” subkey, enabling the malware to launch automatically during system startup. Another example includes modifications to registry values associated with system security, allowing the malware to disable antivirus software. A further change can target the network proxy settings in the registry to intercept browser requests.

Such changes can be subtle yet impactful, as malicious actors strategically exploit the registry’s role in system functionality. By identifying these registry artifacts during analysis, cybersecurity experts gain valuable insights into the tactics employed by malware, facilitating effective detection and mitigation strategies. Understanding the significance of registry changes is integral to deciphering the fingerprints left behind by malicious entities and fortifying digital environments against potential threats.
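The two registry artifacts described above (a Run entry pointing into a user-writable directory, and a proxy override) can be checked offline against a `reg export` file. This is an added example, not code from the original post; the .reg excerpt is constructed sample data and the list of suspicious directories is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed excerpt in "reg export" (.reg) format: sample data for this example,
# not a real export. One legitimate Run entry, one suspicious one, and a proxy change.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"""

# Directories an autostart entry rarely points to legitimately (all user-writable).
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}; strings and dwords only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, s, dword = m.groups()
                # .reg strings escape backslashes and quotes; undo that for matching.
                keys[current][name] = (s.replace("\\\\", "\\").replace('\\"', '"')
                                       if s is not None else str(int(dword, 16)))
    return keys

def find_registry_artifacts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Run-key entries in user-writable paths and an enabled proxy override."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if p.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if any(d in data.lower() for d in SUSPICIOUS_DIRS):
                    findings.append(f"Run entry '{name}' launches from user-writable path: {data}")
        elif p.endswith("\\internet settings"):
            if values.get("ProxyEnable") == "1" and values.get("ProxyServer"):
                findings.append(f"Browser proxy enabled, traffic routed through {values['ProxyServer']}")
    return findings
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion run.reg` style output from a suspect host; a legitimate entry such as OneDrive produces no finding.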

2) File Creations

The term “File Creations” pertains to the generation of new files by malicious software on a system. These artifacts play a crucial role in identifying and understanding the presence of malware.

For instance, a common file creation artifact involves the malware generating executable files or scripts in obscure directories, often with randomized names to evade detection. Additionally, malware might create log files or configuration files to store information or settings for its operations.

These newly spawned files act as digital footprints, enabling cybersecurity experts to trace the activities of the malicious software. Detecting such artifacts is instrumental in early threat identification, as abnormal file creations can signify malicious intent.

Malware may attempt to disguise itself by mimicking legitimate files, or it might generate files with obfuscated code to impede analysis. Thus, comprehending the significance of file creation artifacts empowers analysts to unravel the tactics employed by malware and bolster defenses against potential cyber threats.

3) Modified Timestamps

“Modified Timestamps” refers to the manipulation of file creation or modification times by malicious software. These timestamps, which indicate when a file was created or last modified, serve as critical forensic data. Malware may tamper with them to disguise its presence or to make it appear as if files were accessed at different times.

For example, a common artifact involves the malware altering the timestamps of files it creates to match legitimate system files, making detection more challenging. In another scenario, malware might change timestamps to make it seem as if it had been inactive during certain periods, complicating the reconstruction of its timeline of activities.

By scrutinizing these modified timestamps during analysis, cybersecurity experts can unveil the efforts made by malware to manipulate digital evidence. Understanding the implications of such artifacts becomes pivotal in deciphering the chronology of malicious actions, aiding in the identification, containment, and mitigation of potential cyber threats.
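On NTFS, the timestamps a user-mode tool can rewrite live in the $STANDARD_INFORMATION attribute, while the $FILE_NAME attribute keeps a second set that only the kernel updates; comparing the two is how analysts expose the back-dating described above. The following is an added example, not part of the original post; the MFT records are constructed and the `MftRecord` type is this example's own simplification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

def ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION: what Explorer shows; SetFileTime can change it
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME: written by the kernel on create/rename, not via SetFileTime

# Constructed records for this example (hypothetical values, not from a real image).
RECORDS = [
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              ts("2019-03-19T04:52:11.123456"), ts("2019-03-19T04:52:11.123456"),
              ts("2019-03-19T04:52:11.123456")),
    MftRecord(r"C:\Users\alice\AppData\Roaming\svchost.exe",
              ts("2019-03-19T04:52:11"), ts("2019-03-19T04:52:11"),
              ts("2023-11-02T14:07:55.881204")),
]

def timestomp_indicators(rec: MftRecord) -> List[str]:
    reasons = []
    # $FN creation is a kernel snapshot taken when the file was created, so a $SI
    # creation time earlier than it means $SI was back-dated afterwards.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI creation time precedes $FN creation time")
    # NTFS stores 100 ns ticks; SetFileTime-based tools commonly write whole seconds.
    # Weak on its own (files copied from FAT media are truncated too), so it is
    # reported as a separate reason rather than folded into the first one.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    return reasons

def scan(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map each suspicious path to its list of indicators; clean files are omitted."""
    result = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            result[rec.path] = reasons
    return result
```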

4) Altered System Settings

“Altered System Settings” encompasses the unauthorized modifications made by malicious software to critical configurations within a system. These settings, which dictate the behavior and functionality of the operating system, become crucial indicators of compromise.

For instance, malware might manipulate firewall settings to allow unauthorized inbound or outbound network traffic, facilitating communication with external servers under the control of threat actors. Another common artifact involves changes to security policies, like disabling antivirus or antimalware services to evade detection.

Additionally, malware may tweak system privileges, elevating its access rights for more extensive control over the compromised environment. Detecting these altered system settings during analysis becomes pivotal for cybersecurity experts, offering insights into the tactics employed by the malicious software.

Recognizing these artifacts aids in unraveling the intentions of the threat, allowing for timely responses to contain and eliminate the security risk. Understanding the implications of altered system settings becomes instrumental in fortifying systems against potential cyber threats and ensuring the integrity and security of digital environments.

5) Unusual Processes

The term “Unusual Processes” in the context of malware artifacts refers to abnormal or unexpected programs running on a system, indicating potential security threats. Malicious software often employs deceptive tactics by running processes with innocuous names or disguising itself as legitimate applications.

For instance, a common artifact involves malware creating processes with names resembling system-critical services, making detection challenging. Another example includes processes initiated from non-standard directories or with obscure executables, signifying potential malicious activity. Detecting these unusual processes during malware analysis is essential for cybersecurity experts to identify unauthorized activities. It allows for the timely isolation and removal of the threat, preventing further compromise of the system.

By understanding the implications of unusual processes, analysts gain insights into the tactics employed by the malware, facilitating effective responses to mitigate potential cyber threats. This recognition serves as a crucial component in fortifying digital environments against unauthorized activities and ensuring the security of systems and sensitive information.

6) Code injection

Code injection is a technique employed by cyber threats, involving the insertion of malicious code into a legitimate process or application, altering its behavior. This method allows malicious actors to execute arbitrary commands, manipulate data, or gain unauthorized access.

A common example is DLL (Dynamic Link Library) injection, where malware injects its code into a legitimate process, often to avoid detection or to exploit the privileges of the compromised application. Another form is script injection in web applications, where attackers insert malicious scripts into input fields or user interfaces, compromising user sessions or stealing sensitive information.

The following malware families use this technique in the wild:

  • Uroburos can use DLL injection to load embedded files and modules.
  • Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.
  • ZxShell is injected into a shared SVCHOST process.

Detecting code injection artifacts during analysis is crucial for cybersecurity experts to uncover the presence of malicious entities. By understanding the nuances of code injection, analysts can develop effective strategies to mitigate these threats, fortify software against exploitation, and safeguard systems and data from unauthorized manipulation. Recognizing the signs of code injection empowers security professionals to stay one step ahead in the ongoing battle against cyber threats, ensuring the resilience of digital environments.

7) Malware hash

Malware hash refers to a unique identifier generated through a cryptographic hash function for a specific malware file. This hash serves as a digital fingerprint, representing the file’s content in a condensed form. Security professionals use these hashes to quickly compare files and identify known malware.

For example, when an antivirus program scans a file, it computes its hash and compares it against a database of known malicious hashes. If a match is found, the file is flagged as potential malware. Additionally, security experts share malware hashes within the industry, enabling a collective defense against emerging threats. Hashes like MD5, SHA-1, and SHA-256 are commonly used for this purpose.

Here are the hashes of some well-known malware samples:

  • Nanocore: bf994dce3712fb66afa4a2ce5b3ceee4
  • CoinMiner: a9e785de50216ab7987be7403d1bfcf4d7661ebcfdb8c27eb1525c919398ff7d
  • Mirai: 871e19415a39c8d056d22513178a5d63

Understanding malware hashes is pivotal for developing robust threat intelligence, allowing for rapid identification and response to malicious files across various digital environments. It’s a cornerstone in the ongoing effort to stay ahead of cyber threats, providing a streamlined method for recognizing and neutralizing known malware strains before they can wreak havoc on systems and data.
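Hash feeds like the list above mix MD5 and SHA-256 digests, so a lookup has to infer the algorithm per entry before hashing a candidate file; and, as the conclusion of this post notes, appending a single byte to the file defeats an exact-hash match. This added example (not code from the original post) shows both; the sample bytes and the feed are constructed in the block itself.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

HEX = set("0123456789abcdef")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def normalize_iocs(raw: List[str]) -> Dict[str, Set[str]]:
    """Group a mixed feed of hex digests by algorithm, inferred from digest length."""
    by_algo: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for entry in raw:
        h = entry.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo and set(h) <= HEX:      # silently drop malformed feed lines
            by_algo[algo].add(h)
    return by_algo

def lookup(data: bytes, by_algo: Dict[str, Set[str]]) -> Optional[Tuple[str, str]]:
    """Hash the content once per algorithm the feed actually contains; return the first hit."""
    for algo, digests in by_algo.items():
        if digests:
            digest = hashlib.new(algo, data).hexdigest()
            if digest in digests:
                return algo, digest
    return None

def padded(data: bytes, n: int = 1) -> bytes:
    """Append junk bytes: the program is unchanged, but every digest is different."""
    return data + b"\x00" * n

# Constructed stand-in for a malicious file (an MZ header plus filler), never real malware.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample body for the hash example"
# Constructed feed: an upper-case MD5, a SHA-256 and one malformed line.
FEED = [hashlib.md5(SAMPLE).hexdigest().upper(),
        hashlib.sha256(SAMPLE).hexdigest(),
        "not-a-hash"]
```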

8) C2 domain names

C2 domain names refer to Command and Control domains utilized by malicious actors to communicate with compromised systems. These domains act as a bridge, enabling threat actors to send instructions, receive stolen data, or update the malware. For instance, a piece of malware may be programmed to reach out to a specific C2 domain to download additional malicious payloads or receive commands from its orchestrators.

Real-world examples include seemingly innocuous domains that, when analyzed, reveal their association with malicious activities. Detecting these C2 domain names during cybersecurity analysis is crucial for identifying and mitigating potential threats. Security professionals often use threat intelligence feeds to stay informed about known malicious domains, aiding in the proactive blocking of communication with these domains.

Threat intelligence feeds publish C2 domains for well-known malware families such as Shlayer, ZeuS and Dridex, usually in defanged form (with “[.]” in place of each dot) so that the indicators cannot be clicked by accident.


By understanding the significance of C2 domain names, analysts can disrupt the communication channels of malware, preventing further compromise and fortifying the cybersecurity posture of digital environments. This proactive approach plays a vital role in staying one step ahead of cyber threats, ensuring the security and integrity of systems and data.
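Feed entries arrive defanged and in mixed case, while resolver logs carry the real name, sometimes with a trailing dot, and malware frequently uses a subdomain of the listed C2 domain. The matcher below, an added example that is not part of the original post, refangs the feed and matches parent domains label by label; the feed domains (reserved `.example` names) and the log lines are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Indicators in the defanged "[.]" notation threat-intel feeds use. The domains are
# constructed placeholders under the reserved .example TLD, not real C2 infrastructure.
C2_FEED = {
    "Shlayer": ["api.interfacecache[.]example", "api.scalableunit[.]example"],
    "ZeuS": ["Opaopa[.]example"],
    "Dridex": ["oneyearnovel[.]example"],
}

# Constructed resolver log in a simple "timestamp client qname" format.
DNS_LOG = """\
2024-01-05T10:00:01Z 10.0.0.12 api.interfacecache.example
2024-01-05T10:00:02Z 10.0.0.12 www.microsoft.com
2024-01-05T10:00:03Z 10.0.0.45 cdn.oneyearnovel.example
2024-01-05T10:00:04Z 10.0.0.45 notopaopa.example
2024-01-05T10:00:05Z 10.0.0.77 OPAOPA.EXAMPLE.
"""

def refang(indicator: str) -> str:
    """Turn a defanged feed entry into a matchable, lower-case name without a trailing dot."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

def build_index(feed: Dict[str, List[str]]) -> Dict[str, str]:
    return {refang(d): family for family, domains in feed.items() for d in domains}

def match_indicator(qname: str, index: Dict[str, str]) -> Optional[str]:
    """Match the exact name or any subdomain of an indicator. Only whole labels are
    stripped, so 'notopaopa.example' is not mistaken for 'opaopa.example'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        family = index.get(".".join(labels[i:]))
        if family:
            return family
    return None

def scan_dns_log(log: str, feed: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, family) for every query that hits the feed."""
    index = build_index(feed)
    hits = []
    for line in log.splitlines():
        _timestamp, client, qname = line.split()
        family = match_indicator(qname, index)
        if family:
            hits.append((client, qname.lower().rstrip("."), family))
    return hits
```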

9) Unusual Network Ports

“Unusual Network Ports” refer to atypical or uncommon communication channels used by software or devices. In the context of cybersecurity, detecting unusual network ports is crucial for identifying potential security threats. Malicious actors often exploit non-standard ports to evade detection or bypass network security measures.

For example, malware might communicate over a less common port, such as port 8080, to disguise its traffic as normal web traffic. Another scenario involves an unauthorized service using a port traditionally associated with a well-known application, signaling potential malicious activity. Recognizing these unusual network ports during analysis allows cybersecurity experts to uncover potential threats and take proactive measures to mitigate risks.

Security tools and network monitoring solutions play a key role in identifying and flagging such anomalies, contributing to a robust cybersecurity posture. Understanding the significance of unusual network ports empowers organizations to stay vigilant against potential threats, ensuring a more comprehensive defense against cyber attacks and unauthorized access to networks and systems.

10) File extensions

In the realm of cybersecurity, “File Extensions Artifacts” refer to the distinctive markers found in file names that denote the file’s format and type. These artifacts play a crucial role in digital forensics and malware analysis. For instance, a seemingly harmless file named “invoice.pdf” might have a mismatched extension, concealing its actual executable nature, like “invoice.exe.” Cybercriminals often employ this tactic to trick users into opening files, taking advantage of the trust associated with common document formats.

Detecting these artifacts becomes paramount during cybersecurity analysis, enabling experts to identify potential threats. Real-world examples include spotting executable files masquerading as harmless documents or malicious scripts camouflaged with benign extensions.

The significance of file extensions artifacts lies in their role as red flags, helping cybersecurity professionals differentiate between legitimate files and those that may harbor malicious intent. By scrutinizing these artifacts, analysts can uncover hidden threats, fortify digital defenses, and ensure the security of systems and sensitive data. Understanding the nuances of file extension artifacts is instrumental in building resilience against cyber threats and fostering a safer digital environment.
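The “invoice.pdf” case above can be caught two ways: a double extension such as “invoice.pdf.exe”, and a file whose first bytes (its magic number) do not match what the extension claims. This added example, not code from the original post, checks both; the signature table is limited to a few common formats and the sample files are constructed headers only.

```python
import ntpath
from typing import List

# File signatures (magic bytes) of formats commonly seen in lure attachments.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),                        # .zip and .docx/.xlsx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),   # legacy .doc/.xls
]
# What a given extension claims the content to be.
EXPECTED = {".exe": "pe-executable", ".scr": "pe-executable", ".dll": "pe-executable",
            ".pdf": "pdf", ".docx": "zip-container", ".xlsx": "zip-container",
            ".zip": "zip-container", ".doc": "ole-document", ".xls": "ole-document"}
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

def detect_format(data: bytes) -> str:
    for signature, fmt in MAGIC:
        if data.startswith(signature):
            return fmt
    return "unknown"

def extension_artifacts(filename: str, data: bytes) -> List[str]:
    """Return the extension-related red flags for one file (empty list = nothing found)."""
    findings = []
    parts = ntpath.basename(filename).lower().split(".")   # ntpath handles Windows paths anywhere
    exts = ["." + p for p in parts[1:]]
    # "invoice.pdf.exe": a document extension placed before the real, executable one.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in EXPECTED:
        findings.append(f"double extension {''.join(exts[-2:])}")
    # "invoice.pdf" whose bytes start with MZ: the extension lies about the content.
    actual = detect_format(data)
    claimed = EXPECTED.get(exts[-1]) if exts else None
    if claimed and actual != "unknown" and actual != claimed:
        findings.append(f"extension {exts[-1]} claims {claimed} but content is {actual}")
    return findings

# Constructed samples: minimal headers only, no real files.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n%constructed",
}
```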

Conclusion

You should keep in mind that malware authors do their best to constantly change their malware traces and IOCs, or even make them dynamic. Malware hashes, for example, can easily be changed by simply appending unnecessary bytes to the malware file. C2 domain names are also made dynamic by pointing to a different, predictable domain name each time the malware infects a machine. However, these IOCs remain important for successful malware detection and should be considered together, so that even if one of them is evaded another can still help.

Written by: Z. Oualid


About the author

Z. Oualid

I am a cyber security expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

