You should download dnSpy or ILSpy. dnSpy is nicer and it also has a debugger, which allows you not only to decompile C#/.NET code but also to edit it, rebuild it, place breakpoints and run, etc. If it’s obfuscated, get de4dot and drag the file onto de4dot first, then use dnSpy after.
There’s a saying in the military, something along the lines of “The target dictates the weapon and the weapon dictates the movement”. This implies that the method employed is entirely dependent on the target.
With this in mind, I think that the “devastation factor” would be much more closely tied to a target than to the method of attacking that target. For instance, if someone were to target, say, a college computer lab and shut down the entire university with fileless malware, would THAT be more devastating than if someone plugged a USB into 1 computer that spread ransomware throughout that hospital?
That said, any “truly fileless” malware is defeated simply by rebooting the system. There is usually some persistence mechanism (something on disk or in a network) that must be implemented to ensure a reboot doesn’t revert their actions, and that makes it detectable outside of memory.
So, I’d say a persistent individual or group with a solid understanding of multiple advanced methods of exploitation is likely the most devastating thing that can happen to any system.
I recently started working with IDA. I do it as follows:
Start with strings. It helps you find Unicode and ASCII strings in the binary. With the WannaCry sample I was able to see a potential zip password and potential bitcoin wallet addresses.
Use PEView to figure out the imports and exports. Imports will help you to get an idea of what the malware is trying to do.
Resource Hacker can help you extract anything that is in the resource section. With WannaCry I was able to extract a password-protected zip file from the resource section.
Now I open the file with IDA and start tracking down functions that are calling the interesting imports listed using PEView. Normally the binary will contain a hell of a lot of functions; you cannot go through each and every function, and you should not. Once you track down interesting functions, you can analyse them and rename them according to your understanding.
Once you are done with it, you can look at the function call tree in IDA, which can then reveal what a program is trying to do.
I’m pretty new to this. Suggestions and corrections are welcome.
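The strings step from the post above, as an added example that is not part of the original post: it pulls both ASCII and UTF-16LE strings from a binary and keeps only wallet-shaped tokens whose Base58Check checksum verifies, which removes the false positives a plain pattern match produces. All function names and the sample blob are constructed for illustration, and only legacy Bitcoin address formats (starting with 1 or 3) are assumed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs plus UTF-16LE ("Unicode") runs, as in the strings step."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in narrow] + [s.decode("utf-16le") for s in wide]

def b58check_valid(text: str) -> bool:
    """Decode Base58 and verify the 4-byte double-SHA256 checksum of a 25-byte address."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # caller passes Base58-alphabet text only
    zeros = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

def find_wallets(strings: list) -> list:
    """Keep only address-shaped tokens whose checksum verifies."""
    shape = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
    hits = {tok for s in strings for tok in shape.findall(s)}
    return sorted(tok for tok in hits if b58check_valid(tok))

def b58check_encode(payload: bytes) -> str:
    """Only used to build the constructed sample below."""
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def build_sample():
    """Constructed blob: one valid address stored as UTF-16LE, one corrupted as ASCII."""
    good = b58check_encode(b"\x00" + bytes(range(1, 21)))
    bad = good[:-1] + ("2" if good[-1] != "2" else "3")
    blob = (b"MZ\x90\x00\x03\x00" + b"\xff\x00\x01" + bad.encode() + b"\x00\x01"
            + b"\x00\xfe" + good.encode("utf-16le") + b"\x00\x00\x02\x9a")
    return blob, good, bad

if __name__ == "__main__":
    blob, good, bad = build_sample()
    print(find_wallets(extract_strings(blob)))
```

On the constructed blob, the corrupted ASCII token is extracted but rejected, while the valid address is found only because the UTF-16LE pass is included.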