During late 2022 and early 2023, ChatGPT made headlines in the tech industry and everyone caught scent of the excitement! ChatGPT is a truly intriguing example of the capabilities of Artificial Intelligence, and how it can be used in variety of different ways to boost productivity and perform tasks that are even beyond one’s own skillset. But what does this new technology mean for cyber security professionals. especially on the defensive side?

Malware analysis is the process of evaluating potentially malicious files, executables and code in order to gain insight into their inner workings, behavior and potential impact on computer systems. Malware analysis requires a great deal of expertise, and is a crucial part of cyber security. ChatGPT, developed by Open AI, has the capability to assist you in malware analysis by providing a deeper understanding into the behavior and characteristics of malicious code.

VMware Carbon Black Threat Analysis Unit has published a technical article about the notorious NotPetya ransomware specimen that targeted various organizations, banks, ministries and electricity firms in Ukraine back in 2017. Please review the article for more information below:

Technical Analysis of the NotPetya Ransomware

ChatGPT can function as an interactive virtual consultant. You can ask questions and receive answers. Please be aware that the quality of the answer you receive depends on the quality of the question you ask. You can request ChatGPT to act as a Malware Analyst when answering your questions. You can list specific questions you want answered such as the following:

1. What language is used?

2. What is the purpose of the code snippet?

3. What does the code snippet do?

4. What measures should be taken to defend against the behavior observed in the code snippet?

After reviewing the code snippet ChatGPT gives us a wealth of important information. The first key takeaway is that the code snippet is written in C or C++. Why would this be relevant? C is a low level programming language that is statically typed, which means that the variable types are checked at compile time. This in turn results in the program being faster. Secondly, C is definitely more difficult to learn than than a scripting language such as Python. Thirdly, C does not require any additional piece of software to be installed in order to run whereas Python code will not run natively on Windows. Based on these facts, you can make the assumption that the entity who wrote this code is a professional, or at the very least, an individual with advanced coding skills.

While this itself is impressive, it may not be enough. You can always ask ChatGPT to provide additional information or even a line by line explanation. Just by reading the explanation, you can learn a great deal about the language and how it works. For instance, the V3 variable is presented with the following explanation:

The FindResourceW function is called to search for a resource
in the binary file identified by the variable SRC.
The second argument is a reference to V20, which is set to 0 and then incremented by 1.
The third argument, 0xA, specifies the type of resource to be searched for.
The result of the function is stored in the variable V3.

From a malware analysis perspective, there a some intriguing findings. The functions FindResourceW and LoadResourceJWM are interesting, because the code uses these to look for a particular resource and then load it into memory, after which it creates a new process for it by using the CreateProcessW function. Especially malware specimens that function as droppers, will look for specific downloaded files and will attempt to execute or install them. Secondly, it is not uncommon for malware to look for temporary folders and write data to them, as is the case with this code snippet. ChatGPT also identifies that the code creates a Globally Unique Identifier (GUID) and uses the StringFromCLSID Class Identifier function.

Despite the wealth of knowledge that ChatGPT can provide, it is finite and does not know everything. Moreover, there are even obvious details that it can miss. For instance, ChatGPT did not point out that the code creates a named pipe to open a communications channel. This is unfortunate, because named pipes can be significant. As always, you can request for more information about the code itself or about any technical details in the code that you do not understand. If named pipes are new to you, ChatGPT can explain the concept to you.

Named pipes are a form of inter-process communication in the Windows operating system,
allowing one process to communicate with another process
by sending and receiving data through a named pipe.
The use of named pipes can be used for legitimate purposes,
such as communication between separate processes or between a client and a server.
However, named pipes can also be used for malicious purposes.

ChatGPT is an excellent tool for cyber security professionals. It is definitely something you will want to have in your malware analysis arsenal. Not only can it assist you in your work, it can function as a teacher or mentor as well as provide a virtual partner with who you can brainstorm ideas. If you have not already tried ChatGPT, sign up and go for a spin!