CHATGPT POWERED MALWARE ANALYSIS

During late 2022 and early 2023, ChatGPT made headlines in the tech industry and everyone caught scent of the excitement! ChatGPT is a truly intriguing example of the capabilities of Artificial Intelligence, and of how it can be used in a variety of ways to boost productivity and perform tasks that are even beyond one's own skillset. But what does this new technology mean for cyber security professionals, especially on the defensive side?

What is Malware analysis?

Malware analysis is the process of evaluating potentially malicious files, executables and code in order to gain insight into their inner workings, behavior and potential impact on computer systems. Malware analysis requires a great deal of expertise, and is a crucial part of cyber security. ChatGPT, developed by OpenAI, has the capability to assist you in malware analysis by providing a deeper understanding of the behavior and characteristics of malicious code.

VMware Carbon Black Threat Analysis Unit has published a technical article about the notorious NotPetya ransomware specimen that targeted various organizations, banks, ministries and electricity firms in Ukraine back in 2017. Please review the article for more information below:

Technical Analysis of the NotPetya Ransomware

What can ChatGPT bring to the table?

ChatGPT can function as an interactive virtual consultant. You can ask questions and receive answers. Please be aware that the quality of the answer you receive depends on the quality of the question you ask. You can request ChatGPT to act as a Malware Analyst when answering your questions. You can list specific questions you want answered such as the following:

1. What language is used?

2. What is the purpose of the code snippet?

3. What does the code snippet do?

4. What measures should be taken to defend against the behavior observed in the code snippet?

After reviewing the code snippet, ChatGPT gives us a wealth of important information. The first key takeaway is that the code snippet is written in C or C++. Why would this be relevant? C is a low-level programming language that is statically typed, which means that the variable types are checked at compile time. This in turn results in the program being faster. Secondly, C is definitely more difficult to learn than a scripting language such as Python. Thirdly, C does not require any additional piece of software to be installed in order to run, whereas Python code will not run natively on Windows. Based on these facts, you can make the assumption that the entity who wrote this code is a professional, or at the very least, an individual with advanced coding skills.

Taking the analysis a step further!

While this in itself is impressive, it may not be enough. You can always ask ChatGPT to provide additional information or even a line-by-line explanation. Just by reading the explanation, you can learn a great deal about the language and how it works. For instance, the V3 variable is presented with the following explanation:

The FindResourceW function is called to search for a resource
in the binary file identified by the variable SRC.
The second argument is a reference to V20, which is set to 0 and then incremented by 1.
The third argument, 0xA, specifies the type of resource to be searched for.
The result of the function is stored in the variable V3.

From a malware analysis perspective, there are some intriguing findings. The functions FindResourceW and LoadResourceJWM are interesting, because the code uses these to look for a particular resource and then load it into memory, after which it creates a new process for it by using the CreateProcessW function. Malware specimens that function as droppers, in particular, will look for specific downloaded files and will attempt to execute or install them. Secondly, it is not uncommon for malware to look for temporary folders and write data to them, as is the case with this code snippet. ChatGPT also identifies that the code creates a Globally Unique Identifier (GUID) and uses the StringFromCLSID function to convert the class identifier (CLSID) into a string.

Limitations of ChatGPT

Despite the wealth of knowledge that ChatGPT can provide, it is finite and does not know everything. Moreover, there are even obvious details that it can miss. For instance, ChatGPT did not point out that the code creates a named pipe to open a communications channel. This is unfortunate, because named pipes can be significant. As always, you can request more information about the code itself or about any technical details in the code that you do not understand. If named pipes are new to you, ChatGPT can explain the concept to you.

Named pipes are a form of inter-process communication in the Windows operating system,
allowing one process to communicate with another process
by sending and receiving data through a named pipe.
Named pipes can be used for legitimate purposes,
such as communication between separate processes or between a client and a server.
However, named pipes can also be used for malicious purposes.

Final Thoughts

ChatGPT is an excellent tool for cyber security professionals. It is definitely something you will want to have in your malware analysis arsenal. Not only can it assist you in your work, it can function as a teacher or mentor, as well as provide a virtual partner with whom you can brainstorm ideas. If you have not already tried ChatGPT, sign up and take it for a spin!
