This post covers the basic components of malware. Malware is software like any other: it is developed with the same practices as ordinary software, and it is built from a handful of components, each with its own job during an attack.
The payload is the core code that carries out the objective of the infection on the host. Most malware developers put their effort into this part, since the success of the attack depends on its quality.
A packer is like an eggshell that encapsulates the payload. Why does the payload need to be encapsulated? To hide the malicious code from anti-malware software. The packer compresses and obfuscates the payload so that static, signature-based analysis of the file on disk finds nothing it recognises. At run time a small stub unpacks the real payload with whatever algorithm the developer chose; there are many packing algorithms in the wild. The caveat for the attacker is that the payload has to exist in clear form in memory before it can run, which is why memory scanning and emulation catch what a disk scan misses.
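The following is an added example, not code from the original post: a toy packer (zlib compression followed by repeating-key XOR) with a naive signature scanner, to show why the packed file does not match the signature while the unpacked payload still does. The payload, the signature and the key are all constructed for illustration.

```python
import zlib

# Constructed sample payload: a hypothetical command string padded with
# filler. The scanner below "knows" the byte pattern b"pwned" as its
# signature. None of this is real malware.
PAYLOAD = b"cmd /c echo pwned > C:\\Users\\Public\\flag.txt\n" + b"\x90" * 64
SIGNATURES = (b"pwned",)
KEY = b"\x5a\xc3\x17"  # arbitrary XOR key baked into the unpacking stub


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice gives the input back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes = KEY) -> bytes:
    """What a trivial packer stores on disk: the payload compressed, then XORed."""
    return xor(zlib.compress(payload, 9), key)


def unpack(blob: bytes, key: bytes = KEY) -> bytes:
    """What the stub does at run time: reverse the transform to recover the payload."""
    return zlib.decompress(xor(blob, key))


def signature_scan(data: bytes, signatures=SIGNATURES) -> bool:
    """Static signature check: does any known byte pattern occur in the bytes as stored?"""
    return any(sig in data for sig in signatures)


def scan_on_disk_and_in_memory(blob: bytes) -> dict:
    """The two places a defender can look: the packed file as it sits on disk,
    and the payload after the stub has unpacked it (memory scanning / emulation)."""
    return {
        "on_disk": signature_scan(blob),
        "after_unpack": signature_scan(unpack(blob)),
    }
```

Real packers do far more than this (import table rebuilding, anti-dump tricks, polymorphic stubs), but the detection consequence is the same: signatures written against the stored bytes miss, and the unpacked image is where a scanner has to look.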
Malware that has infected a host will try to persist so that it survives a reboot or a user logoff. There are many places malware can tamper with to achieve this, such as the registry autorun keys and the Startup folders. The User Shell Folders keys listed below hold the location of the Startup folder itself; changing that value redirects which folder Explorer launches at logon, which is a quieter trick than dropping a file into the default folder.
Path to the Startup folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Registry path where the Startup folder location is stored (the "Startup" and "Common Startup" values):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
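As an added example (not from the original post), here is the kind of persistence audit a responder would run over the locations above. It works on constructed input standing in for what `reg query` or the `winreg` module would return on a live host, so it runs anywhere: it flags a Startup folder that has been redirected away from its default, and Run-key entries that launch from user-writable directories or through a script host. The registry values, Run entries and the `alice` profile are all hypothetical.

```python
import ntpath
import re

# Constructed registry data, standing in for a live read of the keys above.
USER_SHELL_FOLDERS = {
    # HKCU\...\Explorer\User Shell Folders, value "Startup" (redirected here)
    "HKCU:Startup": r"%USERPROFILE%\AppData\Local\Temp\svc",
    # HKLM\...\Explorer\User Shell Folders, value "Common Startup" (default)
    "HKLM:Common Startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries.
RUN_KEY_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdate": r"C:\Users\alice\AppData\Local\Temp\update.exe -s",
    "Helper": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
}

# Default Startup locations: the two paths listed above, in the %VAR% form
# the registry stores them.
EXPECTED_SHELL_FOLDERS = {
    "HKCU:Startup": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "HKLM:Common Startup": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
}

# Directories an unprivileged user can write to; an autorun that launches
# from one of these deserves a look.
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\windows\temp", r"\$recycle.bin")

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def _norm(path: str) -> str:
    return path.strip().lower().rstrip("\\")


def check_shell_folders(values: dict, expected: dict = EXPECTED_SHELL_FOLDERS) -> list:
    """Flag a Startup folder that points somewhere other than its default."""
    findings = []
    for name, default in expected.items():
        actual = values.get(name)
        if actual is None or _norm(actual) != _norm(default):
            findings.append(f"{name} redirected to {actual!r}")
    return findings


def _executable(command: str) -> str:
    """First token of a command line, quoted or not."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def check_run_entries(entries: dict) -> list:
    """Flag Run-key values by where they run from and what they run."""
    findings = []
    for name, command in entries.items():
        exe = _executable(command)
        exe_l = exe.lower()
        base = ntpath.basename(exe_l)  # ntpath parses backslash paths on any OS
        if any(d in exe_l for d in USER_WRITABLE):
            findings.append(f"{name}: launches from user-writable path {exe}")
        if base.split(".")[0] in SCRIPT_HOSTS:
            findings.append(f"{name}: script host autorun: {command}")
    return findings


def audit(shell_folders: dict = USER_SHELL_FOLDERS, run_entries: dict = RUN_KEY_ENTRIES) -> list:
    return check_shell_folders(shell_folders) + check_run_entries(run_entries)
```

On a real host the same checks should also cover HKLM\...\Run, RunOnce, scheduled tasks and services; the heuristics here are deliberately simple, and a signed binary in Temp is still worth a look rather than an automatic verdict.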
Malware that infects a host usually builds a connection back to infrastructure the malware operator controls (the command-and-control server, C2 or CnC). This connection serves many purposes, among them exfiltrating data from the machine to the operator and retrieving new commands for the next action. Operators usually use encrypted channels such as SSH, TLS (SSL) or Tor to hide the content of the communication from network inspection. Encryption hides the content, not the pattern: the destination, the volume and the timing are still visible, and a host that reconnects to the same address at near-constant intervals (beaconing) stands out in connection logs regardless of the cipher.
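As an added example (not part of the original post), the following detector looks for beaconing in a constructed connection log: it groups connections by source, destination and port, and flags flows whose inter-arrival intervals are too regular to be a person browsing. The log lines, hosts and thresholds are all constructed for the example; the addresses are from the RFC 5737 documentation ranges.

```python
import statistics
from collections import defaultdict

# Constructed connection log in "epoch_seconds,src,dst,dport" form (the kind
# of record a firewall, NetFlow or Zeek conn log gives you). The flow to
# 203.0.113.9:443 beacons roughly every 60 s with a few seconds of jitter;
# the flow to 198.51.100.20:443 is irregular browsing.
LOG_LINES = """\
1700000000,10.0.0.5,203.0.113.9,443
1700000003,10.0.0.5,198.51.100.20,443
1700000061,10.0.0.5,203.0.113.9,443
1700000070,10.0.0.5,198.51.100.20,443
1700000119,10.0.0.5,203.0.113.9,443
1700000180,10.0.0.5,203.0.113.9,443
1700000241,10.0.0.5,203.0.113.9,443
1700000250,10.0.0.5,198.51.100.20,443
1700000299,10.0.0.5,203.0.113.9,443
1700000360,10.0.0.5,203.0.113.9,443
1700000700,10.0.0.5,198.51.100.20,443
1700000722,10.0.0.5,198.51.100.20,443
"""


def parse_flows(lines: str) -> dict:
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split(",")
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def interval_stats(timestamps):
    """Mean inter-arrival period and its coefficient of variation
    (stdev / mean; 0 means perfectly periodic). None if too few samples."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines: str, min_connections: int = 5, max_cv: float = 0.2) -> list:
    """Flows with enough connections whose timing is too regular for a human.
    max_cv is the jitter tolerance: 0.2 allows roughly +/-20% around the period."""
    hits = []
    for flow, stamps in parse_flows(lines).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_cv:
            hits.append({"flow": flow, "period_s": stats[0], "cv": stats[1]})
    return hits
```

Implants add jitter precisely to defeat this, so the tolerance is the knob to tune against your own baseline; legitimate software updaters and monitoring agents beacon too, which is why the output is a lead for triage, not a verdict.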
Besides infecting one host and obtaining the highest privilege on it, malware also tries to spread to other machines to gain more footholds in the network. It may exploit a vulnerability found in a system or the network, or reuse credentials it has harvested, to copy itself to other hosts.
The malware creator will try to defend the code from detection by anti-malware products such as antivirus, EDR, sandboxes and many others. Usually, when the malware runs on a machine and finds anti-malware software in its environment, it exhibits only benign activity to avoid detection. It also tries to detect malware analysis tools such as debuggers, IDA, Procmon, Process Hacker and many others, and behaves the same way when it finds them.
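Two of the simplest environment checks of this kind, as an added example rather than code from the original post: a debugger check (in Python, a trace hook set by pdb or similar) and a sleep-acceleration check, which exploits the fact that many sandboxes patch long sleeps to make samples run faster. The thresholds are assumptions chosen for the example, and the "benign"/"payload" branch is a stand-in for whatever behaviour the sample would switch between.

```python
import sys
import time


def debugger_attached() -> bool:
    """A Python-level tracer (pdb, some sandbox hooks) registers itself here."""
    return sys.gettrace() is not None


def sleep_accelerated(seconds: float = 0.2, tolerance: float = 0.5) -> bool:
    """Ask for a sleep and time it. If it returns in less than `tolerance` of the
    requested time, something intercepted the sleep: a common sandbox trick to
    fast-forward through the delays malware uses to wait out analysis."""
    start = time.monotonic()
    time.sleep(seconds)
    elapsed = time.monotonic() - start
    return elapsed < seconds * tolerance


def environment_checks() -> dict:
    """Run every check and report what fired."""
    return {
        "debugger": debugger_attached(),
        "sleep_skipped": sleep_accelerated(),
    }


def choose_behaviour(checks: dict) -> str:
    """The decision the text describes: if anything looks like an analysis
    environment, do only harmless things; otherwise run the real payload."""
    return "benign" if any(checks.values()) else "payload"
```

For an analyst the lesson is the mirror image: run samples under a sandbox that lets sleeps pass at real speed (or patches the clock consistently), and expect a sample that goes quiet to be checking for you.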
Malware also needs to hide its presence on the infected host, both from a user looking in plain sight and from anti-malware software. Stealth mechanisms range from simple techniques, such as setting file attributes that make a file hidden, to more complex ones such as infecting other clean programs on the system, code injection, process hollowing and rootkits.