In the previous posts of this Malware Analysis series we set up sandbox environments for static and dynamic malware analysis and walked through the analysis of a sample.
Today we look at how to analyze a piece of malware dynamically in our dynamic analysis lab.
Dynamic analysis is not simply running the sample and watching what happens. Before executing any malware we need to know where to start and which factors to take into account. Let's see what they are.
Environment: VIRTUAL OR BARE METAL
VIRTUAL: a malware analysis lab set up in a virtual machine
BARE METAL: a dedicated physical host used only for malware inspection
It is advisable to have both environments available, because many samples are virtualization-aware and change or suspend their behavior when they detect a VM; those have to be analyzed on bare metal. A sample that shows no VM awareness can be analyzed in the virtual environment.
Behavior: HOST AND NETWORK
In the early days of computing, malware had little network functionality; today reverse connections and backdoors are the norm. Modern samples therefore have to be analyzed at both the host level and the network level.
To analyze a sample well we must understand its fundamental behavior on an infected system. To accomplish its objective, malware has to carry out some preliminary actions on the target or compromised host, such as
3) Protective Mechanism
4) Malware Objective
Malware uses a dropper, a downloader or other means to get its work done, and it installs its components in folders such as
1) the Windows folder
2) the System folder
3) the Temporary Files folder
A dropper downloads its malware packages from the internet and installs them, which is why the dynamic analysis lab should be able to give the sample (controlled) internet access whenever it needs it; otherwise the later stages are never observed.
Malware always tries to survive a shutdown or reboot of the victim machine. In this phase the sample sets itself and its other components up to be persistent, usually by abusing one of the various Windows autostart (startup) mechanisms. Some of them are
1) Infecting the boot sector
2) Infecting system files
3) Placing the malware in the Startup folder
4) Creating a scheduled task
5) Manipulating the registry
Manipulating the registry is the most common way for malware to get started automatically, via
Loading of drivers and services
Loading of Explorer shell extensions
Loading of browser extensions
Malware also protects itself and its components from being detected by the analyst. Some of the techniques are
Hiding using attributes – Much of today's malware uses file and folder attributes to protect itself: it sets the hidden attribute on its own files and on the folders where it lives.
Hiding in plain sight – Malware blends in among the thousands of files in a folder where a normal user cannot find it or distinguish it from the legitimate files. It tends to pick obfuscated file names, for example changing the letter O into 0 (zero) or adding terms such as win, 32 or 64 to the name so that it looks like an OS file.
Hiding with a rootkit – The malware and its components are concealed using rootkit techniques.
So far we have looked at the installation, persistence and protection of malware and its components, but the main part is its directive.
Directive / Objective
This requires live monitoring and recording of the malware's behavior, whether the objective is nuisance, destruction or data exfiltration from the victim's files.
We need to look at three major places for modifications.
1) File System
Look for files that are added, deleted or modified on the victim's machine. Recording and monitoring the files added to the system is especially important, because modern malware brings a lot of functionality and many components with it to carry out its directive.
Some of the component files are,
Deleted files: malware deletes files that could interfere with its progress, such as
System Restore files
Security product files
Modified files: how do ordinary users usually notice an infection? When they find that their files have been modified. So it is still important to check for modified files. For example, a series of modified document files can signal the presence of ransomware that encrypts files for ransom.
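The file-system check described above, as an added example that is not part of the original post: take a snapshot of a directory tree before the sample runs and another afterwards, then report added, deleted and modified files (by SHA-256) and flag any added file that is hidden. The `demo()` run simulates an infection in a temporary directory with constructed files; on a real lab machine you would snapshot the Windows, System and Temp folders described earlier.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Added example, not from the original post. Snapshot/diff of a directory tree
# to record added, deleted and modified files after a sample has been executed.

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _is_hidden(path: Path) -> bool:
    # Windows exposes the hidden attribute via st_file_attributes; on other
    # platforms a leading dot is the closest equivalent.
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or path.name.startswith(".")

def snapshot(root: str) -> dict:
    """Map each file (path relative to root) to (sha256, hidden flag)."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): (_sha256(p), _is_hidden(p))
            for p in root_path.rglob("*") if p.is_file()}

def diff(before: dict, after: dict) -> dict:
    """Compare two snapshots; modified means same path, different hash."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(k for k in set(before) & set(after) if before[k][0] != after[k][0])
    return {"added": added, "deleted": deleted, "modified": modified,
            "hidden_added": sorted(k for k in added if after[k][1])}

def demo() -> dict:
    """Constructed run: fake an infection in a temp dir and diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.docx").write_bytes(b"quarterly numbers")
        (root / "restore.bak").write_bytes(b"restore point data")
        before = snapshot(d)
        (root / "report.docx").write_bytes(b"ENCRYPTED")        # ransomware-like change
        (root / "restore.bak").unlink()                          # restore data removed
        (root / ".svch0st.exe").write_bytes(b"dropped payload")  # hidden lookalike
        return diff(before, snapshot(d))
```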
For reliable persistence malware usually modifies the registry. Some of the common registry entries are
▶▶ HKLM\System\CurrentControlSet\Control\Session Manager
▶▶ Loading of drivers and services
▶▶ Upon logon
▶▶ HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
▶▶ HKLM\Software\Microsoft\Active Setup\Installed Components
▶▶ Loading of Explorer shell extensions
▶▶ Loading of browser extensions
▶▶ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
▶▶ HKLM\Software\Microsoft\Internet Explorer\Extensions
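An added example (not from the original post) that ties the registry list above to the name-obfuscation trick described under "Hiding in plain sight": it parses a `.reg`-style export, lists every value stored under one of the autostart keys named in this post, and marks commands whose executable name uses a digit in place of a letter (svch0st, exp1orer) as lookalikes for manual review. `SAMPLE_EXPORT` is constructed; in the lab you would feed it the output of `reg export` for those keys, taken before and after running the sample.

```python
import re

# Added example, not from the original post. Autostart keys from the post,
# written the way a .reg export spells them (HKEY_LOCAL_MACHINE instead of HKLM).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions",
)

# Heuristic: a 0 or 1 wedged between letters, e.g. svch0st or exp1orer.
LOOKALIKE = re.compile(r"(?i)[a-z][01][a-z]")

def parse_reg_export(text: str) -> list:
    """Return (key, value_name, data) triples for string values in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg files escape backslashes as \\
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def autostart_findings(text: str) -> list:
    """Every value under a known autostart key, with a lookalike-name flag."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not any(key.lower().startswith(k.lower()) for k in AUTOSTART_KEYS):
            continue
        exe = re.split(r"[\\/]", data.strip('"').split(" ")[0])[-1]  # basename of command
        findings.append({"key": key, "name": name, "data": data,
                         "lookalike": bool(LOOKALIKE.search(exe))})
    return findings

# Constructed sample export; the CLSID under Browser Helper Objects is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svch0st.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
"NoExplorer"="1"
"""
```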
Malware decrypts or unpacks its code and data in the system's memory. Monitoring and capturing that unencrypted code and data is the most practical way to learn the malware's real behavior.
There are several tools, such as Process Explorer, for examining process memory.
We have now covered the basics that we will rely on in the next post, where we put dynamic malware analysis into practice.
Stay tuned for the rest of our Malware Analysis series of blogs.
Come back again to analyze a malware sample dynamically.
Sam Nivethan V J
Security Analyst & Trainer.