Hey Everyone,
We have completed all the Basic and Theoretical stuffs that we use in our practical session, today we will be analyzing a piece of malware with various techniques by monitoring registries, file systems and memory for potential risks and threats.
For those who don’t have any idea what’s going on here, i would suggest you to go back and go through all our malware analysis series of blogs before continuing with this one by just a click away in here.
Look for System Changes:
Whenever we install, delete or modify any new files, our registries got affected by this action, so in here we are going to monitor changes in our system by inspecting registries using a tool called InstallRite. You can download this tool by clicking this link.
After Installation, we don’t need to configure the tool by default it will monitor entire registry. so we take screenshot first by clicking next, it will take more than 10 minutes.
You have to be ready with malware sample then it will be in flow with your work. you can download many malware samples from internet you can download from here too i have 2 samples ready to do your work.
We need to choose our malware sample by browsing the directory where we have our malware.
Once it is installed we can check out what files, registries have been added, deleted or manipulated with our HOST. We can easily come to know everything by inspecting all the necessary things to check in our host with the help of Directory tree.
we can use other tools too like uninstall Tool to install and trace our malware to check its behavior. you can download this tool from this site
Memory Inspection
To perform this inspection we need an infected windows system and a process explorer to analyze a malware running processes.
We are going to use a tool called Sysinternals suite from this site
we need to extract the downloaded folder and open a file named as procexp.exe
we Already infected our system by running the malware in the previous inspection with registries.
we need to find out our malware process then we can inspect its properties by double clicking it.
TCP/IP tab shows its network capability.
Lets Inspect a malware already in there in our system
This is how properties of a process will look like
We can easily get into TCP/IP tab to find any external communication backdoor that malware is trying to create.
We can analyze the process threads from threads tab and strings tab will display all the strings that are available with that file where researcher will come to know that the malware is packed or not by analyzing the strings that might have details of packager details. Eg. UPX (Already seen this in static analysis)
Note: The memory option in strings tab reveals the encrypted strings as de-crypted ones, as we already know that.
CHECK FOR PERSISTENCE
The main objective in this session is to check the malware is really persistent enough to start up again after every shutdown or reboot. We will be using same sysinternals suite, autoruns tool from it.
CHECK FOR NETWORK BEHAVIOR
It is important to analyze and understand the network behavior of a malware in a system, we should know where our malware infected system is connecting with. Modern day malware comes always with backdoor functions, analyzing network behavior will be a great lead to finds out IP address information and objective of malware and sometimes the real owner who created it.
We will use TCPView tool from Sysinternals suite.
Installation procedure is same for all the tools. Just need to download and extract.
TCPView clearly helps us to determine where the malware connects.
If the condition is neither listening nor established that means either the system is down or its dead.
In this way we can use TCPview and other resources to check out where the malware is communicating back. I used a simple reverse connection malware to inspect for an example, I have used a malware that i created with msfvenom.
We can analyze our infected system’s network behavior using wireshark also by noting down the Destination IP address easily.
What we don’t have in Dynamic Analysis (LIMITATIONS)
Behavior of a malware totally depends on the dependencies it needs, in case if it fails to meet its requirements your malware will not perform its objective so your analyze will also fail at some point. (Eg, If your malware don’t have an objective of reverse connection or it can’t find the Network interface card in the infected system )
SUMMARY
Today we have seen how to analyze a malware dynamically to get to know about the behavior in terms of HOST & NETWORK
HOST – FIles, Registries, Memory
we Discussed various tools and techniques that will help us to achieve our goal of monitoring, recording and gathering information about malware and how it behaves in the host as well as network.
Tools Summary
Host Monitoring Tools – InstallRite, Uninstall tool
Memory Analysis Tools – Process Explorer
Persistence Checker – Autoruns
Network Analysis tools – TCPView and Wireshark
I hope you guys got all the stuffs that you need to know before analyzing a malware dynamically.
Obviously our Limitations in Dynamic Malware Analysis Will lead us to do Reverse Engineering of Malware.
See you again in another post in Malware Analysis Series. Stick with Us, Learn With Us.
Thank you!
Stay Safe & Secure
AUTHOR
SAM NIVETHAN V J
SECURITY ANALYST & TRAINER