Malware Analysis Lab – Dynamic Analysis

Home » Malware Analysis Lab – Dynamic Analysis

February 16, 2023
4:22 pm

Hello Everyone,

Back again with another blog on Malware Analysis, We have already seen how to set up a sand boxing environment for Static malware Analysis and how to carry out Static Analysis in the previous posts on malware analysis, if you are new here please go thorough our previous blog posts then continue with this one. You can read those Blogs in here

Today, in this blog we will be setting up lab for Dynamic Analysis.

In static we analysed lot of things on malware samples using FLAREVM set up.

Let’s see what we have here in Dynamic Analysis.

Basic Requirements:
Hypervisor – Virtual Box or VM Ware
Operating System – Windows 7,8, or 10

Major Note :- Previously, we were working on a very hardened lab environment for static analysis because in case by mistake we don’t want our malware to get executed.
But, in here we are going to make our lab Malware Friendly

We are going to do the exact opposite things to what we did with static analysis, we are going to make everything friendly for malware so malware can propagate and execute with ease.
We need to do:
1. OS Malware Friendly
2.Internet Browser Malware Friendly
3.Installing exploitable Softwares
4.Create Enticing Files
5.Using of Fake Social media Accounts

The above mentioned to do list are to make fool of malware that we are working on a real time environment not some kind of malware analysis platform.

Let’s do this thing one by one;

Friendly OS for Malware:
For Friendly OS we need to give some administrative privileges for default users for that we need to make some changes in
User account Control,
Disabling of Auto Updates.

In here am using Windows 10

Open Run by pressing Windows key + R
Type services.msc then hit Enter
Choose windows update option
Stop the service in the left pane

Click Start–>Go control Panel–>User Accounts–>User Accounts–>Change user Account Control Settings–> Lower the bar to very low.
Click OK.

Making Internet Browser Malware Friendly:

We should have at least 3 Browsers in it to make it more realistic.
we will use Internet Explorer,
Mozilla Firefox,
Google Chrome.

In Internet Explorer, Open Internet Explorer.

Right click the Start icon and select Control Panel.
Click Programs.
Choose Programs & Features.
In the left sidebar, select Turn Windows features on or off.
Uncheck the box next to Internet Explorer 11.
Select Yes from the pop-up dialogue.
Press OK.
In Firefox, Click Settings options at right top, then Click on options, Then uncheck block pop-up option.

Next we will try to Install few Common Software packages to make it more real like Microsoft Office
Adobe Flash Player
Adobe Reader

Let’s make one by one Malware friendly:
Microsoft Office:
Microsoft Word:
1. Open Microsoft Word
2. Click File–>Click Options–> Trust Center–> Trusted Locations
3. Add New location where you can keep malicious Document files, here i am choosing Desktop as my location.
4. Go to ActiveX–> Enable All controls without Restrictions and without Prompting, Uncheck safe Mod.
5. Go to Macro–>Toggle radio button Enable All Macros(Not Recommended)
6. Click ok until you close all the windows.

Repeat the Same Steps for Excel, Powerpoint, Access too.
In Publisher, it is little different by having DEP settings uncheck Enable Data Execution Protection Mode

Make Adobe Reader Malware Friendly:

Install Adobe Reader
Open Adobe Reader
Choose Edit–>Preferences
Click Javascript–>check enable acrobat javascript is checked–>uncheck Global Object Security Policy.
Click Security(Enhanced)–>uncheck Enable Protected mode–>Uncheck Enable Enhanced Security
Click Trust Manager on left pane
Click Change Settings button under Internet Access from PDF files outside the Web Browser
Click Updater on left Pane
Toggle the Radio Button to Do not download or Install updates Automatically and click Ok
Restart the Adobe Reader application

Create Enticing Files:

We need Enticing files in our Malware analysis Environment to make it more realistic for the malware to execute. It will look for some sensitive information and sensitive files and folders. So we have to create some enticing files and folders in the name of
Salaries
Research
Designs, etc

Enticing Folders as shown Above

Using of Dummy Social Media accounts also needed, in case your malware looks for social media accounts like Facebook, twitter and instagram.

Anonymizing and Isolating the Lab:

We need to anonymize our lab environment from malware and attackers, because at some-case if any attacker tries to take down your malware environment or your system from internet, it will be a bigger problem, So it is good to use
VPN
TOR
Proxy Servers.

Isolation of your lab should be your High priority always isolate your Laboratory from production environment, it should not affect you production at any cost. It is highly preferred if you use a separate Machine for this.

RESTORING AND BACKUP:

Next we have Restoration in here, We need this every time once we finished analysing a malware, we need to bring our environment back to the normal Situation.
We need to do this regularly to avoid mis-happens with malwares and also for restoring too.
we have two methods to do this restoration
Virtualization method
Bare metal Environment Clean State Restoration – Takes too much Time (OLD)

Here we will do this restoration with Virtualization Snapshot method using VMWare Snapshot Method.

And we have to backup our OS into an image because we don’t want to setup our environment once again from the scratch. It is more Time consuming too. Here i am using R-Drive Image, you will find multiple tools like Clonezilla and etc.

BASIC FILES TO CARRY OUT DYNAMIC ANALYSIS:
Device Drivers Monitoring Tools – Driver Booster
Port Monitoring Tools – Currport
Registry Monitoring Tools – RegShot
Windows Startup Programs Monitoring Tools – WinPatrol