Practical Malware Analysis Chapter 3 Notes
Basic Dynamic analysis Notes:
Sadly, I was unable to do the exercises due to the .exe files not working on Windows 7 so instead I decided to do some notes on the chapter instead. Here are those notes on Chapter 3 Basic Dynamic Analysis.
Dynamic analysis actually runs the malware on a live system (generally disconnected from the internet)
To run a dll file you can convert it to a portal executable using runddl32.exe
Procmon
Process monitor (procmon) is an advanced monitoring tool for Windows that provides a way to monitor registry, file systems, network, process, and thread activity. It combines the legacy tools: FileMon and RegMon This tool can miss device driver activity. Procmon monitors all system calls it can gather as soon as it is run because procmon uses RAM to log events until is is told to stop capturing, it can crash a virtual machine using all available memory, to avoid this run procmon for limited periods. You can set procmon to filter on one executable running on the system. You can also filter on individual system calls such as WriteFile or other suspicious calls.
Process Explorer
Process Explorer is an extremely powerful task manager for performing dynamic analysis. Its used to list active processes, DLLs loaded by a process, various process properties, and overall system information. You can use the Verify option to verify if a process is legit in terms of the signature from the manufacturer of the software to see if the signatures match. Which is useful if you suspect that a process has been hijacked by malware. However, it’s useless if an attacker uses process replacement. You can use compare strings to compare the strings for the process on disk vs in memory to confirm if there has been any process replacement in memory. Dependency walker can be used in process explorer, this is useful when you find a process and want to know which dll’s it calls
#Regshot
Regshot is a very useful tool which takes a snapshot of registry and then takes a second snapshot after the malware is run and then it will compare the two registry snapshots and shows the difference.
ApateDNS
Faking a network is used when malware attempts to communicate with a command-and-control server. This useful to quickly obtain network indicators of the malware. To fake a network successfully, you must prevent the malware from realizing that it is executing in a virtualized environment. ApateDNS is useful to see FNS requests made by malware.
Netcat
The TCP/IP swiss army knife is useful for inbound/outbound connections for port scanning, tunneling, proxying, port forwarding and much more.
Wireshark
This tool is used to capture packets on a network. Right clicking ona packet follow TCP stream is the most useful option as it follows the packets in a stream.
INetSim
This tool is used to simulate common internet-services. It allows you to analyze the behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP and others.