The Purple Rabbit

The Purple Rabbit

OSCP, VHL+, BTL1, SC-200, BSc Cyber Security and Forensics

Practical Malware Analysis Chapter 3 Notes

2 minute read

pma

Basic Dynamic analysis Notes:

Sadly, I was unable to do the exercises due to the .exe files not working on Windows 7 so instead I decided to do some notes on the chapter instead. Here are those notes on Chapter 3 Basic Dynamic Analysis.

Dynamic analysis actually runs the malware on a live system (generally disconnected from the internet)

To run a dll file you can convert it to a portal executable using runddl32.exe

Procmon

Process monitor (procmon) is an advanced monitoring tool for Windows that provides a way to monitor registry, file systems, network, process, and thread activity. It combines the legacy tools: FileMon and RegMon This tool can miss device driver activity. Procmon monitors all system calls it can gather as soon as it is run because procmon uses RAM to log events until is is told to stop capturing, it can crash a virtual machine using all available memory, to avoid this run procmon for limited periods. You can set procmon to filter on one executable running on the system. You can also filter on individual system calls such as WriteFile or other suspicious calls.

Process Explorer

Process Explorer is an extremely powerful task manager for performing dynamic analysis. Its used to list active processes, DLLs loaded by a process, various process properties, and overall system information. You can use the Verify option to verify if a process is legit in terms of the signature from the manufacturer of the software to see if the signatures match. Which is useful if you suspect that a process has been hijacked by malware. However, it’s useless if an attacker uses process replacement. You can use compare strings to compare the strings for the process on disk vs in memory to confirm if there has been any process replacement in memory. Dependency walker can be used in process explorer, this is useful when you find a process and want to know which dll’s it calls

#Regshot

Regshot is a very useful tool which takes a snapshot of registry and then takes a second snapshot after the malware is run and then it will compare the two registry snapshots and shows the difference.

ApateDNS

Faking a network is used when malware attempts to communicate with a command-and-control server. This useful to quickly obtain network indicators of the malware. To fake a network successfully, you must prevent the malware from realizing that it is executing in a virtualized environment. ApateDNS is useful to see FNS requests made by malware.

Netcat

The TCP/IP swiss army knife is useful for inbound/outbound connections for port scanning, tunneling, proxying, port forwarding and much more.

Wireshark

This tool is used to capture packets on a network. Right clicking ona packet follow TCP stream is the most useful option as it follows the packets in a stream.

INetSim

This tool is used to simulate common internet-services. It allows you to analyze the behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP and others.

You may also enjoy

How To Store CMD History in Windows

less than 1 minute read

This article is going to be a very quick guide on how you can add history to your commands for command prompt on Windows.

Check Windows 11 Compatability

1 minute read

This is going to be a quick article guide on how to check if your Windows 10 Computer is compatible with Windows 11. The first thing you should know is that ...