Dynamic malware analysis of TrickBot trojan using Regshot, Fakenet, Procmon, and Process hacker tools.
In this article, I explain how to dynamically analyze a TrickBot trojan using the Regshot, Fakenet, Process Hacker, and Procmon tools.
What is Dynamic malware analysis?
In dynamic malware analysis, we execute suspicious software in a safe, isolated environment and observe how it behaves: which files it creates and deletes, which registry values it modifies, which domains it connects to, what information it transfers to the attacker's server, and so on.
Follow the given steps to do a dynamic malware analysis:
STEP 1: Open the Procmon tool, then click the capture button to stop capturing records, and click the clear button to clear all records.
Procmon is used to capture and display file system activity, network activity, process and thread activity, and registry key activity.
Double-click to open the Procmon tool; after that the interface will look like this:
Click the capture button to stop capturing records, and click the clear button to clear all records, because we don't want records that were not created by the TrickBot trojan.
STEP 2: Open Fakenet to give fake responses to the malware's requests.
Fakenet is used to intercept and redirect all or specific network traffic while simulating legitimate network services. If the malware makes requests to connect to the internet, Fakenet answers those requests with fake responses.
Double-click to open the FakeNet tool; after that the interface will look like this:
STEP 3: Open Regshot, then take the first shot.
Regshot is used to capture all registry values, folders, and files in our system.
Double-click to open the Regshot tool; after that the interface will look like this:
I want to capture the entire "C:\" disk, so I click the Scan directory option and then type "C:\".
Then click the "1st shot" button to take the first shot. It takes some time to capture the entire disk.
You can see in the above image that it captures all registry values, keys, files, and folder counts.
STEP 4: Once the 1st shot completes, click the capture button in Procmon to capture all records.
After taking the 1st shot, go to Procmon, then click the capture button to capture records.
STEP 5: Execute the malware sample, then wait for 1-5 minutes.
After taking the 1st shot and resuming capture in Procmon, run the malware sample in our safe environment. Make sure the guest operating system's network adapter is set to Host-only, so the sample cannot reach the real internet.
Before running this sample, add the ".exe" extension to it, because it is an executable; we already gathered this information from static malware analysis.
Double-click to run this TrickBot trojan.
Wait for 1-5 minutes, because some malware takes time to connect to its command and control server.
STEP 6: Keep an eye on the Fakenet output.
After executing the TrickBot trojan, you can see in Fakenet whether it tries to connect to any host, along with the HTTP requests and IP addresses.
So, keep an eye on the Fakenet output.
In the above image, you can see "svchost.exe" making requests to the IP address "119.92.23.203" via port "449".
This TrickBot trojan may be injecting its malicious code into the "svchost.exe" process to connect to the internet.
STEP 7: Use the Process Hacker tool.
Process Hacker is used for monitoring system resources and dumping unpacked malicious code from a target process.
Use this tool to find out whether this TrickBot trojan spawns any child process.
This TrickBot trojan copies its malicious code into the "svchost.exe" process because it has process injection capability; we gathered these hints from static malware analysis, and it is presented last. You can see this in the image given below.
STEP 8: After 5 minutes, stop Procmon from capturing records.
After 5 minutes, go to Procmon, then click the capture button to stop capturing records.
In the above image, you can see the "svchost.exe" process making changes in the registry.
In this article, I will not explain these Procmon records; I will only show you how to perform dynamic malware analysis. We'll discuss these records in my upcoming articles.
STEP 9: Use Regshot to take the 2nd shot.
After stopping Procmon from capturing records, go to Regshot and take a "2nd shot".
STEP 10: Once the 2nd shot completes, click the compare button to get the output.
Once the 2nd shot completes, click the compare button to get the output as a ".txt" file.
STEP 11: Study the Regshot output.
After getting the comparison in the text file, study what changes the sample makes.
You can see in the above image that the TrickBot trojan deletes some keys and adds some keys. It deletes or disables Windows Defender.
It adds some values to the registry.
It deletes some values in the registry; as the results above show, it disables Windows Defender.
A lot of files were deleted by the TrickBot trojan on the C:\ disk.
You can see in the above image that it creates a folder called "PS_Transcripts" and then adds some files.
When it is executed, it copies itself into another folder called "C:\Users\Raj\AppData\Roaming\wnetwork",
and the new copied executable file is "Usjclbpt.exe".
You can compare the hashes of the "TrickBot.exe" and "Usjclbpt.exe" executable files to find out whether these two files are the same or not.
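As an added example that is not part of the original article, here is a small Python script that parses the Regshot comparison text produced in the steps above and flags the kinds of changes we looked for: Windows Defender registry paths, an executable dropped under AppData\Roaming, and files in the "PS_Transcripts" folder. The report text is a constructed sample in the Regshot compare layout as I know it, the Defender key names are assumed for illustration, and the indicator patterns are mine, not taken from the article's own output.

```python
import re

# Constructed sample of a Regshot "compare" report, not the author's real output.
SAMPLE_REPORT = r"""Regshot 1.9.0 x64 Unicode
----------------------------------
Keys deleted: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows Defender\Features
----------------------------------
Values added: 1
----------------------------------
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware: 0x00000001
----------------------------------
Files added: 2
----------------------------------
C:\Users\Raj\AppData\Roaming\wnetwork\Usjclbpt.exe
C:\PS_Transcripts\PowerShell_transcript.txt
----------------------------------
Total changes: 4
----------------------------------
"""

# Section headers look like "Values added: 3"; entries follow until the next header.
SECTION_RE = re.compile(r"^(Keys|Values|Files|Folders) (added|deleted|modified): \d+$")

def parse_regshot(report):
    # Returns {"Keys deleted": [...], "Files added": [...], ...}
    sections, current = {}, None
    for line in map(str.rstrip, report.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif line.startswith("Total changes:"):  # trailer, stop collecting
            current = None
        elif current and line and not line.startswith("-"):
            sections[current].append(line)
    return sections

# Indicators to flag in this run (assumed patterns, not taken from the article's report).
SUSPICIOUS = {
    "defender": re.compile(r"\\windows defender\\", re.I),
    "appdata_exe": re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I),
    "ps_transcript": re.compile(r"\\PS_Transcripts\\", re.I),
}

def triage(sections):
    # (section, entry) pairs that match each indicator tag.
    return {tag: [(n, e) for n, es in sections.items() for e in es if rx.search(e)]
            for tag, rx in SUSPICIOUS.items()}
```

To use it on a real run, read the compare .txt file into a string and pass it to parse_regshot, then feed the result to triage.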
Conclusion:
In this article, I analyzed a TrickBot trojan dynamically using Procmon, Regshot, Process Hacker, and Fakenet. After the dynamic analysis, we gathered which files it deletes and creates, which process is spawned, where it copies itself, which host it connects to, and more. In my upcoming article, I'll show you how to gather information from Procmon records and Fakenet logs.