Dynamic Malware Analysis

In this blog post, we delve into the dynamic/runtime analysis of malware, exploring the tools and setup required for the process.

We’ll uncover the activities the malware performs on the system, highlight key locations to inspect for malicious behavior, and provide an overview of the tools necessary for analyzing the malware sample effectively.

Process

1. Introduction to Dynamic Malware Analysis

Overview of dynamic analysis

2. Environment Setup:

Prepare a controlled environment for executing the malware sample

3. Tools Required for Dynamic Malware Analysis

  • Process Explorer
  • Regshot
  • Process Monitor
  • FakeNet-NG
  • Netstat
  • DumpIt
  • Volatility Workbench

4. Execution

Run the malware sample in a controlled environment. This step involves executing the malware to observe its behavior and interactions with the system.

5. Monitoring and Analysis:

Use monitoring tools and techniques to observe the malware’s behavior during execution. This includes tracking activities such as file system modifications, network communications, registry changes, process creation, and system calls.

6. Behavioral Analysis:

Analyze the observed behavior of the malware to understand its capabilities, intentions, and potential impact on the system. Look for indicators of malicious activities such as data exfiltration, privilege escalation, command-and-control communications, or attempts to disable security mechanisms.

7. IOCs and Signatures:

Based on the analysis, generate indicators of compromise (IOCs) and behavioral signatures that can be used to detect and mitigate similar malware in the future. These IOCs can include network signatures, file hashes, registry keys, and patterns of malicious behavior.

Introduction

Dynamic analysis is the process of testing and evaluating a program while the software is running. Also referred to as dynamic code scanning, dynamic analysis improves the diagnosis and correction of bugs, memory issues, and crashes of an application during its execution.

Environment Setup

In the environment setup, I personally utilize a virtual machine running Windows 10 to safely execute the malware sample for dynamic analysis.

An alternative is a sandbox: a virtualized environment that replicates the entire system environment, including network services like DNS servers. Sandboxes like Norman Sandbox, Cuckoo Sandbox, and GFI provide controlled environments for executing malware samples safely.

Here, we start the dynamic analysis by opening Process Explorer.

Process Explorer:

This tool allows you to see not only the run-time stats of a process, like CPU and memory usage, but also the DLLs the process has loaded. It also lets us see the strings used in the program. In the case of packed malware, we can inspect the strings of the running process without unpacking it explicitly, because the unpacked code is already in memory. Strings give valuable information about which APIs the malware is using, for example, loading a specific DLL at runtime, allocating memory, etc.

Figure: Process Explorer

Next, we launch Process Monitor.

We use Process Monitor to track and log system activity, such as process creations, file accesses, and registry modifications, providing a detailed view of how the malware interacts with the system during execution.

Process Monitor:

This monitors Windows system resources like the registry, file system, and network and captures an event for every change made to those resources. So if there is a file creation or, say, a change in the registry, the event is captured. Because the capture is very noisy, we usually filter on specific events of interest, for example, writes to the Run key, which malware uses to load itself automatically on startup.

Figure: Process Monitor

Regshot

We use Regshot to compare snapshots of the Windows registry before and after executing malware, helping us identify changes made by the malware to the system’s registry settings.

Regshot takes registry snapshots. The idea is to take a snapshot before launching the malware and then take a second snapshot after launch. The two snapshots can then be compared to determine the changes the malware made to the registry. The same information can also be derived from Process Monitor, but Process Monitor will capture many other events as well.
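To make the Regshot comparison concrete, here is an added example (not code from the original post or from Regshot itself) that diffs a "1st shot" and "2nd shot" and reports the same categories Regshot does: keys added or deleted, and values added, deleted or modified. It also flags any change that lands under a well-known autostart key. The snapshot format (key path mapped to value name and data) and all of the sample data, including the user directory "analyst" and the Temp path, are constructed for this example.

```python
"""Regshot-style registry diff (added example, constructed data)."""

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed "1st shot": the baseline taken before the sample is launched.
SNAPSHOT_BEFORE = {
    RUN_KEY: {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    r"HKCU\Software\Example\Settings": {"Theme": "dark", "Updates": "1"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Example": {"Start": "2"},
}

# Constructed "2nd shot": taken after the sample has run and exited.
SNAPSHOT_AFTER = {
    RUN_KEY: {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "main": r"C:\Users\analyst\AppData\Local\Temp\main.exe",
    },
    r"HKCU\Software\Example\Settings": {"Theme": "dark", "Updates": "0"},
}

# Autostart locations worth flagging when they change (substring match on the key path).
PERSISTENCE_MARKERS = (
    r"\CurrentVersion\Run",
    r"\CurrentVersion\RunOnce",
    r"\CurrentControlSet\Services",
)


def diff_snapshots(before, after):
    """Compare two snapshots and return the five categories Regshot reports."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
            report["values_added"].extend((key, n, d) for n, d in sorted(after[key].items()))
        elif key not in after:
            report["keys_deleted"].append(key)
            report["values_deleted"].extend((key, n, d) for n, d in sorted(before[key].items()))
        else:
            old, new = before[key], after[key]
            for name in sorted(set(old) | set(new)):
                if name not in old:
                    report["values_added"].append((key, name, new[name]))
                elif name not in new:
                    report["values_deleted"].append((key, name, old[name]))
                elif old[name] != new[name]:
                    report["values_modified"].append((key, name, old[name], new[name]))
    return report


def flag_persistence(report):
    """Return added or modified values that live under a known autostart key."""
    hits = []
    for entry in report["values_added"] + report["values_modified"]:
        key = entry[0].lower()
        if any(marker.lower() in key for marker in PERSISTENCE_MARKERS):
            hits.append(entry)
    return hits


def render(report):
    """Plain-text summary in the spirit of Regshot's compare output."""
    lines = []
    for key in report["keys_deleted"]:
        lines.append(f"Key deleted: {key}")
    for key in report["keys_added"]:
        lines.append(f"Key added: {key}")
    for key, name, data in report["values_deleted"]:
        lines.append(f"Value deleted: {key}\\{name} = {data}")
    for key, name, data in report["values_added"]:
        lines.append(f"Value added: {key}\\{name} = {data}")
    for key, name, old, new in report["values_modified"]:
        lines.append(f"Value modified: {key}\\{name}: {old} -> {new}")
    return lines


if __name__ == "__main__":
    result = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("\n".join(render(result)))
    for hit in flag_persistence(result):
        print("Possible persistence:", hit)
```

Running it on the constructed data reports the deleted service key, the changed "Updates" value, and the new "main" entry under the Run key, which is the one change flagged as possible persistence. With real Regshot output you would load the two .hivu/.txt shots into the same dictionary shape and feed them to diff_snapshots.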

Figure: Regshot

Before executing the malware, we capture a snapshot of the system using Regshot to establish a baseline of the Windows registry and file system.


Figure: first Regshot snapshot completed (1st shot)

Fakenet-NG

We open FakeNet to simulate a network environment and capture any network activity initiated by the malware during execution, providing insights into its communication patterns and potential malicious intent.

Here, we create a log file to capture all network traffic during the analysis. This log file stores detailed information about network activities initiated by the malware, enabling us to analyze communication patterns and detect any malicious network behavior.

Figure: FakeNet-NG running again with logging enabled

Execution

Next, we execute the malware in the controlled environment to observe its behavior and interactions with the system.

Figure: executing malware.exe; its network activity is captured in the FakeNet logs

After executing the malware, we take a second snapshot of the system using Regshot to compare the changes made to the Windows registry and file system by the malware.

At this stage, we compare the two Regshot snapshots taken before and after executing the malware to identify any modifications or additions made to the Windows registry and file system by the malware.

Figure: Regshot comparison

After analyzing the Regshot snapshots, we observe that certain registry keys have been deleted following the execution of the malware.

Figure: registry keys deleted

Analyzing the process tree in Process Monitor is crucial for understanding how programs and processes interact within a system.

It lets you view a hierarchical representation of processes and their parent/child relationships. This helps identify suspicious process chains, track the flow of execution, monitor process properties for anomalies, detect process abnormalities, and generate reports for documentation and forensic analysis.


Figure: process tree

In the process tree of Process Monitor, we can observe the hierarchical format in which the malware is executed, showing the relationships between processes and helping us track the flow of execution.

It shows details of a program called “main.exe” that was running on the computer. Here are some details from the process tree.

  • Process: main.exe
  • Company: GitHub, Inc.
  • Description: main
  • Path: C:\Users\gohel\AppData\Local\Temp\2dKZf9xCIEQrvkP6YvhhKnpAfAB\main.exe
  • Command: “C:\Users\gohel\AppData\Local\Temp\2dKZf9xCTEQivkP6YvhhKnpAfAB\main.exe” —type=ut
  • User: DESKTOP-E6VQKG2\gohel
  • PID: 6388
  • Started: 4/5/2024, 6:56:57 PM
  • Exited: 4/5/2024 6:58:21 PM

Now, we apply filters in Process Monitor to focus on specific processes, activities, or events of interest, helping us streamline the analysis and identify relevant information more effectively.

We add two filters to the Process Monitor capture.

Figure: setting up the filters

Figure: process name filter

Here, we check the network state using the command “netstat -a -n -o” to view active connections, associated IP addresses, and corresponding process identifiers (PIDs). This helps us identify any suspicious or unauthorized network activity initiated by the malware.


Netstat

Netstat can be used to identify active network connections and the processes associated with them. This information can be invaluable in detecting malicious activity on a network.

netstat -a -n -o

  • -a: displays all active ports and connections
  • -n: numerical display of addresses and port numbers
  • -o: presents each connection with its associated process ID


Figure: network connections

Dumpit

We use the DumpIt tool in malware analysis for memory forensics. Specifically, DumpIt is used to create a memory dump of a system’s RAM (Random Access Memory). This memory dump contains valuable information about the state of the system at the time the dump was taken, including running processes, open network connections, loaded drivers, registry keys in memory, and more.


Figure: raw image file of the memory dump

Volatility Workbench

Volatility Workbench allows analysts to perform memory forensics by analyzing memory dumps obtained from live systems or memory images. This is crucial in dynamic malware analysis as it provides insights into the state of the system during malware execution, including running processes, network connections, loaded modules, and more.

Figure: image analysis using Volatility Workbench

Conclusion

One of the most important cybersecurity techniques for comprehending how malware functions and communicates with a system in real time is dynamic malware analysis. Through the use of specialized tools like sandboxes, process monitors, memory forensics tools like Volatility Workbench, and network monitoring tools, analysts can observe and analyze a variety of malware behavior aspects, such as file system changes, network communications, process creation, memory artifacts, and more, by executing malware in a controlled environment. This analysis aids in the detection of harmful activity, the discovery of indications of compromise (IOCs), the comprehension of malware functionality, and the creation of successful mitigation techniques. The utilization of dynamic malware analysis is crucial for incident response, threat intelligence, and enhancing cybersecurity defenses against constantly changing threats.
