As much as Mondays are for discussing different types of malware, this day can also be about malware analysis. For today’s post, I’m going to look at a pretty nifty tool called Regshot.
Regshot is a dynamic malware analysis tool that allows an analyst to perform before and after snapshots of the Windows Registry. Typically, this is used to capture a snapshot of the system prior to executing malware and then immediately afterwards.
The goal is to identify any changes to the registry that the malware made. This may give more indication as to what the malware is capable of, if any additional files are dropped, or any other Indicators of Compromise (“IOCs”). In many cases, including my own, Regshot lives within its own Virtual Machine that is reserved for dynamic analysis.
Regshot is currently at version 1.9.0, and is available for download here. There are both 32- and 64-bit versions available.
Why Use Regshot?
Before I get to a quick example, I wanted to offer a few thoughts to those who may not perform dynamic analysis frequently on why a tool like Regshot comes in handy.
- In some cases, the Windows Registry can be thought of as simply another storage location. There are multiple malware families that use the Windows Registry for storage, evasion, and hiding in plain sight (see my post on 2016-12-12 that discussed fileless malware abusing the registry). Oftentimes the paths, keys, and/or values that are stored by some malware are dynamically generated. For this reason, when performing dynamic analysis, knowing exactly what changed in the registry helps you zero in on the malware's activity.
- Malware may make a lot of changes to a system as it executes. Simply running malware in a sandbox, without monitoring various system components, doesn’t do much. Even harder is asking an analyst to “find out what happened” when the malware is built to be silent.
- I’ll get into this shortly, but Regshot can be used as an excellent baseline and development tool.
As I mentioned earlier, Regshot is typically utilized in a malware analysis environment, often a VM built for the purpose of malware detonation. Besides the 32- and 64-bit versions, note that there are also ANSI and Unicode versions. The difference between these two matters when you use Regshot to generate a hive file: the version you run will determine the encoding of the output.
Regshot has very simple steps:
- Take a shot of the system’s registry now.
- Do something to the system.
- Take a shot of the system’s registry again.
- Wash, rinse, and repeat.
Here’s a look at Regshot’s really simple GUI:
There are options to save the changes as either a text or HTML file.
When taking registry shots, the user is presented with the options Shot, Shot and Save, or Load.
In my opinion, these are some of the greatest options available in Regshot.
- Shot will simply take a shot of the current system’s registry. The statistics for the shot are provided at the bottom of the GUI.
- Shot and Save will take the same shot of the registry, and also save it to an encoded file (either ANSI or Unicode).
- Load allows you to load a previously-taken Regshot hive for either the before or after position.
Once the shot is taken, you’ll be presented with statistics on the shot:
Now, do some things. Run some malware, move around the system, open a file or two.
Clicking 2nd shot will take the second shot. At this point, both snapshots of the registry are saved temporarily. Once this has taken place, the ‘Compare’ button will become available:
If you haven’t saved any files, Regshot will pop up a text editor containing the changed registry keys. The top of the file begins with system identification information:
Regshot 1.9.0 x64 Unicode
Datetime: 2017/1/2 05:21:30 , 2017/1/2 05:22:16
Computer: BATMOBILE , BATMOBILE
Username: batman , batman
Below are the keys that were changed. For this example, I didn’t do much, so I’ve only got 21 changes reported.
Not only are we presented with the number of changes, but also the registry contents:
See what I did? In this example I simply changed the ShellBags for a few folders. However, for malware installations, we may see results related to persistence mechanisms, stored values, or complete binaries hidden in the registry!
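As an added example (not part of the original post and not Regshot's own code), here is one way to triage a saved text comparison so that entries under autostart paths and values that begin with a PE header are read first. The report below is constructed, and its section layout, the SID, the value names and the file path are assumptions made for illustration.

```python
import re

# Constructed sample modelled on a Regshot text comparison. The section layout
# (dashed rules around "<Category>: <count>") and all entries are assumptions.
SAMPLE_REPORT = r"""Regshot 1.9.0 x64 Unicode
Datetime: 2017/1/2 05:21:30 , 2017/1/2 05:22:16
----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-0000\Software\ExampleVendor
----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-0000\Software\Microsoft\Windows\CurrentVersion\Run\updater: "C:\Users\batman\AppData\Roaming\updater.exe"
HKU\S-1-5-21-0000\Software\ExampleVendor\cfg: 4D 5A 90 00
----------------------------------
Total changes: 3
----------------------------------
"""

SECTION = re.compile(r"^(Keys|Values|Files|Folders) ([a-z ]+):\s*(\d+)$")
# Two well-known autostart locations (Run/RunOnce values, services); not exhaustive.
PERSISTENCE = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\Services\\", re.I)
# Value data that begins with the "MZ" magic of a PE file, printed as hex bytes.
MZ_DATA = re.compile(r":\s+4D 5A\b")

def parse_report(text):
    """Return ({section name: [entries]}, reported total or None)."""
    sections, current, total = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:   # skip blanks and dashed rules
            continue
        m = SECTION.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif line.startswith("Total changes:"):
            total = int(line.split(":", 1)[1])
        elif current:                         # header lines before any section are ignored
            sections[current].append(line)
    return sections, total

def triage(sections):
    """Return (reason, section, entry) for autostart paths and MZ-prefixed data."""
    checks = (("persistence", PERSISTENCE), ("pe-header", MZ_DATA))
    return [(why, name, e) for name, entries in sections.items()
            for e in entries for why, rx in checks if rx.search(e)]
```

Comparing the parsed entry count against the reported total is a cheap check that the section headings in your Regshot build match what the parser expects.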
Loading a Previous Hive
I didn’t want to move on before briefly talking about the feature of loading a previous hive in Regshot. This is a powerful capability that allows you to extend the functionality of Regshot beyond simple ad-hoc dynamic analysis. For example, if you deploy gold images within your network, consider taking a shot right before deployment. User gets infected? Compare, and find the malware!
For development purposes, take a shot and see what installing your application does to the system. You might be surprised at what footprints you’re leaving behind!
But wait... there’s more!
While I’ve spent the past few minutes discussing Regshot’s ability to take a before and after of the Registry, wouldn’t it be awesome if we could do the same for a folder? Well, Regshot can! In the Scan dir option box, we can enter a path to monitor. If you suspect that your malware is dropping or altering files, you can place a directory under watch and see what changes were made.
Notice in the screenshot above I created the folder Evil DIR in the watched directory. You can enter multiple directories if you want, each separated by a semicolon. This can be a very useful DFIR triage step, potentially giving you all the secrets about malware once it’s executed!
Until tomorrow, Happy Forensicating!