Malware Basic Dynamic Analysis

Shashank Jain
4 min read · Jul 12, 2018


In the previous blog we covered the basics of malware: https://medium.com/@jain.sm/malware-introduction-eeb3eb201cb3

In this blog we go over dynamic (run-time) analysis of malware, and the tools and setup needed to carry it out.

Dynamic analysis is a technique in which the malware is launched and its behaviour is observed while it runs. Since we do not want to run the malware directly, to avoid any harm it might cause, we take certain steps to isolate its execution and only then analyse it.

One way of doing this is to shut off internet connectivity and run the malware on a physical machine. But malware might not just be doing an internet-based attack; it might also be trying things like process hollowing or manipulating the registry. This can leave the physical machine corrupted.

The other way is to run the malware in a virtual machine and shut off outside communication by using host-only networking (no NAT to the outside). This has a disadvantage: some malware detects that it is running in a virtual environment and does not exhibit its real behaviour. An advantage of using a virtual machine is that we can take a snapshot of the VM after the setup, and again from time to time if needed. This allows us to restore a functional state even if the malware corrupts the VM.

The network setup for the VM could look like the diagram below.

The host is connected to the internet, but VM traffic cannot reach the internet, so the malware cannot establish an internet connection and set up something like command and control.

Dynamic analysis can be used to analyse the run-time behaviour of malware. Unlike static analysis, one does not need to understand in depth how, for example, the packing is done. If the malware author has used a custom packer, static analysis requires understanding that packer and starting the analysis only after unpacking. With dynamic analysis this might not be needed.

One mechanism for dynamic analysis is to use a sandbox, which virtualises the complete environment and also mimics network services such as DNS servers. Examples of sandboxes are Norman Sandbox, Cuckoo Sandbox, GFI, etc.

Execute the malware.

An exe file can be launched directly, but if the malware is in the form of a DLL it can be launched using rundll32.exe, passing the DLL name and the export to call as its arguments. Exports are the APIs the DLL exposes to callers.

After running the malware, we can use the following tools to monitor its behaviour:

1. Process Monitor — monitors Windows system resources such as the registry, file system and network, and captures the events generated by any changes to those resources. So if there is a file creation or, say, a change in the registry, the event is captured. We might need to filter on specific events, for example writes to the Run key that make the malware load automatically at startup.
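As an added example (not part of the original post or of Process Monitor itself), here is a small Python triage script that reads a Process Monitor CSV export and pulls out exactly the events the paragraph mentions: Run-key writes, file writes and network connections made by the sample process. The CSV rows are constructed for this example; the column names assume Procmon's default CSV export columns.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export. The column names are the
# ones Procmon writes by default (Time of Day, Process Name, PID, Operation,
# Path, Result, Detail); the rows themselves are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:03.5","sample.exe","4321","CreateFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.6","sample.exe","4321","WriteFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:03.7","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:01:04.0","sample.exe","4321","TCP Connect","win-analyst:49711 -> 10.0.0.5:80","SUCCESS","Length: 0"
"10:01:04.2","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain","SUCCESS","Type: REG_SZ, Length: 2, Data:"
'''

# Autostart locations we care about (lower-cased substrings of the registry path).
RUN_KEY_MARKERS = (
    r"\currentversion\run",        # also matches \Run\<value name> and \RunOnce
)

def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def is_run_key_write(event):
    """True for registry writes that land under a Run/RunOnce key."""
    path = event["Path"].lower()
    return event["Operation"] in ("RegSetValue", "RegCreateKey") and any(
        marker in path for marker in RUN_KEY_MARKERS
    )

def is_file_write(event):
    """True for WriteFile, or a CreateFile that asked for write access."""
    op = event["Operation"]
    return op == "WriteFile" or (op == "CreateFile" and "Write" in event["Detail"])

def triage(events, process_name):
    """Bucket one process's events the way an analyst filters them in Procmon."""
    report = {"run_key_writes": [], "file_writes": [], "network": []}
    for ev in events:
        if ev["Process Name"].lower() != process_name.lower():
            continue
        if is_run_key_write(ev):
            report["run_key_writes"].append(ev["Path"])
        elif is_file_write(ev):
            if ev["Path"] not in report["file_writes"]:   # one entry per file
                report["file_writes"].append(ev["Path"])
        elif ev["Operation"].startswith(("TCP ", "UDP ")):
            report["network"].append(ev["Path"])
    return report

if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    for bucket, items in triage(events, "sample.exe").items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On a real capture you would export from Procmon with File > Save (CSV) and pass the file contents to `parse_procmon_csv`; the Run-key filter is the same one you would build in Procmon's filter dialog, just applied offline.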

2. Process Explorer — this tool lets us see not only run-time stats of a process such as CPU and memory, but also which DLLs the process has loaded. It also lets us see the strings used in the program. In the case of packed malware, we can inspect the strings of the running process without explicitly unpacking it. Strings give valuable information about which APIs the malware uses, for example whether it loads a specific DLL at run time, allocates memory, etc.
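To show what Process Explorer's Strings view is doing, here is an added Python example (not from the original post, and not Process Explorer's code) that extracts ASCII and UTF-16LE strings from a byte buffer and flags the API names and URLs an analyst would look for. The input bytes are constructed here and stand in for an unpacked image read from memory or disk; the API notes are this example's own short descriptions.

```python
import re

# Constructed stand-in for an unpacked image read from memory or disk; in practice
# you would pass open(path, "rb").read() or a memory dump to extract_strings().
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"LoadLibraryA\x00GetProcAddress\x00VirtualAlloc\x00"
    + b"\x01\x02\x03ab\x00\x00"                          # "ab" is below the minimum length
    + "wininet.dll".encode("utf-16-le") + b"\x00\x00"    # a wide (UTF-16LE) string
    + b"http://example.invalid/gate.php\x00"
)

# API names whose presence hints at run-time loading, memory allocation or injection.
# The descriptions are this example's own notes, not quoted from any reference.
INTERESTING_APIS = {
    "LoadLibraryA": "loads a DLL at run time",
    "LoadLibraryW": "loads a DLL at run time",
    "GetProcAddress": "resolves an API by name at run time (dynamic imports)",
    "VirtualAlloc": "allocates memory, typical of unpacking stubs",
    "VirtualAllocEx": "allocates memory in another process (injection)",
    "WriteProcessMemory": "writes into another process (injection / hollowing)",
    "CreateRemoteThread": "runs code in another process",
    "InternetOpenA": "WinINet networking",
}

def extract_strings(data, min_len=4):
    """Return (offset, text, kind) for ASCII and UTF-16LE runs of printable
    characters, ordered by offset, the way a Strings view lists them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"), "wide") for m in wide_re.finditer(data)]
    return sorted(found)

def flag_api_strings(strings):
    """Map each interesting API name found to a note on why it matters."""
    return {text: INTERESTING_APIS[text] for _, text, _ in strings if text in INTERESTING_APIS}

def find_urls(strings):
    """Pick out http(s) URLs, which often point at a download or C2 location."""
    return [text for _, text, _ in strings if re.match(r"https?://", text)]

if __name__ == "__main__":
    found = extract_strings(SAMPLE_IMAGE)
    for offset, text, kind in found:
        print("%#06x %-5s %s" % (offset, kind, text))
    print("APIs:", flag_api_strings(found))
    print("URLs:", find_urls(found))
```

Scanning both encodings matters on Windows: many Unicode-aware programs store DLL names and paths as UTF-16LE, which an ASCII-only strings pass misses entirely.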

3. LordPE — a tool for analysing PE files. It gives us an idea of the memory layout and of how the PE headers and sections are laid out. It can also be used to manipulate existing sections or add new sections.
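As an added example of what a PE editor like LordPE shows in its section table (this is example code, not LordPE's), the following Python builds a constructed, header-only PE image laid out like a UPX-packed file, parses the DOS header, PE signature, COFF header and section headers with the standard PE structure layouts, and applies the sanity checks an analyst makes before running anything: a section that is writable and executable, or that occupies far more memory than it has bytes on disk, is a strong hint of a packer.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes) and the COFF file header (20 bytes).
SECTION_FMT = "<8sIIIIIIHHI"
COFF_FMT = "<HHIIIHH"

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_sample_pe():
    """Constructed minimal PE header (headers only, not a loadable binary) whose
    section table looks like a UPX-style packed file: an empty, huge, RWX section
    reserved for the unpacked code plus a small section holding the packed data."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b"UPX0", 0x20000, 0x1000, 0x0, 0x400, 0xE0000080),
        (b"UPX1", 0x8000, 0x21000, 0x7E00, 0x400, 0xE0000040),
        (b".rsrc", 0x1000, 0x29000, 0x1000, 0x8200, 0x40000040),
    ]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature right after DOS header
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # Magic = PE32, rest zeroed
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, rawsize, rawptr, flags in sections
    )
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    offset = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, offset + i * struct.calcsize(SECTION_FMT))
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr, "flags": flags,
        })
    return sections

def section_findings(sec):
    """Heuristics an analyst applies to a section table before running anything."""
    findings = []
    if sec["flags"] & IMAGE_SCN_MEM_WRITE and sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable and executable")
    if sec["raw_size"] == 0 and sec["virtual_size"] > 0:
        findings.append("no data on disk but %#x bytes in memory (unpacking target)" % sec["virtual_size"])
    elif sec["virtual_size"] > 2 * sec["raw_size"]:
        findings.append("virtual size much larger than raw size")
    if sec["name"].upper().startswith("UPX"):
        findings.append("section name used by the UPX packer")
    return findings

if __name__ == "__main__":
    for sec in parse_sections(build_sample_pe()):
        print("%-8s vaddr=%#08x vsize=%#08x raw=%#08x flags=%#010x %s" % (
            sec["name"], sec["virtual_address"], sec["virtual_size"],
            sec["raw_size"], sec["flags"], "; ".join(section_findings(sec))))
```

To inspect a real sample, replace `build_sample_pe()` with the bytes of the file; the parser only reads headers, so it never executes anything from the sample.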

4. Regshot — takes registry snapshots. The idea is to take a snapshot before launching the malware and another after it has run. The two snapshots can then be compared to determine the changes the malware made to the registry. This information can also be derived from Process Monitor, but that will capture many other events as well.
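The before/after comparison Regshot performs, written out as an added Python example (not Regshot's code and not from the original post): a snapshot is a plain mapping of key path to its values, `diff_snapshots` reports keys and values added, deleted or modified, and `autostart_changes` narrows that to the Run keys. The two snapshots below are constructed; `snapshot_subtree` shows how a real snapshot could be collected with the standard-library `winreg` module on the Windows VM.

```python
def diff_snapshots(before, after):
    """Compare two registry snapshots of the form {key_path: {value_name: data}}
    and report what a Regshot comparison shows: keys and values added, deleted, modified."""
    report = {"keys_added": sorted(set(after) - set(before)),
              "keys_deleted": sorted(set(before) - set(after)),
              "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        for name in sorted(set(new) - set(old)):
            report["values_added"].append((key, name, new[name]))
        for name in sorted(set(old) - set(new)):
            report["values_deleted"].append((key, name, old[name]))
        for name in sorted(set(old) & set(new)):
            if old[name] != new[name]:
                report["values_modified"].append((key, name, old[name], new[name]))
    # Values inside a newly created key count as added values too.
    for key in report["keys_added"]:
        for name, data in sorted(after[key].items()):
            report["values_added"].append((key, name, data))
    return report

def autostart_changes(report):
    """Just the added or modified values that live under a Run/RunOnce key."""
    return [entry for entry in report["values_added"] + report["values_modified"]
            if "\\currentversion\\run" in entry[0].lower()]

def snapshot_subtree(root, path):
    """Windows only: collect {key_path: {value_name: data}} for every key below `path`
    using the standard-library winreg module (root is e.g. winreg.HKEY_CURRENT_USER)."""
    import winreg
    out = {}

    def walk(sub):
        try:
            handle = winreg.OpenKey(root, sub)
        except OSError:
            return
        with handle:
            values, i = {}, 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(handle, i)
                except OSError:          # no more values
                    break
                values[name] = data
                i += 1
            out[sub] = values
            j = 0
            while True:
                try:
                    child = winreg.EnumKey(handle, j)
                except OSError:          # no more subkeys
                    break
                walk(sub + "\\" + child)
                j += 1

    walk(path)
    return out

# Constructed before/after snapshots standing in for two Regshot captures.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PROXY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
BEFORE = {
    RUN: {"OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    PROXY: {"ProxyEnable": 0},
}
AFTER = {
    RUN: {"OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          "Updater": r"C:\Users\analyst\AppData\Roaming\svchost.exe"},
    PROXY: {"ProxyEnable": 1, "ProxyServer": "10.0.0.5:8080"},
    r"HKCU\Software\Sample": {"id": "constructed-value"},
}

if __name__ == "__main__":
    report = diff_snapshots(BEFORE, AFTER)
    for section, entries in report.items():
        print(section, entries)
    print("autostart changes:", autostart_changes(report))
```

Snapshotting a whole hive with `winreg` is slow compared to Regshot, but restricting it to the autostart and networking keys you care about makes the comparison quick and keeps the noise low.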

5. Network simulation — tools like ApateDNS or INetSim can be used to simulate the network for the malware. INetSim simulates services like FTP, HTTP/S, DNS, etc. It should be launched in a Linux VM sitting side by side with, and reachable from and to, the Windows VM on which the malware is executed. All we have to do is change the DNS server on the Windows machine to point to INetSim. All traffic the malware tries to initiate then goes to the simulated DNS on the Linux VM. INetSim also fakes the responses, so the malware believes it can reach the internet 😊. For an easier setup a Kali Linux VM is preferred, as it already comes with INetSim installed. The logs can be analysed to check the intent of the malware, for example whether it is trying to set up command and control over the internet.

6. Wireshark — can be used for network traffic fingerprinting and for determining whether malicious payloads are being loaded over the network. The packets sent for command and control can also be analysed in Wireshark. The term malware analysis uses for such packets is "beacon": a state in which the malware tells its control server that it has infected the machine. Beacons can be used to fingerprint and identify infected machines.
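Beacons are easiest to spot by their timing rather than their content, so here is an added Python example (not from the original post, and independent of Wireshark) that takes per-connection records such as you would export from Wireshark's Conversations view or a flow log and flags flows whose inter-connection gaps are suspiciously regular. The records are constructed: one strict beacon every 60 seconds, one jittered beacon, and ordinary bursty browsing to a third host. The regularity measure (standard deviation of the gaps divided by their mean) and the thresholds are this example's choices.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (timestamp in seconds, src, dst, dst_port, bytes sent),
# standing in for a Wireshark Conversations export or a flow log from the analysis VM.
SAMPLE_CONNECTIONS = (
    # a strict beacon: one 312-byte request every 60 seconds
    [(t, "10.0.0.7", "10.0.0.5", 443, 312) for t in range(0, 600, 60)]
    # a jittered beacon: roughly every minute, a few seconds either way
    + [(t, "10.0.0.7", "10.0.0.6", 80, 280) for t in (0, 55, 118, 176, 237, 301, 358)]
    # ordinary browsing: bursts of requests with irregular gaps and sizes
    + [(t, "10.0.0.7", "10.0.0.9", 443, s) for t, s in
       ((5, 1200), (12, 430), (80, 9800), (81, 310), (300, 2200), (301, 640), (302, 75), (500, 5100))]
)

def beacon_candidates(conns, min_count=5, max_jitter_cv=0.2):
    """Flag (src, dst, port) flows whose gaps between connections are suspiciously regular.
    Regularity is the coefficient of variation (stddev / mean) of the gaps: 0 is a perfectly
    periodic beacon, a little jitter stays well under 0.2, ordinary browsing scores above 1."""
    by_flow = defaultdict(list)
    for ts, src, dst, port, size in conns:
        by_flow[(src, dst, port)].append((ts, size))
    hits = []
    for (src, dst, port), events in by_flow.items():
        if len(events) < min_count:          # too few connections to judge periodicity
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter_cv:
            sizes = [size for _, size in events]
            hits.append({"src": src, "dst": dst, "port": port, "count": len(events),
                         "period_s": round(avg, 1), "jitter_cv": round(cv, 3),
                         "constant_size": max(sizes) == min(sizes)})
    return sorted(hits, key=lambda h: h["jitter_cv"])

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_CONNECTIONS):
        print(hit)
```

Constant request size is reported alongside the period because a beacon that sends the same check-in message each time is a stronger signal than regular timing alone; real malware often adds jitter, which is why the threshold is a parameter rather than a test for an exact period.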

In the next section we go over static analysis of the malware: https://medium.com/@jain.sm/malware-basic-static-analysis-cf19b4600725

For more details on malware analysis, please read the book Practical Malware Analysis by Michael Sikorski and Andrew Honig.

Disclaimer: The views expressed above are personal and not those of the company I work for.
