Introduction to Malware Analysis III

Dynamic Analysis and Reporting

a1l4m
6 min read · Apr 28, 2023

With static analysis, some samples lead you nowhere; when you hit that dead end, it is time for dynamic analysis.

There are two ways to do dynamic analysis:

  1. Monitoring the malware's interaction with its environment:
  • Processes/OS components
  • File system
  • Registry
  • Network

  2. Examining the system after the malware has executed.

We can use sandboxes for that.

Sandbox architectures

Full System Emulation: The sandbox simulates the host machine’s physical hardware, including the CPU and memory, providing deep visibility into program behavior and impact.

Emulation of Operating Systems (or part of it): The sandbox emulates the end user’s operating system but not the machine hardware.

Virtualization: This approach uses a virtual machine (VM)-based sandbox to contain and examine suspicious programs.


Why we can’t just rely on sandboxes!

It would be convenient to just drop the malware into any sandbox and forget about manual analysis. Unfortunately, we can't do that, because sandboxes have disadvantages.

Malware writers have evasion techniques for sandboxes, for example:

  • Delaying execution, either by sleeping for a period of time (some hours, or even a day) or by waiting for a packet from a server while the sandbox has no internet connection.

So, as a summary of sandboxing: if the sandbox tells you that a sample is suspicious with a score of 8 or 9 out of 10, you can believe it. But if it tells you the sample is benign, you have to do manual analysis to be sure, because of these evasion techniques.

Running the malware


If it is an executable file, you can just double-click it, but if it is a DLL, you have to use rundll32.exe and give it the name of the exported function you want to call. You can find the exported functions with CFF Explorer.

For some samples you will not be able to find the function names, but you will find the ordinal, which you use instead of the export function name.

(Figure: how to use the ordinal)

You only need to run the malware once; after that, there are auto-start options the malware can use to persist, like placing itself in the Startup folder or using the registry keys "Run", "RunOnce", and other locations.


The AutoRuns tool has the most comprehensive knowledge of auto-start locations.

Why does malware use the Windows API ("Win32 API")?

The Windows API is a documented set of functions that lets software interact with the operating system.

Software interacts with the OS to:

  • Show a user interface
  • Access files
  • Access the network
  • Have multilingual support
  • Etc.

Malware authors don’t need to reimplement all that functionality.

Now, let’s start the real work.

Process Activity

Process Monitor

Process Monitor is a very powerful tool, but you always need to filter out the background noise so you have clearer output to look at.

Process Monitor produces a lot of events; to build a timeline of those events and organize them, use ProcDot.
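As an added example (not from the article, and not part of Process Monitor or ProcDot), here is the noise-filtering and timeline idea in Python over a constructed Process Monitor CSV export: the capture, process names, PIDs and the 203.0.113.10 address are made up, and "sample.exe" stands for the file under analysis. The script keeps only the sample and the processes it spawns, and tags each event with the activity class the following sections use.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (default column set).
# The capture, process names, PIDs and the 203.0.113.10 address are all
# made up for this example; "sample.exe" stands for the file under analysis.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","900","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.2","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\cfg.dat","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.3","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\upd.exe"
"10:01:02.4","sample.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","PID: 4388, Command line: upd.exe"
"10:01:02.5","Explorer.EXE","1504","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0"
"10:01:02.6","upd.exe","4388","TCP Connect","lab-pc:49712 -> 203.0.113.10:443","SUCCESS","Length: 0"
"""

CATEGORIES = (("Reg", "registry"), ("Process", "process"),
              ("TCP", "network"), ("UDP", "network"))

def categorize(operation):
    """Map a Procmon operation name to the activity class used in this article."""
    for prefix, category in CATEGORIES:
        if operation.startswith(prefix):
            return category
    return "file"   # CreateFile, ReadFile, WriteFile, SetDispositionInformationFile, ...

def sample_timeline(csv_text, sample_name):
    """Keep only events from the sample and the processes it spawns, in capture order.
    Everything else (svchost, Explorer, ...) is background noise for this view."""
    tracked = set()
    timeline = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        if row["Process Name"].lower() == sample_name.lower():
            tracked.add(pid)
        if pid not in tracked:
            continue
        timeline.append((row["Time of Day"], categorize(row["Operation"]),
                         row["Operation"], row["Path"], row["Result"]))
        if row["Operation"] == "Process Create":   # follow child processes too
            child = re.search(r"PID:\s*(\d+)", row["Detail"])
            if child:
                tracked.add(int(child.group(1)))
    return timeline

if __name__ == "__main__":
    for event in sample_timeline(PROCMON_CSV, "sample.exe"):
        print(" | ".join(event))
```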

File Activity

Read

  • Read from its config file.
  • Read and steal the user's data and machine information.

Write

  • Write to its config file.
  • Encrypt files (ransomware).

Delete

  • Delete the user's files, or delete itself.
  • For example, take a copy of the user's files and encrypt the copies, then delete all the unencrypted originals.

We can also view file system interaction with Process Monitor.

There are also two other tools we can use: FileActivityWatch and FolderChangesView.

Registry Activity

The malware could be reading information about:

  • The OS
  • The user
  • Language: to decide which region you are in.
  • PC uptime
  • Installed programs
  • Enabled services (AVs)
  • Enabled or disabled Windows options like SmartScreen and Windows Defender.

The malware could also be writing its configuration, or enabling or disabling some options.

We can use a tool like Regshot2; as the name suggests, it takes snapshots before and after running the malware and then compares them to see what changes the malware made.

There is RegistryChangesView and Process Monitor too.
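As an added example (not from the article and not Regshot's own code), here is the snapshot-and-compare idea in Python over two constructed registry snapshots: the BEFORE/AFTER dictionaries, the "Updater" and "Cleanup" entries and their paths are made up, while the Run/RunOnce keys and the Windows Defender policy value are real locations. A real run would feed the functions exports from Regshot or a similar tool instead of the inline data.

```python
# Constructed before/after registry snapshots (value path -> data), the kind of
# pairing a Regshot-style tool produces. Program names and data are made up.
BEFORE = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
        "C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden": "1",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware": "0",
}
AFTER = dict(BEFORE)
AFTER["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"] = \
    "C:\\Users\\lab\\AppData\\Roaming\\upd.exe"
AFTER["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup"] = \
    "cmd.exe /c del C:\\Users\\lab\\Desktop\\sample.exe"
AFTER["HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"] = "1"
del AFTER["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"]

# Key fragments whose writes almost always matter: the auto-start locations the
# article names, plus the Defender policy value that turns real-time protection off.
WATCHED = {
    "\\CurrentVersion\\Run\\": "auto-start (Run)",
    "\\CurrentVersion\\RunOnce\\": "auto-start (RunOnce)",
    "\\Windows Defender\\DisableAntiSpyware": "security setting (Defender)",
}

def diff_snapshots(before, after):
    """Regshot-style compare: values added, removed, and changed between snapshots."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return added, removed, changed

def interesting_changes(before, after):
    """Return (label, path, new_data) for added or changed values under watched keys."""
    added, _, changed = diff_snapshots(before, after)
    candidates = list(added.items()) + [(k, v[1]) for k, v in changed.items()]
    hits = []
    for path, data in candidates:
        for needle, label in WATCHED.items():
            if needle.lower() in path.lower():
                hits.append((label, path, data))
    return sorted(hits)

if __name__ == "__main__":
    for label, path, data in interesting_changes(BEFORE, AFTER):
        print(f"[{label}] {path} = {data}")
```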

Network Activity

Download

  • Download more malware, or an updated version of itself.
  • Advertisements
  • Pay-to-install
  • DDoS

Upload

  • Exfiltrate data from the victim.
  • Send the encryption key to the server (ransomware)

Lateral Movement

  • To infect other machines in the same network ("pivoting").

We can see the network activity through Process Monitor, or through Wireshark for deeper details.

Normally you can't let the malware connect to whatever it wants at the beginning; you need to use a fake DNS server so you can extract IoCs and analyze the behavior.

FakeNet-NG is a great tool for creating fake servers, including HTTP, DNS, SMTP, etc.

As a scenario: if the malware requests a PNG file from the C&C server and you are using FakeNet, you can replace the default image that FakeNet would send to the malware with an executable file whose extension is changed to .png, to see whether the malware expects an executable hidden inside the PNG image. If that is the case, the executable file will run.

Notes

For malware analysis, if we just want to extract IoCs, we shouldn't let the malware connect to the internet ("host-only" networking), or we can use a fake DNS server like the one above to see all the requests the malware makes and use them as IoCs.

But if the malware has multiple stages, we should let it connect so we can examine all the stages. It may even need to connect to its servers to decrypt some information, maybe a key or something similar.

Always use a VPN or proxy to hide your location.

Reporting

(Figure: report phases)

First, sample identification.

We have to determine the file type by checking the file format in a hex editor, or use a tool that does it for you, like TrID on Windows or file on Linux.

Second, we need to get the hash using any tool, like Windows PowerShell with the command sha256sum <filename>, or PEstudio, then search for the hash on VirusTotal.

Also, we have to report the file names, history, and file version information. We will find those on VirusTotal.

From PEstudio, we will find the debugger timestamp, and we will add it to our report.

We should write down any information we can get about the malware itself, like the programming language it is written in.
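As an added example (not from the article, and not TrID, PEstudio or FakeNet code), here is the sample-identification step in Python: it does the hex-editor magic-bytes check, computes the SHA-256, reads the compile timestamp from the PE file header, and flags the case from the FakeNet scenario above, a file whose extension says PNG but whose bytes start with MZ. The `build_fake_pe` helper constructs a headers-only PE for the demonstration (it is not a real program), and the magic list covers only a few common formats; PEstudio's debugger timestamp comes from the debug directory, which this example does not parse.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Magic bytes for the formats met most often in triage; trid/file know many more.
MAGICS = [(b"MZ", "PE executable"), (b"\x89PNG\r\n\x1a\n", "PNG image"),
          (b"\x7fELF", "ELF executable"), (b"%PDF", "PDF document"),
          (b"PK\x03\x04", "ZIP archive")]
EXPECTED = {"exe": "PE executable", "dll": "PE executable", "png": "PNG image",
            "pdf": "PDF document", "zip": "ZIP archive"}

def file_type(data):
    """Identify the format from the leading bytes, ignoring the extension."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"

def pe_timestamp(data):
    """COFF header TimeDateStamp (the compile timestamp) as a UTC datetime, or None."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def identify(filename, data):
    """Report fields: type, hash, compile time, and whether the extension lies
    about the content (e.g. a '.png' that really starts with MZ)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = file_type(data)
    stamp = pe_timestamp(data)
    return {"filename": filename, "type": kind,
            "extension_mismatch": ext in EXPECTED and EXPECTED[ext] != kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "compile_time": stamp.isoformat() if stamp else None}

def build_fake_pe(timestamp):
    """Constructed MZ stub + 'PE\\0\\0' + COFF header (headers only, not a program)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff

if __name__ == "__main__":
    print(identify("logo.png", build_fake_pe(1682640000)))
```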

IoCs that you should add to your report:

Here is a malware analysis report template that you can use.

At the end, I hope you enjoyed the series as much as I enjoyed making it. And thanks for reaching this part.


Written by a1l4m

DFIR | CTF Player & Author
