Introduction to Malware Analysis – Behaviour Analysis

Malware analysis involves two complementary approaches: Code Analysis and Behavior Analysis.

Behavior Analysis – Examines the interactions of the malware with its environment, i.e., the file system, registry, network, etc.

It is convenient to use virtualization software such as VMware, Virtual PC, etc. to host the lab environment. It provides snapshot functionality that can be used to roll back to the original state of the machine, the state before the malware test case infected it.

In order to analyze the behavior, we need monitoring tools that record the changes the malware makes.



Detects changes in drives and registry entries.

Prior to infection, take a snapshot:

  1. Check "Scan Drive" and point it at C:\, i.e. the primary drive
  2. Click 1st Shot
  3. Infect the System by opening Malicious Program
  4. Click 2nd Shot
  5. Compare

It shows you all the registry entries modified and all the files created/modified on C:\.
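The same "1st shot / 2nd shot / compare" idea can be reproduced for the file system part with a few lines of Python. The following is an added example, not a tool from the webcast: it hashes every file under a directory before and after a simulated infection and reports what was created, modified and deleted. The directory, file names and the "malicious" file dropped into it are all constructed for the demo; registry comparison is not covered here.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (sha256, size) for every regular file below `root`.

    Keys are POSIX-style paths relative to root so that two snapshots of the
    same tree compare cleanly."""
    root = Path(root)
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                data = path.read_bytes()
            except OSError:
                # locked or vanished file: note it instead of aborting the walk
                state[rel] = ("unreadable", 0)
                continue
            state[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return state


def compare(before, after):
    """Diff two snapshots: created, modified and deleted relative paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: an 'infection' in a throwaway directory."""
    with tempfile.TemporaryDirectory() as lab:
        lab = Path(lab)
        (lab / "config.ini").write_text("debug=0\n")
        (lab / "readme.txt").write_text("hello\n")
        first = snapshot(lab)                      # 1st shot

        # simulated malicious activity: drop a file in Temp, alter a config,
        # delete a file (the dropped content is a made-up byte string)
        (lab / "Temp").mkdir()
        (lab / "Temp" / "svchost.exe").write_bytes(b"MZ\x90\x00constructed-sample")
        (lab / "config.ini").write_text("debug=1\n")
        (lab / "readme.txt").unlink()

        second = snapshot(lab)                     # 2nd shot
        return compare(first, second)              # compare


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print("   ", p)
```

Hashing rather than relying on timestamps matters: malware that rewrites a file and restores its modification time still shows up as modified.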


Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.


It logs the API calls made by every process.

These API calls include interactions with the registry, the file system, etc.


If you find files created/modified or registry entries changed, look into those on the actual infected system.
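A Process Monitor capture of even a short run contains thousands of events, most of them reads and queries from unrelated processes. The script below is an added example (not part of the webcast or of Procmon itself) showing how to triage a Procmon CSV export: keep only one process, drop failed operations, keep only operations that change state, and flag registry writes under autostart keys. The CSV header uses Procmon's default column names; every row is constructed for this example, as are the process name sample.exe, the paths and the 203.0.113.10 address.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV).
# Column names are Procmon's defaults; the rows are made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","Explorer.EXE","1234","RegQueryValue","HKCU\\Software\\Classes","SUCCESS","Type: REG_SZ"
"10:01:03.0000000","sample.exe","4321","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\upd.tmp","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:03.1000000","sample.exe","4321","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\upd.tmp","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.2000000","sample.exe","4321","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\upd.tmp"
"10:01:03.3000000","sample.exe","4321","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls","NAME NOT FOUND",""
"10:01:04.0000000","sample.exe","4321","TCP Connect","lab-pc:49152 -> 203.0.113.10:80","SUCCESS","Length: 0"
"10:01:05.0000000","svchost.exe","900","RegQueryValue","HKLM\\SOFTWARE\\Policies","SUCCESS","Type: REG_DWORD"
"""

# Procmon operations that change system state, as opposed to reads and queries.
STATE_CHANGING = {
    "WriteFile": "file modified",
    "SetDispositionInformationFile": "file deleted",
    "SetRenameInformationFile": "file renamed",
    "RegSetValue": "registry value set",
    "RegCreateKey": "registry key created",
    "RegDeleteValue": "registry value deleted",
    "RegDeleteKey": "registry key deleted",
    "Process Create": "child process started",
    "TCP Connect": "outbound TCP connection",
    "UDP Send": "outbound UDP datagram",
}

# Registry locations whose contents run at logon; compared case-insensitively.
AUTOSTART_MARKERS = ("\\currentversion\\run",)


def triage(csv_text, process_name):
    """Return (label, path) pairs for one process's successful state changes."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "SUCCESS":
            continue                      # a failed operation changed nothing
        op = row["Operation"]
        if op == "CreateFile" and "Generic Write" in row["Detail"]:
            # CreateFile is also used for plain opens; only write opens count
            events.append(("file opened for write", row["Path"]))
        elif op in STATE_CHANGING:
            events.append((STATE_CHANGING[op], row["Path"]))
    return events


def persistence_hits(events):
    """Registry writes under autostart keys: the sign the sample survives reboot."""
    return [path for label, path in events
            if label.startswith("registry")
            and any(marker in path.lower() for marker in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    found = triage(SAMPLE_CSV, "sample.exe")
    for label, path in found:
        print(f"{label:26} {path}")
    for path in persistence_hits(found):
        print("AUTOSTART:", path)
```

Every path the script prints is a lead to verify on the infected machine, exactly as the note above says; the read-only events it hides are usually the noise that makes a raw Procmon log hard to read.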



Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates. Capture BAT monitors state changes on a low kernel level. Capture BAT provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application.




-c Captures copies of any files that might be deleted in the background, e.g. malicious files created in temp folders
-n Captures network traffic to a pcap file so that we can analyse it



Wireshark is a popular network sniffing tool that presents a clear view of packets passing over the NIC.


Some (or most) malware connects to the network, and usually via domain names rather than hard-coded IPs.

So let's analyze its network functionality.


Download –

It is used to set up a DNS server that spoofs DNS responses to controlled IPs, i.e. whatever domain name is queried, it responds with the specified IP only.

Start FakeDNS so that it returns localhost (or a controlled IP) for whatever domain name is queried, and set the system's DNS server to localhost. The malware then sends all of its communication to localhost, where we can sniff it and analyze its behavior.
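To make the spoofing concrete, here is an added example of the core of such a server, written for this page and not taken from FakeDNS or the webcast. It parses the question section of an incoming DNS query, answers every A query with the controlled address (other record types get an empty NOERROR reply so the client does not hang), and logs which name the sample asked for. The build_query helper and the name update.example.com are constructed for offline testing; serve() is the only part that touches the network and needs privileges to bind port 53.

```python
import socket
import struct


def parse_query(packet):
    """Return (transaction id, qname, qtype, end offset of the question)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, offset + 4


def build_response(query, answer_ip, ttl=60):
    """Answer any A query with answer_ip; other types get an empty reply.

    Returns (response bytes, queried name) so the caller can log the name."""
    txid, qname, qtype, qend = parse_query(query)
    question = query[12:qend]
    flags = 0x8180                       # QR=1, RD=1, RA=1, RCODE=0
    if qtype != 1:                       # not an A query: answer with no records
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question, qname
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"                # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)   # type A, class IN, TTL, rdlength
              + socket.inet_aton(answer_ip))
    return header + question + answer, qname


def build_query(name, txid=0x1234, qtype=1):
    """Constructed client query, used only for offline testing."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


def serve(answer_ip, bind=("127.0.0.1", 53)):
    """Answer every query arriving at `bind` with answer_ip until interrupted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, qname = build_response(data, answer_ip)
        except (ValueError, IndexError, struct.error):
            continue                     # malformed packet: ignore it
        print(f"{peer[0]} asked for {qname} -> {answer_ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve("127.0.0.1")
```

With the system's DNS pointed at this server, every name the sample resolves appears in the log and every connection it then makes lands on the controlled address, where Wireshark or a listening service can pick it up.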


MailPot –
Sets up a mail server on the computer.

It lets us receive the mail the malware intended to send to the attacker.
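A mail sink of this kind is a small SMTP state machine that accepts any sender and recipient and stores whatever the client sends in DATA. The following is an added example written for this page, not MailPot's code: SmtpSink.feed() takes one client line and returns the server's reply, so the exchange can be exercised offline with a constructed transcript (run_session), while SmtpHandler wires the same logic to a TCP listener. The addresses bot@infected.lab and drop@example.net are constructed.

```python
import socketserver


class SmtpSink:
    """Minimal SMTP receiver: every message is accepted and kept in memory."""

    def __init__(self):
        self.messages = []        # captured messages: sender, recipients, body
        self._from = None
        self._rcpts = []
        self._data = None         # list of body lines while in DATA mode

    def greeting(self):
        return "220 mailpot ESMTP"

    def feed(self, line):
        """Process one client line (no CRLF); return the reply line or None."""
        if self._data is not None:               # in DATA until a lone "."
            if line == ".":
                self.messages.append({"from": self._from,
                                      "to": list(self._rcpts),
                                      "body": "\n".join(self._data)})
                self._from, self._rcpts, self._data = None, [], None
                return "250 OK: queued"
            # undo SMTP dot-stuffing ("..foo" on the wire means ".foo")
            self._data.append(line[1:] if line.startswith("..") else line)
            return None                          # no reply while receiving body
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mailpot"
        if verb == "MAIL":                       # MAIL FROM:<addr>
            self._from = arg.partition(":")[2].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<addr>, may repeat
            self._rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            self._data = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"      # RSET, NOOP and anything else: keep the client talking


class SmtpHandler(socketserver.StreamRequestHandler):
    sink = SmtpSink()        # shared so captured mail survives across connections

    def handle(self):
        self.wfile.write((self.sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = self.sink.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break


def run_session(lines):
    """Drive a fresh SmtpSink with a constructed client transcript."""
    sink = SmtpSink()
    for line in lines:
        sink.feed(line)
    return sink


if __name__ == "__main__":
    # needs privileges for port 25; the sample's DNS must already point here
    with socketserver.TCPServer(("127.0.0.1", 25), SmtpHandler) as server:
        server.serve_forever()
```

Because FakeDNS already sends every hostname to the lab machine, the sample's attempt to reach its mail server ends up in this sink, and the captured message shows what it meant to exfiltrate.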


Content gathered from SANS Webcast on Introduction to Malware Analysis by Lenny Zeltser

