Malware analysis involves two approaches: Code Analysis and Behavior Analysis.
Behavior Analysis – Examines the interactions of the malware with its environment, i.e., the file system, Registry, network, etc.
It is convenient to use virtualization software such as VMware or Virtual PC to host the lab environment. It provides snapshot functionality that can be used to roll back to the original state of the machine from before the malware test case infected it.
In order to analyze the behavior we need monitoring tools that record the changes.
Detects changes in drives and Registry entries.
Prior to infection, take a snapshot:
- Check Scan Drive and set it to C:\ i.e., the primary drive
- Click 1st Shot
- Infect the system by opening the malicious program
- Click 2nd Shot
It shows you all the Registry entries modified and the files created/modified in C:\
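The file-system half of that 1st shot / 2nd shot comparison, as an added example (not code from the webcast or from any snapshot tool): hash every file under a root before and after the sample runs, then diff the two shots. The "infection" in `demo()` is a constructed sequence of file changes in a temporary directory; on a real Windows lab box the same diff would be run against the primary drive, and the Registry half would need a separate walk with `winreg`, which is not shown here.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Walk `root` and record a SHA-256 per file: the file-system part of one 'shot'."""
    shot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    shot[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                # Locked or vanished files (common while a sample is running) are skipped, not fatal.
                continue
    return shot


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare the 1st and 2nd shot: what the sample created, modified and deleted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Simulate a run in a temporary directory (constructed sample changes, not a real infection)."""
    with tempfile.TemporaryDirectory() as lab:
        os.makedirs(os.path.join(lab, "Windows", "Temp"))
        with open(os.path.join(lab, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(lab, "victim.txt"), "w") as fh:
            fh.write("original\n")
        first = snapshot(lab)  # 1st shot

        # Constructed "infection": drop a file in Temp, tamper with hosts, delete a document.
        with open(os.path.join(lab, "Windows", "Temp", "dropper.tmp"), "w") as fh:
            fh.write("MZ...")
        with open(os.path.join(lab, "hosts"), "a") as fh:
            fh.write("0.0.0.0 update.example.test\n")
        os.remove(os.path.join(lab, "victim.txt"))

        second = snapshot(lab)  # 2nd shot
        return diff_snapshots(first, second)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Anything listed under `created` or `modified` is what you then go and inspect on the infected machine itself; the hash comparison is what lets a one-byte change to a file such as `hosts` show up alongside the obvious dropped files.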
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more.
It logs all the API calls made by any process.
API calls include interaction with the Registry, file system, etc.
If you find any files created/modified or Registry keys changed, then look into those on the actual infected system.
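A Process Monitor capture is usually far too large to read by hand, so the practical step is to export it and filter for the operations that change state. The script below is an added example, not part of the webcast: it reads a CSV in the column layout of a Process Monitor export (`Time of Day`, `Process Name`, `PID`, `Operation`, `Path`, `Result`, `Detail`, assumed here from such an export) and summarises, per operation, every path that the sample process successfully wrote, set, deleted or connected to. The `SAMPLE_CSV` rows are constructed for the example and are not from a real capture.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout of a Process Monitor CSV export; not a real capture.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svc.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.2000000","sample.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svc.tmp","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.3000000","sample.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\svc.tmp"
"10:01:02.4000000","sample.exe","1234","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname","SUCCESS","Type: REG_SZ"
"10:01:02.5000000","explorer.exe","800","RegQueryValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache","SUCCESS","Type: REG_SZ"
"10:01:02.6000000","sample.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","ACCESS DENIED","Type: REG_DWORD"
"10:01:03.0000000","sample.exe","1234","TCP Connect","LAB-PC:49152 -> 203.0.113.10:443","SUCCESS","Length: 0"
'''

# Operations that change the system or talk to the network; reads and queries are noise for this pass.
CHANGE_OPS = {
    "WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
    "TCP Connect", "UDP Send",
}


def summarise(csv_text: str, process: str) -> dict:
    """Map each state-changing operation of `process` to the sorted set of paths it succeeded on."""
    summary = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in CHANGE_OPS or row["Result"] != "SUCCESS":
            continue  # reads, queries and failed attempts are left out of the triage view
        summary[row["Operation"]].add(row["Path"])
    return {op: sorted(paths) for op, paths in summary.items()}


if __name__ == "__main__":
    for op, paths in summarise(SAMPLE_CSV, "sample.exe").items():
        print(op)
        for path in paths:
            print("   ", path)
```

Keeping failed operations out of the summary is a deliberate choice for a first pass; a second pass over the `ACCESS DENIED` rows is worth doing separately, because what a sample tried and failed to change (here a Defender policy key) is itself useful behavioural evidence.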
Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates. Capture BAT monitors state changes on a low kernel level. Capture BAT provides a powerful mechanism to exclude event noise that naturally occurs on an idle system or when using a specific application.
| Option | Description |
|---|---|
| -c | Captures copies of files that might be deleted in the background, i.e., malicious files created in temp directories |
| -n | Captures pcap files so that we can analyse network traffic |
Wireshark is a popular network sniffing tool that presents a clear view of packets passing over the NIC.
Some (or most) malware samples connect to the network, and usually via domain names rather than hardcoded IPs.
So let's analyze the sample's network functionality.
FakeDNS is used to set up a DNS server that spoofs DNS responses to controlled IPs, i.e., whatever domain name is queried, it responds with the specified IP only.
Start FakeDNS so that it returns localhost 127.0.0.1 (or a controlled IP) for whatever domain name is queried, and set the DNS server of the infected machine to localhost. The malware then sends all its communication to localhost, where we can sniff it and analyze its behavior.
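What such a spoofing resolver has to do on the wire, as an added example written for this page (it is not FakeDNS's own code): parse the question out of an incoming UDP query, answer every A query with one configured IP, and print the queried name, because the list of names the sample asks for is the actual finding. `build_query` only exists to exercise the responder offline with a constructed query; `serve()` needs to bind port 53, which requires administrator rights on the lab machine.

```python
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A query; used to exercise the responder offline (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(data: bytes, offset: int):
    """Decode the label sequence at `offset`; returns (name, offset just past the terminating zero)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def build_response(query: bytes, answer_ip: str, ttl: int = 60):
    """Answer every A query with `answer_ip`. Returns (queried name, response bytes)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    if qtype != 1:
        # Non-A queries get an empty NOERROR answer so the client moves on instead of hanging.
        return name, struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one answer
    # Name as a compression pointer to offset 12 (the question), type A, class IN, TTL, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return name, header + question + answer


def answer_ip_of(response: bytes) -> str:
    """Read the A record back out of a response made by build_response (RDATA is the last 4 bytes)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else ""


def serve(listen_ip: str = "0.0.0.0", answer_ip: str = "127.0.0.1", port: int = 53):
    """Run the responder and print each queried name, which is the behaviour we want to observe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((listen_ip, port))
        while True:
            query, client = sock.recvfrom(512)
            try:
                name, response = build_response(query, answer_ip)
            except (IndexError, struct.error, UnicodeDecodeError):
                continue  # malformed packet: ignore it rather than crash the lab resolver
            print(f"{client[0]} asked for {name} -> {answer_ip}")
            sock.sendto(response, client)


if __name__ == "__main__":
    serve()
```

With the infected machine's DNS server pointed at the host running this, every connection the sample tries to make lands on the controlled IP, where the sniffer (or the mail sink below) sees it; the printed names tell you which domains the sample depends on without ever letting it reach them.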
Set up a mail server on the analysis computer.
It lets us receive the mail communication the malware intended to send to the attacker.
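The mail server only has to accept and store, so a minimal SMTP sink is enough. The code below is an added example for this page, not a tool from the webcast: `SmtpSink` is the protocol state machine (accepts any sender and recipient, captures the message body, honours dot-stuffing) and `serve()` exposes it on TCP, where the spoofed DNS from the previous step will deliver the sample's connection. Binding port 25 requires administrator rights; the test session in `<test>` drives the state machine directly with constructed lines.

```python
import socketserver


class SmtpSink:
    """Minimal SMTP state machine: accepts any sender/recipient and stores each message body."""

    def __init__(self):
        self.messages = []     # list of (sender, recipients, body) captured from the client
        self._sender = None
        self._rcpts = []
        self._data = None      # list of body lines while inside DATA, else None

    def greeting(self) -> str:
        return "220 mailsink ESMTP ready"

    def handle_line(self, line: str):
        """Return the reply for one client line (without CRLF), or None while reading DATA."""
        if self._data is not None:
            if line == ".":
                self.messages.append((self._sender, list(self._rcpts), "\n".join(self._data)))
                self._data, self._sender, self._rcpts = None, None, []
                return "250 OK: message captured"
            # RFC 5321 dot-stuffing: a line starting with ".." carries a literal leading "."
            self._data.append(line[1:] if line.startswith("..") else line)
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mailsink"
        if verb == "MAIL":
            self._sender = line.split(":", 1)[1].strip() if ":" in line else ""
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(line.split(":", 1)[1].strip() if ":" in line else "")
            return "250 OK"
        if verb == "DATA":
            self._data = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"  # RSET, NOOP and anything unexpected: stay permissive so the client keeps talking


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.greeting() + "\r\n").encode())
        for raw in self.rfile:
            reply = sink.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for sender, rcpts, body in sink.messages:
            print(f"captured mail from {sender} to {rcpts}:\n{body}\n")


def serve(host: str = "0.0.0.0", port: int = 25):
    """Accept connections until interrupted; each captured message is printed by the handler."""
    with socketserver.ThreadingTCPServer((host, port), SinkHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The captured body is what the sample would have exfiltrated (stolen data, a beacon, a report), so it goes into the analysis notes alongside the domain names the DNS step recorded; nothing is ever relayed onward.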
Content gathered from SANS Webcast on Introduction to Malware Analysis by Lenny Zeltser