Virology: Dynamic Malware Analysis
Dynamic software analysis is analysis performed while the software itself is running. Dynamic analysis is the second step in the study of malware, after the initial static analysis. Static analysis can come to a standstill if the malware is protected, while dynamic analysis gets around this problem.
Dynamic analysis lets you determine what the program does during execution and track the changes it makes to the system. But this also carries great risk, because the analysis system is exposed to infection. Therefore, a test environment (a virtual operating system) is required to perform dynamic analysis of a program.
Test environment
A virtual machine is best suited as a test environment (there are also sandboxes, but they have drawbacks of their own, which I won't write about here). A virtual machine provides complete isolation of the running environment using virtualization methods. VMware or VirtualBox are best suited for our purposes. The main advantage of a virtual machine is that at the end of the analysis you can return the virtual system to its clean state. But virtual machines still do not completely protect your computer from malware.
Malicious software can break out of a virtual environment and infect your physical system; it could do this by exploiting a software vulnerability. To reduce this risk, install the latest version of the required operating system, keep the virtual machine from accessing any removable media and physical disks, and do not store any data on the virtual machine.
Process Monitor
Process Monitor ( https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ) is a dynamic process analyzer that shows registry, file system, process and thread activity in real time. By default, this program monitors all processes, but you can use filtering (CTRL+L) or search (CTRL+F) to reduce the amount of unwanted information.
Noriben
Noriben ( https://github.com/Rurik/Noriben ) is a Python script that works in conjunction with Process Monitor to automatically collect, analyze and report runtime indicators of malware. Noriben includes additional filters to remove unnecessary information when monitoring processes.
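To show what the Process Monitor filtering and the Noriben-style reporting described above amount to in practice, here is an added example (it is not code from the article or from the Noriben project). It assumes the default column layout Process Monitor writes when you save a capture as CSV (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the log lines, the process name sample.exe and the small noise whitelist are constructed for illustration.

```python
"""Filter and summarise a Process Monitor CSV export (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export; not a real capture.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 51,200"
"10:01:02.3","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:01:02.4","sample.exe","4120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.5","sample.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c whoami"
"10:01:02.6","svchost.exe","912","RegQueryValue","HKLM\\SYSTEM\\Setup\\SystemSetupInProgress","SUCCESS","Type: REG_DWORD"
"10:01:02.7","explorer.exe","3020","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.8","sample.exe","4120","TCP Connect","lab-pc:49720 -> 203.0.113.10:80","SUCCESS","Length: 0"
'''

# Processes that produce routine background noise in a lab VM. This is a
# constructed, deliberately short list; Noriben ships a much longer whitelist.
NOISE_PROCESSES = {"svchost.exe", "explorer.exe", "procmon.exe", "procmon64.exe"}

# Only state-changing operations go into a behaviour report; reads and
# queries are dropped, which is where most of the volume comes from.
INTERESTING_OPS = {
    "WriteFile": "files_written",
    "SetDispositionInformationFile": "files_deleted",
    "RegSetValue": "registry_set",
    "RegDeleteValue": "registry_deleted",
    "Process Create": "processes_created",
    "TCP Connect": "network_connections",
    "UDP Send": "network_connections",
}


def parse_procmon_csv(text):
    """Return one dict per event from a Procmon CSV export."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, noise=NOISE_PROCESSES, ops=INTERESTING_OPS):
    """Keep successful state-changing events from non-whitelisted processes."""
    kept = []
    for ev in events:
        if ev["Process Name"].lower() in noise:
            continue
        if ev["Operation"] not in ops:
            continue
        if ev["Result"] != "SUCCESS":
            continue
        kept.append(ev)
    return kept


def build_report(events):
    """Group the filtered events into a Noriben-style behaviour summary."""
    report = defaultdict(list)
    for ev in filter_events(events):
        category = INTERESTING_OPS[ev["Operation"]]
        report[category].append((ev["Process Name"], ev["PID"], ev["Path"]))
    return dict(report)


def flag_persistence(events):
    """Return writes under a Run key, the most common persistence indicator."""
    run_key = "\\currentversion\\run\\"
    return [ev["Path"] for ev in filter_events(events)
            if ev["Operation"] == "RegSetValue" and run_key in ev["Path"].lower()]


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    for category, items in build_report(events).items():
        print(f"[{category}]")
        for proc, pid, path in items:
            print(f"  {proc} ({pid}): {path}")
    print("[persistence]", flag_persistence(events))
```

Of the eight constructed events, only four survive the filter: the file write, the Run-key write, the child process and the outbound connection. That is the same reduction Process Monitor's CTRL+L filter gives you interactively; scripting it is what makes the result repeatable across samples.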
Process Hacker
Process Hacker ( https://github.com/processhacker/processhacker/releases ) is a tool for monitoring processes and studying them.
Process Hacker has extensive functionality: monitoring disk activity and network activity, process start times and run times, managing process parameters, and much more that helps in studying a malicious process.
Regshot
Regshot ( https://sourceforge.net/projects/regshot/ ) is a utility that takes a snapshot of the registry and compares it with a second snapshot taken after installing or running the program. Regshot does not have much functionality, but it is one of those programs that belongs on everyone's must-have list.
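The comparison Regshot performs is a set difference between two captures of the same hive, reported as keys and values added, deleted and modified. The following is an added example of that comparison, not Regshot's own code: a snapshot is modelled as a dictionary of key path to value-name to (type, data), and the two snapshots below are constructed to stand in for a "before" and "after" capture around running a sample.

```python
"""Two-snapshot registry comparison in the style of a Regshot report (added example)."""


def diff_snapshots(before, after):
    """Return the five change lists a Regshot report contains.

    Values under a key that appears or disappears entirely are counted as
    added/deleted values as well, which is how Regshot reports them.
    """
    result = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": []}
    for key in sorted(set(after) - set(before)):
        result["keys_added"].append(key)
        for name in sorted(after[key]):
            result["values_added"].append(f"{key}\\{name}")
    for key in sorted(set(before) - set(after)):
        result["keys_deleted"].append(key)
        for name in sorted(before[key]):
            result["values_deleted"].append(f"{key}\\{name}")
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        for name in sorted(set(new) - set(old)):
            result["values_added"].append(f"{key}\\{name}")
        for name in sorted(set(old) - set(new)):
            result["values_deleted"].append(f"{key}\\{name}")
        for name in sorted(set(old) & set(new)):
            if old[name] != new[name]:  # type or data changed
                result["values_modified"].append(f"{key}\\{name}")
    return result


def format_report(diff):
    """Render the diff as plain text, one section per change category."""
    lines = []
    for section, entries in diff.items():
        lines.append(f"{section.replace('_', ' ').title()}: {len(entries)}")
        lines.extend(f"  {entry}" for entry in entries)
    return "\n".join(lines)


# Constructed snapshots (not real captures); paths are typical HKCU locations.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

BEFORE = {
    RUN: {"OneDrive": ("REG_SZ", r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe")},
    ADVANCED: {"Hidden": ("REG_DWORD", 1), "ShowSuperHidden": ("REG_DWORD", 0)},
    r"HKCU\Software\TempVendor": {"Installed": ("REG_DWORD", 1)},
}
AFTER = {
    RUN: {
        "OneDrive": ("REG_SZ", r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        "svc": ("REG_SZ", r"C:\Users\lab\AppData\Roaming\svc.exe"),  # new autostart entry
    },
    ADVANCED: {"Hidden": ("REG_DWORD", 2), "ShowSuperHidden": ("REG_DWORD", 0)},  # Hidden changed
    r"HKCU\Software\SampleCfg": {"Id": ("REG_SZ", "a1b2c3")},  # new key
}

if __name__ == "__main__":
    print(format_report(diff_snapshots(BEFORE, AFTER)))
```

On the constructed data the report shows one key added, one deleted, two values added (one of them under the Run key), one value deleted and one modified. Everything that is identical in both snapshots, which in a real capture is the overwhelming majority of the hive, never appears in the output; that is the whole point of the snapshot-and-compare approach.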
Wireshark
Wireshark ( https://www.wireshark.org/download.html ) is a network traffic sniffer that supports examining individual packets and streams. It does not work by proxying and is able to capture network traffic from all processes. Wireshark (like any other sniffer) is not able to decrypt SSL traffic, but, on the other hand, malware rarely uses a secure connection. To start capturing network traffic, select the active network interface and click the Capture button.
To view all captured HTTP traffic, go to File - Export Objects - HTTP.
Any.run
Great online tool for dynamic analysis.
Summary
After reading this topic, you will understand what dynamic analysis is and how to perform it, and you will have become acquainted with some analysis tools. Of course, I have not fully described how the utilities work, the stages of analysis, and other subtleties; you should learn these yourself, first of all in practice. You can get malware samples for your practical work at https://www.hybrid-analysis.com/ , but you need to register.