Okay, at this point your lab should be set up, and you are itching to dive into some malware. (If not go back and check out my previous posts ).
In this post, we are going to explore the different techniques and processes you can go through to analyse a sample.
Depending on the job, and how much information you are looking to gain will determine what processes you go through. Each process has their own Pros and Cons and each process makes the malware reveal different information to you.
So lets get stuck in!
Firstly, but pretty straight forward. Know the difference between “static” and “dynamic” analysis. During static analysis you are looking at a sample without actually executing it, nothing can change in the sample. you are getting a look at the raw information. During dynamic analysis, you are letting the sample run, either controlled or not and seeing how it behaves.
Static properties Analysis
Often the first place an analyst will look, and can be a great place to base the rest of your analysis on, are the “static” properties of a sample. These are things like the HASH of the file, certificates, strings, imports and exports, if the sample is packed, how it was compiled, when it was created. The list can go on.
All of this information can help you build a picture of what the sample may be capable of. It can also verify if you want to spend more time analysising it.
Below is a screenshot of a programme called PeStudio, it allows you to view multiple static properties in one place. Looking at the output of the strings we can already see, a user agent string, API calls, registry key, and temp filename.
Although a lot can be seen here, not all the information can be trusted. A malware author could add misleading information into the sample or hide some of the properties by packing the sample.
Use static properties analysis to formulate theories about a sample and to help guide you through further analysis.
Behavioural analysis allows us to monitor the malware as it actually executes. In the simplest terms your, are clicking that malicious looking executable and seeing what happens (In a controlled environment!).
During Behavioural analysis you are looking to see what the malware does to your machine, below are some of the things we will be able to monitor.
- Network Activity – Does it try to connect to a specific domain or IP
- File manipulation – Does it try to write new files or delete existing one
- Persistence – Does it move to other location on the disk, Create Scheduled tasks
- Registry – what keys are changed, accessed or created
There are many tools available to spy on the malware as its being run and i will discuss a few of my favourites.
WireShark is a free network monitoring tool, it is installed on REMNux. With WireShark running on you lab, you will be able to see all the traffic your infected machine sends out. This could be DNS traffic, HTTP traffic, Application Traffic. This information can be used to create IOCs to check for possible infections on production networks.
Process monitor is a free, powerful tool from Microsoft. It allows you to monitor all system level events, from registry key activity, file system activity and Process activity. It can be a very noisy tool, producing 1000’s of results in a few seconds. The below image show the results after just 5 seconds, with 122,129 events recorded.
All the events are recorded in real-time and ordered chronologically. It is possible to filter out unwanted noise and step through each event to get a picture of what is happening on your system, but this can be extremely time consuming and not very practical. Luckily there is another tool that can take the recorded output from Process Monitor and display is in a more user friendly way.
ProDOT takes the recorded information from Process Monitor as a .CSV file and displays the output in a graphical manner, making it easy to see what Process Monitor recorded.
As you can see above, you are able to single out a process and see what actions that process has taken. There is also a timeline bar at the bottom so you are able to step through and see what order things have happened in.
Although you are able to see registry changes within ProcDOT, you may have to view multiple processes to get a full picture of all the changes. With RegShot, you are able to have the picture of the entire registry at once.
RegShot first takes a complete capture of your registry before your machine has been infected. Then once the malware has been executed, a second capture is taken and the two are compared. All the changes are shown in a simple text file. You have to do a little analysis on the results to verify them as Windows likes to conduct legitimate actions in the background.
Dynamic analysis is the simplest way to find out what a sample does, providing everything is set up to allow the sample to run. For example, if the sample attempts to contact a server over DNS, you will need to provide it a fake DNS server to trick the malware to continue execution, the same with a HTTP request. Tools are available on REMNux such as FakeDNS and InetSim that can help with this, and these tools will be discussed in future posts.
There is also the potential to miss information this way, for example if the malware is set up to cycle through a list of domains until it gets a connection, By providing the connection you may not see all the IOCs.
Finally malware authors are familiar with analysis tools and techniques and will add code that will try and detect the use of certain tools, or the fact they are being ran in a VM. This is where you will need to look at the actual Assembly code of the sample at attempt work out what it is doing and possible patch it so it will dynamically run in your lab.
In the next post i’ll take you through some of the fundamentals of code analysis and introduce some tools that can be used to analyse the Assembly code of malware.