Intro to Malware Dynamic Analysis: Part 5
By John Hubbard
This is the first post in a wonderfully enlightening series of five. A new post will be posted every Thursday until they’re all posted.
Unlike the network portion of this analysis, which is generally going to be the same for most malware, there are a multitude of ways to go about identifying host changes. Tools for host analysis are numerous, so to make it easy, I’ll highlight only a few of the main tasks here. Once you become more familiar with analysis, you can deep dive into the more specific tools for use cases and equip your analysis VMs with these capabilities as well. The main host-centric things you need to know are what files the malware drops or changes, any registry modifications it made, what process it runs as, and how it persists.
For persistence, the SysInternals Autoruns tool is a great place to start. In your Windows snapshot, take a baseline of the system in the clean state and save this in your “Analysis Ready” snapshot. Then, after the virus is run, use Autoruns again, and use the compare functionality to easily highlight any differences in the list. If this shows nothing, either your virus does not persist, or you may need to use one of the further methods to identify it. See the photos below for an example of the list before and after comparison – that was easy!
The second item to investigate is what processes are started by the virus and the command line arguments that are used when starting them. I usually go about gathering this in three ways. In my Windows setup, I install the SysInternals Sysmon tool and have it record all the items that it can. This leaves a detailed trail of every process creation event, with time stamps, hashes, and parent process IDs, that can be followed in the Windows event log. If configured to do so, it can also log network connections and registry changes.
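As an added example (not part of the original post), here is a small Python parser that turns Sysmon Event ID 1 XML records, as they appear in the Windows event log, into the parent/child process trail described above. The events are constructed for illustration, the GUIDs are placeholders, and the field names follow Sysmon's EventData schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine",
          "Hashes", "ParentProcessGuid", "ParentImage")

def parse_event(xml_text):
    """Return the EventData fields of an Event ID 1 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    rec = {k: data.get(k, "") for k in FIELDS}
    # Sysmon writes Hashes as "ALG=hex,ALG=hex"; split it so a SHA256 lookup is one dict access.
    rec["Hashes"] = dict(p.split("=", 1) for p in rec["Hashes"].split(",") if "=" in p)
    return rec

def build_tree(events):
    """Index records by ProcessGuid and group them under their ParentProcessGuid."""
    by_guid, children = {}, {}
    for rec in filter(None, (parse_event(e) for e in events)):
        by_guid[rec["ProcessGuid"]] = rec
        children.setdefault(rec["ParentProcessGuid"], []).append(rec)
    return by_guid, children

def descendants(children, guid):
    """Every process spawned directly or indirectly by the process with this GUID."""
    out = []
    for child in children.get(guid, []):
        out.append(child)
        out.extend(descendants(children, child["ProcessGuid"]))
    return out

# --- Constructed sample events (not real telemetry); GUIDs such as {G-1} are placeholders. ---
_TPL = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>{eid}</EventID></System><EventData>{data}</EventData></Event>')

def _event(eid, **fields):
    return _TPL.format(eid=eid, data="".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items()))

SAMPLE_EVENTS = [  # explorer.exe -> sample.exe -> cmd.exe -> reg.exe, plus one Event ID 3 the parser must skip
    _event(1, UtcTime="2017-05-12 10:01:02.100", ProcessGuid="{G-1}", ProcessId="1200", Hashes="SHA256=" + "a" * 64,
           Image=r"C:\Users\lab\sample.exe", CommandLine="sample.exe", ParentProcessGuid="{G-0}", ParentImage=r"C:\Windows\explorer.exe"),
    _event(1, UtcTime="2017-05-12 10:01:03.500", ProcessGuid="{G-2}", ProcessId="1304", Hashes="SHA256=" + "b" * 64,
           Image=r"C:\Windows\System32\cmd.exe", CommandLine=r"cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd",
           ParentProcessGuid="{G-1}", ParentImage=r"C:\Users\lab\sample.exe"),
    _event(3, UtcTime="2017-05-12 10:01:03.900", ProcessGuid="{G-1}", DestinationIp="203.0.113.7"),
    _event(1, UtcTime="2017-05-12 10:01:04.000", ProcessGuid="{G-3}", ProcessId="1388", Hashes="SHA256=" + "c" * 64,
           Image=r"C:\Windows\System32\reg.exe", CommandLine=r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd",
           ParentProcessGuid="{G-2}", ParentImage=r"C:\Windows\System32\cmd.exe"),
]
```

Walking `descendants(children, guid)` from the sample's GUID gives the full chain the malware spawned, each record carrying the hash and command line you will want to copy into your notes.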
The second tool is a little more hardcore. If you want to know every single API call made by malware, for the real nitty-gritty detail of the actions performed, the SysInternals Process Monitor tool can be started just before infection. After activity stops, the output can be analyzed to see what was done at an incredibly granular level. This tool deserves an article of its own. Just be aware that it records an overwhelming level of detail on everything that happened on the system.
The third tool I like to leave running is SysInternals Process Explorer. This is basically a high-power Task Manager. It allows you to visually identify new processes created when the virus is run, as well as one other key feature: strings! Be aware that many malware samples come in a packed form to resist static analysis. These packed viruses, however, must unpack and decode themselves in memory to be able to run. Opening the malicious or injected process in Process Explorer allows you to view the strings of the process in memory. This will often reveal all the command and control domains, registry keys, and file names it interacts with, in easy, non-obfuscated form.
Performing static analysis inside a dynamic analysis, how's that for fun? Be sure to record any IPs and domains found in case any of them were missed during the network analysis. Here's a shot from my WannaCry analysis. You can see Process Monitor showing file writes (a technique covered shortly), Process Explorer showing the WannaCry processes, and the in-memory strings of WannaCry giving hints to some IP addresses used, HTTP requests, and the fact that Tor is probably in play.
The third item is identifying registry changes, and files dropped or modified. One simple tool for identifying registry changes is Regshot. Like Autoruns, you take and save a snapshot of the registry in a clean state. After infection, you run the tool again and see what has changed. There can be a lot of noise as Windows is constantly doing things in the registry. Some tools are available like CaptureBAT or pre-made Process Monitor filters that will attempt to filter this out for you. The use of a combination of information from Sysmon, Regshot, Autoruns, and Process Monitor should be able to steer you in the right direction here.
For file modifications, Process Monitor can get you started. Once again, there are TONS of tools to help do this. Since we already have Process Monitor going, here's how to do it. Set up a filter for "Operation is WriteFile" as shown in the example photo below. The excludes aren't necessary, they just help filter noise, but notice how the single new file is easily highlighted in the output below. A similar move can be done for registry keys written or created by setting a filter for Operation is "RegCreateKey" or "RegSetValue".
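The same WriteFile / RegCreateKey / RegSetValue filtering, applied offline to a Process Monitor CSV export so the registry and file findings from this and the previous paragraph land in one per-process summary. This is an added example, not code from the post; the column layout follows ProcMon's File > Save CSV output, the sample rows are constructed, and the noise-process list is an assumption you should tune to your own VM baseline.

```python
import csv, io

# ProcMon operation name -> bucket in the summary
WRITE_OPS = {"WriteFile": "file_writes", "RegCreateKey": "reg_keys", "RegSetValue": "reg_values"}
# Processes treated as background noise (assumption: tune this to your own clean-snapshot baseline).
NOISE = {"svchost.exe", "explorer.exe", "searchindexer.exe"}

def summarise_writes(csv_text, exclude=NOISE, result="SUCCESS"):
    """Group successful write-type operations from a ProcMon CSV export by process name and PID."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        # Keep only the three write operations, only successful ones, and only non-noise processes.
        if op not in WRITE_OPS or row["Result"] != result or row["Process Name"].lower() in exclude:
            continue
        key = f'{row["Process Name"]}:{row["PID"]}'
        buckets = summary.setdefault(key, {name: set() for name in WRITE_OPS.values()})
        buckets[WRITE_OPS[op]].add(row["Path"])
    return summary

def report(summary):
    """Flatten the summary into sorted 'process  bucket  path' lines for your analysis notes."""
    return sorted(f"{proc}  {bucket}  {path}"
                  for proc, buckets in summary.items()
                  for bucket, paths in buckets.items() for path in paths)

# Constructed sample export in ProcMon's CSV column layout (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","1200","CreateFile","C:\Users\lab\AppData\Roaming\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.1301234 AM","sample.exe","1200","WriteFile","C:\Users\lab\AppData\Roaming\upd.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.2000000 AM","sample.exe","1200","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"10:01:02.2100000 AM","sample.exe","1200","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Users\lab\AppData\Roaming\upd.exe"
"10:01:02.3000000 AM","svchost.exe","812","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Something","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.4000000 AM","sample.exe","1200","WriteFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED",""
'''
```

Passing `exclude=set()` brings the noise processes back into the summary, which is the quickest way to check that your exclusion list is not hiding something the malware did through a legitimate host process.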
Indicators of Compromise (IOCs)
Following this host analysis, you'll be well equipped to find the indicators of compromise on a host PC. If necessary, you can manually kill the virus and remove all files dropped! You could even go further and write Yara rules, IDS signatures, or other signatures that might help you detect these in your environment.
At this point we have a very well-defined piece of malware! We know all the domain names and IP addresses it contacts and what port it uses to communicate with them. We know what protocol it speaks on that port, and we have a record of what it says at the application layer. In addition, we could likely manually reverse all the actions taken by killing the malware's process. A good analyst would remove all the dropped files and kill any persistence mechanisms! This was a light overview of the dynamic analysis process, but having this level of definition of a piece of malware is likely to give you the ammunition to block and remove it from your environment!
Hopefully you found this interesting, learned something along the way, and now have an idea of how malware dynamic analysis works. If you're interested in going deeper into malware reversing, I can't recommend the previously mentioned SANS FOR610 class enough. Lenny not only teaches this process in much greater depth; he also dives deep into static analysis with IDA and OllyDbg. It really is a must-take for any aspiring malware analyst. It opened this universe for me back when I took it in 2014. If you're interested in some of my other tutorials, come check out my blog at 909research.com where I write about malware, as well as threat hunting, virtualization and more. If you've made it this far, thanks for sticking with me. I wish you luck on your journey into malware analysis!
John is a dedicated blue-teamer and is driven to help develop defensive talent around the world. Through his years of experience as the SOC Lead for GlaxoSmithKline, he has real-world, first-hand knowledge of what it takes to defend an organization against advanced cyber-attacks and is eager to share these lessons with his students. As a SANS Cyber Defense curriculum instructor and course author of SEC455, John specializes in threat hunting, network security monitoring, SIEM design and optimization, and constructing defensive postures that allow organizations to protect their most sensitive data. Throughout class, he works with students to explain difficult concepts in relatable and clear language. He illustrates important ideas with stories and demonstrations. John encourages students to push themselves beyond the limit of what they thought possible.
John holds degrees in Electrical and Computer Engineering. His past research spans from malware reverse-engineering to car hacking, mobile app security, and IoT devices. In his free time, John enjoys catching every InfoSec conference he can attend, FPV drone racing, and coffee roasting. John is slowly turning his home into a data center.