
Malware Analysis

Practical Malware Analysis – Part 2


Dynamic Analysis
1. Goals of Malware Analysis
2. Signature types
3. Rules of Analysis
4. Basic Static Analysis tools
5. Labs (Review)
All rights reserved
Dynamic Malware Analysis
 Dynamic malware analysis is the second step
– Normally performed when basic static analysis reaches a dead end
– An efficient, quick and reliable way of learning what the malware does
 Dynamic analysis also has associated risks and shortcomings
– Running the sample can put your system and network at risk
– Not every code path gets executed on every run
• Some code runs only under certain predefined conditions (for example a particular command-line argument or a command from the C&C server)
 Advanced static or dynamic analysis may be needed to learn the full functionality of the malware

Malware Analysis - Riphah International University 2


Sandboxes
 A sandbox is a security mechanism for running untrusted code in a contained environment
– Without risk of damage to the analysis system
 A malware sandbox is a virtual environment that also provides the network services the malware expects
– Much like a virtual machine running an entire OS in isolation, but with monitoring and fake services built in
 Many free web-based sandboxes are available
– Examples: Norman, GFI, Anubis, Joe, ThreatExpert, BitBlaze, Comodo Instant Malware Analysis etc.
• Norman and GFI are the more popular ones and are probably also sold commercially
GFI Sandbox
 Analysis Summary consists of:
– Static analysis information and an overview of the dynamic analysis
 File Activity lists:
– Files created, deleted or opened by the malware process
 Created Mutexes lists:
– Mutexes created by the malware
 Registry Activity lists:
– Changes made to the registry
 Network Activity consists of:
– Listening ports set up by the malware and its DNS activity
 VirusTotal lists the results of the virus scans done by VirusTotal

Sandbox Drawbacks
 Drawbacks of sandboxes
– Cannot run the malware with command-line arguments, so code paths that depend on an argument never execute
– If the malware waits for a command from its C&C server, that functionality will not run within the sandbox
– Malware that sleeps for a long period before doing anything may exceed the sandbox's run time, so the interesting behaviour is never recorded
– Malware with anti-VM techniques detects the sandbox and changes its behaviour
– Certain malware needs specific registry keys to be present before it will run

Basic Dynamic Analysis
HOW TO RUN MALWARE?

Running Malware
 Running EXE files is simple
– Double-click, or run from the command line
 Running DLL files
– Windows cannot run a DLL directly; rundll32.exe loads it and calls the export named in its export argument (rundll32.exe DLLname,ExportName arguments)
• The export can be referred to by function name or by ordinal (ordinals are written with a leading #)

Running Malware
 DllMain is executed when the DLL is loaded
– rundll32.exe forces the DLL to load, so DllMain runs even before the named export is called
 A DLL can also be turned into an EXE file
– Modify the PE header and change the file extension
 Modifying the PE header
– Clear the IMAGE_FILE_DLL flag in the Characteristics field of IMAGE_FILE_HEADER
• This does not make the imported functions work and the binary may crash
– DllMain is still executed before any crash, so some information can still be collected
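The header patch described above, as an added example (not code from the slides or the book): it locates IMAGE_FILE_HEADER through e_lfanew, clears the IMAGE_FILE_DLL bit in Characteristics and writes the result to a new file that you then rename to .exe. The fake_dll_image() helper builds a header-only sample so the script can be exercised offline; it is constructed test data, not a real DLL.

```python
"""Clear IMAGE_FILE_DLL so a DLL can be launched like an EXE (DllMain still runs)."""
import struct
import sys

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE_SIGNATURE = b"PE\0\0"


def characteristics_offset(data: bytes) -> int:
    """Offset of IMAGE_FILE_HEADER.Characteristics, found via e_lfanew (DOS header +0x3C)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) = 18 bytes before it.
    return e_lfanew + 4 + 18


def get_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, characteristics_offset(data))[0]


def is_dll(data: bytes) -> bool:
    return bool(get_characteristics(data) & IMAGE_FILE_DLL)


def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of the file with IMAGE_FILE_DLL cleared; nothing else is touched."""
    offset = characteristics_offset(data)
    patched = bytearray(data)
    struct.pack_into("<H", patched, offset, get_characteristics(data) & ~IMAGE_FILE_DLL)
    return bytes(patched)


def fake_dll_image(characteristics: int = 0x2102) -> bytes:
    """Constructed header-only sample: DOS header with e_lfanew=0x40, then PE signature
    and an IMAGE_FILE_HEADER (i386, 1 section, 0xE0-byte optional header).
    0x2102 = IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    # usage: python dll2exe.py sample.dll sample_as_exe.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as fh:
        blob = fh.read()
    print("Characteristics before: 0x%04X (DLL=%s)" % (get_characteristics(blob), is_dll(blob)))
    with open(dst, "wb") as fh:
        fh.write(clear_dll_flag(blob))
    print("wrote", dst)
```

Only the one flag is flipped, so the loader still treats the entry point as DllMain; the imports, relocations and the missing command-line expectations of a real EXE are why the result may crash once DllMain returns.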

Running Malware
 Running malware as a service
– Malware that installs itself as a service is usually a DLL; rundll32.exe can force it to load and call the export that does the installation
 The service may also need command-line arguments
– If there is no explicit function for installing it as a service, use the Windows sc command to create the service (see book)

Basic Dynamic Analysis
PROCESS MONITORING

Process Monitoring – Process Monitor
 An advanced tool for process monitoring
– Also known as procmon
– A combination of two earlier Sysinternals tools, FileMon and RegMon
 procmon can monitor
– Registry, file system, network and process/thread activity
 Drawbacks of procmon
– Cannot monitor device-driver related activity
• Example: user-mode malware talking to a rootkit through the device I/O interface
– Behaviour is inconsistent across different Windows versions

Process Monitoring – Process Monitor
 Running procmon for a long period can make the VM run out of memory and eventually crash
– Use File -> Capture Events to toggle capturing, and start capturing only just before running the malware
– Clear the display before starting, so only the malware's events are in the log
(Screenshot: procmon capture of mm32.exe)

Process Monitoring – Process Monitor (Filters)
 The filtering option in procmon can be used to short-list entries based on:
– the executable/process name, or the operation (system call) performed

Process Monitoring – Process Monitor (Filters)
(Screenshot: procmon display after applying the filter)

Process Monitoring – Process Monitor (Filters)
 Filters on the toolbar
– Registry: by examining registry operations, you can tell how a piece of malware installs itself in the registry
– File system: exploring file system interaction shows all files that the malware creates or configuration files it uses
– Process activity: investigating process activity tells you whether the malware spawned additional processes
– Network: identifying network connections shows any ports on which the malware is listening
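The same four filter classes applied to a procmon CSV export, as an added example (not code from the slides or from Sysinternals). The column names follow procmon's default CSV export layout (an assumption); the seven events, the process name mm32.exe and the PIDs are constructed to mirror the screenshot, not captured data. Beyond the toolbar buttons it also follows the "Process Create" events so the child process spawned by the malware is included, which a plain "Process Name is mm32.exe" filter would miss.

```python
"""Filter a Process Monitor CSV export the way the Filter dialog and toolbar do."""
import csv
import io

# Constructed sample in procmon's default CSV column layout (assumed column names).
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mm32.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ckr","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\WINDOWS\\system32\\ckr.exe"
"10:01:02.2","mm32.exe","1234","CreateFile","C:\\WINDOWS\\system32\\ckr.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","mm32.exe","1234","WriteFile","C:\\WINDOWS\\system32\\ckr.exe","SUCCESS","Offset: 0, Length: 24,576"
"10:01:02.4","mm32.exe","1234","Process Create","C:\\WINDOWS\\system32\\ckr.exe","SUCCESS","PID: 2345, Command line: C:\\WINDOWS\\system32\\ckr.exe"
"10:01:02.5","ckr.exe","2345","TCP Connect","MALWAREANALYSIS:1045 -> 10.0.0.5:443","SUCCESS","Length: 0"
"10:01:02.6","explorer.exe","876","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState","SUCCESS","Type: REG_BINARY"
"10:01:02.7","mm32.exe","1234","Load Image","C:\\WINDOWS\\system32\\ws2_32.dll","SUCCESS","Image Base: 0x71ab0000"
'''


def classify(operation: str) -> str:
    """Map a procmon operation name to the toolbar class it belongs to."""
    if operation.startswith("Reg"):
        return "Registry"
    if operation.startswith(("Process ", "Thread ", "Load Image")):
        return "Process"
    if operation.startswith(("TCP ", "UDP ")):
        return "Network"
    if "File" in operation:          # CreateFile, WriteFile, QueryInformationFile, ...
        return "File system"
    return "Other"                   # e.g. profiling events


def load_events(csv_text: str):
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_events(rows, process_name=None, classes=None, path_contains=None, pids=None):
    """Mimic 'Process Name is X', the toolbar class buttons, 'Path contains' and a PID set."""
    out = []
    for row in rows:
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if pids and row["PID"] not in pids:
            continue
        if classes and classify(row["Operation"]) not in classes:
            continue
        if path_contains and path_contains.lower() not in row["Path"].lower():
            continue
        out.append(row)
    return out


def spawned_pids(rows, process_name):
    """PIDs of processes the malware created, taken from 'Process Create' Detail text."""
    pids = []
    for row in filter_events(rows, process_name, {"Process"}):
        if row["Operation"] == "Process Create" and "PID:" in row["Detail"]:
            pids.append(row["Detail"].split("PID:")[1].split(",")[0].strip())
    return pids


def process_tree_events(rows, process_name):
    """Events of the malware plus every process it spawned (one level deep)."""
    pids = {row["PID"] for row in rows if row["Process Name"].lower() == process_name.lower()}
    pids |= set(spawned_pids(rows, process_name))
    return filter_events(rows, pids=pids)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for row in process_tree_events(events, "mm32.exe"):
        print(f'{classify(row["Operation"]):<11} {row["Process Name"]:<13} '
              f'{row["Operation"]:<16} {row["Path"]}')
```

Running it prints six of the seven events: the explorer.exe noise is dropped, while the TCP Connect from ckr.exe stays in because 2345 was learned from the parent's Process Create event.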

Process Monitoring – Process Explorer
 Process Explorer is a free tool from Microsoft (Sysinternals) used to:
– List active processes, the DLLs loaded by each process, various process properties and overall system information
– Kill processes, launch and validate processes, force a logout etc.
 Process Explorer lists processes in a tree format
– Showing the parent-child relationships

Process Monitoring – Process Explorer
(Screenshot of the Process Explorer tree view: child processes are shown indented under their parent; services processes, new processes and terminated processes are highlighted in different colours)
Process Monitoring – Process Explorer
 Double-click on a process to bring up its Properties window
 Verify that the image on disk is a Microsoft-signed binary (the Verify button on the Image tab)
 Malware often modifies or replaces legitimate binary files
o Malware may also replace the in-memory image of a process, so a valid signature on the disk image does not prove that the running process is clean

Process Monitoring – Process Explorer
The Process Explorer Strings tab shows strings in the image on disk (left) versus strings in memory (right) for an active svchost.exe
(Drastic differences between the two indicate in-memory process replacement)

Process Monitoring – Process Explorer
 Process Explorer also allows you to launch Dependency Walker
– Right-click on a process and choose Launch Depends
 Process Explorer can also search for a DLL across all running processes (Find -> Find Handle or DLL)
– Useful if we have a malicious DLL on disk and want to know whether any running process uses it
 Can also compare the list of DLLs used by a running process with the imports shown by Dependency Walker
– Shows whether any DLL was loaded by the process at run time, after the initial load (e.g. via LoadLibrary)

Comparing Registry Snapshots - Regshot
 Regshot - a tool to take snapshots of the registry and compare them
– Take the first shot before running the malware and the second shot after it has run, then compare the two

Comparing Registry Snapshots - Regshot
Regshot
Comments:
Datetime: <date>
Computer: MALWAREANALYSIS
Username: username
----------------------------------
Keys added: 0
----------------------------------
Values added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckr: C:\WINDOWS\system32\ckr.exe
...
...
----------------------------------
Values modified: 2
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 00 43 7C 25 9C 68 DE 59 C6 C8 9D C3 1D E6 DC 87 1C 3A C4 E4 D9 0A B1 BA C1 FB 80 EB 83 25 74 C4 C5 E2 2F CE 4E E8 AC C8 49 E8 E8 10 3F 13 F6 A1 72 92 28 8A 01 3A 16 52 86 36 12 3C C7 EB 5F 99 19 1D 80 8C 8E BD 58 3A DB 18 06 3D 14 8F 22 A4
...
----------------------------------
Total changes: 5
----------------------------------
Listing 3-1: Regshot comparison results
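The comparison Regshot performs, as an added example (not Regshot's code): two snapshots modelled as key -> {value name: data} dictionaries are diffed into Regshot's five categories and printed in the listing's layout. The BEFORE/AFTER snapshots are constructed to resemble the listing above (the Run\ckr entry, a changed RNG seed) and are not the real snapshots; the extra HKLM\SOFTWARE\ckr key is invented to show how values under a brand-new key are counted. The persistence_entries() helper is the triage step an analyst does by eye: pick out the autostart locations from the noise.

```python
"""Regshot-style comparison of two registry snapshots."""

# A snapshot is {key_path: {value_name: data_as_string}}. Constructed sample data.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG": {"Seed": "00 43 7C 25 9C 68 DE 59 C6 C8"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer": {"ShellState": "24 00 00 00"},
}
AFTER = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"ckr": r"C:\WINDOWS\system32\ckr.exe"},
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG": {"Seed": "4E E8 AC C8 49 E8 E8 10 3F 13"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer": {"ShellState": "24 00 00 01"},
    r"HKLM\SOFTWARE\ckr": {"InstallPath": r"C:\WINDOWS\system32", "Version": "1.0"},  # invented
}


def compare_snapshots(before, after):
    """Regshot's five categories; values under a brand-new key also count as added values."""
    report = {"Keys added": sorted(after.keys() - before.keys()),
              "Keys deleted": sorted(before.keys() - after.keys()),
              "Values added": [], "Values deleted": [], "Values modified": []}
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key, {}), after.get(key, {})
        for name, data in new.items():
            if name not in old:
                report["Values added"].append(f"{key}\\{name}: {data}")
            elif old[name] != data:
                report["Values modified"].append(f"{key}\\{name}: {old[name]} -> {data}")
        for name, data in old.items():
            if name not in new:
                report["Values deleted"].append(f"{key}\\{name}: {data}")
    return report


def total_changes(report):
    return sum(len(entries) for entries in report.values())


def format_report(report, computer="MALWAREANALYSIS", username="username"):
    """Render the diff in the layout of Regshot's text output."""
    sep = "-" * 34
    lines = ["Regshot", "Comments:", "Datetime: <date>",
             f"Computer: {computer}", f"Username: {username}", sep]
    for title, entries in report.items():
        lines += [f"{title}: {len(entries)}", sep]
        if entries:
            lines += entries + [sep]
    lines += [f"Total changes: {total_changes(report)}", sep]
    return "\n".join(lines)


def persistence_entries(report):
    """Added or modified values under the usual autostart locations."""
    autostart = ("\\CurrentVersion\\Run", "\\Services\\")
    return [entry for entry in report["Values added"] + report["Values modified"]
            if any(marker.lower() in entry.lower() for marker in autostart)]


if __name__ == "__main__":
    diff = compare_snapshots(BEFORE, AFTER)
    print(format_report(diff))
    print("\nPersistence candidates:")
    for entry in persistence_entries(diff):
        print(" ", entry)
```

The RNG seed changes on every boot and on many crypto calls, which is why that entry shows up in nearly every Regshot diff and is not evidence of anything; the Run key is the line that matters.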
Faking a Network - ApateDNS
 ApateDNS spoofs DNS responses: every DNS request from the victim VM is answered with an IP address you choose (typically the analysis machine), so the malware's outbound connections can be captured and observed
(Screenshot: ApateDNS)
Network Monitoring – Wireshark
 Wireshark is an open source tool
– Can intercept and log network traffic
– Provides a graphical interface
• Used for packet-stream analysis and for in-depth analysis of individual packets
 A tool used by both the white-hat and the black-hat community
– White hat: analyse internal networks and network usage, debug application issues
– Black hat: sniff passwords, reverse-engineer network protocols, steal sensitive information, and even eavesdrop on online chats

Network Monitoring – Wireshark
(Screenshot of the Wireshark main window)
1. Filter box
2. Packet listing (packets matching the filter)
3. Packet details (of the selected packet)
4. Hex dump (of the selected packet)

Network Monitoring – Wireshark (following a TCP stream)
– Right-click a TCP packet and select Follow TCP Stream
– Each side of the connection is shown in a different colour
– To start capturing, select Capture from the menu and then Interfaces

Dynamic Analysis – Tools in Practice
 A typical setup includes the following
– Running procmon with a filter on the malware's executable name, and clearing all events just before running the sample
– Starting Process Explorer
– Taking a first snapshot of the registry with Regshot (the second is taken after the malware has run)
– Setting up your virtual network to your liking using REMnux and ApateDNS
– Setting up network traffic logging with Wireshark

Dynamic Analysis
DYNAMIC ANALYSIS WITH REMNUX

Virtual Machines Setup
(Diagram of the lab VMs: XP Machine)
REMnux Setup
 REMnux configuration
– Set the VM's network adapter to a custom virtual network (VMnet in our case), the same isolated network as the victim machine
– Start FakeDNS to answer any DNS request with the REMnux IP address
– Start the HTTP daemon to answer HTTP requests
– Redirect HTTP and HTTPS traffic to TCP port 8080 by configuring redirect rules with iptables
– Intercept the HTTP requests with Burp Suite listening in invisible mode on port 8080

REMnux Setup
 Commands needed to configure the REMnux VM
– sudo fakedns IP-Address (answer every DNS query with the REMnux IP address)
– httpd start (serve a reply to any HTTP request)
 The following commands are needed only if you want to capture the network traffic in Burp Suite on the REMnux VM
– sudo sysctl -w net.ipv4.ip_forward=1
– sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
– sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
– sudo iptables -t nat -L (verify that the rules were added)
• Caveat: redirected HTTPS connections terminate at Burp, which presents its own certificate; malware that validates the server certificate will abort the TLS handshake, so check the raw Wireshark capture if a connection seems to disappear
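What FakeDNS on REMnux and ApateDNS on the Windows side both do, as an added example that is not the code of either tool: parse the victim's DNS query, echo the question back and attach one A record pointing at the analysis machine. Non-A queries get an empty answer so the client falls back cleanly rather than receiving a bogus record. FAKE_IP and the names used in the test are assumptions; serve() needs root to bind UDP/53 and is only for running on the lab network.

```python
"""Fake DNS responder: answer every A query with one fixed IP."""
import socket
import struct

FAKE_IP = "192.168.100.10"   # assumed address of the REMnux VM on the lab-only virtual network


def encode_name(name: str) -> bytes:
    """Hostname to RFC 1035 label format (length byte before each label, 0 terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name); follows compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """A query like the victim VM's resolver sends: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def fake_answer(query: bytes, ip: str = FAKE_IP, ttl: int = 60) -> bytes:
    """Echo the question back with one A record for `ip`; other types get an empty answer."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _name, end = decode_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, end)
    question = query[12:end + 4]
    answer = b""
    if qtype == 1 and qclass == 1:
        # NAME = pointer to offset 12 (the question), TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def parse_answer(resp: bytes):
    """(txid, answer count, first A record's IP or None): what the victim's resolver sees."""
    txid, _flags, _qd, ancount = struct.unpack_from("!HHHH", resp, 0)
    _name, end = decode_name(resp, 12)
    end += 4                                   # skip QTYPE and QCLASS
    if ancount == 0:
        return txid, 0, None
    _name, end = decode_name(resp, end)        # answer NAME (a pointer here)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, end)
    rdata = resp[end + 10:end + 10 + rdlen]
    return txid, ancount, socket.inet_ntoa(rdata) if rtype == 1 else None


def serve(bind_ip: str = "0.0.0.0", port: int = 53):
    """Bind UDP/53 (root) and answer everything, logging what the malware tries to resolve."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, _ = decode_name(data, 12)
            print(f"{peer[0]} asked for {name} -> answering {FAKE_IP}")
            sock.sendto(fake_answer(data), peer)
        except (ValueError, IndexError, struct.error) as exc:
            print(f"ignored malformed packet from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

The log line printed by serve() is the actual output you want from this step: the list of domains the sample resolves is usually the first solid C&C indicator, and it is collected before any HTTP request ever reaches Burp.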
