2. Signature types
3. Rules of Analysis
4. Basic Static Analysis tools
5. Labs (Review)
All rights reserved
Dynamic Malware Analysis
Dynamic malware analysis is a second step
– Normally used when static malware analysis reaches a dead end
– An efficient, quick and reliable way of learning the malware's functionality
PROCESS MONITORING
Drawbacks of procmon
– Cannot monitor device-driver-related activity
• Ex: talking to a rootkit via the device I/O interface
File system
– Exploring file system interaction can show all the files that the malware creates or the configuration files it uses.
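One way to work through that file system interaction outside the Procmon GUI, as an added example that is not part of the course slides: a short Python script that reads a Process Monitor CSV export and lists, per process, the files it created, the files it only opened (candidate configuration files) and the files it looked for but did not find. The column layout is that of Procmon's CSV export; the rows, process name and paths are constructed sample data.

```python
import csv
import io

# Constructed sample rows in the column layout of a Process Monitor CSV export.
# Process name, PID, paths and timestamps are invented for this example.
PROCMON_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,sample.exe,4120,CreateFile,C:\\Users\\lab\\AppData\\Roaming\\svc.dll,SUCCESS,"Desired Access: Generic Write, Disposition: Create"
10:01:02.2,sample.exe,4120,WriteFile,C:\\Users\\lab\\AppData\\Roaming\\svc.dll,SUCCESS,"Offset: 0, Length: 4096"
10:01:02.3,sample.exe,4120,CreateFile,C:\\Users\\lab\\config.ini,SUCCESS,"Desired Access: Generic Read, Disposition: Open"
10:01:02.4,sample.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc,SUCCESS,"Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.dll"
10:01:02.5,explorer.exe,1234,CreateFile,C:\\Windows\\System32\\shell32.dll,SUCCESS,"Desired Access: Read Attributes, Disposition: Open"
10:01:02.6,sample.exe,4120,CreateFile,C:\\Windows\\Temp\\x.tmp,NAME NOT FOUND,"Desired Access: Generic Read, Disposition: Open"
"""


def parse_detail(detail):
    """Turn Procmon's 'Key: value, Key: value' Detail column into a dict."""
    pairs = {}
    for part in detail.split(", "):
        if ": " in part:
            key, value = part.split(": ", 1)
            pairs[key] = value
    return pairs


def summarize_file_activity(csv_text, process):
    """Group a process's CreateFile events by what they tell the analyst:
    'created'  - successful opens with a Disposition other than Open (new/overwritten files)
    'opened'   - successful opens of existing files (configuration files, inputs)
    'missing'  - opens that failed with NAME NOT FOUND (files the sample probed for)
    Each path is listed once, in first-seen order."""
    summary = {"created": [], "opened": [], "missing": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"] != process or row["Operation"] != "CreateFile":
            continue
        if row["Result"] == "NAME NOT FOUND":
            bucket = "missing"
        elif row["Result"] == "SUCCESS":
            disposition = parse_detail(row["Detail"]).get("Disposition", "Open")
            bucket = "opened" if disposition == "Open" else "created"
        else:
            continue  # access denied, sharing violations etc. are out of scope here
        if row["Path"] not in summary[bucket]:
            summary[bucket].append(row["Path"])
    return summary


if __name__ == "__main__":
    for kind, paths in summarize_file_activity(PROCMON_CSV, "sample.exe").items():
        print(kind, paths)
```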
(Process Explorer screenshot labels: Parent, Child, Terminated Processes)
Malware Analysis - Riphah International University 18
Process Monitoring – Process Explorer
– Double-click on a process to bring up its Properties window
o Malware may also replace the in-memory image of a process
1. Filter box
2. Packet listing (matching the filters)
3. Packet details (of the selected packet)
Each side of a connection will be shown in a different color
Select Capture from the menu and then Interfaces
XP Machine