Dynamic Malware Analysis

The document outlines various tools and steps for malware analysis, including network, process, file, and registry monitoring. It emphasizes the importance of tracking malware behavior through tools like Wireshark, Process Hacker, and Sysmon, and details the analysis of a specific malware instance. Key findings include the identification of a scheduled task and file activities related to an information-stealing malware.

Uploaded by cybersecurite69

1-Network Monitoring Tools

Information such as the network connections established by the malware, the addresses it communicates with, and how it communicates with them should be reported as a result of the malware analysis.

❖ Wireshark
❖ Fiddler
❖ Burp Suite

2-Process Monitoring Tools

Running the sample during malware analysis creates a new process. To monitor this process and any it spawns, we use process monitoring tools.

❖ Process Hacker
❖ Process Explorer (SysInternals)
❖ Procmon (SysInternals)

3-File Activity Monitoring Tools

File activities are among the first things to follow in dynamic analysis. Malware can read files to collect information from the operating system, write other components of the malware to the file system, and move itself to the startup folder to ensure persistence.

❖ Sysmon

4-Registry Activities

The Windows registry is a hierarchical database used for data storage in Windows operating systems. Attackers use it for purposes such as stealing data and ensuring persistence.

Some of these registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Steps you should follow after running the malware!
❖ Process Activities
❖ Network Activities
❖ Registry Activities
❖ File Activities (check %TEMP%, shell:startup and shell:common startup)

Preparing
1. Process Hacker to see the process activity and the processes belonging to the malware.

2. The malware now runs under the explorer process; we need more details to understand the malware. I will use Procmon to understand the process tree.
Procmon

Make sure to press the "Show Process Tree" button in the top menu; Procmon will show the process tree it has built during the time it recorded.

As we see, the malware (727ef..), PID 3716, runs the tool "schtasks.exe" belonging to the Windows Task Scheduler (PID 1388) and then runs its own executable again (PID 3768).
Now we need to examine the schtasks call.

We see that a scheduled task named "Updates\VbxFiQYCyFDgGL" has been created. However, all information about the scheduled task except its name is in the XML file located at the following path:

“C:\Users\Amanda\AppData\Local\Temp\tmpCCF2.tmp”.

The Actions tab shows which action will run. You can see on the above screenshot that the malicious executable "VbxFiQYCyFDgGL.exe" prepared by the attacker will run when this scheduled task fires.
We identified the malware process chain (PIDs 3716, 1388, 3768).
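The task XML can be read without the Task Scheduler GUI. The following Python is an added example, not code from the original document: it parses a constructed registration XML in the Task Scheduler format (mirroring the task name and dropped path above, not the real tmpCCF2.tmp) and flags the traits an analyst would note. The list of user-writable directories is a heuristic assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Task Scheduler registration XML format; it mirrors
# the task name and dropped path from the analysis but is not the real tmpCCF2.tmp.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updates\\VbxFiQYCyFDgGL</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Amanda\\AppData\\Roaming\\VbxFiQYCyFDgGL.exe</Command></Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an ordinary user can write to; a legitimate scheduled task rarely
# launches its program from one of these (heuristic; an assumption of this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def summarize_task(xml_text):
    """Pull the facts an analyst reads off the GUI: name, triggers, actions, hidden flag."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.split("}")[-1] for t in trig]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) == "true"
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    return {"name": name, "triggers": triggers, "actions": actions, "hidden": hidden}


def suspicious_reasons(summary):
    """Return the reasons a task deserves a closer look (empty list: nothing flagged)."""
    reasons = []
    for cmd, _ in summary["actions"]:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append("action runs from a user-writable path: " + cmd)
    if summary["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if "LogonTrigger" in summary["triggers"]:
        reasons.append("task runs at every logon")
    return reasons
```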
Network Activities
After running the malware, Fiddler shows that the process named "722ef401…." communicates with the domain "5gw4d[.]xyz".

File Activities
Now we need to know the file activities and whether a new file is dropped.

You can enter a filter with Operation=CreateFile to see file creation activities.
When we examine the logs, we see that an executable file named "VbxFiQYCyFDgGL.exe" is written under the "C:\Users\Amanda\AppData\Roaming\" directory.

When we examine the file activities further, we see that the malware reads files to steal information from applications such as Firefox, Chrome and Thunderbird. We have determined that the malware we have is an information stealer.
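Procmon can export the filtered log as CSV. The following Python is an added example, not code from the original document: it runs the Process Create and CreateFile checks described above over a constructed export (the sample is called sample.exe here and the rows are modelled on the PIDs, task name and dropped file from this analysis), following child PIDs from the malware process and flagging the schtasks call, the dropped executable and the browser profile reads. The column names are Procmon's default CSV export; the directory lists are heuristic assumptions.

```python
import csv
import io
import re

# Constructed Procmon CSV export in the default column order; the rows are modelled
# on the analysis above but are not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","3716","Process Create","C:\Windows\System32\schtasks.exe","SUCCESS","PID: 1388, Command line: schtasks.exe /Create /TN Updates\VbxFiQYCyFDgGL /XML C:\Users\Amanda\AppData\Local\Temp\tmpCCF2.tmp"
"10:01:03.0","sample.exe","3716","CreateFile","C:\Users\Amanda\AppData\Roaming\VbxFiQYCyFDgGL.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:04.0","sample.exe","3716","CreateFile","C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:04.5","sample.exe","3716","CreateFile","C:\Users\Amanda\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"10:01:05.0","explorer.exe","1204","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:06.0","sample.exe","3716","Process Create","C:\Users\Amanda\AppData\Local\Temp\sample.exe","SUCCESS","PID: 3768, Command line: C:\Users\Amanda\AppData\Local\Temp\sample.exe"
'''

# Heuristic path fragments (assumptions of this example), compared case-insensitively.
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programs\\startup\\")
CREDENTIAL_STORES = ("\\firefox\\profiles\\", "\\chrome\\user data\\", "\\thunderbird\\profiles\\")


def parse_procmon_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, seed_pids):
    """Walk the log once, following child PIDs from Process Create rows, and flag
    the behaviours the analysis found: schtasks use, an executable written into a
    user-writable directory, and reads of browser/mail credential stores."""
    pids = set(seed_pids)
    findings = []
    for r in rows:
        if r["PID"] not in pids:
            continue
        op, path, detail = r["Operation"], r["Path"].lower(), r["Detail"]
        if op == "Process Create":
            m = re.search(r"PID: (\d+)", detail)
            if m:
                pids.add(m.group(1))  # keep following the process chain
            if path.endswith("\\schtasks.exe"):
                findings.append(("scheduled task creation", r["Path"], detail))
        elif (op == "CreateFile" and "Generic Write" in detail
              and path.endswith(".exe") and any(d in path for d in DROP_DIRS)):
            findings.append(("executable dropped", r["Path"], detail))
        elif op == "CreateFile" and any(s in path for s in CREDENTIAL_STORES):
            findings.append(("credential store read", r["Path"], detail))
    return findings, pids
```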
Another malware analysis
Registry Activities

As we see, the malware uses the Run key for persistence.

RegShot
RegShot compares a registry snapshot taken before running the malware with one taken after, so the registry activity shows up as the difference.

Network activities
You can open these directories by pressing the "Win + R" key combination and typing one of the following commands:

%TEMP%
shell:startup
shell:common startup
