Dynamic Analysis - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki
Dynamic analysis is the observation of a malicious program's behaviour while it runs. This approach detects activity that static analysis cannot, such as network connections, file modifications, registry changes, and process creation.
Basic Dynamic Analysis
Basic dynamic analysis is a surface-level analysis of the behaviour of malware. The behaviour is observed by comparing the registry before and after the malware is run and by monitoring processes as the malware executes. Network analysis can also be used for basic dynamic analysis.
Common Tools
- Network Analysis
  - Wireshark - Network traffic analysis.
  - INetSim - Simulates network services for malware to attempt to use.
  - FakeNet-NG - Another dynamic network analysis tool for malware analysis.
- Process Monitoring
  - Process Explorer - Windows process monitoring.
  - Procmon - Monitors Windows in real time: file system, Registry and process/thread activity.
  - Regshot - Takes snapshots of the Windows Registry before and after malware is executed, then compares them.
Advanced Dynamic Analysis
Common Tools
1. Disassembly, Reverse Engineering & Debugging
   - IDA Pro – Industry-standard disassembler and decompiler for analyzing binary code.
   - Ghidra – Open-source reverse engineering tool developed by the NSA, offering powerful decompilation features.
   - OllyDbg – A 32-bit assembler-level analysing debugger for Microsoft® Windows®. Its emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
Workflow
What a common workflow in basic and advanced dynamic analysis might look like, and which questions to answer to guide the analysis.
Basic Dynamic Analysis
Before running the malware, make sure to take a shot of the registry with Regshot and have Process Monitor and/or Process Explorer open. Some malware may detect these tools running, so it doesn't hurt to alternate between tools.
1. Running the malware
- Are there any obvious changes on the computer on which the malware has been run?
2. Regshot
Using Regshot, take the second shot and use the compare feature.
- What keys were created and what keys were modified?
- Were any keys created or modified that relate to programs launched at startup?
3. Process Monitor
If possible, filter for the malware process that was launched and any process it created.
- Did it launch any processes? What are they? Why did it launch them?
- What key registry entries did it modify or add?
- Were any files created? (An example of a host-based signature.)
- Did it delete any files?
4. Network Activity
Monitor the network activity from the other VM.
- Is there any network communication?
- What protocols is it trying to use?
- What information can you find in the body of any of the requests?
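As an added example (not part of the original wiki or the Practical Malware Analysis labs), the script below answers the Process Monitor questions above and the Regshot startup-key question from a Procmon CSV export: it follows the malware's process tree, then lists processes launched, files created or deleted, registry values set, and any writes to startup-related keys. The CSV column names and Detail-field wording are assumed to match Procmon's export format, and the embedded log is a constructed sample.

```python
import csv
import io

# Constructed sample in the column layout of a Procmon CSV export (assumed:
# "Time of Day","Process Name","PID","Operation","Path","Result","Detail").
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01","explorer.exe","1000","Process Create","C:\\lab\\sample.exe","SUCCESS","PID: 2000, Command line: sample.exe"
"10:00:02","sample.exe","2000","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:00:03","sample.exe","2000","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:00:04","sample.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 2100, Command line: cmd.exe /c del sample.exe"
"10:00:05","cmd.exe","2100","SetDispositionInformationFile","C:\\lab\\sample.exe","SUCCESS","Delete: True"
"10:00:06","notepad.exe","3000","RegSetValue","HKCU\\Software\\Notepad\\Width","SUCCESS","Type: REG_DWORD, Data: 80"
'''

# Registry locations commonly used to launch a program at logon/startup (lower-cased for matching).
STARTUP_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")

def parse_events(text):
    """Parse Procmon CSV text into a list of dict rows, one per event."""
    return list(csv.DictReader(io.StringIO(text)))

def process_tree(events, root_pid):
    """Root PID plus every PID it transitively created (Procmon logs 'Process Create' on the parent; the child PID is in Detail)."""
    pids = {str(root_pid)}
    for e in events:  # events are chronological, so one pass finds all descendants
        if e["Operation"] == "Process Create" and e["PID"] in pids:
            pids.add(e["Detail"].split(",")[0].split(":")[1].strip())
    return pids

def summarize(events, root_pid):
    """Answer the Process Monitor questions for the malware and its child processes."""
    pids = process_tree(events, root_pid)
    report = {"processes": [], "files_created": [], "files_deleted": [],
              "registry_set": [], "persistence": []}
    for e in (e for e in events if e["PID"] in pids):  # drop unrelated processes
        op, path, detail = e["Operation"], e["Path"], e["Detail"]
        if op == "Process Create":
            report["processes"].append(path)
        elif op == "CreateFile" and "OpenResult: Created" in detail:
            report["files_created"].append(path)  # host-based signature candidate
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            report["files_deleted"].append(path)
        elif op == "RegSetValue":
            report["registry_set"].append(path)
            if any(k in path.lower() for k in STARTUP_KEYS):
                report["persistence"].append(path)  # startup-related key written
    return report
```

On the sample, `summarize(parse_events(SAMPLE_CSV), 2000)` reports cmd.exe as a launched child, the dropped svc.exe as a created file, the original sample as deleted by that child, and the Run key write as persistence, while notepad.exe's registry activity is ignored.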
Advanced Dynamic Analysis
Debugging
- Stepping through the program's execution, is there anything of interest, such as decryption of strings, potentially malicious use of Windows API calls, or memory management?
- What security vulnerabilities is the malicious software potentially trying to exploit?
Credits and References
The workflow follows a similar guideline to the labs in the textbook Practical Malware Analysis by Michael Sikorski and Andrew Honig (February 2012).