From the previous posts, we know which artifacts can be identified through static and dynamic analysis of malware. Now it is time to learn how to use the tools to collect those artifacts.
Before getting into the analysis, there are important precautions we have to take so that we do not miss anything and do not end up with an infection. Please make sure the precautions mentioned below are followed.
Why should we avoid using a sandbox in a production network?
There are many ways malware can escape from a sandbox, depending on who built it. A few examples:
1. Malware might be built to check whether it is running inside a VM or sandbox. If it is, it may try to exploit vulnerabilities in the VM and then target the host or the network.
2. If you have configured a file share for some reason, the malware might use it to spread and escape to other systems.
Now we will see how to collect the artifacts with the tools, starting with Microsoft Sysinternals ProcMon (Process Monitor).
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Process Monitor can monitor, capture and filter all of these artifacts. Its capabilities are listed below for reference.
Below is a sample screenshot of Process Monitor showing the UI and the default minimal options.
The issue is that the tool captures a huge amount of data. So it is important to filter the noise out of the haystack to identify abnormal activity and get the required artifacts.
Some filters are already available, as suggested by the Microsoft blog, along with the ready-made Process Monitor filters for malware analysis. These filters have many inclusions and exclusions to make the job easier. But it is recommended to build your own filter list based on your requirements and analysis, because many malicious processes use a legitimate Windows process name. In that case, if you filter out the Windows process by name, you might miss the malicious process activity.
TCP/UDP Send and Receive – any connections that malware may try to use while it’s running.
Load Image – DLL/Executable loading.
Create File – new files being created.
Write/Delete/Rename File – any changes to files.
Registry activities – Run entries used for malware persistence.
Procmon/Procmon64/Autoruns/Sysmon – these exclude any events generated by the Sysinternals tools themselves.
Disposition: Open – used to filter out CreateFile calls that merely open an existing file rather than actually creating one (See here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx).
Page File – In my opinion, the page file is less/not relevant when doing malware analysis.
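The include/exclude rules above can be applied offline to a Process Monitor CSV export. The script below is an added example, not code from the original post or from Sysinternals: it assumes the default CSV export column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and uses a handful of constructed sample rows in which a process named svchost.exe drops a file, adds a Run key and sends traffic. Results are keyed by PID rather than process name, so two processes sharing a legitimate Windows name are never collapsed into one and the malicious instance is not filtered away.

```python
import csv
import io
import re

# Constructed sample rows in Process Monitor's default CSV export layout.
# The "malicious" PID 6666 and the path/IP values are invented for the demo.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","Procmon64.exe","4012","RegQueryValue","HKLM\\SOFTWARE\\Sysinternals\\Process Monitor\\EulaAccepted","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.0002","svchost.exe","1234","CreateFile","C:\\Windows\\System32\\config\\systemprofile","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.0003","svchost.exe","6666","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\upd.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:01:02.0004","svchost.exe","6666","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\upd.exe","SUCCESS","Offset: 0, Length: 65536"
"10:01:02.0005","svchost.exe","6666","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\\Users\\analyst\\AppData\\Roaming\\upd.exe"
"10:01:02.0006","svchost.exe","6666","TCP Send","analyst-pc:49712 -> 203.0.113.10:443","SUCCESS","Length: 512, startime: 1, endtime: 2, seqnum: 0, connid: 0"
"10:01:02.0007","System","4","WriteFile","C:\\pagefile.sys","SUCCESS","Offset: 1048576, Length: 4096"
"10:01:02.0008","svchost.exe","6666","Load Image","C:\\Windows\\System32\\ws2_32.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x70000"
"""

# Include rules: network, image loads, file creation/modification, registry writes.
INCLUDE_OPERATIONS = {
    "TCP Send", "TCP Receive", "UDP Send", "UDP Receive",
    "Load Image", "CreateFile", "WriteFile",
    "SetDispositionInformationFile",   # file delete
    "SetRenameInformationFile",        # file rename
    "RegSetValue",
}
# Exclude rules: the Sysinternals tools themselves, compared case-insensitively.
EXCLUDE_PROCESSES = {"procmon.exe", "procmon64.exe", "autoruns.exe", "sysmon.exe"}
# Only registry writes under the Run/RunOnce persistence keys are interesting here.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# "Disposition: Open" means an existing file was opened, not created.
# The word boundary keeps "OpenIf" (which may create) in the results.
OPEN_DISPOSITION_RE = re.compile(r"Disposition:\s*Open\b")


def keep_event(row):
    """Return True if a Procmon CSV row survives the include/exclude filters."""
    if row["Process Name"].lower() in EXCLUDE_PROCESSES:
        return False
    op = row["Operation"]
    if op not in INCLUDE_OPERATIONS:
        return False
    if "pagefile.sys" in row["Path"].lower():
        return False
    if op == "CreateFile" and OPEN_DISPOSITION_RE.search(row["Detail"]):
        return False
    if op == "RegSetValue" and not RUN_KEY_RE.search(row["Path"]):
        return False
    return True


def filter_procmon_csv(text):
    """Parse a Procmon CSV export and return the rows worth a closer look."""
    return [row for row in csv.DictReader(io.StringIO(text)) if keep_event(row)]


def summarize(rows):
    """Count kept events per (process name, PID, operation).

    Keying by PID keeps two processes with the same legitimate name apart,
    so a malicious svchost.exe is not hidden behind the real ones.
    """
    counts = {}
    for row in rows:
        key = (row["Process Name"], row["PID"], row["Operation"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    kept = filter_procmon_csv(SAMPLE_CSV)
    for row in kept:
        print(f'{row["Process Name"]:<14}{row["PID"]:<6}{row["Operation"]:<14}{row["Path"]}')
    print()
    for (name, pid, op), n in sorted(summarize(kept).items()):
        print(f"{name} (PID {pid}): {op} x{n}")
```

Run against a real export with `filter_procmon_csv(open("Logfile.CSV", encoding="utf-8-sig").read())`; the PID-keyed summary is the place to look when a familiar process name shows up with persistence writes or outbound connections it has no reason to make.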
Process Explorer: it is better to have Process Explorer alongside Process Monitor, because Process Explorer provides additional features that let us interact with a process to analyze the malicious process's behavior further. Below are the capabilities of Process Explorer.
Along with these, it uses color coding to show what type of process each one is, as listed below:
If we use these filters, we can easily identify anomalous activity that makes changes to the system, memory and file system.
If you wish to start from the basics of Process Monitor, I recommend going through the tutorials below, which will help you a lot with the tool.
Please give us feedback and comment if you would like to add something or if anything is missing. Thank you!
Image & Content References: