Since malware is involved in the majority of cyberattacks, it needs to be understood and analyzed in various ways. As I mentioned in the previous blog post, static analysis is the primary method of seeing what artifacts we can collect without executing the sample. Static analysis alone is not sufficient, though, because it does not tell you how the malware behaves. The next way of finding out the behavior is dynamic malware analysis.
Dynamic malware analysis is the method of finding out a sample's behavior and indicators of compromise by executing it. Executing malware puts your system at risk; it is like letting a thief into your home and observing him. So dynamic malware analysis starts with many prerequisites, restrictions and risk mitigations. Let us look at these in brief.
Risks involved in performing Dynamic Malware Analysis:
As you are all aware, it is a bad idea to test malware on a live machine that is used for day-to-day work. If you execute malware in the host operating system of your own laptop, it might infect the system in a way that cannot be recovered from, because some malware infects the system at the boot or kernel level, and it may lead to loss of confidential information, data loss, or infection of your whole network. To avoid these risks there is a concept called sandboxing.
A sandbox is an isolated system environment that is not connected to any network. It should also contain a virtual environment and other analysis tools, with the ability to restore the environment to a clean state after each run.
The artifacts that can be identified using dynamic malware analysis are many; the main ones are listed below.
Registry keys or entries: those created to change operating system behavior, such as making the operating system run the malware as a startup process that launches after boot, or using privileged services.
The file system: it is important to identify the file system locations used by the malware and where the malware and its components get loaded. Normally the malware will be executed from Temp, AppData or roaming profiles.
Network info: much malware has the functionality to spread over the network and infect the other systems on it. Many samples target vulnerable SMB versions or use sockets or mail services.
Process: finding the main process, its payloads and the other system components it uses is also important. Much malware uses legitimate system services for stability and to carry out its intentions.
Threads: threads give us information about which functions or components the malware uses. For example, to spread over the network it might use the SMB service, and to gain persistence it might register services and keep track of its executions.
All of these artifacts can be identified using the Process Monitoring tool, which can be downloaded here.
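As an added example that is not part of the original post, here is a small Python triage script that applies the artifact categories above (startup registry entries, files staged in Temp/AppData/Roaming, connections to SMB, FTP and SMTP ports) to a constructed Process Monitor CSV export. It assumes the monitoring tool referred to above is Sysinternals Process Monitor, that the export uses its default column layout, and that port name resolution was turned off so ports appear as numbers.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export
# (not a real capture). Ports are numeric, i.e. name resolution was off.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,sample.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,Type: REG_SZ
10:01:02.200,sample.exe,4120,CreateFile,C:\Users\bob\AppData\Local\Temp\svc.dll,SUCCESS,Desired Access: Generic Write
10:01:02.300,sample.exe,4120,WriteFile,C:\Users\bob\AppData\Roaming\svc.exe,SUCCESS,Length: 4096
10:01:03.000,sample.exe,4120,TCP Connect,host-a:49201 -> 10.0.0.5:445,SUCCESS,Length: 0
10:01:03.500,sample.exe,4120,TCP Connect,host-a:49202 -> 10.0.0.9:25,SUCCESS,Length: 0
10:01:04.000,notepad.exe,2210,CreateFile,C:\Users\bob\Documents\notes.txt,SUCCESS,Desired Access: Generic Read
"""

# Artifact classes from the list above: startup entries, staging dirs, lateral/exfil ports.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
STAGING_DIR = re.compile(r"\\(Temp|AppData\\(Local|Roaming))\\", re.IGNORECASE)
WATCHED_PORTS = {445: "smb", 21: "ftp", 25: "smtp"}


def classify_event(row):
    """Return an artifact tag for one Procmon row, or None if it is not interesting."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    if op.startswith("Reg") and AUTORUN_KEY.search(path):
        return "registry-persistence"
    wrote = op == "WriteFile" or (op == "CreateFile" and "Write" in detail)
    if wrote and STAGING_DIR.search(path):
        return "file-staging"
    if op in ("TCP Connect", "UDP Send"):
        # Path looks like "src:port -> dst:port"; keep only the destination port.
        port = path.split("->")[-1].strip().rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in WATCHED_PORTS:
            return "network-" + WATCHED_PORTS[int(port)]
    return None


def triage(csv_text):
    """Group flagged events per process (name:PID) so each sample's artifacts read together."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = classify_event(row)
        if tag:
            key = f"{row['Process Name']}:{row['PID']}"
            findings.setdefault(key, []).append((tag, row["Path"]))
    return findings


if __name__ == "__main__":
    for proc, events in triage(SAMPLE_CSV).items():
        print(proc)
        for tag, path in events:
            print(f"  [{tag}] {path}")
```

On a real export the same script can be pointed at the saved CSV by reading the file into `triage`, which is useful for filtering a noisy capture down to the registry, file and network events worth a closer look.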
To identify malware that arrived as an infected piece of software, the artifacts below can be considered.
Signature info: it is necessary to identify whether the process is signed. If it is signed and still shows malware behaviors, then we can mark it as malicious.
Strings: the readable strings in the binary show us the flow of the malicious functions. Many keywords and function names give clues to malicious activity. They may come from assembly code or any other code, depending on the malware process. These artifacts can be identified using the Process Explorer or Process Hacker tools.
Here is the interesting part: detecting malware functionality and behavior.
Much malware targets services such as FTP and SMTP for transferring data out of the victim machine, and other services can be used to complete a successful attack.
For example, ransomware targets the network to spread itself to other systems using SMB vulnerabilities, and the SMTP service is used by many keyloggers. If the sandbox is not configured with these services, we cannot check what data the malware is collecting and sending. In that case we can use the INetSim tool, which provides fake services on the system and lets the malware use the services it requires. Based on this we can identify the patterns we can match and block on the relevant devices.
INetSim: simulates services so that the malware can execute its code and reveal its intention. Download here.
The extended level of analysis includes reviewing packets, which gives us much useful information, such as what type of connections the malware is making and which processes, resources and protocols it is using. This can be monitored using the Wireshark tool; download here.
For dynamic malware analysis, we can use many automated frameworks that provide all the required artifacts or IOCs, along with proofs of concept. Please don't miss my next blog on which freeware frameworks are available, what their features are, and which one is effective.
Do not forget to share this; I am waiting for your feedback and questions.