# What is Dynamic Malware Analysis

Dynamic malware analysis is when malware is run and examined in secure environments. The behavior is analyzed by examining network and file changes within those environments. Dynamic analysis is faster than static analysis, but less thorough. Various sandboxes can perform automated dynamic analysis.

## Pros of Dynamic Analysis

- faster than static
- automated analysis is possible with sandboxes
- requires less technical knowledge than static analysis

## Cons of Dynamic Analysis

- the full capacity of the malware cannot be analyzed, as it may perform differently in different environments
- advanced malware cannot be analyzed with dynamic analysis alone; in these cases, couple it with static analysis

# Importance of Dynamic Malware Analysis for SOC Analysts

SOC analysts race against time. The faster harmful situations are detected, the faster action can be taken. Dynamic analysis can produce results much faster than static analysis. It may seem simple, but it can be a dangerous and difficult analysis method for inexperienced individuals.

# Which Tools and Software

## Virtualization Software

Don't do this on systems not designed to be wiped and contained.

NOTE: since VMs are software, it is possible that vulnerabilities exist that allow malware to escape. **Keep virtualization software up to date!**

- VMware Workstation
- VMware Fusion
- Oracle VirtualBox

Ideally, isolated dynamic analysis uses a completely separate physical device and a separate network. This is not necessary to begin with.

## Utility Software

Useful software to include within VMs are applications that are commonly targeted.

- Microsoft Office
- Adobe Reader
- Browsers
- WinRAR
- Text Editor

Attackers are familiar with the dynamic analysis method. Malware may check whether frequently used software is installed to determine if it is running in a VM before performing malicious activities.

## Debuggers

Software used by programmers to test code and catch errors. Debuggers show the instructions of a process and can change the flow of a program.
They are used to learn the working structure of malware and to disable prevention mechanisms by making changes to malware code.

- OllyDbg
- x64dbg
- WinDbg
- radare2

## Network Monitoring Tools

Since network connections are often attempted/established by malware, the addresses and how it communicates should be reported as a result of malware analysis.

- Wireshark
- Fiddler
- Burp Suite

## Process Monitoring Tools

Task Manager is the default for Windows, but does not offer the same flexibility and in-depth analysis as the following:

- Process Hacker
- Process Explorer (Sysinternals)
- Procmon (Sysinternals)

## File Activity Monitoring Tools

One of the first activities that should be done in dynamic analysis. Malware can read files to gather information, write components of the malware to the filesystem, and move itself to the startup folder to ensure persistence. Malware can be involved in various file activities for these and other reasons.

- Sysmon

## Other Tools

- Sysinternals Tools
- CFF Explorer
- PEView
- TrIDNet
- BinText
- PEiD
- Regshot
- HashMyFiles

# Create a Virtual Machine for Dynamic Analysis

## Install Virtualization Software

I'm installing VirtualBox because I found it easier to maintain and transfer images as opposed to VMware, and a few years ago VMware was bought by Broadcom and [changed a few things about their licensing that I really wasn't a fan of](https://www.schneider.im/vmware-by-broadcom-portfolio-simplification-and-transition-to-subscription/), which led me to work more with Oracle's VBox and Proxmox.

## Installing OS

Windows ISOs can be grabbed from the official Microsoft website. Various Linux ISOs can be obtained from their respective websites. I operate the following:

- Windows 10
- Windows 11
- Ubuntu 22 LTS
- Ubuntu 24 LTS
- Debian
- Red Hat Linux

When on my main workstation, I give the VM double the minimum recommended resources, and a very minimal amount of storage, typically between 10-20GB.

## Modifying VMs

1. Install target software
2. Install analysis tools
3. Turn off anti-malware solutions
    1. disable Windows Defender
4. Turn off auto updates
5. Disable hidden extensions
6. Show hidden files and folders
7. Disable ASLR (Windows)
    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    2. Create a "REG_DWORD" type key named "MoveImages"
8. Disable firewall
9. Mimic an end-user system
    1. install browsers
    2. leave files in directories, such as Downloads
    3. change the default desktop background
10. Change network settings
    1. custom network adapter
    2. prevent access to the internal network

## Take Snapshot

Since the VM is intended to be compromised and unusable after the malware has been analyzed, we need a way to reset to "0". All VM software now allows snapshots. After setting up and modifying the VM, take a snapshot of the vulnerable (but clean) system to return to after analysis of the malware is completed.

# What to Pay Attention to When Conducting Dynamic Analysis

## Process Activities

When malware runs, it creates a process of its own like other applications. Operations on any operating system are carried out via processes. The following are of primary importance at this stage:

- new child processes
- DLLs imported
- the user the process is run by

Process Hacker can be used to examine the above. It lists processes in a hierarchical view, so child processes are easy to identify. Malware can inject itself into different processes, so all processes belonging to and used by the malware should be analyzed.

- for example, if the malware injects into excel.exe after it runs, all activities that excel.exe creates after injection need to be analyzed

## Network Activities

Look specifically for C2 servers and for attempts to jump to other devices within the network. Wireshark can meet all network analysis needs. However, Fiddler can be used when the malware is known to communicate especially over the HTTP protocol.
## Registry Activities

The registry is a hierarchical database used for data storage in Windows, and it is used by hackers to steal data and ensure persistence. Common keys to attack are the following:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

**Regshot** is a tool that can detect changes made to the registry.

- effectively takes snapshots (manually) before and after running the malware
- the compare button makes it simple to compare the changes

## File Activities

Fileless malware helps prevent detection. Temp directories store temporary files, which are typically made by applications to store volatile files that do not need to be stored permanently. Malware often copies itself here. In order to achieve persistence, malware is often copied to the startup directory, which contains applications that run automatically, you guessed it, on startup.

# Example 1

1. Start tools
    1. Process Hacker to view children 3744 5136
    2. Procmon to view file activities
    3. Regshot to view registry activities
    4. Wireshark/Fiddler/both to record network activities
2. Analyze
    1. detect all processes belonging to the malware with Process Hacker
        1. use Procmon to see if any children were created then terminated via 'process tree'

# Example 2

# What To Do When Malware Doesn't Act

## Wait Longer

Sometimes malware adds sleep functions so that it does not run immediately, typically 3-5 minutes, to prevent detection; this allows it to reach the end user.

## Execute as Administrator

Try to run non-active malware as an authorized user to 'prevent the malware from terminating itself when not run at high privileges'.

## Change Language Settings

Targeted attacks are becoming increasingly common.
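The Registry Activities and File Activities sections above describe the same workflow: snapshot the registry before and after the run, compare, and look at where the sample wrote files. The script below is an added example (not part of the original notes and not Regshot's code) that performs a Regshot-style compare of two snapshots and flags additions or modifications under the four Run/RunOnce keys listed above, then buckets the sample's file writes into Temp, the per-user Startup folder, and everything else. The snapshot contents and file paths are constructed for the example; the snapshot format (key name mapped to value name/data pairs) is an assumption, and a real run would load two Regshot exports into it.

```python
"""Regshot-style comparison of two registry snapshots plus a check of where the
sample wrote files, to surface persistence: new or changed Run/RunOnce entries,
copies into Temp, and anything dropped into the Startup folder.
Added example with constructed data; not Regshot's own code."""

# The four autorun keys from the notes, lower-cased for case-insensitive matching.
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)}

HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKLM_RUNONCE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed snapshots (key -> {value name: data}); the contents are made up.
BEFORE = {
    HKCU_RUN: {"OneDrive": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    HKCU_ADV: {"Hidden": "1", "HideFileExt": "0"},
}
AFTER = {
    HKCU_RUN: {
        "OneDrive": r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "Updater": r"C:\Users\lab\AppData\Local\Temp\svchost.exe",
    },
    HKCU_ADV: {"Hidden": "2", "HideFileExt": "0"},
    HKLM_RUNONCE: {"cleanup": r"cmd.exe /c del C:\Users\lab\Downloads\invoice.exe"},
}

# Constructed file-write paths, as a Procmon WriteFile filter would list them.
FILE_WRITES = [
    r"C:\Users\lab\AppData\Local\Temp\svchost.exe",
    r"C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"C:\Users\lab\Documents\report.docx",
]


def diff_snapshots(before: dict, after: dict) -> list[tuple]:
    """Return (kind, key, value_name, old, new) tuples, like Regshot's compare."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(("added", key, name, None, a[name]))
            elif name not in a:
                changes.append(("deleted", key, name, b[name], None))
            elif a[name] != b[name]:
                changes.append(("changed", key, name, b[name], a[name]))
    return changes


def autorun_changes(changes: list[tuple]) -> list[tuple]:
    """Keep only additions/modifications under the Run and RunOnce keys."""
    return [c for c in changes if c[0] != "deleted" and c[1].lower() in AUTORUN_KEYS]


def classify_file_writes(paths: list[str], user: str = "lab") -> dict[str, list[str]]:
    """Bucket written paths into Temp, the per-user Startup folder, or other.
    The Startup folder is %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup."""
    temp = "c:\\users\\" + user.lower() + "\\appdata\\local\\temp\\"
    startup = ("c:\\users\\" + user.lower()
               + "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\")
    buckets: dict[str, list[str]] = {"temp": [], "startup": [], "other": []}
    for p in paths:
        low = p.lower()
        if low.startswith(startup):
            buckets["startup"].append(p)
        elif low.startswith(temp):
            buckets["temp"].append(p)
        else:
            buckets["other"].append(p)
    return buckets


def report(before: dict, after: dict, writes: list[str]) -> list[str]:
    """Human-readable summary of the persistence-relevant findings."""
    lines = []
    for kind, key, name, old, new in autorun_changes(diff_snapshots(before, after)):
        lines.append(f"[registry] {kind}: {key}\\{name} = {new!r} (was {old!r})")
    buckets = classify_file_writes(writes)
    for bucket in ("startup", "temp"):
        for p in buckets[bucket]:
            lines.append(f"[file] written to {bucket}: {p}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER, FILE_WRITES)))
```

On the constructed data the compare yields three differences, but only two sit under autorun keys: the new `Updater` value in HKCU Run pointing at an executable in Temp, and the new `cleanup` value in HKLM RunOnce. The Explorer `Hidden` change is still in the full diff, so nothing is lost, it just is not promoted to a persistence finding; together with the Temp and Startup writes this is the combined registry-plus-file view the two sections above ask for.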
Malware may not run unless the environment contains features that the malware checks for, such as the OS, system language, location information, and timezone information. All of these may need to match, depending on the target of the malware, for it to display its malicious activities.

## Use Different Network

Enable the device to access the internet via a different country's IP using VPN tools to emulate the targeted country/location.

## Other Methods

- Change the screen resolution
- Perform user activities on the operating system while the malware is running to mimic an endpoint device