Practical Malware Analysis — Chapter 3— Basic Dynamic Analysis

Kamran Saifullah
5 min readAug 29, 2019

--

Basic Static Analysis is limited and most of the times does not provides crucial information regarding things being malicious as new malware are always packed, obfuscated and contains new techniques to hide their code. So the next step is to dynamically analyze the the malware and this is always the second step. We begin performing the Dynamic Analysis as soon as our Static Analysis comes to a dead-end.

Dynamic Analysis lets us observe the malware’s true functionality. All we need to remember is that when performing Dynamic Analysis, the malware is run on the system intentionally to have the infection and then to analyze it. At this moment if you do not have a secure environment then you are going to be messed up with the malware infection. Even you can infect your whole network and devices as well.

So better follow the Chapter 2 from the Book which covers the basics of Virtualization!

Sandboxes: The Quick & Dirty Approach

There are different all-in-one software products that can be used to perform dynamic analysis. The virtual environment that you will be creating for yourself is also a SandBoxed environment. This is all done in order to keep yourself secure while you run the malware in an isolated environment.

Tools include, GFI Sandbox, Norman SandBox, Anubis Joe Sandbox, ThreatExpert, BitBlaze and Comodo Instant Malware Analysis.

During my research for the tools i came across @ https://www.hybrid-analysis.com/ which allows you to run and analyze the malware in a sand-boxed environment.

Running Malware

The executable’s are really easy to run via double click but it would be difficult to run the DLL as the computer don’t really know how to run them automatically.

The program “rundll32.exe” is included in all modern versions of Windows and it provides the container for running a DLL’s

C:\>rundll32.exe DLLname, Export arguments

The export value must be the function name or ordinal value from the exported table in the DLL. PEview and PE Explorer can be used to view the Export Table. For example “rip.dll” has the following exports.

Install
Uninstall

The we can launch the malware as,

C:\>rundll32.exe rip.dll, Install

Running the malware using ordinal values

C:\>rundll32.exe xyzzy.dll, #5

The DLL frequently run most of their code in DLLMain and because DLLMain is executed whenever the DLL is loaded, we can get information dynamically by forcing the DLL to load using rundsll32.exe. Alternatively we can turn the DLL into an executable by modifying the PE header and changing its extension to force Windows to load the DLL and it would be an executable.

In order to modify the PE Header, wipre the ImAGE_File-dll flags from the IMAGE_FILE_HEADER. This change won’t run any imported functions, it will run the DLLMain method and can cause the malware to crash unexpectedly.

DLL Malware also need to be installed as a service, sometime a convenient export such as InstallService, as listed in ipr32x.dll

C:\>rundll32 ipr32x.dll,InstallService ServiceName
C:\>net start ServiceName

The ServiceName argument must be provided to the malware so it can be
installed and run. The net start command is used to start a service on a Windows system

Monitoring with Process Monitor

Process Monitor, or procmon, is an advanced monitoring tool for Windows
that provides a way to monitor certain registry, file system, network, process,
and thread activity. It combines and enhances the functionality of two legacy
tools: FileMon and RegMon.

Although procmon captures a lot of data, it doesn’t capture everything.

For example, it can miss the device driver activity of a user-mode component
talking to a rootkit via device I/O controls, as well as certain GUI calls, such
as SetWindowsHookEx. Although procmon can be a useful tool, it usually should not be used for logging network activity, because it does not work consistently across Microsoft Windows versions.

Monitoring with Process Explorer

The Process Explorer, free from Microsoft, is an extremely powerful task
manager that should be running when you are performing dynamic analysis.
It can provide valuable insight into the processes currently running on a
system.

You can use Process Explorer to list active processes, DLLs loaded by a
process, various process properties, and overall system information. You can
also use it to kill a process, log out users, and launch and validate processes.

Using Dependency Walker

Process Explorer allows you to launch depends.exe (Dependency Walker) on a running process by right-clicking a process name and selecting Launch Depends. It also lets you search for a handle or DLL by choosing Find Find Handle or DLL. The Find DLL option is particularly useful when you find a malicious DLL on disk and want to know if any running processes use that DLL. The Verify button verifies the EXE file on disk, but not every DLL loaded during runtime. To determine whether a DLL is loaded into a process after load time, you can compare the DLL list in Process Explorer to the imports shown in Dependency Walker.

Comparing Registry Snapshots with Regshot

Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. To use Regshot for malware analysis, simply take the first shot by clicking the 1st Shot button, and then run the malware and wait for it to finish making any system changes. Next, take the second shot by clicking the 2nd Shot button. Finally, click the Compare button to compare the two snapshots.

Faking a Network

It is important to to make sure that your environment is safe. Some malware do really need internet to complete their execution like the malware used for spam email, backdoors etc. all need internet access and we can’t really put everything on risk. So we need to make sure that we have sort of internet for the malware to which and to where it can easily communicate so that we can analyze it properly.

Common tools are used in the book.

  1. ApateDNS → https://www.fireeye.com/services/freeware/apatedns.html
  2. InetSIM → https://techanarchy.net/blog/installing-and-configuring-inetsim

3. Netcat → https://nmap.org/ncat/

4. WireShark → https://www.wireshark.org/download.html

Basic Dynamic Tools in Practice

Following are the key points for this chapter!

  1. Running procmon and setting a filter on the malware executable name
    and clearing out all events just before running.
  2. Starting Process Explorer.
  3. Gathering a first snapshot of the registry using Regshot.
  4. Setting up your virtual network to your liking using INetSim and
    ApateDNS.
  5. Setting up network traffic logging using Wireshark.

NOTE

I haven’t discussed the tools here in detail rather than just adding the theory. The reason is we are going to study the tools in detail with the labs.

Conclusion

Basic dynamic analysis of malware can assist and confirm your basic static
analysis findings. Most of the tools described in this chapter are free and easy
to use, and they provide considerable detail.

However, basic dynamic analysis techniques have their deficiencies, so
we won’t stop here. For example, to understand the networking component
in the msts.exe fully, you would need to reverse-engineer the protocol to
determine how best to continue your analysis.

--

--

Kamran Saifullah
Kamran Saifullah

Written by Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI

No responses yet