Welcome back fellow hackers! In this article, we’ll be diving deep into advanced malware analysis techniques, specifically focusing on dynamic analysis. As red teamers and pen testers, we know that understanding malware is key to our success. The more we know about the malware we’re facing, the better equipped we are to defeat it.

Dynamic analysis is an essential tool in the malware analyst’s arsenal. It allows us to see what the malware is doing in real-time and can provide invaluable insights into its behavior. In this article, we’ll be covering several techniques for dynamic analysis, including debugging, memory analysis, and network monitoring.

Before we get started, let’s review some basics. Dynamic analysis is the process of running a malware sample in a controlled environment and observing its behavior. Unlike static analysis, which involves analyzing the code without running it, dynamic analysis allows us to see how the malware behaves in real-world conditions.

One of the main advantages of dynamic analysis is that it can provide us with a wealth of information about the malware. For example, we can observe what files the malware creates or modifies, what network connections it makes, and what processes it spawns. This information can be critical in understanding the malware’s capabilities and can help us identify potential weaknesses to exploit.

So, without further ado, let’s get into some advanced dynamic analysis techniques!

Debugging

Debugging is a technique that allows us to step through the code of a malware sample as it runs. By setting breakpoints at specific locations in the code, we can pause the execution of the malware and examine the state of its variables and memory.

There are several tools available for debugging malware, but one of the most popular is OllyDbg. OllyDbg is a powerful debugger that allows us to view and modify the memory of a running process, as well as set breakpoints and trace the execution of the code.

Let’s walk through an example of how we might use OllyDbg to analyze the WannaCry malware sample.

First, we’ll need to start OllyDbg and attach it to the WannaCry process. Once we’ve attached OllyDbg, we can start setting breakpoints in the code.

A breakpoint is a location in the code where we want the debugger to pause execution. In the case of WannaCry, we might set a breakpoint at the location where the malware creates a new process.

To set a breakpoint in OllyDbg, we can right-click on the code window and select “Toggle breakpoint”. We can also use the F2 key to toggle a breakpoint at the current location.

Once we’ve set the breakpoint, we can start the WannaCry sample and wait for it to hit the breakpoint. When the breakpoint is hit, OllyDbg will pause the execution of the malware, and we can examine the state of its memory.

For example, we might want to examine the parameters that were passed to the CreateProcess function. To do this, we can select the CreateProcess call in OllyDbg and view the values of the parameters in the “CPU” window.

Here’s an example of what the OllyDbg interface might look like when debugging the WannaCry malware sample:

00401000 >/$ 55             PUSH EBP
00401001  |. 8BEC           MOV EBP,ESP
00401003  |. 60             PUSHAD
00401004  |. 33C0           XOR EAX,EAX
00401006  |. B9 14E05A00    MOV ECX,5AE014
0040100B  |. 8D5424 18      LEA EDX,[ESP+18]
0040100F  |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00401015  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
00401017  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX
0040101B  |. 8B51 04        MOV EDX,DWORD PTR DS:[ECX+4]
0040101E  |. 8B79 08        MOV EDI,DWORD PTR DS:[ECX+8]
00401021  |. 890C24         MOV DWORD PTR SS:[ESP],ECX
00401024  |. 8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
00401027  |. 51             PUSH ECX
00401028  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0040102B  |. 52             PUSH EDX
0040102C  |. 8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
0040102F  |. 50             PUSH EAX
00401030  |. 57             PUSH EDI
00401031  |. 56             PUSH ESI
00401032  |. E8 1B010000    CALL <JMP.&kernel32.CreateProcessA>

In this example, we see the assembly code for the CreateProcess function call. The parameters to the function call are pushed onto the stack before the call is made. We can examine the contents of the stack and the register values to determine the parameters that were passed to the function call.

Using OllyDbg, we can step through the code and examine the state of the memory at each step. This can be useful for understanding how the malware works and identifying potential vulnerabilities to exploit.

Debugging is an incredibly powerful technique for analyzing malware. By stepping through the code and examining the state of the memory, we can gain a deep understanding of how the malware works. In the case of the WannaCry malware, debugging can help us understand how the malware creates new processes and identify potential weaknesses in its code.

Memory Analysis

Memory analysis is another important technique for dynamic malware analysis. Memory analysis involves examining the contents of a malware sample’s memory as it runs. By analyzing the memory, we can learn more about the malware’s behavior and capabilities.

One popular tool for memory analysis is Volatility. Volatility is an open-source memory forensics framework that allows us to analyze the memory of a running process.

Let’s walk through an example of how we might use Volatility to analyze the memory of the TrickBot malware. For this example, we’ll assume that we have already dumped the memory of the TrickBot process using procdump.

First, we’ll use Volatility to display information about the memory dump:

volatility.exe -f trickbot.dmp imageinfo

This command displays information about the operating system and service pack version of the memory dump.

Next, we’ll use Volatility to identify any network connections made by the TrickBot malware:

volatility.exe -f trickbot.dmp --profile=Win10x64_18362 netscan

This command uses the “netscan” plugin in Volatility to scan the memory dump for open network sockets and displays information about each connection. This can be useful for identifying any command and control servers that the malware is communicating with.

Finally, we’ll use Volatility to look for any injected code in the TrickBot process:

volatility.exe -f trickbot.dmp --profile=Win10x64_18362 malfind

This command uses the “malfind” plugin in Volatility to scan the memory dump for suspicious code sections and displays information about each section. This can be useful for identifying any injected code that the malware may have used to evade detection.

Memory analysis can provide us with a wealth of information about a malware sample. By analyzing the contents of the memory, we can identify network connections, injected code, and other important details. In the case of the TrickBot malware, memory analysis can help us identify any command and control servers that the malware is communicating with, as well as any injected code that it may be using to evade detection.

Network Monitoring

Network monitoring is another important technique for dynamic malware analysis. Network monitoring involves observing the network traffic generated by a malware sample as it runs.

One tool that is commonly used for network monitoring is Wireshark. Wireshark is a network protocol analyzer that allows us to capture and analyze network traffic.

Let’s walk through an example of how we might use Wireshark to monitor the network traffic generated by the Emotet malware.

First, we’ll set up Wireshark to capture network traffic on our network interface. We can do this by selecting the appropriate interface in the “Capture” menu.

Next, we’ll start the Emotet malware and observe its network traffic. As the malware runs, we’ll see a lot of network traffic generated by the malware.

To filter the network traffic in Wireshark to show only the traffic generated by the Emotet malware, we can use a display filter. The display filter for Emotet might look something like this:

ip.src == <malware IP> || ip.dst == <malware IP>

This filter will show only the network traffic where the source or destination IP address matches the IP address of the Emotet malware.

As we observe the network traffic generated by the Emotet malware, we might see connections to command and control servers, as well as data being exfiltrated from the infected system.

For example, we might see the following HTTP request being sent by the Emotet malware:

POST /path/to/command-and-control HTTP/1.1
Host: <command-and-control IP>
User-Agent: Emotet/1.0
Content-Type: application/octet-stream
Content-Length: 1234

<encrypted data>

This request is an example of data being exfiltrated from the infected system. The data is encrypted and sent to the command and control server using HTTP.

Network monitoring is a powerful technique for analyzing malware. By observing the network traffic generated by a malware sample, we can identify potential command and control servers, as well as any data that is being exfiltrated. In the case of the Emotet malware, network monitoring can help us identify the IP address of the command and control servers, as well as the type of data that is being exfiltrated.

Conclusion

In this article, we’ve covered several advanced dynamic analysis techniques for analyzing malware. Debugging, memory analysis, and network monitoring are all powerful tools that can help us gain a deep understanding of how a malware sample works.

As red teamers and pen testers, understanding malware is essential to our success. By analyzing the behavior of malware samples, we can identify potential vulnerabilities to exploit and gain a better understanding of the threat landscape.

Remember, always use these techniques responsibly and ethically. As hackers, we have a responsibility to use our skills for good and to help protect against cyber threats. Happy hacking!