Advanced Malware Analysis - Dynamic Analysis Techniques

Greetings, comrades in digital arms! Today, we are delving into the enticing world of dynamic analysis techniques, a fascinating topic that every red team member, pen tester, or cybersecurity aficionado should master. As we’re talking about advanced malware analysis here, I’ll assume you already have a decent grasp on the basics of static analysis. If you haven’t already, please go back and check out our previous articles in this series to get up to speed. Alright, let’s dive in!

What is Dynamic Analysis?

Dynamic analysis involves inspecting malware in a running state. It’s like peeking under the hood of a car while the engine is running - dangerous, yet highly informative. With static analysis, we scrutinize the code to understand its potential behavior. With dynamic analysis, we observe malware in action to understand its actual behavior, giving us an accurate picture of what it does when executed.

Setting Up the Analysis Environment

Before you get started, ensure you have the right environment setup. Running a potentially harmful code on your regular system is a terrible idea. Hence, setting up an isolated, virtual environment is essential.

I suggest using a virtual machine (VM) for this purpose. Tools like VirtualBox or VMware Workstation are great for this task. I prefer to use a snapshot-friendly VM running a version of Windows, since it’s the most common target for malware.

# Install VirtualBox on Ubuntu
sudo apt update
sudo apt install virtualbox

Always remember to isolate your VM from your host machine and the internet, unless specifically necessary. Also, ensure you’ve a clean snapshot of your VM before executing the malware. This allows you to revert to a safe state post-analysis.

Tools of the Trade

Our arsenal includes a variety of tools that assist with dynamic analysis. We’ll explore a few popular ones:

Process Monitor (ProcMon): This powerful Sysinternals tool gives us real-time file system, registry, and process activity.
Process Explorer: Another Sysinternals gem, it’s like a souped-up Task Manager, providing in-depth information about running processes.
Wireshark: This network protocol analyzer captures and investigates network traffic.
ApateDNS: A simple DNS responder that lets us divert DNS requests, thereby controlling network traffic.
Regshot: A lightweight tool to take a snapshot of the registry before and after the malware execution, and compare them.
FakeNet-NG: A dynamic network analysis tool that simulates network responses to trick and capture malware traffic.

ProcMon in Action

Let’s begin with ProcMon. Launch the tool and start the malware executable. ProcMon will start logging events. Now, this is where it gets interesting.

You can use ProcMon to observe real-time changes, but for malware analysis, you’d usually save the logs and peruse them at leisure. One fantastic feature of ProcMon is the ability to filter out noise. You can focus on your malware process and hide the rest.

Here’s an example of a filter to isolate activity from our malware (let’s assume it’s called bad.exe):

Process Name -> is -> bad.exe -> Include

This filters out anything that isn’t related to bad.exe. Now, you can scrutinize process activity, registry changes, and file operations made by the malware. This hands-on analysis will reveal the nitty-gritty details of the malware’s behavior.

Diving into Network Analysis with Wireshark

A malware analysis wouldn’t be complete without looking at the network traffic. For this, Wireshark is our best buddy.

Start capturing packets before you run the malware. Pay particular attention to any strange domain names, IP addresses, or unusual protocols. Be aware of beaconing - regular, automated network traffic, often used by malware for command and control (C2) communication.

Remember Stuxnet? That groundbreaking piece of malware used a variety of sophisticated techniques, including C2 communication. Here’s what the traffic might have looked like in Wireshark:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       10.0.2.15             88.198.66.58          TCP      66     50222 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
      2 0.188389       88.198.66.58          10.0.2.15             TCP      66     80 → 50222 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=1024
      3 0.188527       10.0.2.15             88.198.66.58          TCP      54     50222 → 80 [ACK] Seq=1 Ack=1 Win=65792 Len=0
      4 0.189783       10.0.2.15             88.198.66.58          HTTP     479    GET /index.php?data=JHFjfiYxi83ruioJNFkjf98uhfi4h HTTP/1.1
      5 0.381902       88.198.66.58          10.0.2.15             TCP      60     80 → 50222 [ACK] Seq=1 Ack=426 Win=31232 Len=0
      6 0.402226       88.198.66.58          10.0.2.15             HTTP     60     HTTP/1.1 200 OK  (text/html)

By examining this traffic, we can see that the malware made a GET request to 88.198.66.58/index.php, passing some encoded data as a parameter. This could be a part of its C2 communication, exfiltrating data or requesting instructions.

Embracing ApateDNS and FakeNet-NG

But what if we don’t want the malware to reach its real C2 server? Enter ApateDNS. It can impersonate the DNS service and divert all DNS requests to an IP of our choice. This way, we maintain control and prevent possible harm.

Similarly, FakeNet-NG can simulate network protocols and capture the malware’s network activity. It’s especially handy when dealing with unknown or undocumented protocols, like those used by the infamous Flame malware. Flame used a custom C2 protocol, and tools like FakeNet-NG could have been instrumental in its analysis.

Regshot - The Registry Specialist

Last but not least, let’s look at Regshot. Malware often modifies registry keys to ensure persistence, disable security controls, or simply mess with the system.

Regshot allows us to take a ‘before’ snapshot of the registry, run the malware, and then take an ‘after’ snapshot. The comparison of these two states highlights the changes made by the malware.

For instance, let’s say we have a registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\evil added by our malware. This key ensures that the malware starts every time Windows boots, thus ensuring its persistence. Regshot would highlight this addition in its report, which might look something like this:

Keys added:1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\evil

Wrapping Up

Alright, my fellow warriors, we have covered a lot today. Remember, dynamic analysis is about observing and understanding malware behavior in real-time. It allows us to see the true nature of the beast. Tools like ProcMon, Wireshark, ApateDNS, FakeNet-NG, and Regshot are indispensable for our exploration.

But never forget - analysis requires patience and practice. Not all malware samples will reveal their secrets easily, especially those employing advanced evasion techniques. However, equipped with the knowledge and tools we’ve discussed, you are now ready to face these challenges head-on.

Remember, knowledge is power. Continue exploring, continue learning, and keep pushing the boundaries of what you know about the world of malware. Until next time, happy hunting!

“The only true wisdom is in knowing you know nothing.” - Socrates, probably after his first encounter with malware.

What is Dynamic Analysis?¶

Setting Up the Analysis Environment¶

Tools of the Trade¶

ProcMon in Action¶

Diving into Network Analysis with Wireshark¶

Embracing ApateDNS and FakeNet-NG¶

Regshot - The Registry Specialist¶

Wrapping Up¶