Basic Dynamic Analysis
Introduction
Basic Dynamic Analysis is the method of examining malware while it runs. It is also known as Heuristic or Behavioural analysis. It is a limited form of triage, but it tells us a lot about the host and network indicators.
Host And Network Based Indicators
Host based indicators are the actions the malware takes while modifying or interacting with the host. They can be pulled from host based logs.
Example- Creating a file, modifying a service, etc.
Network based indicators are the actions the malware takes when interacting with the network or the internet. They can be pulled from network logs.
Example- Downloading a second stage, uploading data, etc.
Hunting for network signatures
NOTE-
Before initial detonation, be sure to KEEP ALL REQUIRED TOOLS UP AND RUNNING. If the malware detects that it is running in a sandbox, it may try to sabotage the analysis, which is detrimental to the triage.
Simulating a network-
Fire up the REMnux VM, which is networked on the same network as the FLARE VM box.
Then start INetSim on REMnux using the following command-
Confirm that INetSim is up and running.
It is up and running. Now, to capture the network traffic generated by the malware, we need to set up Wireshark on the REMnux box. Start it by typing-
Now click on the desired network interface to capture traffic. In my case it is enp0s3. Traffic will be seen here. For more information on display filters, see - https://wiki.wireshark.org/DisplayFilters . Now we can move on to analysis of the malware.
Detonation-
Change the file extension to .exe so that Windows runs it as a portable executable. After detonation, we capture a request in Wireshark.
Hunting for host based signatures
Procmon will be used to analyse the host based signatures of the malware. The Sysinternals utility set will be used heavily in signature detection of malware samples.
After detonation, we get a list of what the malware has done, in chronological order.
Add a filter to monitor file changes-
We find all kinds of interesting changes made by the malware. For example, we see that the malware has created an executable named dat.exe.
Opening the file location:-
If INetSim isn't running, the malware deletes itself from the disk. We can capture that signature using these filters-
Internal network signatures on the host
To analyse the connections the malware makes on the internal network, TCPView is used. It is part of the Sysinternals suite.
We need to look out for TCP artifacts such as open sockets or TCP connections.
We see that the malware has opened a listening port on TCP 5555. Thus we use netcat to connect to the port using the command-
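As an added example (not part of the original write-up), the following Python script pulls the host indicators discussed in the Procmon and TCPView steps above (the dropped dat.exe, its execution, the self-delete when the network is absent, and the listening port) out of a Procmon CSV export. The CSV rows are constructed to mirror that behaviour, and the column names assume Procmon's default CSV export layout.

```python
import csv
import io
import ntpath

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# These rows are made up to mirror the behaviour described in the write-up;
# they are not a real capture. Paths and PIDs are placeholders.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\dat.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.5","sample.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\dat.exe","SUCCESS","PID: 4321, Command line: dat.exe"
"10:01:03.0","dat.exe","4321","TCP Listen","0.0.0.0:5555","SUCCESS","Length: 0"
"10:01:04.2","sample.exe","1234","SetDispositionInformationFile","C:\\Users\\lab\\sample.exe","SUCCESS","Delete: True"
"10:01:04.3","sample.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"""

def extract_indicators(csv_text):
    """Return (kind, process, value) host indicators from Procmon CSV text."""
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail, proc = row["Operation"], row["Path"], row["Detail"], row["Process Name"]
        if op == "CreateFile" and "OpenResult: Created" in detail:      # new file written to disk
            indicators.append(("file_created", proc, path))
        elif op == "Process Create":                                    # child process launched
            indicators.append(("process_created", proc, path))
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            # a process marking its own image for deletion is the self-delete signature
            kind = "self_delete" if ntpath.basename(path).lower() == proc.lower() else "file_deleted"
            indicators.append((kind, proc, path))
        elif op in ("TCP Listen", "TCP Connect", "UDP Send"):           # what TCPView would show
            indicators.append(("network_" + op.split()[1].lower(), proc, path))
    return indicators

def summarize(indicators):
    """Flag the behaviours discussed above: drop-and-execute, self-deletion, listening ports."""
    created = {v.lower() for k, _, v in indicators if k == "file_created"}
    executed = {v.lower() for k, _, v in indicators if k == "process_created"}
    return {
        "dropper": bool(created & executed),        # wrote a file and then ran it
        "self_delete": any(k == "self_delete" for k, _, _ in indicators),
        "listening_ports": sorted(int(v.rsplit(":", 1)[1]) for k, _, v in indicators if k == "network_listen"),
    }

if __name__ == "__main__":
    found = extract_indicators(SAMPLE_PROCMON_CSV)
    for kind, proc, value in found:
        print(f"{kind:16} {proc:12} {value}")
    print(summarize(found))
```

Replace SAMPLE_PROCMON_CSV with the contents of a real Procmon CSV export to run the same triage over an actual detonation.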
What we concluded so far-
We have concluded so far that the above sample is a malware dropper, i.e. when run, it reaches out for the real malicious payload, downloads it and runs it on the system.