Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Basic Dynamic Analysis of Malware

Download as PPTX, PDF
Natraj G
Natraj G

This document provides an overview of basic dynamic malware analysis techniques. It explains that dynamic analysis examines how malware behaves when executed by monitoring changes to the system, unusual processes, network traffic, and other behaviors. A number of tools are described that can be used for dynamic analysis, including sandboxes, process monitors, registry snapshots, network service emulators, and packet sniffers. Caution is advised to perform analysis safely in a isolated lab environment.

Related slideshows

Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
1 of 20
1 Basic Dynamic Analysis - malware by @x00itachi
2 Why and what is malware analysis ?  To gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network.  We can write,  Host-based signatures(HIPS), or indicators, are used to detect malicious code on victim computers.  Network signatures(NIPS) are used to detect malicious code by monitoring network traffic.  Malware Analysis types –  Static/Code Analysis  Dynamic/Behavioral Analysis
3 Brief intro on static analysis….  Taking a closer look at the suspicious file by examining its static properties.  Static properties include the strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc.  This process also helps determine whether the analyst should take closer look at the specimen using more comprehensive techniques and where to focus the subsequent steps.
4 What is dynamic analysis ?  When performing behavioral analysis, look for changes to the system as well as any unusual behavior on an infected system.  Changes on the system that should raise a red flag include files that have been added and/or modified, new services that have been installed, new processes that are running, any registry modifications noting which modifications took place, and finally, if any systems settings have been modified.  Beside the behavior of the system itself, network traffic will also be examined.
5 Why dynamic analysis ?  Both types accomplish the same goal of explaining how malware works, the tools, time and skills required to perform the analysis are very different.  Behavioral analysis is how the malware behaves when executed, who it talks to, what gets installed, and how it runs.  Both static and dynamic analysis should be performed to gain a complete understanding on how a particular malware functions.  Knowing how malware functions allows for better defenses to protect the organization from this piece of malware
6 Caution while doing!!!  you must set up a safe environment.  For the best protection of production networks, the malware lab should never be connected to any network.  Dynamic analysis techniques are extremely powerful & dynamic analysis can put your network and system at risk.
7 How we do it ?.....Use tools  Sandboxes  Process monitors  Registry snapshots  Network service faking tools  Domain faking tools  Packet sniffers
8 Tools & use case
9 Sandboxes  A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming “real” systems.  Ex: Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and Comodo Instant Malware Analysis  Malware sandboxes do have a few major drawbacks.  Ex: the sandbox simply runs the executable, without command-line options.  The sandbox also may not record all events, because neither you nor the sandbox may wait long enough.  Malware may detect the virtual machine, and it might stop running or behave differently. Source: Arial 9pt.
10 Monitoring with Process Monitor  Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.  Procmon monitors all system calls it can gather as soon as it is run. sometimes more than 50,000 events a minute. It can crash a virtual machine using all available memory. Source: Arial 9pt.
11 Processes with Process Explorer  The Process Explorer, free from Microsoft, is an extremely powerful task manager that should be running when you are performing dynamic analysis.  You can use Process Explorer to list active processes, DLLs loaded by a process, various process properties, and overall system information. Source: Arial 9pt.
12 Registry Snapshots with Regshot  Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. Source: Arial 9pt.
13 Faking a Network Using ApateDNS  Malware often beacons out and eventually communicates with a commandand-control server.  You can create a fake network and quickly obtain network indicators, without actually connecting to the Internet.  ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine.  It responds to DNS requests with the DNS response set to an IP address you specify. Source: Arial 9pt.
14 Source: Arial 9pt.
15 Using INetSim  INetSim is a free, Linux-based software suite for simulating common Internet services.  INetSim is the best free tool for providing fake services, allowing you to analyze the network behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP, and others.  INetSim does its best to look like a real server, and it has many easily configurable features to ensure success.  Ex: by default, it returns the banner of Microsoft IIS web server if is it scanned and INetSim can serve almost any file requested. Source: Arial 9pt.
16 Source: Arial 9pt.
17 Monitoring with Netcat  Netcat, the “TCP/IP Swiss Army knife,” can be used over both inbound and outbound connections for port scanning, tunneling, proxying, port forwarding, and much more. Source: Arial 9pt.
18 Packet Sniffing with Wireshark  Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic.  Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets. Source: Arial 9pt.
19 Demo Source: Arial 9pt.
20 Source: Arial 9pt. THANKS TO :

More Related Content

What's hot

Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
Lionel Faleiro
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
Albert Hui
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
n|u - The Open Security Community
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Sam Bowne
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
shwetha mk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Data encryption
Data encryptionData encryption
Data encryption
Deepam Goyal
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
PECB
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
Sina Manavi
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
Paul Melson
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
Network forensic
Network forensicNetwork forensic
Network forensic
Manjushree Mashal
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
Sajid Hasan
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
Napier University
 

What's hot (20)

Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Data encryption
Data encryptionData encryption
Data encryption
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Network forensic
Network forensicNetwork forensic
Network forensic
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 

Similar to Basic Dynamic Analysis of Malware

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
Gregory Hanis
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
Tara Hardin
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
Security Handbook
Security Handbook Security Handbook
Security Handbook
Anthony Hasse
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
Ave Nawsh
 
Pentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
Pentesting Tools to Find Bugs Before Hackers | CyberPro MagazinePentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
Pentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
CyberPro Magazine
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
AmardeepKumar621436
 
Security measures for networking
Security measures for networkingSecurity measures for networking
Security measures for networking
Shyam Kumar Singh
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
Gary Mendonca
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
shreyng
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
Honeypots.ppt1800363876
Honeypots.ppt1800363876Honeypots.ppt1800363876
Honeypots.ppt1800363876
Momita Sharma
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
scanning and analysis tools Fuzz testing
scanning and analysis tools Fuzz testingscanning and analysis tools Fuzz testing
scanning and analysis tools Fuzz testing
maryjanebataluna19
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
Raghav Bisht
 
Running Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docxRunning Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docx
SUBHI7
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
Tiffany Sandoval
 
Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...
Varun Mithran
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
Alexander Kot
 

Similar to Basic Dynamic Analysis of Malware (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
IDS+Honeypots Making Security Simple
IDS+Honeypots Making Security SimpleIDS+Honeypots Making Security Simple
IDS+Honeypots Making Security Simple
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Security Handbook
Security Handbook Security Handbook
Security Handbook
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
 
Pentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
Pentesting Tools to Find Bugs Before Hackers | CyberPro MagazinePentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
Pentesting Tools to Find Bugs Before Hackers | CyberPro Magazine
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Security measures for networking
Security measures for networkingSecurity measures for networking
Security measures for networking
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Honeypots.ppt1800363876
Honeypots.ppt1800363876Honeypots.ppt1800363876
Honeypots.ppt1800363876
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
scanning and analysis tools Fuzz testing
scanning and analysis tools Fuzz testingscanning and analysis tools Fuzz testing
scanning and analysis tools Fuzz testing
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Running Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docxRunning Head Security Assessment Repot (SAR) .docx
Running Head Security Assessment Repot (SAR) .docx
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...Incident handling is a clearly defined set of procedures to manage and respon...
Incident handling is a clearly defined set of procedures to manage and respon...
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 

Recently uploaded

SuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptxSuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
nitishjain2015
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Alliance
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
Dexbytes Infotech Pvt Ltd
 
Getting Started with Azure AI Studio.pptx
Getting Started with Azure AI Studio.pptxGetting Started with Azure AI Studio.pptx
Getting Started with Azure AI Studio.pptx
Swaminathan Vetri
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
pubgnewstate1620
 
Planetek Italia Corporate Profile Brochure
Planetek Italia Corporate Profile BrochurePlanetek Italia Corporate Profile Brochure
Planetek Italia Corporate Profile Brochure
Planetek Italia Srl
 
The Maritime Security. OSINT [EN] .pdf
The Maritime Security. OSINT [EN] .pdfThe Maritime Security. OSINT [EN] .pdf
The Maritime Security. OSINT [EN] .pdf
Snarky Security
 
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
wromeetup
 
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinhBài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
NguynThNhQunh59
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
FIDO Munich Seminar FIDO Automotive Apps.pptxFIDO Munich Seminar FIDO Automotive Apps.pptx
FIDO Munich Seminar FIDO Automotive Apps.pptx
FIDO Alliance
 
Flame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptxFlame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptx
VaishnaviChavan206944
 
The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...
maricrismontales
 
Easy Compliance is Continuous Compliance
Easy Compliance is Continuous ComplianceEasy Compliance is Continuous Compliance
Easy Compliance is Continuous Compliance
Anchore
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptxFIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Alliance
 
Informatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptxInformatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptx
OkyPrayudi
 
The Challenge of Interpretability in Generative AI Models.pdf
The Challenge of Interpretability in Generative AI Models.pdfThe Challenge of Interpretability in Generative AI Models.pdf
The Challenge of Interpretability in Generative AI Models.pdf
Sara Kroft
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
SynapseIndia
 
Multimodal Embeddings (continued) - South Bay Meetup Slides
Multimodal Embeddings (continued) - South Bay Meetup SlidesMultimodal Embeddings (continued) - South Bay Meetup Slides
Multimodal Embeddings (continued) - South Bay Meetup Slides
Zilliz
 
Scientific-Based Blockchain TON Project Analysis Report
Scientific-Based Blockchain TON Project Analysis ReportScientific-Based Blockchain TON Project Analysis Report
Scientific-Based Blockchain TON Project Analysis Report
SelcukTOPAL2
 
TribeQonf2024_Dimpy_ShiftingSecurityLeft
TribeQonf2024_Dimpy_ShiftingSecurityLeftTribeQonf2024_Dimpy_ShiftingSecurityLeft
TribeQonf2024_Dimpy_ShiftingSecurityLeft
Dimpy Adhikary
 

Recently uploaded (20)

SuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptxSuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
 
Getting Started with Azure AI Studio.pptx
Getting Started with Azure AI Studio.pptxGetting Started with Azure AI Studio.pptx
Getting Started with Azure AI Studio.pptx
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
 
Planetek Italia Corporate Profile Brochure
Planetek Italia Corporate Profile BrochurePlanetek Italia Corporate Profile Brochure
Planetek Italia Corporate Profile Brochure
 
The Maritime Security. OSINT [EN] .pdf
The Maritime Security. OSINT [EN] .pdfThe Maritime Security. OSINT [EN] .pdf
The Maritime Security. OSINT [EN] .pdf
 
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
 
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinhBài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
FIDO Munich Seminar FIDO Automotive Apps.pptxFIDO Munich Seminar FIDO Automotive Apps.pptx
FIDO Munich Seminar FIDO Automotive Apps.pptx
 
Flame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptxFlame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptx
 
The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...
 
Easy Compliance is Continuous Compliance
Easy Compliance is Continuous ComplianceEasy Compliance is Continuous Compliance
Easy Compliance is Continuous Compliance
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptxFIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptx
 
Informatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptxInformatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptx
 
The Challenge of Interpretability in Generative AI Models.pdf
The Challenge of Interpretability in Generative AI Models.pdfThe Challenge of Interpretability in Generative AI Models.pdf
The Challenge of Interpretability in Generative AI Models.pdf
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
 
Multimodal Embeddings (continued) - South Bay Meetup Slides
Multimodal Embeddings (continued) - South Bay Meetup SlidesMultimodal Embeddings (continued) - South Bay Meetup Slides
Multimodal Embeddings (continued) - South Bay Meetup Slides
 
Scientific-Based Blockchain TON Project Analysis Report
Scientific-Based Blockchain TON Project Analysis ReportScientific-Based Blockchain TON Project Analysis Report
Scientific-Based Blockchain TON Project Analysis Report
 
TribeQonf2024_Dimpy_ShiftingSecurityLeft
TribeQonf2024_Dimpy_ShiftingSecurityLeftTribeQonf2024_Dimpy_ShiftingSecurityLeft
TribeQonf2024_Dimpy_ShiftingSecurityLeft
 

Basic Dynamic Analysis of Malware

  • 1. 1 Basic Dynamic Analysis - malware by @x00itachi
  • 2. 2 Why and what is malware analysis ?  To gain an understanding of how a specific piece of malware functions so that defenses can be built to protect an organization’s network.  We can write,  Host-based signatures(HIPS), or indicators, are used to detect malicious code on victim computers.  Network signatures(NIPS) are used to detect malicious code by monitoring network traffic.  Malware Analysis types –  Static/Code Analysis  Dynamic/Behavioral Analysis
  • 3. 3 Brief intro on static analysis….  Taking a closer look at the suspicious file by examining its static properties.  Static properties include the strings embedded into the file, header details, hashes, embedded resources, packer signatures, metadata such as the creation date, etc.  This process also helps determine whether the analyst should take closer look at the specimen using more comprehensive techniques and where to focus the subsequent steps.
  • 4. 4 What is dynamic analysis ?  When performing behavioral analysis, look for changes to the system as well as any unusual behavior on an infected system.  Changes on the system that should raise a red flag include files that have been added and/or modified, new services that have been installed, new processes that are running, any registry modifications noting which modifications took place, and finally, if any systems settings have been modified.  Beside the behavior of the system itself, network traffic will also be examined.
  • 5. 5 Why dynamic analysis ?  Both types accomplish the same goal of explaining how malware works, the tools, time and skills required to perform the analysis are very different.  Behavioral analysis is how the malware behaves when executed, who it talks to, what gets installed, and how it runs.  Both static and dynamic analysis should be performed to gain a complete understanding on how a particular malware functions.  Knowing how malware functions allows for better defenses to protect the organization from this piece of malware
  • 6. 6 Caution while doing!!!  you must set up a safe environment.  For the best protection of production networks, the malware lab should never be connected to any network.  Dynamic analysis techniques are extremely powerful & dynamic analysis can put your network and system at risk.
  • 7. 7 How we do it ?.....Use tools  Sandboxes  Process monitors  Registry snapshots  Network service faking tools  Domain faking tools  Packet sniffers
  • 9. 9 Sandboxes  A sandbox is a security mechanism for running untrusted programs in a safe environment without fear of harming “real” systems.  Ex: Norman SandBox, GFI Sandbox, Anubis, Joe Sandbox, ThreatExpert, BitBlaze, and Comodo Instant Malware Analysis  Malware sandboxes do have a few major drawbacks.  Ex: the sandbox simply runs the executable, without command-line options.  The sandbox also may not record all events, because neither you nor the sandbox may wait long enough.  Malware may detect the virtual machine, and it might stop running or behave differently. Source: Arial 9pt.
  • 10. 10 Monitoring with Process Monitor  Process Monitor, or procmon, is an advanced monitoring tool for Windows that provides a way to monitor certain registry, file system, network, process, and thread activity.  Procmon monitors all system calls it can gather as soon as it is run. sometimes more than 50,000 events a minute. It can crash a virtual machine using all available memory. Source: Arial 9pt.
  • 11. 11 Processes with Process Explorer  The Process Explorer, free from Microsoft, is an extremely powerful task manager that should be running when you are performing dynamic analysis.  You can use Process Explorer to list active processes, DLLs loaded by a process, various process properties, and overall system information. Source: Arial 9pt.
  • 12. 12 Registry Snapshots with Regshot  Regshot is an open source registry comparison tool that allows you to take and compare two registry snapshots. Source: Arial 9pt.
  • 13. 13 Faking a Network Using ApateDNS  Malware often beacons out and eventually communicates with a commandand-control server.  You can create a fake network and quickly obtain network indicators, without actually connecting to the Internet.  ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine.  It responds to DNS requests with the DNS response set to an IP address you specify. Source: Arial 9pt.
  • 15. 15 Using INetSim  INetSim is a free, Linux-based software suite for simulating common Internet services.  INetSim is the best free tool for providing fake services, allowing you to analyze the network behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP, and others.  INetSim does its best to look like a real server, and it has many easily configurable features to ensure success.  Ex: by default, it returns the banner of Microsoft IIS web server if is it scanned and INetSim can serve almost any file requested. Source: Arial 9pt.
  • 17. 17 Monitoring with Netcat  Netcat, the “TCP/IP Swiss Army knife,” can be used over both inbound and outbound connections for port scanning, tunneling, proxying, port forwarding, and much more. Source: Arial 9pt.
  • 18. 18 Packet Sniffing with Wireshark  Wireshark is an open source sniffer, a packet capture tool that intercepts and logs network traffic.  Wireshark provides visualization, packet-stream analysis, and in-depth analysis of individual packets. Source: Arial 9pt.