[EN] Dynamic Malware Analysis
Hello everyone. In the previous part we built a lab environment for analyzing malware. Now it is time to analyze a malware sample using dynamic analysis techniques. I will share the sample with you, but do not execute it on your personal device.
As you may remember, I showed the INetSim configuration and the usage of FakeDNS in the previous part. Let's start these tools in the REMnux distro again.
After starting them, open the Windows 7 machine and run Process Explorer, Process Monitor and Wireshark.
Using the filtering feature of Process Monitor (procmon), we can easily isolate the malware's activity. To open the filter dialog, use Filter > Filter or CTRL + L in procmon.
The columns have the following meaning. Architecture indicates the system architecture. Operation shows the action that was performed, and PID shows the process ID. Process Name gives the name of the process. A process is a running instance of an application on your machine; for instance, when we run an executable or another file, other processes may start in the background. Threads are execution units that run inside a process. Every process has an ID number because the operating system and the processes communicate through it.
When you click the button next to the filter column you will see a combobox with the match relations. With "is", rows whose value is exactly the selected option are listed. With "contains", rows whose value contains the option are listed. With "begins with", rows whose value starts with the option are listed. Lastly, "ends with" lists rows whose value finishes with the option.
With Wireshark we can monitor the packets that the device sends and receives. It sniffs the traffic and shows it to the user in real time. In addition, the user can save the capture and analyze these network connections later.
Dynamic Analysis -1
Before executing the malware, make sure that the analysis programs are open. We filter on shell.exe in Procmon to monitor what the executable (the malware) does.
From the image above, you can see that the malware creates a connection using the FTP protocol (port 21).
To analyze the other connections the malware creates, follow these steps: Filter > Operation - contains - TCP Disconnect.
You can see the connections the malware creates in the image below. The malware sends connection requests, but these requests time out. It uses the FTP, HTTP and HTTPS protocols.
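The two procmon filter steps above (Process Name is shell.exe, Operation contains TCP Disconnect) can be reproduced offline over a saved procmon CSV export. The script below is an added example, not code from the original post: it implements the four match relations from the filter combobox over constructed rows laid out like a Procmon "Save As CSV" export (the hostnames, IPs and timestamps are made up), and counts the closed connections per remote host and protocol.

```python
import csv
import io
from collections import Counter

# Constructed sample laid out like a Procmon "Save As CSV" export; the rows,
# hostnames and IP addresses are made up for this example.
PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","shell.exe","1234","TCP Connect","WIN7-PC:49160 -> 203.0.113.10:21","SUCCESS","Length: 0"
"10:01:05","shell.exe","1234","TCP Disconnect","WIN7-PC:49160 -> 203.0.113.10:21","SUCCESS","Length: 0"
"10:01:06","shell.exe","1234","TCP Connect","WIN7-PC:49161 -> 203.0.113.10:80","SUCCESS","Length: 0"
"10:01:27","shell.exe","1234","TCP Disconnect","WIN7-PC:49161 -> 203.0.113.10:80","SUCCESS","Length: 0"
"10:01:28","shell.exe","1234","TCP Connect","WIN7-PC:49162 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:49","shell.exe","1234","TCP Disconnect","WIN7-PC:49162 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03","explorer.exe","812","TCP Connect","WIN7-PC:49170 -> 203.0.113.20:80","SUCCESS","Length: 0"
"10:01:04","shell.exe","1234","RegOpenKey","HKLM\\Software\\Microsoft","SUCCESS","Desired Access: Read"
'''

# The four match relations offered in procmon's filter dialog (simplified:
# comparisons here are case-sensitive).
RELATIONS = {
    "is": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "begins with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
}
PORT_NAMES = {"21": "FTP", "80": "HTTP", "443": "HTTPS"}

def load_rows(csv_text):
    """Parse the export into one dict per event, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def apply_filters(rows, rules):
    """Keep only rows that satisfy every (column, relation, value) rule."""
    return [row for row in rows
            if all(RELATIONS[rel](row[col], val) for col, rel, val in rules)]

def remote_endpoint(path):
    """Split procmon's 'LOCAL:port -> REMOTE:port' Path into (REMOTE, port)."""
    remote = path.split(" -> ", 1)[1]
    host, port = remote.rsplit(":", 1)
    return host, port

def summarize_connections(csv_text, process="shell.exe"):
    """Apply the post's two filters and count closed connections per
    (remote host, protocol); unknown ports are reported as tcp/<port>."""
    hits = apply_filters(load_rows(csv_text),
                         [("Process Name", "is", process),
                          ("Operation", "contains", "TCP Disconnect")])
    summary = Counter()
    for row in hits:
        host, port = remote_endpoint(row["Path"])
        summary[(host, PORT_NAMES.get(port, "tcp/" + port))] += 1
    return summary

if __name__ == "__main__":
    for (host, proto), n in summarize_connections(PROCMON_CSV).items():
        print(f"{proto:<6} {host}: {n} connection(s)")
```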
Let's have a look with Wireshark. Type ftp in the filter box to show only FTP traffic.
With Procmon and Process Explorer we learned how to filter connections. While analyzing the FTP traffic, we can recover the username and password of the FTP server with Follow > TCP Stream, because FTP sends them in cleartext.
As you can see from the image, the username and password of this FTP server are pwnlab.me:we_are_starting
Let's move on to REMnux. Using FakeDNS we can find the malware's C&C (command and control) server.
When we look at INetSim after executing the malware, we can see the FTP server login details.
We created a fake server and forwarded all requests to it (REMnux), but the malware stopped working after a while because it did not receive the responses it expected. You can also analyze this malware from the download link above, but do not forget to remove the REMnux machine's IP address from the DNS configuration of the malware sample.
Thank you for your attention, take care!
Source material: SOME’ler İçin Ağ ve Malware Analizi (Book)
Translated from: https://pwnlab.me/tr-malware-dinamik-analizi-part-2/