CTMSDFIS SII P3 - MALWARE ANALYSIS AND FORENSICS Practical : Basic Dynamic Analysis
Basic Dynamic Analysis
Task 1. Basic Static Analysis
Downloading and Extracting the Sample
Using Firefox, download this file:
key.7z from Google classroom
You need 7-Zip to extract the file. If you don't have it installed, download and install the 64-bit version from:
https://www.7-zip.org/
Right-click the key.7z file, click 7-Zip, then "Extract Here", and enter the password malware (the password stops on-access antivirus from quarantining the sample before you can analyze it).
The sample appears, named key.exe. Before doing anything else, record its hash so you can identify the sample later (for example with certutil -hashfile key.exe SHA256).
Using PEview
Open key.exe in PEview.
As shown below, if you expand "SECTION .rdata" and click "IMPORT Address Table", you can see that one of the three DLLs imported is advapi32.dll. advapi32.dll is where the registry API (the Reg* functions) lives, so its presence is worth remembering when you look for persistence later.
As you scroll you will see kernel32.dll functions such as WriteConsoleW, GetConsoleWindow, WideCharToMultiByte and GetStringType, which help identify what the exe is doing.
The other two DLLs are kernel32.dll and user32.dll.
School of Cyber Security and Digital Forensics, NFSU - Gandhinagar Page 1
Prepared by: Dr. Parag Shukla – Assistant Professor
Using BinText
Examine the strings in key.exe and find these items, as shown below.
• log.txt -- a text file, probably where output is written
• key.exe -- the program name
• C:\windows\vmx32to64.exe -- an executable path inside the Windows directory; a normal user program has no reason to write there, and doing so requires administrator rights
Scroll up and find the key definitions, including #SHIFT# and #CAPS_LOCK#, as shown below. These look like the placeholders a keylogger writes to its log for non-printing keys.
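The string hunt above is done by hand in BinText. As an added example (not part of this practical, and not code from BinText or the sample), the Python script below does the same job offline: it pulls printable ASCII and UTF-16LE runs out of a byte buffer and flags the ones that match keylogger indicators. SAMPLE is a constructed byte blob seeded with the strings listed above, not the contents of key.exe; the indicator labels and regexes are this example's own choice.

```python
import re

# Constructed stand-in for a binary: a few of the strings named in the practical
# embedded among non-printable bytes. This is NOT the contents of key.exe.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                      # DOS magic plus filler
    + b"kernel32.dll\x00\x00"                                          # an ordinary import name
    + b"log.txt\x00\x00"
    + b"key.exe\x00\x00"
    + "C:\\windows\\vmx32to64.exe".encode("utf-16-le") + b"\x00\x00"  # wide string (BinText "U" entries)
    + b"#SHIFT#\x00\x00#CAPS_LOCK#\x00\x00"
    + b"\x01\x02ab\x03"                                                # too short to be reported
)

# Indicators worth a second look in a suspected keylogger. The labels and
# patterns are this example's own choice, not a published rule set.
INDICATORS = {
    "key-name placeholder": re.compile(r"^#[A-Z_]+#$"),
    "log file name": re.compile(r"\.(txt|log)$", re.IGNORECASE),
    "executable under C:\\Windows": re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def triage(strings):
    """Map each indicator label to the extracted strings that matched it."""
    hits = {}
    for _offset, _encoding, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(text)
    return hits


if __name__ == "__main__":
    # For the real sample use: SAMPLE = open("key.exe", "rb").read()
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"{offset:08x} {encoding:5} {text}")
    for label, texts in triage(found).items():
        print(f"[{label}] {', '.join(texts)}")
```

The UTF-16 pass matters for Windows binaries: paths and registry keys are often stored as wide strings and never show up in an ASCII-only strings run, which is why BinText lists "A" and "U" entries separately.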
Task 2. Preparing for Dynamic Analysis
Dynamic analysis is simple: start the monitoring tools, run the malware, and let it do what it wants to our virtual machine. This is a crude technique, since we are trusting the reporting of the very system that is being infected, but it usually works. Do it only in an isolated VM with a clean snapshot you can revert to afterwards.
We will use these three programs to see what the malware does:
1. Process Explorer
2. Wireshark
3. Process Monitor
Install and Run Process Explorer
Download Process Explorer from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
Extract the zip file and open procexp64.exe.
Process Explorer shows the currently running processes, with far more detail than Task Manager. It doesn't keep a log, so it's harmless to leave running.
Install and Run Wireshark
Go to https://www.wireshark.org/index.html#download and save/run the Windows
Installer (64-bit) file.
Install Wireshark with the default options.
Start Wireshark and begin capturing packets from the interface that goes to the Internet; it should be "Ethernet".
There will be a lot of traffic at the start because you are running RDP from your host machine to the Windows cloud machine.
To filter out the RDP traffic, enter this into the Wireshark display filter bar, replacing 192.168.10.10 with your host machine's IP address:
!(ip.addr == 192.168.10.10)
Note: to get the IP address of your host machine as the cloud machine sees it, Google search "What's My IP?", or run netstat -n | findstr :3389 on the cloud machine and read the foreign address of the established RDP connection. A filter of !(tcp.port == 3389) hides RDP without needing to know the address at all.
Once the filter is applied, you can stop and restart the capture by clicking the red square and the blue shark fin above the filter bar. Close any open web browsers to limit the traffic.
Note: For this project, no web requests will be made by the malware, but it's a good idea to
monitor network traffic when running malware.
Install and Start Process Monitor
Process Monitor records file system, registry, process/thread and network activity in real time, which typically adds up to hundreds of thousands of events within minutes. It holds the capture in memory by default, so don't leave it running for too long or it will exhaust memory and crash.
It's best to start Process Monitor last, so you can exclude all the harmless processes the other tools are generating events for.
Go to https://docs.microsoft.com/en-us/sysinternals/downloads/procmon and download and extract Process Monitor.
Launch Process Monitor. If a Security Warning box pops up, allow the software to run. Agree to the license.
You see Process Monitor, already capturing, with a lot of visible events, as shown below.
Excluding Harmless Processes
In Process Monitor, right-click the name of one of the visible processes, such as explorer.exe, and click "Exclude 'explorer.exe'", as shown below:
Repeat the process until all the currently running processes are hidden, as shown below. There are a lot of processes to exclude, around 15 to 20.
A faster alternative is the Filter dialog (Ctrl+L): add the rule Process Name, is, key.exe, Include. Be aware that this include filter also hides anything done by processes the sample starts, such as the executable it drops, which the exclude approach would still show.
Running the Malware
In File Explorer, right-click key.exe and choose "Run as administrator".
RUN THE MALWARE AS ADMINISTRATOR!
If you run it without administrator privileges, the persistence mechanism will fail, because an ordinary user cannot write into the Windows directory, and you won't be able to find flag 221.3 below. Process Monitor shows such a failure as an ACCESS DENIED result instead of SUCCESS.
Wireshark
No unusual traffic appears in Wireshark, because this sample doesn't use the Internet. Close
Wireshark.
Viewing the Running Malware in Process Explorer
In Process Explorer, in the top pane, find key.exe and click it.
Find the name of the exe covered in green in the image below. That is the flag.
Viewing the Running Malware in Process Monitor
Go to ProcMon and scroll until you get to key.exe. You can view the steps the malware is taking.
This malware creates an executable file in the Windows directory.
It also sets up persistence by modifying the Run registry key for the current user (HKCU = HKEY_CURRENT_USER). The programs referenced in this key are executed each time that user logs in; because the key is under HKCU rather than HKLM, it affects only the account the sample was run as. In Process Monitor the write appears as a RegSetValue operation by key.exe.
Find the path of that key and take note of it.
The flag is the text covered in green.
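Scrolling through the capture works for one sample; for anything larger it helps to save the capture as CSV (File > Save..., Format: CSV) and check it programmatically. The Python script below is an added example, not part of this practical and not code from Process Monitor: it parses rows in the column layout Process Monitor exports, keeps only the events of one process (the same thing the manual exclude steps above achieve), and pulls out the two findings described here, an executable dropped under C:\Windows and a value set on a Run key, then checks that the Run value actually points at the dropped file. SAMPLE_CSV is constructed for this example and is not an export from the lab machine; the value name vmx32to64 under the Run key, the PIDs and the paths under C:\Users\analyst are assumptions.

```python
import csv
import io
import re

# Constructed rows in the column layout Process Monitor writes when a capture is
# saved as CSV. Made up for this example; feed your own export to
# parse_procmon_csv() to run the same checks on real data.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","key.exe","4120","Process Start","","SUCCESS","Parent PID: 1544"
"10:01:02.1200000 AM","key.exe","4120","CreateFile","C:\\Users\\analyst\\Desktop\\key.exe","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"10:01:02.2000000 AM","key.exe","4120","CreateFile","C:\\Windows\\vmx32to64.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:02.2100000 AM","key.exe","4120","WriteFile","C:\\Windows\\vmx32to64.exe","SUCCESS","Offset: 0, Length: 11,264"
"10:01:02.3000000 AM","key.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vmx32to64","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\\Windows\\vmx32to64.exe"
"10:01:05.0000000 AM","key.exe","4120","CreateFile","C:\\Users\\analyst\\Desktop\\log.txt","SUCCESS","Desired Access: Generic Write, Disposition: OpenIf"
"10:01:05.5000000 AM","explorer.exe","1544","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_TrackProgs","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

# Run and RunOnce keys under HKCU or HKLM (the Wow6432Node variants share this suffix).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
WINDOWS_EXE = re.compile(r"^[a-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Process Monitor CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def events_for(rows, process):
    """Only the events generated by one process image name (case-insensitive)."""
    return [r for r in rows if r["Process Name"].lower() == process.lower()]


def dropped_windows_executables(rows, process="key.exe"):
    """Executables directly under C:\\Windows that the process opened for writing or wrote to."""
    paths = []
    for r in events_for(rows, process):
        if r["Result"] != "SUCCESS" or not WINDOWS_EXE.match(r["Path"]):
            continue
        wrote = r["Operation"] == "WriteFile" or (
            r["Operation"] == "CreateFile" and "Generic Write" in r["Detail"])
        if wrote and r["Path"] not in paths:
            paths.append(r["Path"])
    return paths


def run_key_persistence(rows, process="key.exe"):
    """(value path, data) for every successful RegSetValue on a Run/RunOnce key."""
    hits = []
    for r in events_for(rows, process):
        if r["Operation"] == "RegSetValue" and r["Result"] == "SUCCESS" and RUN_KEY.search(r["Path"]):
            m = re.search(r"Data: (.*)$", r["Detail"])   # ProcMon puts the written value last
            hits.append((r["Path"], m.group(1).strip() if m else ""))
    return hits


def persistence_pointing_at_dropped_file(rows, process="key.exe"):
    """Link the two findings: Run values whose data names a file the process itself dropped."""
    dropped = {p.lower() for p in dropped_windows_executables(rows, process)}
    return [(key, data) for key, data in run_key_persistence(rows, process)
            if data.strip('"').lower() in dropped]


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)   # real export: open("Logfile.CSV", newline="").read()
    print("dropped executables:", dropped_windows_executables(rows))
    print("run-key writes:     ", run_key_persistence(rows))
    print("linked persistence: ", persistence_pointing_at_dropped_file(rows))
```

Filtering on Result as well as Operation is what separates a run as administrator from a run without it: the same CreateFile on C:\Windows\vmx32to64.exe appears in both captures, but only the elevated run reports SUCCESS.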
Test out the keylogger
Open Notepad and type some text.
In File Explorer, go to the folder containing key.exe, find log.txt and open it. You see the captured keystrokes, as shown below.
Persistence Mechanism
In Process Explorer, right-click key.exe and choose Kill Process.
This stops the keylogger for the current session. However, the malware has written itself into the Run key, so it will start again at the next logon, which the reboot and RDP reconnect force.
Restart the machine and reconnect through RDP, then check Process Explorer again. Removing it for real would mean deleting the Run value and the dropped executable; in a lab the cleanest option is to revert the VM to its pre-infection snapshot.