# Dynamic Analysis Dynamic analysis involves observing malware behavior in a controlled environment by executing the malware and logging its activities. This approach allows us to see real-time changes to the system, unlike static analysis, where we examine the malware without execution. #### Key Steps in Dynamic Analysis 1. **Environment Setup**: * Create an isolated virtual machine (VM) to safely execute malware without risk to the broader network. Mimic real-world systems, including common applications, user data, and network configurations. 2. **Baseline Capture**: * Take a system snapshot before executing malware. Record details on system files, registry states, running processes, and network configurations to use as a reference for changes introduced by the malware. 3. **Tool Deployment (Pre-Execution)**: * Use monitoring tools like **ProcMon** (Process Monitor) from Sysinternals for logging system events (file access, registry changes, etc.). * Additional tools include **Wireshark** and **tcpdump** for network traffic, **Regshot** for registry snapshots, and simulators like **INetSim**, **FakeDNS**, or **FakeNet-NG**. 4. **Malware Execution**: * With logging tools active, execute the malware sample within the VM. Allow it to run long enough to record meaningful behavioral data. 5. **Observation and Logging**: * Monitor and log malware actions, focusing on process creation, file and registry modifications, and network traffic. 6. **Data Analysis**: * After stopping the malware and logging tools, compare the system's post-execution state with the baseline to identify modifications. #### Dynamic Analysis with Noriben **Noriben** simplifies dynamic analysis by acting as a Python wrapper for ProcMon, filtering and categorizing output to focus on suspicious behaviors. #### Steps for Using Noriben 1. **Setup Noriben**: * Open the command line, navigate to `C:\Tools\Noriben-master`, and launch Noriben: ``` C:\Tools\Noriben-master> python .\Noriben.py ``` 2. **Launch ProcMon**: * Noriben initiates ProcMon with preconfigured filters to reduce irrelevant data and highlight malicious indicators. 3. **Execute the Malware**: * Run the malware sample (e.g., `shell.exe` in `C:\Samples\MalwareAnalysis`). Allow it to execute, then terminate it after logging activity. 4. **Stop Logging**: * End the session in the Noriben Command Prompt with `Ctrl+C`, which stops ProcMon and saves data. 5. **Review Report**: * Noriben produces a `.txt` report summarizing suspicious activity by categorizing file, process, registry, and network interactions. #### Using ProcMon Directly for Detailed Insights Sometimes, Noriben’s filtering may omit certain details. In such cases, manually run ProcMon with a broader configuration to capture all activities: 1. **Open ProcMon**: * Launch **ProcMon** from `C:\Tools\sysinternals` and configure it with a default, inclusive setup. 2. **Set Filters**: * Use `Ctrl+L` to open the filter settings. For example, filter for `Process Name` as `shell.exe` to isolate its actions. 3. **Execute Malware**: * Re-run `shell.exe` and allow ProcMon to log its activity. 4. **Examine Detection Techniques**: * Review the ProcMon output. Malware may attempt sandbox detection by querying the registry for items like **VMware Tools** (e.g., registry keys indicating a virtual machine). #### Additional Dynamic Analysis Tools * **Sandboxes**: Automated analysis tools like **Cuckoo Sandbox**, **Joe Sandbox**, or **FireEye’s Dynamic Threat Intelligence** cloud for behavior reports. * *Note*: Some advanced malware can detect sandbox environments and may alter its behavior to evade detection. #### Example Commands and Configurations **Start Noriben**: ``` python Noriben.py ``` **Run ProcMon with default configuration**: 1. Launch ProcMon. 2. Apply filter (`Ctrl+L`): Set Process Name to `shell.exe` and click `Apply`. 3. Observe results for malware behavior, such as registry queries that may reveal sandbox detection attempts.