Dynamic Analysis

Dynamic analysis involves observing malware behavior in a controlled environment by executing the malware and logging its activities. This approach allows us to see real-time changes to the system, unlike static analysis, where we examine the malware without execution.

Key Steps in Dynamic Analysis

1. Environment Setup:

   • Create an isolated virtual machine (VM) to safely execute malware without risk to the broader network. Mimic real-world systems, including common applications, user data, and network configurations.

2. Baseline Capture:

   • Take a system snapshot before executing malware. Record details on system files, registry states, running processes, and network configurations to use as a reference for changes introduced by the malware.

3. Tool Deployment (Pre-Execution):

   • Use monitoring tools like ProcMon (Process Monitor) from Sysinternals for logging system events (file access, registry changes, etc.).

   • Additional tools include Wireshark and tcpdump for network traffic, Regshot for registry snapshots, and simulators like INetSim, FakeDNS, or FakeNet-NG.

4. Malware Execution:

   • With logging tools active, execute the malware sample within the VM. Allow it to run long enough to record meaningful behavioral data.

5. Observation and Logging:

   • Monitor and log malware actions, focusing on process creation, file and registry modifications, and network traffic.

6. Data Analysis:

   • After stopping the malware and logging tools, compare the system's post-execution state with the baseline to identify modifications.

Dynamic Analysis with Noriben

Noriben simplifies dynamic analysis by acting as a Python wrapper for ProcMon, filtering and categorizing output to focus on suspicious behaviors.

Steps for Using Noriben

1. Setup Noriben:

   • Open the command line, navigate to C:\Tools\Noriben-master, and launch Noriben:

   C:\Tools\Noriben-master> python .\Noriben.py

2. Launch ProcMon:

   • Noriben initiates ProcMon with preconfigured filters to reduce irrelevant data and highlight malicious indicators.

3. Execute the Malware:

   • Run the malware sample (e.g., shell.exe in C:\Samples\MalwareAnalysis). Allow it to execute, then terminate it after logging activity.

4. Stop Logging:

   • End the session in the Noriben Command Prompt with Ctrl+C, which stops ProcMon and saves data.

5. Review Report:

   • Noriben produces a .txt report summarizing suspicious activity by categorizing file, process, registry, and network interactions.

Using ProcMon Directly for Detailed Insights

Sometimes, Noriben’s filtering may omit certain details. In such cases, manually run ProcMon with a broader configuration to capture all activities:

1. Open ProcMon:

   • Launch ProcMon from C:\Tools\sysinternals and configure it with a default, inclusive setup.

2. Set Filters:

   • Use Ctrl+L to open the filter settings. For example, filter for Process Name as shell.exe to isolate its actions.

3. Execute Malware:

   • Re-run shell.exe and allow ProcMon to log its activity.

4. Examine Detection Techniques:

   • Review the ProcMon output. Malware may attempt sandbox detection by querying the registry for items like VMware Tools (e.g., registry keys indicating a virtual machine).

Additional Dynamic Analysis Tools

• Sandboxes: Automated analysis tools like Cuckoo Sandbox, Joe Sandbox, or FireEye’s Dynamic Threat Intelligence cloud for behavior reports.

  • Note: Some advanced malware can detect sandbox environments and may alter its behavior to evade detection.

Example Commands and Configurations

Start Noriben:

python Noriben.py

Run ProcMon with default configuration:

1. Launch ProcMon.

2. Apply filter (Ctrl+L): Set Process Name to shell.exe and click Apply.

3. Observe results for malware behavior, such as registry queries that may reveal sandbox detection attempts.