Malware Analysis Series 0x4

Mahmoud Elfawair
7 min readMar 18, 2024


Hello. Today we will expand our knowledge of basic dynamic analysis using popular tools such as Procmon, Process Explorer, and others.

Let’s dive in

Basic Dynamic Analysis

We turn to this type of analysis when we reach a dead end in static analysis. It simply involves examining the artifacts the malware produces while it is running: the files it creates or modifies, the processes it spawns, the network connections it opens, and so on.

The book's author gives a good example: if the malware is a keylogger, dynamic analysis lets us locate the keylogger's log file on the system (the file that stores the keystrokes you type), something static analysis alone would only hint at.

Sandbox

The quick and dirty way. A sandbox is simply an isolated virtual machine that imitates a real environment, for example by simulating network services (DNS, HTTP and so on) so that the malware believes it is online and behaves normally, while every action it takes is recorded and reported.

There are a lot of sandboxes out there, but one of the most popular is Cuckoo; you can read its documentation on the project site. I personally use Hybrid Analysis.

NOTE: Even though sandboxes are automated and convenient, think twice before submitting malware that contains company information to a public website. Most public sandboxes share submitted samples with other customers and researchers, which can leak that data and can tip off the attacker that their sample has been found.

Sandbox drawbacks

Some of the drawbacks are:

  1. Malware that needs command-line arguments to run properly: sandboxes usually execute the sample without any arguments, so the interesting code path is never reached.
  2. Malware with long Sleep calls or other time-based evasion: the sandbox has a fixed run time and cannot always patch the sleeps out, so it may report that nothing happened.

Running the malware

It's easy to run an EXE file, but what do you do if the sample is a DLL?

Luckily you are reading this article. Windows has no built-in way to execute a DLL directly, but we can use rundll32.exe to load it and call one of its exported functions.

Per Microsoft, "rundll32 loads and runs 32-bit dynamic-link libraries (DLLs). You must run the rundll32 command from an elevated command prompt." Two practical caveats: on 64-bit Windows there are two copies of rundll32.exe, a 64-bit one in System32 and a 32-bit one in SysWOW64, so if the DLL fails to load try the copy that matches its bitness; and rundll32 calls the export as if it had the prototype void CALLBACK Entry(HWND, HINSTANCE, LPSTR cmdline, int), so an export written with a different signature may crash instead of running.

  • rundll32 syntax
C:\> rundll32.exe DLLname, Export arguments

Let's say we have a malicious DLL called m.dll, and Dependency Walker shows two exported functions named install and uninstall. To run the install export we do the following (rundll32 also accepts an ordinal prefixed with # in place of the export name):

C:\> rundll32.exe m.dll, install 

DLL malware may also need to be installed as a service. Sometimes there is an export named InstallService, and the name tells you exactly what it does:

C:\> rundll32.exe m.dll, InstallService ServiceName
C:\> net start ServiceName

net start simply starts the named Windows service.

Note: The ServiceName argument must be provided to the malware so it can be installed and run.

rundll32.exe is not the only way to run a DLL. We can also patch the file with a PE editor (CFF Explorer, for example) or a hex editor (PEview only displays headers, it doesn't edit them) and clear the IMAGE_FILE_DLL flag (0x2000) from the Characteristics field of IMAGE_FILE_HEADER, then rename the file to .exe so it can be launched. Running the result won't call any of the exported functions, but it will run DllMain, the entry point the loader calls whenever the DLL is loaded into a process, which is often where malware does its installation work.
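The patch itself is a two-byte edit, so here is an added Python example (not from the original article and not from any PE editor) that locates the Characteristics field and clears the DLL bit. The sample header it builds is a constructed, non-loadable stub used only to show the before and after values; on a real sample, run it with an input path and an output path.

```python
"""Clear IMAGE_FILE_DLL in a PE file's IMAGE_FILE_HEADER.Characteristics.

Added example for this article (not from the original post or the book):
it does by hand what a PE editor does when you wipe the DLL flag so the
loader treats the file as an executable and runs DllMain.
"""
import struct

IMAGE_FILE_DLL = 0x2000
MZ = b"MZ"
PE_SIG = b"PE\0\0"


def characteristics_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics.

    Layout: IMAGE_DOS_HEADER.e_lfanew (at 0x3C) -> "PE\\0\\0" (4 bytes) ->
    IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    Characteristics(2), so Characteristics sits at e_lfanew + 4 + 18.
    """
    if len(data) < 0x40 or data[:2] != MZ:
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 18


def get_characteristics(data: bytes) -> int:
    (chars,) = struct.unpack_from("<H", data, characteristics_offset(data))
    return chars


def is_dll(data: bytes) -> bool:
    return bool(get_characteristics(data) & IMAGE_FILE_DLL)


def clear_dll_flag(data: bytes) -> bytes:
    """Return a copy of data with IMAGE_FILE_DLL cleared; every other bit is kept."""
    off = characteristics_offset(data)
    chars = get_characteristics(data) & ~IMAGE_FILE_DLL & 0xFFFF
    patched = bytearray(data)
    struct.pack_into("<H", patched, off, chars)
    return bytes(patched)


def build_fake_dll_header() -> bytes:
    """Constructed sample: a minimal, non-loadable PE header marked as a DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) | IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020) | IMAGE_FILE_DLL
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0,
                              0x0002 | 0x0020 | IMAGE_FILE_DLL)
    return bytes(dos) + PE_SIG + file_header


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python patch_dll_flag.py m.dll m_patched.exe
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(clear_dll_flag(original))
    else:
        sample = build_fake_dll_header()
        print("before:", hex(get_characteristics(sample)), "is_dll:", is_dll(sample))
        after = clear_dll_flag(sample)
        print("after: ", hex(get_characteristics(after)), "is_dll:", is_dll(after))
```

The script deliberately leaves every other Characteristics bit alone: the sample's 0x2022 becomes 0x0022, and the rest of the file is byte-for-byte identical, which is the same minimal change you would make in a hex editor.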

Procmon

Procmon (Process Monitor) is one of the Sysinternals tools and is extremely powerful in malware analysis: it shows real-time file system, registry and process/thread activity. It is a must-have in our malware hunting toolkit.

You have to be careful when using it, especially on a virtual machine with limited resources, because it keeps every event that happens on the system in memory (it can collect hundreds of thousands of events in under a minute) and will happily exhaust your RAM. One mitigation is Options > Backing Files, which lets Procmon store the trace in a file on disk instead of in virtual memory.

That’s why we need to learn some Procmon tricks

  1. CTRL + E or FILE > CAPTURE EVENTS to stop it from logging new events
  2. CTRL + X or EDIT > CLEAR DISPLAY to clear all events

In Procmon's main window the status bar shows the number of events captured and the number currently displayed. The Filter option is your go-to feature, because Procmon collects so many events that it is hard to go through them all by hand.

Filtering in Procmon

We can set Procmon to show only one executable running on the system. You can also filter on individual operations such as RegSetValue, CreateFile, WriteFile or other potentially destructive operations, which are usually far more interesting than the thousands of reads.

Note: by default the filter only changes what is displayed. Every recorded event is still kept, so setting a filter alone won't stop Procmon from exhausting your RAM and crashing your VM :3 Enable Filter > Drop Filtered Events if you want excluded events to be discarded instead of stored.

  • Now, let's learn how to set a filter:

You can open the filter dialog with CTRL + L or by clicking the filter icon on the toolbar. Each filter rule has four parts: the column to match (for example Process Name), the relation (is, is not, contains, begins with and so on), the value (the name of the process), and the action, Include or Exclude. Add the rule and apply it; after starting Processhacker.exe, only that process's events are displayed.

  • Procmon also provides four quick filters on its toolbar, in this order as shown in the picture:
  1. Registry activity: by examining registry operations, you can tell how a piece of malware installs itself in the registry
  2. File system activity: exploring file system interaction shows all files that the malware creates or configuration files it uses
  3. Network activity: identifying network connections can show you any ports on which the malware is listening
  4. Process and thread activity: investigating process activity tells you whether the malware spawned additional processes

Analysis of Procmon's recorded events takes practice and patience, since many events are simply part of the standard way that executables start up. The more you use Procmon, the easier you will find it to quickly review the event listing.
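To practise the same filtering logic offline, here is an added Python example (not a Procmon feature and not the author's code) that applies Include filters to a CSV export from Procmon (File > Save, CSV format). The rows it parses are constructed for the demo, not a real capture, and the imaginary sample is called m.exe; the script keeps only that process's successful state-changing operations and groups them into the four toolbar categories.

```python
"""Filter a Procmon CSV export the way the Procmon filter dialog does.

Added example for this article (not a Procmon feature or the author's code).
Procmon's CSV export uses these default columns:
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
The rows below are constructed for the demo, not a real capture.
"""
import csv
import io

SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:11.0019876","m.exe","4212","Load Image","C:\\Users\\analyst\\Desktop\\m.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x9000"
"10:02:11.0030000","m.exe","4212","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:02:11.0041000","m.exe","4212","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe"
"10:02:11.0052000","m.exe","4212","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:02:11.0063000","m.exe","4212","WriteFile","C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe","SUCCESS","Offset: 0, Length: 36,864"
"10:02:11.0074000","m.exe","4212","Process Create","C:\\Users\\analyst\\AppData\\Roaming\\svch0st.exe","SUCCESS","PID: 4300, Command line: svch0st.exe"
"10:02:11.0085000","m.exe","4212","CreateFile","C:\\Users\\analyst\\AppData\\Roaming\\config.dat","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open"
"10:02:11.0096000","svchost.exe","812","CreateFile","C:\\Windows\\Prefetch\\M.EXE-1A2B3C4D.pf","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
'''

# Operations that change the system; reads are usually noise.
INTERESTING_OPS = {"RegSetValue", "RegCreateKey", "WriteFile", "Process Create",
                   "TCP Connect", "UDP Send"}
# CreateFile only matters when the handle is opened for writing.
WRITE_ACCESS_HINTS = ("Generic Write", "Write Data")


def parse_procmon_csv(text: str) -> list:
    """Rows as dicts keyed by the Procmon column names."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(rows, process_name=None, operations=None, require_success=True):
    """Mimic Procmon Include rules: Process Name is X, Operation is in a set.

    CreateFile is kept only when the Detail column shows write access, which
    is what you would express in the dialog as Detail contains Generic Write.
    """
    kept = []
    for r in rows:
        if process_name and r["Process Name"].lower() != process_name.lower():
            continue
        if require_success and r["Result"] != "SUCCESS":
            continue
        op = r["Operation"]
        if operations is not None:
            if op == "CreateFile":
                if not any(hint in r["Detail"] for hint in WRITE_ACCESS_HINTS):
                    continue
            elif op not in operations:
                continue
        kept.append(r)
    return kept


def summarize(rows) -> dict:
    """Group surviving events into Procmon's four toolbar categories."""
    summary = {"registry": set(), "filesystem": set(), "process": set(), "network": set()}
    for r in rows:
        op, path = r["Operation"], r["Path"]
        if op.startswith("Reg"):
            summary["registry"].add(path)
        elif op in ("CreateFile", "WriteFile"):
            summary["filesystem"].add(path)
        elif op.startswith(("Process", "Thread")):
            summary["process"].add(path)
        elif op.startswith(("TCP", "UDP")):
            summary["network"].add(path)
    return summary


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    hits = filter_events(rows, process_name="m.exe", operations=INTERESTING_OPS)
    for r in hits:
        print(f'{r["Operation"]:<15} {r["Path"]}')
    print(summarize(hits))
```

On the constructed capture the filter reduces nine rows to four: the Run-key persistence entry, the dropped svch0st.exe being written, and the child process being started, which is exactly the story you want from a first pass. The failed config.dat lookup is dropped by the SUCCESS rule, but failed reads can be worth a second pass, since they show which files the malware expects to find.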

Process explorer

It is a greatly enhanced alternative to Task Manager, also part of the Sysinternals tools and written by Mark Russinovich. Using it we can see all active processes, the DLLs loaded by each process, and various process properties.

We can use it to kill a process, log out users, and launch and validate processes

Let’s discuss the colors:

  1. Services are highlighted in pink
  2. Processes in blue
  3. New processes in green
  4. Terminated processes in red

Green and red highlights are temporary: a process is green for a moment when it starts and red for a moment when it exits, then its row disappears.

Process explorer verify feature

Double-clicking any process opens its properties window.

The Verify button on the Image tab checks the image file on disk against its digital signature and tells you whether it is signed by Microsoft. Because Microsoft signs most of its core executables, when Process Explorer reports the signature as valid you can be fairly sure the file on disk really came from Microsoft. There is one catch: Process Explorer verifies the image on disk, not what is in memory. If an attacker launched a legitimate signed executable and then overwrote its code in memory (process replacement, also known as process hollowing), the process still shows as verified.

Comparing Strings

This is one way to check whether a process has been tampered with: compare the strings of the image on disk with the strings in memory, by toggling between the Image and Memory buttons at the bottom of the Strings tab.

When the strings in memory differ substantially from the ones on disk (for example the on-disk strings are gone and new URLs or API names have appeared), that is an indicator of process replacement. Some difference is normal, since a running process allocates data on the heap, so look for the disk strings disappearing rather than just new strings appearing.
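Here is an added Python example (not Process Explorer's code and not the author's) that does the same comparison offline over a saved image and a memory dump: it extracts ASCII and UTF-16 strings from both, reports what exists only in memory and what disappeared, and flags the disappearance as the process-replacement indicator. The two blobs are constructed stand-ins with made-up strings (the C2 URL uses the reserved .invalid domain), not real binaries.

```python
"""Compare the strings of an image on disk with the strings of the same
process in memory, the way Process Explorer's Strings tab lets you do by eye.
Added example for this article (not Process Explorer's or the author's code).
"""
import re

# Strings that usually appear only in memory when something was injected.
SUSPICIOUS = ("http://", "https://", "CreateRemoteThread", "WriteProcessMemory",
              "VirtualAllocEx", "NtUnmapViewOfSection", "cmd.exe /c", "powershell",
              "CurrentVersion\\Run")


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Printable ASCII and UTF-16LE strings of at least min_len characters,
    the same two kinds Process Explorer's Strings tab lists."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(data)}
    return found


def compare_strings(disk: bytes, memory: bytes, min_len: int = 4) -> dict:
    on_disk = extract_strings(disk, min_len)
    in_mem = extract_strings(memory, min_len)
    only_mem = in_mem - on_disk
    missing = on_disk - in_mem
    return {
        "only_in_memory": sorted(only_mem),
        "missing_from_memory": sorted(missing),
        "missing_ratio": len(missing) / len(on_disk) if on_disk else 0.0,
        "suspicious": sorted(s for s in only_mem
                             if any(h.lower() in s.lower() for h in SUSPICIOUS)),
    }


def looks_replaced(report: dict, threshold: float = 0.5) -> bool:
    """A mapped image keeps its own strings in memory, so when most on-disk
    strings vanish and new ones appear, suspect process replacement. Heap
    data adds memory-only strings even in clean processes, so new strings
    alone are not evidence."""
    return report["missing_ratio"] >= threshold and bool(report["only_in_memory"])


def blob(*parts: bytes) -> bytes:
    """Join chunks with NUL padding so each string stays separate (constructed data)."""
    return b"\x00\x00".join(parts) + b"\x00\x00"


# Constructed stand-ins, not real binaries.
DISK_IMAGE = blob(b"MZ\x90", b"This program cannot be run in DOS mode.", b"svchost.exe",
                  b"ServiceMain", b"GetProcAddress",
                  "Host Process for Windows Services".encode("utf-16-le"))
# Clean process: the image is still mapped, plus a few heap strings.
MEMORY_NORMAL = DISK_IMAGE + blob(b"C:\\Windows\\System32\\svchost.exe", b"RPCSS")
# Hollowed process: only the DOS stub text survives, the rest was replaced.
MEMORY_HOLLOWED = blob(b"MZ\x90", b"This program cannot be run in DOS mode.",
                       b"http://c2.example.invalid/gate.php", b"WriteProcessMemory",
                       b"VirtualAllocEx", b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       "cmd.exe /c del %s".encode("utf-16-le"))

if __name__ == "__main__":
    for name, mem in (("normal", MEMORY_NORMAL), ("hollowed", MEMORY_HOLLOWED)):
        report = compare_strings(DISK_IMAGE, mem)
        print(name, "replaced?", looks_replaced(report), report)
```

The clean case shows two memory-only strings and nothing missing, so it is not flagged; the hollowed case loses four of the five on-disk strings and gains a URL, injection API names and a Run key, which is the pattern you are looking for when you toggle Image and Memory in Process Explorer.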

In the next article I'll talk about Regshot and Wireshark for basic dynamic analysis. I hope you enjoyed reading this article, cya.

Written by Mahmoud Elfawair, reverse engineering and linux enthusiast.