Basic Dynamic Analysis
Static Analysis Process Hollowing ???
If see multiple Not run in doss, could mean multiple files
SOFTWARE\Microsoft\ - Commonly in the regedit
Problems with static analysis
- Only shows us what is in the program
- Not how it is used
- Might see a potential filename - but what is happening to it
- Does it get used every time the program is ran or only certain situations
- No idea of the sequence of events
Programs = Data Structures + Algorithms
- All programs (including malware) are a series of instructions
- Get executed by the CPU
- Those instructions have an effect - they do stuff
- Observing these instructions as they run
Internal Actions
- Some of the instructions will cause things to happen within the program
- Only affecting data within the program
Examples of external actions
- Network access
- Manipulate files
- Manipulate registry
- Input/output
- Calls the Win32API
Running the Malware
- Most of the time is a .dll, can be ran with
rundll32.exeto start and specify the export to call. - As a last resort, you can force the
.dll
Observing a program
- Let the program run, see what changes afterwards
- Monitor the program as it runs
- Explore a process memory space
Need to preserve the state of the system before so can compare
Comparison
- Full snapshot or just a limited section
- Can use file hashes to quickly tell if a file has changed
- Walk the file systems after and compare the hashes to reveal changed files
Limitations
- Can only show the changes between start and end