- Below are the core steps of behavioral malware analysis.
Steps:
- Activate monitoring tools
- Run malware in the virtual machine for a while
- Terminate the malicious tools
- Pause monitoring tools
- Observe logs for suspicious entries
Tools or Tactics:
- VMware virtual machine, Sysinternals tools
- Process Monitor
- Filtering Process Monitor Logs: Native Filter
- Filtering Process Monitor Logs: Export to CSV and Filter in Excel
- Process Explorer
- Monitoring the Lab Network (network sniffer on Linux)
- Wireshark
- tcpdump
- When Windows failed to resolve the hostname using DNS, malware attempted to query the hostname using the NetBIOS (NBNS) protocol.
- Redirecting Network Traffic
- Do not let the malware connect to the Internet
- Redirect traffic to a lab machine
- If malware uses a domain name:
- Modify local hosts file
- Windows: C:\WINDOWS\system32\drivers\etc\hosts
- Linux: /etc/hosts
- Bring up a lab DNS server
- Give the malware what it wants (IRC server or HTTP server)
- "Follow TCP Stream" in Wireshark to for IRC/HTTP session Details
- Analyze the behavior!
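As an added example, not part of the original notes: the "Export to CSV and Filter in Excel" step done in Python, so the same filters (system-changing operations, autorun and System32 paths, noise-process exclusion) can be re-applied to every run. The CSV rows, process names and paths below are constructed for the example.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (Procmon's "Save > CSV"
# columns). Process names, paths and values are made up for this example.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","804","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS","Type: REG_SZ"
"10:01:03.4","sample.exe","3120","CreateFile","C:\\Windows\\System32\\winlgn.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.5","sample.exe","3120","WriteFile","C:\\Windows\\System32\\winlgn.exe","SUCCESS","Offset: 0, Length: 45,056"
"10:01:03.9","sample.exe","3120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Windows\\System32\\winlgn.exe"
"10:01:04.2","sample.exe","3120","Process Create","C:\\Windows\\System32\\winlgn.exe","SUCCESS","PID: 3344"
"10:01:04.6","sample.exe","3120","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid","SUCCESS","Type: REG_SZ"
"10:01:05.0","explorer.exe","1432","CreateFile","C:\\Users\\lab\\Desktop","SUCCESS","Desired Access: Read Data"
"""

# Operations that change the system: new processes, file writes, registry writes.
INTERESTING_OPS = {"Process Create", "WriteFile", "RegSetValue", "RegCreateKey"}
# Paths worth flagging whatever the operation: autorun keys and the System32 tree.
SUSPICIOUS_PATH = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\System32\\", re.IGNORECASE)
# Background processes excluded the way Procmon's native "Exclude" filter would.
NOISE_PROCESSES = {"explorer.exe", "svchost.exe", "procmon.exe", "procexp.exe"}


def filter_procmon(csv_text, focus_process=None):
    """Return (time, process, operation, path, detail) tuples for rows worth a look."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"]
        # With a focus process (e.g. the sample), keep only its rows;
        # otherwise keep every process except the known background noise.
        if focus_process is not None and proc != focus_process:
            continue
        if focus_process is None and proc in NOISE_PROCESSES:
            continue
        if row["Operation"] in INTERESTING_OPS or SUSPICIOUS_PATH.search(row["Path"]):
            hits.append((row["Time of Day"], proc, row["Operation"], row["Path"], row["Detail"]))
    return hits


if __name__ == "__main__":
    for hit in filter_procmon(SAMPLE_PROCMON_CSV):
        print(" | ".join(hit))
```

Point the script at a real export by reading the CSV file into `filter_procmon`; the sample row with a Run-key write followed by a process start is the persistence pattern the "Observe logs for suspicious entries" step is looking for.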