Here is a sample sequence of steps for malware analysis.
- Running Procmon, setting a filter on the malware executable's name, and clearing out all events just before running the sample.
- Starting Process Explorer.
- Gathering a first snapshot of the registry using Regshot.
- Setting up your virtual network to your liking using INetSim and ApateDNS.
- Setting up network traffic logging using Wireshark.
- Examine ApateDNS to see whether any DNS requests were performed.
- Review the Procmon results for file system modifications (CreateFile, WriteFile, or CloseFile).
- Compare the two snapshots taken with Regshot to identify changes. (Registry)
- Use Process Explorer to examine the process to determine whether it creates mutexes or listens for incoming connections. (Malware may create a mutex to ensure that only one instance of it is running at a time. Mutexes can provide an excellent fingerprint for malware if they are unique enough.)
- Review the INetSim logs for requests and attempted connections on standard services.
- Review the Wireshark capture for network traffic generated by the malware.