Automating Malware Analysis
• Execute malware in a controlled/monitored environment
• Monitor file system, registry, process and network activity
• Output the results in multiple formats
• Examples of sandboxes
◦ Cuckoo Sandbox
◦ ThreatExpert
◦ Anubis
◦ CWSandbox
To determine:
• The nature and purpose of the malware
• Interaction with the file system
• Interaction with the registry
• Interaction with the network
• Identifiable patterns (indicators that can be reused for detection)
[Architecture diagram: on the host machine a controller takes submitted samples, launches the analysis machine (VM), runs the monitoring tools inside it, and collects the reports, artifacts and PCAPs.]
• Automates static, dynamic and memory analysis using open source tools
• Written in Python
• Can be run in sandbox mode or internet mode
• In sandbox mode it simulates internet services (this is the default mode)
• Allows you to set the timeout for the malware to run (default is 60 seconds)
• Stores final reports, PCAPs, a desktop screenshot and malicious artifacts for later analysis
Analysis workflow:
• Takes the sample as input
• Performs static analysis
• Reverts the VM to a clean snapshot
• Starts the VM
• Transfers the malware to the VM
• Runs the monitoring tools (to monitor process, registry, file system and network activity)
• Executes the malware for the specified time
• Stops the monitoring tools
• Suspends the VM
• Acquires the memory image
• Performs memory analysis using the Volatility framework
• Stores the results (final reports, desktop screenshot, PCAPs and malicious artifacts for later analysis)
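The workflow above, as an added example written for this page and not the framework's own code: a small Python driver that performs the static step on the host, then expresses the revert / start / transfer / monitor / execute / suspend / acquire / Volatility steps as VirtualBox `VBoxManage` and Volatility 2 invocations in the order the deck gives them. The VM name, snapshot name, guest credentials, guest paths, monitor scripts and Volatility profile are assumed values; `dry_run=True` (the default) returns the plan without launching anything.

```python
"""Added example, not the framework's own code: a minimal driver for the
run sequence described above, built on VirtualBox's VBoxManage CLI and the
Volatility 2 command line. VM name, snapshot name, guest credentials, guest
paths, monitor scripts and profile are assumed values."""
import hashlib
import pathlib
import subprocess
import time
from dataclasses import dataclass


@dataclass
class Config:
    vm: str = "win7-analysis"                    # assumed VM name
    snapshot: str = "clean"                      # assumed clean-snapshot name
    user: str = "analyst"                        # assumed guest credentials
    password: str = "analyst"
    guest_dir: str = "C:\\sandbox"               # assumed drop directory inside the guest
    start_monitor: str = "C:\\sandbox\\monitor_start.bat"  # assumed: starts monitoring tools
    stop_monitor: str = "C:\\sandbox\\monitor_stop.bat"    # assumed: stops them
    profile: str = "Win7SP1x86"                  # assumed Volatility 2 profile for the guest
    timeout: int = 60                            # seconds the sample runs (the deck's default)
    results_dir: str = "results"


def static_analysis(sample: bytes) -> dict:
    """Step 1: record hashes and whether the sample is a PE before it is ever run."""
    return {
        "md5": hashlib.md5(sample).hexdigest(),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "size": len(sample),
        "is_pe": sample[:2] == b"MZ",
    }


def build_plan(cfg: Config, sample_path: str) -> list:
    """Steps 2 onwards as (name, argv) pairs, in the order the deck lists them."""
    vb = ["VBoxManage"]
    auth = ["--username", cfg.user, "--password", cfg.password]
    guest_sample = cfg.guest_dir + "\\" + pathlib.PurePath(sample_path).name
    memdump = f"{cfg.results_dir}/memory.elf"
    vol = ["vol.py", "-f", memdump, "--profile=" + cfg.profile]
    return [
        ("revert",   vb + ["snapshot", cfg.vm, "restore", cfg.snapshot]),
        ("start",    vb + ["startvm", cfg.vm, "--type", "headless"]),
        ("transfer", vb + ["guestcontrol", cfg.vm, "copyto"] + auth
                        + [sample_path, "--target-directory", cfg.guest_dir]),
        ("monitor",  vb + ["guestcontrol", cfg.vm, "start"] + auth + ["--exe", cfg.start_monitor]),
        ("execute",  vb + ["guestcontrol", cfg.vm, "start"] + auth + ["--exe", guest_sample]),
        ("wait",     []),            # no command: run() sleeps for cfg.timeout here
        ("stop_monitor", vb + ["guestcontrol", cfg.vm, "run"] + auth + ["--exe", cfg.stop_monitor]),
        ("suspend",  vb + ["controlvm", cfg.vm, "pause"]),
        ("acquire",  vb + ["debugvm", cfg.vm, "dumpvmcore", "--filename", memdump]),
        ("pslist",   vol + ["pslist"]),
        ("psscan",   vol + ["psscan"]),
        ("poweroff", vb + ["controlvm", cfg.vm, "poweroff"]),
    ]


def run(cfg: Config, sample_path: str, dry_run: bool = True) -> list:
    """Execute the plan, keeping each command's stdout under results_dir.
    With dry_run=True nothing is launched; only the step names are returned."""
    out_dir = pathlib.Path(cfg.results_dir)
    done = []
    for name, argv in build_plan(cfg, sample_path):
        if not dry_run:
            out_dir.mkdir(parents=True, exist_ok=True)
            if name == "wait":
                time.sleep(cfg.timeout)
            else:
                proc = subprocess.run(argv, capture_output=True, text=True, check=True)
                (out_dir / f"{name}.txt").write_text(proc.stdout)
        done.append(name)
    return done


if __name__ == "__main__":
    # Constructed stand-in for a sample: just an MZ header so the static step has input.
    print(static_analysis(b"MZ" + b"\x00" * 62))
    for name, argv in build_plan(Config(), "/tmp/sample.exe"):
        print(f"{name:12s} {' '.join(argv)}")
```

The driver does not configure the VM's network; in sandbox mode the VM should sit on a host-only or internal network where the simulated internet services are reachable, and only in internet mode should it be bridged or NATed out. The memory image is taken while the VM is paused so that the process and network state are consistent with the last PCAP packet.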
Prolaco.exe drops two files, “Googlxe.exe” and “Rundll45.exe”, on the file system
Prevents security products from running: it looks for the installed security products and deletes their registry key values
The malware sends spam invitation mails to some organizations
Process ID 1080 sends the spam, but the rootkit hides that process from the process listing using DKOM (Direct Kernel Object Manipulation): the process's EPROCESS entry is unlinked from the active-process list that the OS APIs walk
Hides the process from Process Explorer
Comparing the process listings from Volatility's “pslist” and “psscan” plugins shows the hidden process prolaco.exe (PID 1080): pslist walks the linked list and so misses it, while psscan scans memory for EPROCESS structures and still finds the unlinked object
[Screenshots: pslist and psscan output side by side]
Dumping the hidden process from memory and submitting it to VirusTotal confirms that the hidden process is malicious
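The pslist/psscan comparison, as an added example that is not part of the original deck: a cross-view check that diffs the two Volatility 2 listings by PID, reports what psscan sees but pslist does not, and builds the `procdump` command for the dump step. The two listings are constructed to mirror the case study (prolaco.exe, PID 1080, absent from pslist); the memory file name and profile are assumed. It also handles the one false positive a practitioner runs into here: psscan returns terminated processes too, so a psscan-only row with a "Time exited" value is an exited process, not a hidden one.

```python
"""Added example (not from the deck): cross-view detection of a DKOM-hidden
process by diffing Volatility 2 'pslist' and 'psscan' text output. Both
listings below are constructed; prolaco.exe (pid 1080) is unlinked from the
active-process list, so pslist misses it while psscan still finds it."""
import re

# Constructed pslist output (walks the EPROCESS linked list; 1080 is absent).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     53      240 ------      0
0x81f4d020 smss.exe                376      4      3       19 ------      0 2011-05-10 12:10:02 UTC+0000
0x81de4da0 explorer.exe           1464   1440     10      328      0      0 2011-05-10 12:10:40 UTC+0000
"""

# Constructed psscan output (scans physical memory for EPROCESS pool tags).
# cmd.exe carries a "Time exited" value: psscan also returns terminated processes.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                Time exited
---------- ---------------- ------ ------ ---------- --------------------------- ---------------------------
0x01fc8830 System                4      0 0x00319000
0x01e4d020 smss.exe            376      4 0x0e9c0040 2011-05-10 12:10:02 UTC+0000
0x01de4da0 explorer.exe       1464   1440 0x0e9c0200 2011-05-10 12:10:40 UTC+0000
0x01e0b020 prolaco.exe        1080   1464 0x0e9c0320 2011-05-10 12:23:01 UTC+0000
0x01f3a7e8 cmd.exe            2048   1464 0x0e9c0400 2011-05-10 12:20:00 UTC+0000 2011-05-10 12:20:30 UTC+0000
"""

ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_processes(output: str) -> dict:
    """Map pid -> {name, ppid, exited} from either plugin's text output."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        # Two timestamps on a psscan row means the "Time exited" column is filled.
        exited = len(TIMESTAMP.findall(line)) >= 2
        procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]), "exited": exited}
    return procs


def find_hidden(pslist_out: str, psscan_out: str) -> list:
    """(pid, name, ppid) for processes psscan finds but pslist does not, ignoring exited ones."""
    linked = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return sorted(
        (pid, info["name"], info["ppid"])
        for pid, info in scanned.items()
        if pid not in linked and not info["exited"]
    )


def procdump_command(memfile: str, profile: str, pid: int, out_dir: str) -> list:
    """Volatility 2 invocation that dumps the hidden process's image for hashing / VirusTotal."""
    return ["vol.py", "-f", memfile, "--profile=" + profile, "procdump", "-p", str(pid), "-D", out_dir]


if __name__ == "__main__":
    for pid, name, ppid in find_hidden(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"hidden: pid={pid} name={name} ppid={ppid}")
        # memory.elf and the profile are assumed values for this page.
        print(" ".join(procdump_command("memory.elf", "WinXPSP3x86", pid, "dump")))
```

Run against the real listings, the same diff should be repeated with `psxview`, which adds further views (thread scan, csrss handle table, session list) so that a sample which unlinks from more than one list is still caught; a process absent from all scanned views but present in psscan alone is more often an exited process than a rootkit, which is why the exit timestamp is checked above.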
