Lab 2: Analyzing System Interactions

Overview

Dynamic analysis is the act of learning about code by interacting with it while it runs. We have already seen an example of this by using GDB and strace on Linux to step through a program and observe how it interacts with the operating system. In this lab you will use standard tools to monitor system events on Windows in order to dynamically analyze a malicious binary. Do all of this inside the lab VM, with no network path to your host or to the internet: the sample is live ransomware and the whole point of the lab is to let it run.

Goals:

  • Learn how to set up and use fakenet-ng to imitate network connectivity.
  • Practice using procmon to monitor a program for system events.
  • Learn to use regshot to watch for changes to the Windows Registry.

Estimated Time: 45 Minutes

Instructions

Start fakenet

First run the fakenet program found in the Tools folder on your Desktop.

Question
After you’ve started fakenet browse to a fake domain like http://evil-domain.com in a browser.

What happens? What does this tell you about what fakenet does?

Start procmon and pause capture

Start by running the procmon program, found in the Utilities section of the Tools folder.

When you open it, you should start seeing events immediately. Pause the capture so we can filter events to the specific program we care about.

Set up a WannaCry filter

Procmon records events from every process on the system, so add a filter that includes only the sample: open Filter > Filter... (Ctrl+L), choose Process Name, is, enter the file name of the malware executable, select Include, then click Add and OK. Events from every other process are hidden from the display but are still captured, so you can loosen the filter later if you need context.

Detonate the malware

At this point you should be ready to start a capture and run the malware to see what it does.

After the malware runs, stop the procmon capture (Ctrl+E) so the trace stops growing and consuming memory.

Question
Does it seem like anything happened when the malware ran? Most malware does not want you to know it’s running.

Use the quick filter buttons

Procmon has buttons in the toolbar that toggle the display of each class of event:

  • Registry activity
  • File system activity
  • Network activity
  • Process and thread activity
  • Profiling events

Toggle the buttons on and off to see how each one hides a class of events from the trace. Leave only the network events visible.

Question
Does the malware make any network connections?

What IP address and port does it reach out to?
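Reading endpoints off the procmon display works for a handful of connections, but the same answer can be pulled from a CSV export of the trace (File > Save..., format CSV). The script below is an added example, not part of the original lab; it parses a Procmon CSV export and tallies the remote address and port of every TCP Connect made by the filtered process. The CSV text is constructed to mimic a Procmon export, and the process name, PID and addresses in it are made up for illustration.

```powershell
# Added example: summarize remote endpoints from a Procmon CSV export.
# $sample is a constructed stand-in for a real export; replace it with
# Get-Content -Raw of your own .csv file.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","sample.exe","1234","CreateFile","C:\Users\lab\Desktop\test.txt","SUCCESS","Desired Access: Generic Write"
"10:02:11.2234567 AM","sample.exe","1234","TCP Connect","lab-vm:49712 -> 203.0.113.10:80","SUCCESS","Length: 0, mss: 1460"
"10:02:11.3234567 AM","sample.exe","1234","TCP Send","lab-vm:49712 -> 203.0.113.10:80","SUCCESS","Length: 92"
"10:02:12.0000000 AM","sample.exe","1234","TCP Connect","lab-vm:49713 -> 203.0.113.10:80","SUCCESS","Length: 0, mss: 1460"
"10:02:12.5000000 AM","sample.exe","1234","TCP Connect","lab-vm:49714 -> 198.51.100.7:445","SUCCESS","Length: 0, mss: 1460"
'@

function Get-ProcmonRemoteEndpoints {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [string] $ProcessName = 'sample.exe'   # assumed name of the sample's process
    )
    $events = $CsvText | ConvertFrom-Csv
    $events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Operation -eq 'TCP Connect' } |
        ForEach-Object {
            # Procmon writes network paths as "local:port -> remote:port".
            $remote = ($_.Path -split ' -> ')[1]
            $sep    = $remote.LastIndexOf(':')   # last colon, so "[::1]:445" also splits correctly
            [pscustomobject]@{
                Remote  = $remote
                Address = $remote.Substring(0, $sep)
                Port    = [int] $remote.Substring($sep + 1)
            }
        } |
        Group-Object Remote |
        ForEach-Object {
            [pscustomobject]@{
                Address  = $_.Group[0].Address
                Port     = $_.Group[0].Port
                Connects = $_.Count
            }
        } |
        Sort-Object Connects -Descending
}

Get-ProcmonRemoteEndpoints -CsvText $sample | Format-Table -AutoSize
```

By default procmon resolves addresses to host names in the Path column; turn off Options > Resolve Network Addresses before exporting if you want raw IP addresses to compare against the fakenet PCAP.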

Review the fakenet PCAP in Wireshark

To stop fakenet, click on the terminal window where it is running and press Ctrl+C. It will take a second to shut everything down.

Then, open the PCAP located in the fakenet directory in C:\Tools\.

Question
Find the packets associated with the connections you saw in procmon and include a screenshot.

Capture events without fakenet

The next step is to see what happens when you run the malware without faking the network events.

Create a text file on the Desktop to use as a test to see if the malware encrypts it. You can use whatever method you want but here is an example in Windows PowerShell:

PowerShell
# Write a known plaintext to a canary file on the Desktop
"Hello, world!" | Out-File ~\Desktop\test.txt

Then clear all the events in procmon and detonate the malware again.
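One text file tells you whether encryption happened; a small set of canary files with a recorded hash baseline tells you which files were rewritten, which were removed or renamed, and what new files appeared alongside them. The script below is an added example that generalizes the single test.txt step above; it is not part of the original lab. The folder name, file names and extensions are assumptions chosen for illustration.

```powershell
# Added example: plant canary files, record SHA-256 hashes, compare after detonation.
# Folder and file list are assumptions for illustration.
$CanaryDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'canary'
$Baseline  = Join-Path $CanaryDir 'baseline.csv'

function New-CanaryFiles {
    param([string] $Dir = $CanaryDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # Ransomware usually selects victims by extension, so plant several
    # document-like extensions rather than only .txt.
    foreach ($name in 'notes.txt', 'report.docx', 'sheet.xlsx', 'photo.jpg') {
        $path = Join-Path $Dir $name
        [IO.File]::WriteAllText($path, "canary $name $(Get-Date -Format o)")
    }
    Get-ChildItem $Dir -File |
        Where-Object Name -ne 'baseline.csv' |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv $Baseline -NoTypeInformation
}

function Compare-CanaryFiles {
    param([string] $Dir = $CanaryDir)
    $before = Import-Csv $Baseline
    foreach ($entry in $before) {
        $status = if (-not (Test-Path $entry.Path)) {
            'MISSING'      # deleted, or renamed to a new extension
        } elseif ((Get-FileHash $entry.Path -Algorithm SHA256).Hash -ne $entry.Hash) {
            'MODIFIED'     # contents rewritten in place
        } else {
            'unchanged'
        }
        [pscustomobject]@{ Path = $entry.Path; Status = $status }
    }
    # Anything new in the folder (ransom notes, encrypted copies) is worth listing too.
    Get-ChildItem $Dir -File |
        Where-Object { $_.FullName -notin $before.Path -and $_.Name -ne 'baseline.csv' } |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; Status = 'NEW' } }
}

# Before detonation:
New-CanaryFiles
# After detonation, run:
# Compare-CanaryFiles | Format-Table -AutoSize
```

Run New-CanaryFiles before you detonate, and Compare-CanaryFiles afterwards; the paths it reports as MODIFIED, MISSING or NEW are the ones to look up in the procmon trace to see exactly which operations the malware performed on them.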

Question
Can you see events that show how the malware behavior changed from the original run?

What files or folders does this malware access?

Analyze the Windows Registry

You may not get good results in this part unless you restore your VM to a clean snapshot before monitoring for registry changes: the earlier detonations have already written whatever the malware writes, so a comparison taken now may show no difference. Rather than take valuable class time to do that, you may simply answer that you did not see anything interesting in the question below.

Follow the screenshots to use regshot to compare the Windows registry at two points in time.

Note

Sorry about the size of the above image; I forgot to zoom in when taking it.
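Regshot compares two full snapshots of the registry. If you want to see the same idea in a script, or to narrow the comparison to the locations malware most often writes for persistence, the example below is an added stand-in that is not part of the original lab and is not how regshot itself works. The list of watched keys is an assumption for illustration and is far from exhaustive; regshot's full-hive comparison remains the more thorough check.

```powershell
# Added example: snapshot a few persistence-related registry keys before and
# after detonation and diff them. The key list is an assumption, not exhaustive.
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-RegistrySnapshot {
    param([string[]] $Keys = $WatchedKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        # Recurse so that newly created service subkeys show up as well.
        $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $item.Name
                    Value = $name
                    Data  = ($item.GetValue($name) -join ',')   # REG_BINARY/MULTI_SZ flattened to text
                }
            }
        }
    }
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)] $Before, [Parameter(Mandatory)] $After)
    # Reduce each entry to one string so Compare-Object can diff the two sets.
    $b = @($Before | ForEach-Object { "$($_.Key)|$($_.Value)|$($_.Data)" })
    $a = @($After  | ForEach-Object { "$($_.Key)|$($_.Value)|$($_.Data)" })
    Compare-Object -ReferenceObject $b -DifferenceObject $a | ForEach-Object {
        # '=>' means present only after; '<=' means present only before
        # (a changed value shows up as one of each).
        $change = if ($_.SideIndicator -eq '=>') { 'ADDED/NEW VALUE' } else { 'REMOVED/OLD VALUE' }
        [pscustomobject]@{ Change = $change; Entry = $_.InputObject }
    }
}

$before = Get-RegistrySnapshot
# ... detonate the malware, then:
# $after = Get-RegistrySnapshot
# Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize -Wrap
```

The Services hive is large, so the snapshot takes a few seconds. As with regshot, take the first snapshot as close to detonation as possible; Windows itself writes to the registry constantly, and the longer the gap, the more unrelated changes you will have to sift through.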

Question
What key(s) changed after running the malware?

Solutions

Fakenet Chrome Test

PCAP Results

Malware results without fakenet

Registry Results

Submission

Submit a markdown file with any code you wrote and the answers to questions to ELMS.