CTEC5807 Malware Analysis: An In-depth Investigation Report 2018-19

Added on 2023/04/22
Abstract
Malware is a problem that affects most computer users, and most studies published on the Internet show that its consequences are getting worse with time. There are two types of malware analysis: static analysis and dynamic analysis. Static analysis limits what the analyst can see, so in this report we prefer dynamic malware analysis over static malware analysis. Several tools are used while analyzing malware dynamically, and all of the tools used here are discussed below. Some malware is developed from scratch, while other malware reuses components that are already developed; well-known classes of malware are viruses, worms and spyware. In other words, malware can be defined as software whose purpose is to fulfil the attacker's intention.
Here is an example scenario involving the distribution of malware and the consequences that come with it. A remotely controlled bot has already infected several computers. The bot allows an external party, known as the bot master, to take control of the infected systems remotely. All the systems under the control of this malware are known as a botnet. The bot master can sell access to the botnet to advertisers so that it sends mail to the systems regularly. The emails sent can contain links to various websites, and those sites can install spyware on the visitor's computer. The spyware in turn collects personal information about the visitor, including credit and debit card numbers and PINs, mail passwords and any other sensitive information that can be used to extort the user. All this information is now in the hands of the attacker, who can misuse it. With the increase in hosts and visitors on the Internet, such a campaign can attack many people in a short time.
Introduction
In today's society the Internet has become a basic necessity for most people around the globe. Many services are provided via the Internet and their number keeps increasing; as the services increase, people rely more and more on them. The network has changed from being a mode of communication to being a major source of information for people around the globe, and it is also a market for goods and services. One commercial activity on the Internet is online banking; another is advertising goods and services. Just as some people try to enrich themselves in the real world, there are people on the Internet who try to enrich themselves whenever legitimate users exchange money online. These people are helped by malicious software in carrying out their activities. Examples of the tools in use are keyloggers and attack frameworks such as Metasploit.
What is malware?
Malware is malicious software developed to affect the functioning of a computer system without the owner noticing it. Some malware is developed from scratch, while other malware reuses components that are already developed. Well-known classes of malware are viruses, worms and spyware. In other words, malware can be defined as software whose purpose is to fulfil the attacker's intention. The botnet and spyware scenario described in the Abstract shows how such software is distributed and what consequences follow from it.
Malware analysis
Malware analysis is the process of determining what a given malware sample is expected to do when it is submitted for examination. It is a necessary step for anyone analyzing suspected malicious code, and an important step when developing tools that remove malware from a computer system. Malware analysis has traditionally been a difficult and time-consuming task, and the number of systems and samples to be analyzed keeps increasing. Dynamic analysis, which identifies a sample's behavior while it executes, is one way of coping with this.
Types of malware analysis
a) Static malware analysis
Static analysis is the examination of software without executing it on the system. It can be applied to the source code or to the binary representation of a program. The normal process of compiling source code into a binary for execution loses information such as variable names, types and high-level control structure, so recovering this information from the binary by hand is laborious. When the source code is available it can be analyzed directly, which avoids the loss that occurs in the translation from source code to executable.
Techniques used in static analysis
a) File fingerprinting. This examines information at the file level: the binary is hashed with a cryptographic hash function (MD5, SHA-1 or SHA-256) to obtain a fingerprint that distinguishes it from other files and can be looked up in malware databases. Hashing the file again later verifies that it has not been modified in any way.
b) Extracting hard-coded strings. Most software contains readable text such as error messages, file paths, URLs, registry keys and the names of imported API functions. Listing these strings gives a first impression of what the binary is likely to do.
c) File format identification. The Unix `file` utility identifies a file's type from its magic bytes rather than from its extension. For a Windows executable, parsing the PE header additionally breaks the file down into its sections, imports and compile timestamp.
d) Packer detection. Malware authors compress or encrypt the executable with a packer so that the real code only appears in memory at run time; this defeats string extraction and disassembly of the file on disk. Packers can be detected from unusual section names, very few imports and high entropy in the packed sections.
e) Disassembly. This is the major part of static analysis: it translates the machine code back into assembly language that the analyst can read. The process is normally carried out with a tool such as IDA Pro or OllyDbg. In general static analysis is safer than dynamic analysis, because the suspect code is never executed.
Limitation of static malware analysis
One problem with static analysis is that the source code is usually not available, so the analyst only has the binary, and that reduces what the method can reveal. Analyzing the binary representation brings its own challenges. Self-modifying code, packing and obfuscation defeat disassembly, because the instructions that will actually run are not present in the file on disk. Some malware also relies on values that are only produced at run time, for example data downloaded from a server or derived from the environment, which makes static analysis harder still. All of these limitations should be considered when choosing an analysis method, so that the best result is obtained for the conditions at hand. For these reasons dynamic analysis is preferred to static analysis in this report.
Dynamic Malware analysis
Dynamic analysis is the process of executing the malware in a controlled environment and recording all of its actions. Because the analysis happens at run time, it avoids the challenges of static analysis: packed or obfuscated code has to unpack itself before it can run, so the actual behavior of the program can be observed directly. Dynamic analysis can also be automated, which makes large-scale analysis of malware possible. Its limitation is code coverage: only the execution path actually taken during the run is observed, so behavior that depends on a particular date, command, argument or environment is missed. The sample must also be run in an isolated environment prepared for the purpose, otherwise it can damage the analysis system and anything reachable from it, and some samples terminate or change their behavior at any point when they detect that they are being analyzed.
Approach of dynamic malware analysis
a) Comparing system states. When a sample is executed for a certain period of time, the state of the system after the run is compared with its state before the run. The behavior of the program is inferred from the difference between the two states, for example files that were created or changed and registry keys that were added.
b) Runtime monitoring. Here the malicious activity of the program is recorded while it runs, for example by intercepting the API calls or system calls the sample makes.
In the first approach the malware is executed on the Windows operating system installed on real hardware rather than in a virtual environment. After the run, the machine is restarted into a bootable Linux image; from Linux the Windows disk is read and its data extracted and compared with the baseline. Finally Windows is reset to its initial state and the system is ready for the next sample. In the second approach the running behavior of the program is observed while it executes. A runtime environment can also be partitioned so that several isolated environments are available for dynamic analysis.
Malware analysis tools
This section covers the tools and approaches used to analyze suspected malicious software on a system. The tools generate an analysis report that distils the observed behavior into useful information, so that the malicious software can be removed. The reports give an inner understanding of what is going on and how the malicious software can be eliminated.
a) Anubis. Anubis analyzes unknown binaries by executing them in a Windows XP environment. It monitors the Windows API functions the sample calls and examines the parameters passed to them, which shows what the program under analysis is doing.
b) CWSandbox. CWSandbox executes the sample either in a virtual environment or on a native Windows XP system. It hooks API functions to implement its monitoring at the API level, and it also monitors system calls below the API level. It is designed to capture the sample's behavior with respect to the file system, the network, inter-process communication and the registry.
c) Norman Sandbox. Norman Sandbox performs dynamic analysis in a virtual environment that simulates a Windows XP host computer as well as the local area network around it; everything required to convince the sample that it is running on a real system rather than in a simulation has to be provided. It focuses on malware distributed by email and on viruses that spread over the Internet, and it also tries to capture other techniques used over the Internet.
d) JoeBox. Whenever a malware analysis is performed, JoeBox logs all the information about file system, network, communication and other system activity on the analysis machine. It is designed to run the sample on real hardware only, not in a virtual environment. A single controller coordinates all the analysis machines, and the analysis system collects all the data produced during the analysis.
Part 1: Basic malware analysis
1) Social Engineering
Social engineering is used to lure the user into opening the archive on their computer: it tells the user to install it as a piece of software. Once run, the malware takes personal information from the user's system.
2) After Opening
The computer slows down in activity and performance. Pop-up messages appear on the screen, including unusual messages and unusual error messages. Apart from these symptoms, everything seems to work as before.
3) Steps of extracting the malware
(i) The archive requests a password to extract it.
(ii) Key in the password "infected".
(iii) The extracted program requests installation.
(iv) Installation completes.
4) Static Analysis
Compiling source code into a binary loses information, and recovering it from the binary by hand is laborious, so static analysis of the sample uses several tools and techniques to determine whether the file is malicious, to collect indicators from it, and to predict its expected functionality on the system. The suspected malicious file is run through several tools, without executing it, to obtain these indicators and the expected functionality of the malware.
Finding strings
Strings can help you identify the intended functionality of the program. Microsoft's Sysinternals suite provides a utility called "strings" for extracting them.
Example 1
Below I have extracted some keywords from the malicious file. The strings give us useful information such as "FindNextFile" and "FindFirstFile", which are the Windows API functions for enumerating the files in a directory.
Example 2
Below is another extraction from the file that is suspected to be malicious. "CreateProcessA" creates one or more processes.
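The static techniques listed earlier in this report (file fingerprinting, string extraction, file format identification and packer detection) and the strings examples above can be combined into one script. The following is an added example written for this page, not code from the original report, from the Sysinternals strings utility or from any other tool it names. It builds a small constructed PE image in memory (headers and two sections only, not a runnable program), so the hashes, strings and section entropies it reports describe that constructed sample alone; the entropy threshold of 7.0 and the list of standard section names are the example's own assumptions.

```python
import hashlib
import math
import re
import struct
from collections import Counter


def fingerprint(data):
    """a) File fingerprinting: hashes that identify the sample and detect later modification."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """b) Hard-coded strings, ASCII and UTF-16LE, as the Sysinternals strings utility reports them."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_pat, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_pat, data)]
    return found


def identify(data):
    """c) File format from magic bytes, like the Unix `file` utility; looks for a PE signature behind MZ."""
    if data[:4] == b"\x7fELF":
        return "ELF executable"
    if data[:2] == b"PK":
        return "ZIP archive"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE executable"
        return "MS-DOS executable"
    return "unknown"


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Walk the PE section table; returns (name, raw_offset, raw_size, entropy) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size, entropy(data[raw_ptr:raw_ptr + raw_size])))
    return sections


STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls"}


def packer_indicators(sections, entropy_threshold=7.0):
    """d) Packer heuristics: non-standard section names and near-random section contents."""
    hits = []
    for name, _, _, ent in sections:
        if name not in STANDARD_SECTIONS:
            hits.append("unusual section name %r" % name)
        if ent > entropy_threshold:
            hits.append("high entropy %.2f in section %r" % (ent, name))
    return hits


def build_sample_pe(sections):
    """Constructed minimal PE image for the demo (no optional header, not runnable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + len(coff) + 40 * len(sections)
    headers, raw = b"", b""
    for name, payload in sections:
        headers += name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(payload), 0, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += payload
        raw_ptr += len(payload)
    return dos + coff + headers + raw


# Constructed sample: a plain code section holding API names and a wide-string path, plus a
# UPX-style section of deterministic pseudo-random bytes standing in for packed code.
TEXT_PAYLOAD = (b"\x55\x8b\xec" + b"FindFirstFileA\0FindNextFileA\0CreateProcessA\0\0"
                + "C:\\Users\\victim\\Documents".encode("utf-16-le") + b"\0\0" + b"\x5d\xc3")
PACKED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE = build_sample_pe([(".text", TEXT_PAYLOAD), ("UPX1", PACKED_PAYLOAD)])


def static_report(data=SAMPLE):
    kind = identify(data)
    sections = pe_sections(data) if kind == "PE executable" else []
    return {
        "type": kind,
        "hashes": fingerprint(data),
        "strings": extract_strings(data),
        "sections": [(name, round(ent, 2)) for name, _, _, ent in sections],
        "packer": packer_indicators(sections),
    }


if __name__ == "__main__":
    for key, value in static_report().items():
        print(key, value)
```

On the constructed sample the report lists the three API names and the wide-string path among the strings, a low-entropy `.text` section and a high-entropy `UPX1` section, and flags the latter twice (unusual name, near-random content). Running `strings` over a packed file gives the same picture in practice: little readable text apart from the packer's own stub, which is the cue to unpack before disassembling.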
5) Dynamic analysis
Dynamic analysis can affect the functionality of your system, so it is normally done in virtual machines or on dedicated systems reserved for testing suspicious malware. For dynamic analysis we will not require an Internet connection, since tools exist that simulate an Internet connection for the sample. In my case I will be executing the malware in a virtual machine running my Windows XP operating system. Although I will be executing the malware in a virtual machine, this is not completely safe, as malware developers try new means of escaping or detecting the environment every time.
Tools that I used in analyzing the malware:
(i) Procmon
Process Monitor is a free Windows tool from Microsoft Sysinternals that is used in dynamic analysis. It is used to monitor:
a) file system activity;
b) registry activity;
c) process and thread activity currently going on in the system.
It captures all events, but only the filtered and important events are displayed to the user.
(ii) Process Explorer
Process Explorer is another free tool distributed by Microsoft (Sysinternals). It is used in dynamic malware analysis to inspect and manage all processes running on the system, including each process's parent, loaded DLLs and open handles.
(iii) Regshot
Regshot is an open-source tool for finding out what changes in the registry at a particular time. The screenshot above is the current state of my Windows XP operating system. The tool takes a snapshot of the registry before the malware is installed and another after it, and lists all the changes made to your registry between the two.
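Approach (a) from the section on dynamic analysis, comparing the system state before and after the run, is what Regshot automates for the registry. As an added illustration, not code from the report or from Regshot, the script below takes a file-system snapshot and a registry snapshot, runs a stand-in for the sample, and diffs the two states. The "registry" is a plain dictionary and the sample's behavior (dropping svchost32.exe, editing the hosts file, adding a Run key, deleting a document) is constructed for the demo; on a live Windows guest the same diff logic would be fed from winreg and the real disk.

```python
import hashlib
import tempfile
from pathlib import Path

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def snapshot_files(root):
    """File-system half of a snapshot: relative path -> SHA-256 of the content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def snapshot_registry(registry):
    """Registry half: a frozen copy of key\\value -> data (a dict stands in for the live hive)."""
    return dict(registry)


def diff_snapshots(before, after):
    """The 'before versus after' comparison: what appeared, disappeared, or changed."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def write(root, rel, content):
    path = Path(root, *rel.split("/"))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)


def baseline(root, registry):
    """Constructed clean state of a Windows XP guest: a few files and Run entries."""
    write(root, "Windows/System32/kernel32.dll", b"MZ" + b"\x90" * 32)
    write(root, "Windows/System32/drivers/etc/hosts", b"# hosts file\n127.0.0.1 localhost\n")
    write(root, "Users/victim/Desktop/readme.txt", b"quarterly figures\n")
    registry[RUN_KEY + r"\OneDrive"] = r"C:\Program Files\OneDrive\OneDrive.exe"
    registry[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"] = "Microsoft Windows XP"


def simulated_sample(root, registry):
    """Stand-in for executing the sample (constructed behavior, not a real malware)."""
    write(root, "Windows/System32/svchost32.exe", b"MZ" + b"\xcc" * 64)           # dropped copy
    write(root, "Windows/System32/drivers/etc/hosts",
          b"127.0.0.1 localhost\n127.0.0.1 update.example.invalid\n")           # blocks updates
    registry[RUN_KEY + r"\svchost32"] = r"C:\Windows\System32\svchost32.exe"    # persistence
    Path(root, "Users", "victim", "Desktop", "readme.txt").unlink()              # destroys a file


def analyse():
    with tempfile.TemporaryDirectory() as tmp:
        registry = {}
        baseline(tmp, registry)
        fs_before, reg_before = snapshot_files(tmp), snapshot_registry(registry)
        simulated_sample(tmp, registry)
        fs_after, reg_after = snapshot_files(tmp), snapshot_registry(registry)
        return {"files": diff_snapshots(fs_before, fs_after),
                "registry": diff_snapshots(reg_before, reg_after)}


if __name__ == "__main__":
    for scope, changes in analyse().items():
        for kind, keys in changes.items():
            for key in keys:
                print("%-8s %-8s %s" % (scope, kind, key))
```

The diff is only as good as the baseline: take the "before" snapshot immediately before the run on a quiet system, since normal background activity (update checks, prefetch files, log rotation) also shows up as changes and has to be filtered out before what remains is read as the sample's behavior.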
6) Sandbox and VM detection
In malware analysis we use virtual environments or sandboxes to analyze the threat posed by suspicious software. In the same manner, organizations use VMs or sandboxes to execute code before moving it onto the real organizational network. Malware developers therefore design their software to detect and bypass the isolated environment, which makes it harder to analyze in that environment: once the malware detects that it is running in an isolated environment it may refuse to run or may not expose its malicious code. Virtual machines are designed to present virtual hardware to the guest, so that the code runs in a separate environment and cannot affect the host.
i) Checking CPU instructions.
The CPUID instruction is executed with EAX = 1 as the input value. Bit 31 of the ECX register it returns is 0 on a physical machine, while on a VM or in a sandbox it is 1 (the hypervisor-present bit).
ii) Checking Mac Addresses
Every network adapter has a MAC address whose first three bytes (the OUI) identify the vendor, and virtualization products such as VMware and VirtualBox give their virtual adapters well-known OUIs. The address can be retrieved in different ways, for example with ipconfig /all or through the Windows API.
iii) Registry Keys
The registry keys shown in the screenshot below reveal the presence of a virtualization environment, such as the keys created by VMware Tools or VirtualBox Guest Additions.
iv) Sandbox Evasion Techniques
Organizations should know all the evasion tactics so that their security can be hardened, and analysts should apply this knowledge to counter VM detection. Modern virtualization technologies are more difficult to detect from inside the virtual environment.
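The three checks above (CPUID hypervisor bit, adapter MAC OUI and virtualization registry keys) can be written as one script. The following is an added example for this page, not code from the report: the CPUID stub is real machine code executed from a page of executable memory on x86-64 Linux or macOS and the check returns None elsewhere; the OUI table and registry paths are the commonly cited ones for VMware, VirtualBox, Hyper-V, QEMU/KVM, Xen and Parallels; and the two registry snapshots are constructed dictionaries (on a Windows guest the same functions would be fed from winreg). Whether the hypervisor bit reads True or False depends on the machine the script runs on.

```python
import ctypes
import mmap
import platform
import sys
import uuid

# i) CPUID leaf 1 (EAX = 1): bit 31 of ECX is the hypervisor-present bit. The stub is the machine
# code a sample would run; Python executes it from an RWX page through ctypes.
CPUID_STUB = bytes([
    0x53,                          # push rbx        (CPUID clobbers rbx, which is callee-saved)
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1
    0x0F, 0xA2,                    # cpuid
    0x89, 0xC8,                    # mov  eax, ecx   (return ECX)
    0x5B,                          # pop  rbx
    0xC3,                          # ret
])


def cpuid_hypervisor_bit():
    """True under a hypervisor, False on bare metal, None if the stub cannot run here
    (non-x86-64 CPU, Windows mmap API, or executable anonymous memory refused by policy)."""
    if platform.machine().lower() not in ("x86_64", "amd64") or sys.platform == "win32":
        return None
    try:
        page = mmap.mmap(-1, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except (OSError, ValueError):
        return None
    page.write(CPUID_STUB)
    entry = ctypes.addressof(ctypes.c_char.from_buffer(page))
    ecx = ctypes.CFUNCTYPE(ctypes.c_uint32)(entry)()
    return bool(ecx & (1 << 31))


# ii) OUIs (first three octets of a MAC address) assigned to virtualization vendors.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen", "00:1c:42": "Parallels",
}


def mac_indicators(macs):
    hits = []
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_OUIS:
            hits.append("MAC %s has a %s OUI" % (mac, VM_OUIS[oui]))
    return hits


def local_macs():
    """This host's primary adapter address via uuid.getnode(); a full implementation enumerates
    every adapter (ipconfig /all or GetAdaptersInfo on Windows)."""
    node = uuid.getnode()
    return [":".join("%02x" % ((node >> shift) & 0xFF) for shift in range(40, -1, -8))]


# iii) Registry artifacts left by guest tools and virtual hardware (paths written as key\value).
VM_REGISTRY_KEYS = [
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"HKLM\SYSTEM\CurrentControlSet\Services\vmhgfs",
]
VM_REGISTRY_VALUES = {
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
        ("vmware", "vbox", "qemu"),
    r"HKLM\HARDWARE\Description\System\SystemBiosVersion": ("vmware", "vbox", "qemu", "bochs"),
}


def registry_indicators(registry):
    """registry: dict of key or key\\value path -> data; keys whose presence alone matters map to None."""
    hits = ["key present: %s" % k for k in VM_REGISTRY_KEYS if k in registry]
    for path, needles in VM_REGISTRY_VALUES.items():
        data = str(registry.get(path, "")).lower()
        hits += ["%s contains %r" % (path.rsplit("\\", 1)[1], n) for n in needles if n in data]
    return hits


# Constructed snapshots: a VMware guest and a physical Windows XP machine.
VMWARE_GUEST = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": None,
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
        "VMware Virtual disk SCSI Disk Device",
}
PHYSICAL_HOST = {
    r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier":
        "ST3160815AS",
    r"HKLM\HARDWARE\Description\System\SystemBiosVersion": "DELL   - 1",
}


def vm_indicators(macs, registry):
    hits = mac_indicators(macs) + registry_indicators(registry)
    if cpuid_hypervisor_bit():
        hits.append("CPUID.1:ECX[31] hypervisor bit set")
    return hits


if __name__ == "__main__":
    print("this host:", vm_indicators(local_macs(), {}) or "no VM indicators")
    print("constructed VMware guest:", vm_indicators(["00:0C:29:3A:2B:1C"], VMWARE_GUEST))
```

Each of these checks is also the list of what an analysis VM has to hide: clearing the hypervisor bit needs hypervisor-side configuration, a MAC with a non-virtual OUI can be assigned to the adapter, and the guest-tools keys should simply not be present on a machine meant to look physical.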
7) Sample about to do network wise
When we create a virtual environment the malware can detect that it is no longer on a real machine. In this case the malicious sample detected that it was in a virtual environment and therefore failed to run, so its malicious part produced nothing that could be observed on the network.
8) Runtime dependencies
Developers continue to improve their code to avoid running in virtual environments or sandboxes. This includes making sure that the target program only executes in the intended place and not in just any environment, for example by checking at run time for the expected user, domain or installed software before unpacking the payload.
What is it trying to download?
The malicious software tries to download another piece of software from the Internet. When it is running it asks the user to accept the download. The downloaded software is meant to take important information from the user's computer; it also affects the functioning of the system, as it slows down the activities on it.
9) IP addresses
When the malware is installed it tries to contact its command and control server for updates and instructions on what else to do. Most firewalls do not allow an external IP address to initiate a connection to an internal host, so the command and control server cannot reach the bot directly; instead the infected host connects out to the server at intervals, receives updates and instructions, and is told when to check back again for more.
Domain reputation is an accurate approach that is being used by more and more people. The domain contacted by the sample is compared against lists of domains with a known good or bad reputation.
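The two points above, that the bot has to call out through the firewall at intervals and that the contacted domain is then checked against reputation lists, can be turned into a simple detection over outbound connection logs. The following is an added example, not part of the original report: the log format, the five beacon connections, the browsing traffic and the two reputation lists are all constructed for the demo (documentation address ranges and a .invalid domain), and the beacon test is a plain regularity-of-interval heuristic rather than any product's algorithm.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed outbound-connection log (firewall/proxy style): timestamp, client, server:port, host.
SAMPLE_LOG = """\
2019-03-04T10:00:02Z 192.168.1.23 -> 203.0.113.45:443 host=update-chk.example.invalid
2019-03-04T10:00:30Z 192.168.1.23 -> 192.0.2.10:443 host=dl.windowsupdate.com
2019-03-04T10:01:01Z 192.168.1.23 -> 203.0.113.45:443 host=update-chk.example.invalid
2019-03-04T10:02:03Z 192.168.1.23 -> 203.0.113.45:443 host=update-chk.example.invalid
2019-03-04T10:03:02Z 192.168.1.23 -> 203.0.113.45:443 host=update-chk.example.invalid
2019-03-04T10:04:01Z 192.168.1.23 -> 203.0.113.45:443 host=update-chk.example.invalid
2019-03-04T10:07:12Z 192.168.1.23 -> 192.0.2.10:443 host=dl.windowsupdate.com
2019-03-04T10:12:40Z 192.168.1.23 -> 192.0.2.77:80 host=www.example.com
2019-03-04T10:22:45Z 192.168.1.23 -> 192.0.2.10:443 host=dl.windowsupdate.com
2019-03-04T10:23:05Z 192.168.1.23 -> 192.0.2.10:443 host=dl.windowsupdate.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S+)$")

# Constructed reputation lists; a real deployment would query a threat-intelligence feed.
GOOD_DOMAINS = {"windowsupdate.com", "microsoft.com", "example.com"}
BAD_DOMAINS = {"update-chk.example.invalid"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["src"], m["dst"], int(m["port"]), m["host"]))
    return events


def beacon_candidates(events, min_connections=4, max_jitter=0.15):
    """Flag (client, server, port, host) tuples contacted repeatedly at near-constant intervals.
    jitter = stdev(gaps) / mean(gaps); a bot checking in every N seconds gives a value near 0."""
    by_dest = defaultdict(list)
    for ts, src, dst, port, host in events:
        by_dest[(src, dst, port, host)].append(ts)
    found = []
    for (src, dst, port, host), stamps in by_dest.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            found.append({"src": src, "dst": dst, "port": port, "host": host, "count": len(stamps),
                          "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return found


def reputation(host):
    """Match the host and each parent domain against the lists; 'unknown' is itself a signal."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in BAD_DOMAINS:
            return "bad"
        if suffix in GOOD_DOMAINS:
            return "good"
    return "unknown"


def triage(text=SAMPLE_LOG):
    """Beaconing destinations annotated with domain reputation, worst first."""
    rank = {"bad": 0, "unknown": 1, "good": 2}
    hits = [dict(b, reputation=reputation(b["host"])) for b in beacon_candidates(parse_log(text))]
    return sorted(hits, key=lambda h: (rank[h["reputation"]], h["jitter"]))


if __name__ == "__main__":
    for hit in triage():
        print("%(reputation)-7s %(host)s (%(dst)s:%(port)d) every %(period_s)ss, "
              "jitter %(jitter).3f, %(count)d connections" % hit)
```

On the constructed log the update-chk host is the only destination contacted often enough and regularly enough (about every 60 seconds with 2 percent jitter) to count as a beacon, and its domain is on the bad list; the Windows Update traffic is irregular and drops out. Real bots add random sleep between check-ins precisely to push the jitter above such a threshold, so in practice the interval test is combined with the reputation result rather than used alone.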
10) System Configuration
The certificate of the system used to analyze the malware has been revoked. Such certificates are used to sign a large number of software packages on the Windows XP operating system. The malware therefore looks suspicious to the developers of the Windows XP operating system, and it can eventually affect the developer's PC.
Part 2: Ransomware disassembly
1) Basic analysis
Static analysis is the process of analyzing software without executing it on the system, and it can be applied to different parts of the program. When the source code is available it can be analyzed directly; otherwise only the binary representation is available, and the normal process of compiling source code into a binary loses information that is laborious to recover by hand. The ransomware sample is packed when it is extracted onto the analysis system, so it has to be unpacked before it can be disassembled.