Code Analysis
In this article series, we will learn about malware behavioral and code analysis. For part 1, I will cover behavioral analysis of one of the specimens.
Behavioral analysis is analyzing malicious specimen behavior in an isolated fashion. It is a step by step approach where the analyst should run the specimen with normal and maximum privileges and notice any change.
Below tools will be used to observe malware behavior for this part:
- Process Hacker
- Process Monitor
- FakeDNS
- Wireshark
Let's start the analysis of a specimen named srvcp.exe (known malicious executable). Initially, we are running the program with normal privileges. Launch Process Hacker and then run the executable. We can see that srvcp.exe is a child process of explorer.exe which is normal since Explorer implements the GUI with which users interacts.
Side by Side, let's open process monitor (A beast of a tool but sometimes it is difficult to find information but nevertheless Filters works). Let's filter the output by filter: Process Name=srvcp.exe. We observe that the file is trying to read a file named gus.ini in System32. Straightaway we can conclude that this
Executable needs gus.ini for its operation. For now, we will continue to find all the information we can with normal privileges and without gus.ini.
Note: While performing code analysis, we will notice this decline with the result of CreateFile function output which is used for both creating and opening/reading a file. In this case, it is a read.
Now let's check if this specimen is trying to achieve some persistence my modifying some of the known registry keys. Guess what, this specimen is trying to achieve persistence but got "Access Denied." Reason: Running with normal privileges but at least we know what registry key it is modifying to achieve persistence.
Normally, specimen likes to create a channel back to its CnC server. Let's see what this specimen is trying to do. Looking at the network connection status via Network tab of Process Hacker, we found out that this specimen has started listening but from what?
To answer that question, let's use Wireshark to see the requests generated by the specimen. Below is the output.
OK, so looks like it is trying to find irc.mcs.net but since we are running in an isolated lab, this request is not fulfilled. Looking at the process monitor side looks like there are many threads created for srvcp.exe and it can be mapped to the requests being generated by them.
One of the important thing in the behavioral analysis is to feed the malware what it needs, step by step, to extract more information from malware. In this case, it needs to query a DNS, let's provide it one. We will use FakeDNS which will act as a required server with the IP of the host it is installed on.
As we can see, it has fulfilled irc.mcs.net request. Let's now see the packets in Wireshark. Below is the changed output.
As we can see the specimen got the response for the 'A' query. But wait, looks like it is trying to make a connection to 6667 and IRCs commonly use this port. Ok, again let's give it what it needs. We can do this with Netcat and but we can also use IRC stub. We will use the latter in this case. After this need of the malware is also satisfied, it started communicating with the IRC by trying to join a channel.
After following TCP stream for the packets, we observe the above commands used by the specimen to join IRC channel. Some strings have been darkened since they were profane. So we observe all this behavioral analysis. However, remember this is all under normal privileges and without gus.ini. Let's provide the system with both requirements and then observe the output.
Launch Process Hacker and Process Monitor and then run the specimen with admin rights and gus.ini in System32.
We observed that the CreateFile on gus.ini is now successful and also attempted registry change to achieve persistence is also successful.
After observing the Wireshark, there are completely new DNS requests being launched by the specimen. We again use FakeDNS to provide assistance to malware.
As you can notice, these are completely new IRC channel. Following TCP stream on these, we could see completely new commands to interact with IRC channel. These have some more commands which we will look while analyzing at code level because currently they are encrypted.
We can also see from Process Hacker's Network tab that the connection of this specimen is Established and that too on 6666.
So these are all very basic steps to perform behavioral analysis of a specimen. In Part Two of this article, we will take a look at another specimen and some more behavioral analysis techniques plus the major section on code analysis.
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Code Analysis
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis