Dynamic analysis

Dynamic analysis is a type of analysis that requires live execution of the code. In static analysis, the farthest we can go is with deadlisting. If, for example, we encounter a code that decrypts or decompresses to a huge amount of data, and if we want to see the contents of the decoded data, then the fastest option would be to do dynamic analysis. We can run a debug session and let that area of code run for us. Both static analysis and dynamic analysis work hand in hand. Static analysis helps us identify points in the code where we need a deeper understanding and some actual interaction with the system. By following static analysis with dynamic analysis, we can also see actual data, such as file handles, randomly generated numbers, network socket and packet data, and API function results.

There are existing tools that can carry out an automated analysis, which runs the program in a sandbox environment. These tools either log the changes during runtime, or in between snapshots:

  • Cuckoo (open source) – This tool is deployed locally. It requires a host and sandbox client(s). The host serves as a web console to which files are submitted for analysis. The files are executed in the sandbox, and all activities are logged and then sent back to the host server. The report can be viewed from the web console.
  • RegShot (free) - This tool is used to take a snapshot of the registry and file system before and after running a program. The difference between the snapshots enables the analyst to determine what changes happened. The changes may include changes made by the operating system, and it is up to the analyst to identify which changes were caused by the program.
  • Sandboxie (freemium) - This tool is used in the environment where the program will be run. It is claimed that internally, it uses isolation technology. In essence, the isolation technology allocates disk space, to which disk writes will only happen at the time the program is executed by Sandboxie. This enables Sandboxie to determine changes by looking only at the isolated space. A download link and some more information about Sandboxie can be found at https://www.sandboxie.com/HowItWorks.
  • Malwr (free) - This is a free online service that uses Cuckoo. Files can be submitted at https://malwr.com/.
  • ThreatAnalyzer (paid) - Originally known as CWSandbox, this is the most popular sandboxing technology used in the security industry for automating the extraction of information from a piece of running malware. The technology has improved a lot, especially with its reporting. In addition, it reports descriptive behaviors found, including a cloud query about the submitted file. It can cater to customized rules and flexible Python plugins to bring up behaviors seen by the analyst.
  • Payload Security's Hybrid Analysis (free) - One of the most popular free online services, like Malwr, with report contents similar to that of ThreatAnalyzer. 

Submitting files to online services reduce the need to set up a host-sandbox environment. However, some would still prefer to set up their own, to avoid having files shared to the community or an online service.

For malware analysis, it is advisable to do automated analysis and network information gathering at the time the file was received. Sites from which malware retrieve further data might not be available if authorities act fast enough to take such sites down.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.41.214