Dynamic Analysis Process Part 1
In this session, we'll examine dynamic malware analysis.
Okay, so a quick review here. When we perform dynamic analysis, we're running malware in a sandbox environment to view what type of changes the malware is going to make to our host. You can usually perform this process in a couple of ways, right? You could upload your target file to an online sandbox like VirusTotal or Hybrid Analysis, keeping in mind that a sample uploaded to a public sandbox becomes visible to other users of that service, including, potentially, whoever sent it to you.
Or you can build a sandbox of your own and observe the changes in your lab, which is what we'll do here.
Now, in general, during the dynamic analysis process, we're on the lookout for changes to the system such as modifications to the file system, changes to the registry, utilization of the network, and changes in which processes are running. But remember, this list doesn't really end here, right? Using dynamic analysis, we can view data within files, look at network sockets, packet data, and API function parameters. Later on, we're going to see practical examples of how to use dynamic analysis to view decrypted data.
Now, the methodology we use to detect changes to the system is going to depend largely on your analysis tools, but usually we follow a five-step approach: first, revert to a clean snapshot of your virtual host; second, set up and run your dynamic analysis tools; third, run your target malware on the system; fourth, after we let the malware run for a little while, stop those tools; and fifth, analyze the results and record our findings.
Now, once we record our findings and find that we need to make changes to the system, we can rinse and repeat this process. I like to repeat this process a few times because it allows me to make changes to the analysis environment based on what I see.
For instance, if I see the malware making a connection to a particular port, I might make changes to give the malware what it requires to run.
Alright, so let's run some malware in our lab and view the changes it's making.
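The "snapshot, run, snapshot, compare" core of that five-step loop is easy to script so that the before/after comparison is mechanical rather than eyeballed. The following is an added example written for this page, not code from the course or the instructor: it hashes every file under a directory tree to build a baseline, diffs a baseline against a later snapshot, and reuses the same diff routine for a process list. The sample snapshots in the block are constructed stand-ins (the paths, process names and PIDs are invented) so the script runs offline; in the lab you would call snapshot_tree on the guest's file system before and after running the sample, and feed a registry export or process listing through diff_state the same way.

```python
"""Baseline-and-diff helper for a dynamic-analysis lab.

Added example, not course code. Implements the "snapshot before, run the
sample, snapshot after, compare" part of the five-step loop for the file
system; diff_state works on any state you can express as a name -> value
mapping (process list keyed by name:pid, registry export keyed by path).
"""
import hashlib
import os
from typing import Dict, List, Tuple


def snapshot_tree(root: str) -> Dict[str, str]:
    """Map every regular file under root to its SHA-256 hex digest.

    Run once on the clean snapshot and once after the sample has executed.
    A root that does not exist yields an empty snapshot.
    """
    state: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                # Locked or vanished between listing and read: still record it,
                # because a file the sample holds open is itself a finding.
                digest = "<unreadable>"
            state[os.path.relpath(path, root)] = digest
    return state


def diff_state(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Return created / deleted / modified keys between two snapshots."""
    created = sorted(k for k in after if k not in before)
    deleted = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return {"created": created, "deleted": deleted, "modified": modified}


def format_report(title: str, changes: Dict[str, List[str]]) -> str:
    """Render one diff as plain text for the analysis notes."""
    lines = [f"== {title} =="]
    for kind in ("created", "deleted", "modified"):
        for key in changes[kind]:
            lines.append(f"{kind:9s} {key}")
    if len(lines) == 1:
        lines.append("(no changes)")
    return "\n".join(lines)


# Constructed sample snapshots (hypothetical paths, names and PIDs) so the
# script runs without a sandbox; replace with snapshot_tree() output in the lab.
FILES_BEFORE = {
    "Windows/System32/drivers/etc/hosts": "aaa",
    "Users/analyst/Desktop/sample.exe": "bbb",
}
FILES_AFTER = {
    "Windows/System32/drivers/etc/hosts": "ccc",        # hosts file rewritten
    "Users/analyst/AppData/Roaming/svchost.exe": "ddd",  # dropped copy
    # sample.exe is gone: the sample deleted itself after relocating
}
PROCS_BEFORE = {"explorer.exe:1234": "explorer.exe", "procmon.exe:2222": "procmon.exe"}
PROCS_AFTER = {**PROCS_BEFORE, "svchost.exe:4321": "svchost.exe"}


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Diff the constructed file-system and process snapshots."""
    return diff_state(FILES_BEFORE, FILES_AFTER), diff_state(PROCS_BEFORE, PROCS_AFTER)


if __name__ == "__main__":
    files, procs = demo()
    print(format_report("file system", files))
    print(format_report("processes", procs))
```

Hashing content rather than comparing timestamps is deliberate: malware that rewrites a file and restores its original mtime still shows up as modified. Exclude your own tool directories and the guest's log paths from the root you snapshot, or they will dominate the diff.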