So, moving on after we've done the automated analysis, or if we choose not to do the automated analysis just so we could maintain some type of secrecy about the activities that we're doing, we want to begin setting up a virtual machine so we can do our static and our dynamic analysis. Not to go too far into how to set up a virtual machine, but there's essentially two VM providers. There's probably a lot more, but your most common are going to be VMware and VirtualBox.
VirtualBox is going to be a free product that you can use, and you can download that just by going to the VirtualBox link. VirtualBox allows snapshots, so if you're doing a lot of this malware analysis and you find that the malware has done something to your machine, you can easily revert back to that initial installed state. But the good thing about VMware is that the software allows for multiple machines, multiple OSes, and that you can essentially configure a network between those VMs to figure out what that malware would do in a network environment. And then, as we talked about earlier, your VMs will allow for easy snapshots and rollbacks, in case you mess something up or the virus essentially tries to destroy one of your machines. You can easily roll that back.
So after you've installed your virtual machine, the next thing you're gonna want to do is find an operating system. Ideally, it's best to test your virus on the same operating system as your affected machines. That way, you can see exactly what's gonna happen on those machines when you start that testing process. Now, essentially, what you're gonna have to do is use a license from some of the software that you purchased, either through your software purchase, or you go to the Microsoft Developer Technologies website, and they actually offer some free VMs to test out. There's also a paid version of Microsoft Developer Technologies, but if you're wanting to do this, especially at home, just for some training and testing, you can go to that link and download a copy of one of those operating systems, and I think it's good for three months. And then also there are numerous open source versions of Linux that you can download and run some of these programs on as well. But obviously Linux may have some drawbacks, in that it doesn't necessarily have all of the tools that we're going to discuss here today, but it is a viable option.
So the next thing we have to do is get a sample of the malware to our system so we can conduct our analysis. Ideally, if it's possible, we want to refrain from sending the malware across the network. It just is easiest, or best, if we don't send malware across the network, because it prevents accidents from occurring. If we do have to send malware across the network, a procedure I've seen happen is to essentially establish a network folder with write-only permissions. It allows users to submit malware, and that prevents others from essentially executing the malware by accident. Another good TTP that's used, if you're going to be sending malware either to this folder or you're going to have to email a sample of the malware, is that you should essentially have a password to protect the file. An example of that is going to be a zip file with password protection. That way, again, that just prevents someone from accidentally clicking and opening that malware. The best case for transferring malware is using some type of designated media device, to essentially download onto your controlled media and then transport that to your forensic machine. However, if you've got a large networked environment and you're spread across the United States or spread across the globe, that may not be possible, and you might have to
send that malware over the network. So, strings. One of the first things that we're going to talk about in our static analysis is strings, and strings is a good way to get an idea about the functionality of a program. What strings can help identify is the functions of that file, it identifies the processes that are created by that file, and it identifies the URLs that the file is trying to connect to. So an example here that we could see on our next slide is some of the processes that this spyware is essentially trying to create. I've sort of highlighted those in red, and as you can see, it's going to start with CreateFileA and then FindNextFileA. So those are some of the things that the file is essentially trying to do and to create. Going on, we can see that it's trying to reach out to an IP address. We have that IP address there, and those are things that you can block, essentially, using your firewall settings once you're directed to those IP addresses. And then moving on, we can see that it's essentially trying to connect to this URL here, and those are also things that you can block within your firewall to prevent inbound and outbound traffic coming from those URLs.
So one of the next things that we're gonna talk about is unpacking the malware. A lot of times, when malware writers do their code, they go on and obfuscate their code so the files are harder to read. So one of the other processes that we're gonna want to do is to essentially see if that program has something that packs it and unpacks it. When a packed program runs, a wrapper program also runs, and one could run around that program to unpack that file. In normal static analysis, packed files will not be readily apparent. However, there are tools that you can use, like PEiD, that will be able to tell you whether or not the files are packed. And in this next slide, we have an example of one of the files that we have for analysis, and it shows the type of packer that is used within that file.
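As an added example (not from the talk or its slides), here is a small Python script that performs the two static checks just described: it pulls printable strings out of a constructed sample and sorts them into file APIs, IP addresses and URLs, then computes cheap packing indicators (string count, byte entropy, known packer section names). PEiD-style signature matching is not reproduced; the sample bytes, the packer section list and the API pattern are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a file under analysis (not a real sample): printable
# runs separated by non-printable bytes, using the kinds of strings the talk names.
PLAIN_SAMPLE = (b"MZ\x90\x00\x03" + b"FindFirstFileA\x00\xff" + b"FindNextFileA\x00"
                + b"CreateFileA\x00\x07" + b"http://example.invalid/gate.php\x00"
                + b"192.0.2.10\x00ab\x00" + b"UPX0\x00")
# Constructed high-entropy blob standing in for a packed or encrypted section.
PACKED_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
FILE_API = re.compile(r"^(?:Find(?:First|Next)|Create|Write|Read|Delete|Copy)File[AW]?$")
PACKER_SECTIONS = ("UPX0", "UPX1", ".aspack", ".petite", ".themida", ".vmp0")  # illustrative list

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, as `strings` would report them."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings) -> dict:
    """Bucket strings into what the talk says they reveal: file APIs, IP addresses, URLs."""
    buckets = {"urls": [], "ips": [], "file_apis": [], "other": []}
    for s in strings:
        if URL.match(s):
            buckets["urls"].append(s)
        elif IPV4.match(s) and all(int(o) <= 255 for o in s.split(".")):
            buckets["ips"].append(s)
        elif FILE_API.match(s):
            buckets["file_apis"].append(s)
        else:
            buckets["other"].append(s)
    return buckets

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed or encrypted data, well below for plain code/text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packing_indicators(data: bytes) -> dict:
    """Heuristic stand-in for a PEiD check: packed files show few meaningful strings
    (junk short runs aside), high entropy, and often a known packer section name."""
    strings = extract_strings(data)
    return {"string_count": len(strings), "entropy": round(shannon_entropy(data), 2),
            "packer_sections": [s for s in strings if s in PACKER_SECTIONS]}
```

The IP addresses and URLs it returns are the values you would feed into the firewall blocks the talk mentions, after confirming they are not shared infrastructure.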