Time
8 hours 6 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers dynamic analysis, which allows us to study a program as it executes. Tools for dynamic analysis include: · Procmon · Process explorer · Regshot · ApateDNS In addition, participants learn about submitting virus information.

Video Transcription

00:03
blooming on from our general static analysis, we go two net step of dynamic analysis
00:11
and with static analysis, weaken studied the program without actually executing, so that that's what makes it step.
00:19
And then
00:20
the tools of the trade that we're going to use within the static analysis would want to have our disassemble hours. We're gonna have our d compilers. We're gonna look at the source code analyzers, and then we're gonna use basic utilities like strings and grab
00:36
all of those things we can use to ecstatically look at that file without actually having to execute it.
00:44
One of the advantages of static analysis has is that it can reveal out program would behave under unusual circumstances.
00:51
And by unusual I mean that we can examine parts of the program that would normally not execute. That helps us get more information about that file.
01:02
However,
01:03
those air unusual circumstances so dynamic analysis, we can study a program as it actually executes, and then with dynamic analysis, the tools of the trade that you're going to use for that dynamic analysis are going to be your deep buggers, your function called tracers,
01:23
your machine and new emulators
01:25
logic. analyzers and networks nippers, and the advantage of dynamic analysis is that it can also be fast and accurate. But it does have a lot of potential thio be destructive, especially if you're doing it on a system that is not a BM
01:42
or if you're doing it on the
01:45
a standalone laptop.
01:49
So some of the tools that we're gonna use for dynamic that analysis
01:53
our product monitor, process, monitor and Brockman is a free tool that's developed by Windows system internals. And it's used to monitor the Windows file system, registry and process activity real time.
02:07
So is your executing that malware You're going to be able to see some of those changes within that
02:15
within those processes?
02:19
The next thing that we're going to use for dynamic analysis is going to be our process explore
02:24
and with Process Explorer, it's going to monitor the running processes, and it will show you the handles and DLL ls there gonna be loaded for process. And that way you could kind of look at that and compare with your victim machine
02:40
and see if you can see find some of those commonalities with the handles on the D. L. Else that you might see on your test machine.
02:49
The next program that we're gonna talk about his red shot
02:53
and red shot is a open source utility to monitor your registry for changes and what's gonna happen. This is It's going to essentially take a snapshot of your registry
03:04
before you run this, uh,
03:07
this malware on your system. And then it's going to take a snapshot
03:12
as the malware runs. And that way you could compare foreign after and see what, if anything, has changed within your registry.
03:20
And then the last two were going to talk about
03:23
is a pate de NS but the pate de NS. It's a tool for controlling the NS responses on your system, and it's going to act a city in a server on. Then what? What that's gonna do is it will spook being. This response is generated by that malware. So those Air four programs that you can use
03:43
the rock that dynamic analysis to examine that file,
03:46
a zits being executed and to see exactly what it's going to do natively in the real world. And obviously again, you want to be doing this on your your V m and or your standalone machine?
04:03
Uh, one of the last things that we're gonna want to do after we have
04:10
kind of toward this file apart, examined at sea have seen what it does
04:15
is that you can kind of start to guard against these things. Essentially, can't fight something that you haven't defined or that you don't know exactly what it is, What it's not going to do.
04:26
Eso this whole
04:29
analyzing the processes of this malware from from the automated announce a static and dynamic you're getting information about that file on that information is gonna help you essentially determine what action you want to take next,
04:45
and and then that malware file that you're analyzing. It's also gonna help give you some type of idea about what may have done on your network.
04:55
Once you start the analysis process, you're gonna be able to find some commonalities with these malware files
05:03
that you're gonna look at that may have infected your network or machine on your network.
05:10
And some of those commonalities would include MP five ashes cold back I P addresses down motors, common file names, and then any of those you can configure your firewall to essentially block that.
05:24
So the more commonalities that you could find more specifically, you can protect your system to guard against those. Ah, lot of times I've seen, especially recently, malware writers will change a lot of the names of the flowers that they're sending.
05:43
They're gonna change the I P addresses
05:46
within the
05:47
the file itself. So it's gonna get a lot harder to try and block some of these things. So the analysis will help you try and identify very specific features and functions of this malware. That way, you could
06:04
set your configuration sittings in that fire, Walter, to catch it in the block it. Otherwise, you're gonna have to try and block 50 different email addresses. You're gonna have to block 50 different eye piece, and it's a lot of work.
06:20
So if you can analyze those files and get the specific information
06:26
that seems to be shared among all of those files, it will make your life a lot easier.
06:30
And then you can also send the files to your antivirus provider so you could receive updates to your antivirus definitions. But again, helping unpack that file, identify what you want tohave block and what you're trying to protect against
06:48
will also help your anti virus provider
06:51
create the right definition for you.
06:55
So this was a quick down and dirty of our malware analysis and malware remediation.
07:03
This is was not designed to essentially be a complete reverse engineering Mauer class. Uh, and I think we have one of those coming on the cyber website. So if you're interested in learning how to reverse engineer a marijuana, I would recommend definitely checking that out.
07:20
This was designed to provide you an overview
07:25
of what? Use an incident. Respond Ercan do toe look and analyze it. Some of that malware.
07:30
So what we talked about this from going from
07:35
least difficulty Most difficult, least difficult. It's going to be submitting that malware to an online
07:45
analysis tool like virus total, our malware dot com or some type of automated program that's gonna help identify what this piece of malware it's doing and that will help focus your efforts
07:59
moving up on that pyramid. We talked about static
08:03
analysis where you're kind of looking in that looking at that file for ways that it wouldn't necessarily run native
08:11
and what that will do that's going to help you identify some I p addresses. You are Els are some of the processes that might be created with that malware
08:22
above that level. We're going to have the dynamic analysis, and the dynamic analysis will help us look at the file as it actually runs on a system.
08:33
And the dynamic analysis will help us identify some of the changes that the program is going to make in the registry or some of the processes and dll that program's gonna forget.
08:45
So
08:46
all of those processes have their strengths and weaknesses, and those were some of the tools and techniques that you can use as you're beginning to investigate your malware.
08:56
And then once you find some of those commonalities for those Mauer files, you can then go about starting that remediation process, submitting those files to your antivirus providers and or changing or strengthening your firewall settings to try and prevent those files from coming in again.
09:16
So that concludes our section on malware analysis as it relates to incident response in advance. Forensics. I hope you enjoyed this course and come back next time. Our next video is going to talk about the remediation process for mountain,
09:35
so thank you. And I hope to see you again.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Instructor Profile Image
Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor