Malware Handbook

Dynamic Analysis

Last updated 1 year ago

Dynamic analysis involves observing the behavior of the malware while it is running. Here are the key steps and important parameters to consider:

  • Environment Setup: Before executing the malware, it's crucial to set up a controlled environment. This is often a virtual machine configured to prevent the malware from causing harm to the analyst's system or network. Tools like Cuckoo Sandbox can be used to automate this process.

  • Execution and Monitoring: The malware is then executed within the controlled environment and its behavior is monitored. This can involve observing changes made to the system, such as file creation, registry changes, and network communication. Tools like Process Monitor, Regshot, and Wireshark can be used to track these changes.

  • Network Traffic Analysis: By monitoring network traffic, analysts can identify any remote servers the malware communicates with, as well as the nature of this communication. This information can be crucial in understanding the purpose of the malware and potentially identifying its controller.

  • Persistence Mechanism Identification: Many types of malware attempt to ensure they remain on the system after reboot, known as persistence. Identifying these mechanisms can be crucial in fully removing the malware from an infected system.

  • Behavior Documentation: The malware's behavior is documented for future reference and for sharing with other researchers. This documentation can include the malware's actions, any changes made to the system, and any network communication.

  • Results Analysis: The results of the dynamic analysis are then analyzed to understand the malware's purpose and behavior. This can involve comparing the observed behavior with the findings from the static analysis.
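As an added example (not the handbook's own code), the Python script below applies the monitoring and persistence steps above to a Process Monitor CSV export: for the sample's process it flags registry writes to common autorun keys, files it opened for writing, and the remote endpoints it contacted. The CSV rows, process name, and IP address are constructed for illustration; the column layout follows ProcMon's CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout (File > Save, CSV).
# These rows are illustrative, not captured from a real sample.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:02:11.2","sample.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 81,920"
"10:02:11.4","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\svc.exe"
"10:02:12.0","sample.exe","4120","TCP Connect","lab-vm:49712 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:02:12.3","explorer.exe","1532","RegQueryValue","HKCU\\Software\\Classes\\x","SUCCESS","Type: REG_SZ"
"""

# Registry locations commonly used for persistence (a subset; extend as needed).
AUTORUN_PREFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\SYSTEM\CurrentControlSet\Services",
)


def summarize_procmon(csv_text, process_name):
    """Return per-category findings for one process from a ProcMon CSV export."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # keep only the sample under analysis
        op, path = row["Operation"], row["Path"]
        if op == "RegSetValue" and any(p.lower() in path.lower() for p in AUTORUN_PREFIXES):
            findings["persistence"].append((path, row["Detail"]))   # autorun key written
        elif op == "CreateFile" and "Generic Write" in row["Detail"]:
            findings["files_written"].append(path)                   # dropped/modified file
        elif op.startswith(("TCP ", "UDP ")):
            findings["network"].append(path.split(" -> ")[-1])       # remote endpoint
    return dict(findings)


if __name__ == "__main__":
    for category, items in summarize_procmon(PROCMON_CSV, "sample.exe").items():
        print(category, items)
```

Cross-check the `persistence` entries against the Regshot diff and the `network` entries against the Wireshark capture so each finding is corroborated by a second tool.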

Dynamic analysis can provide valuable insights into a sample's behavior that might not be apparent from static analysis alone. However, it also carries more risk, as it involves executing the malware. Therefore, it should always be performed in a controlled environment.

Never judge a sample based on the verdict of a single antivirus engine. VirusTotal is a good option since it aggregates the results of many antivirus engines.