Malware Handbook

Analyzing Files with Regshot, Process Monitor, and Wireshark

1. Using Regshot

  • Purpose: Regshot takes snapshots of the system registry and file system before and after running a sample to identify changes.

  • Steps:

    • Initial Snapshot: Configure Regshot to include both registry and file system (e.g., drive C).

    • Take First Shot: Click on First Shot to capture the initial state.

    • Run Sample: Execute the sample file.

    • Take Second Shot: Click on Second Shot to capture the state after execution.

    • Compare Snapshots: Click on Compare to view changes.

  • Results: Analyze the output for changes like new files (e.g., badfile.exe) and registry modifications.

2. Using Process Monitor

  • Purpose: Process Monitor logs real-time file system, registry, and process activities.

  • Steps:

    • Setup: Clear existing logs before running the sample (click the Clear button).

    • Run Sample: Execute the sample file.

    • Stop Logging: Once execution is complete, stop capturing events.

    • Filter Logs:

      • Use the Process Tree tool to view child processes of re_whatami.exe.

      • Add re_whatami.exe and its children to the filter to isolate relevant events.

  • Analysis:

    • Process Injection: Look for unexpected child processes (e.g., badfile.exe created by calc.exe).

    • Operations: Focus on Process Create and Create File operations to trace behavior.
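
The filtering step above (Process Tree, then isolating re_whatami.exe and its children, then focusing on Process Create and CreateFile) can be reproduced offline on a Process Monitor CSV export. The script below is an added example, not part of the original handbook; the CSV rows are constructed to mirror the page's scenario, and the column names follow Process Monitor's default CSV export.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (File > Save, CSV). Events are made up
# for this example; the "Detail" of a Process Create row carries the child PID.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:01:00.0001","explorer.exe","1200","Process Create","C:\\Lab\\re_whatami.exe","SUCCESS","PID: 4040, Command line: re_whatami.exe"
"10:01:00.0100","re_whatami.exe","4040","CreateFile","C:\\Users\\lab\\badfile.exe","SUCCESS","Desired Access: Generic Write"
"10:01:00.0200","re_whatami.exe","4040","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\bad","SUCCESS","Type: REG_SZ"
"10:01:00.0300","re_whatami.exe","4040","Process Create","C:\\Users\\lab\\badfile.exe","SUCCESS","PID: 4100, Command line: badfile.exe"
"10:01:00.0400","badfile.exe","4100","CreateFile","C:\\Users\\lab\\drop.txt","SUCCESS","Desired Access: Generic Write"
"10:01:00.0500","svchost.exe","900","CreateFile","C:\\Windows\\Temp\\x.log","SUCCESS","Desired Access: Generic Read"
"""


def parse_events(csv_text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree(events, root_name):
    """Return the set of PIDs of root_name plus every descendant process.

    Equivalent to ProcMon's 'Add process and children to include filter':
    Process Create rows link the acting PID to the child PID in Detail."""
    children = {}
    roots = {ev["PID"] for ev in events if ev["Process Name"].lower() == root_name.lower()}
    for ev in events:
        if ev["Operation"] != "Process Create":
            continue
        m = re.search(r"PID:\s*(\d+)", ev["Detail"])
        if not m:
            continue
        children.setdefault(ev["PID"], []).append(m.group(1))
        if ev["Path"].lower().endswith("\\" + root_name.lower()):
            roots.add(m.group(1))
    tree, stack = set(roots), list(roots)
    while stack:  # walk the parent->child map from every root PID
        for child in children.get(stack.pop(), []):
            if child not in tree:
                tree.add(child)
                stack.append(child)
    return tree


def filter_events(events, pids, operations=("Process Create", "CreateFile")):
    """Keep only rows from the given PIDs with the operations worth tracing."""
    return [ev for ev in events if ev["PID"] in pids and ev["Operation"] in operations]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for row in filter_events(evs, process_tree(evs, "re_whatami.exe")):
        print(row["Process Name"], row["PID"], row["Operation"], row["Path"])
```

Rows from unrelated processes (svchost.exe here) drop out, and the dropped file badfile.exe appears first as a CreateFile and then as a Process Create from the sample's own PID, which is the pattern the Analysis bullets describe.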

3. Using Wireshark

  • Purpose: Wireshark captures and analyzes network traffic.

  • Setup:

    • Run FakeNet: Simulates network services to intercept and log network activity.

    • Capture Traffic: Start capturing network packets during sample execution.

  • Analysis:

    • Inspect Traffic: Look for suspicious connections or data transfers initiated by the sample.

Summary

  • Regshot: Effective for detecting changes in file system and registry. Useful for identifying new files and registry entries.

  • Process Monitor: Essential for tracking real-time process activities and detecting process injection or unexpected file operations.

  • Wireshark: Crucial for monitoring and analyzing network traffic related to the sample.

These tools combined offer a comprehensive approach to analyzing the behavior of executable files, identifying both system and network changes.


Last updated 9 months ago