Wednesday, 5 February 2014

Behavior Investigation Of Malware

Malware analysis is very important: whatever security tools we use, attackers may still get into our networks. Malware analysis basically divides into two parts:

1. Behavioral Analysis
2. Code Analysis

This is the first part of malware analysis, i.e. behavioral analysis, which means we analyse the behavior of the malware and monitor the activities it performs. So here is the list of tools you will need for behavioral analysis.

  • VMware server with XP installed
  • Regshot
  • Process Monitor
  • Process Explorer
  • Wireshark
  • CaptureBAT
  • Fake DNS

Download them from here.

OK, let's start it right away.

First, take a snapshot of the state of the machine’s file system and the registry. This will allow you to quickly see what major changes have occurred on the system after you infect it. For this, use Regshot: enable the “Scan dir1” option, type “C:\” in the corresponding box, and click “1st shot”.

After Regshot has taken the snapshot, run the malware program with "Administrator" privileges so that it can obtain the highest privileges. Now interact with the program a bit to make it function. Then end the malicious program, click “2nd shot” in Regshot, and click “Compare”. You’ll now see a report that describes the major changes to the system’s state. In this case, we see that a few files were added to the system.

The two files that appeared on the system after we infected it are pas.txt and msnsettings.dat. Take a look at them using Notepad. It looks like pas.txt has captured the logon credentials we used when logging into the malicious executable. The msnsettings.dat file looks like a configuration file of some sort.
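The Regshot workflow above (first shot, run the specimen, second shot, compare) is simple enough to reproduce for the file-system part in a few lines. The following script is an added example and not part of the original article or of Regshot itself: it records the size and SHA-256 of every file under a directory, then diffs two such snapshots into added, removed and modified files. The `demo()` function builds a throwaway directory and writes two files named pas.txt and msnsettings.dat purely as constructed sample data, so that it runs offline; on a lab VM you would call `snapshot("C:\\")` before and after infection instead.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every regular file under root.

    Files that cannot be read (locked by a process, removed mid-walk) are
    skipped rather than aborting the whole snapshot.
    """
    shot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                shot[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
            except OSError:
                continue
    return shot


def compare(first, second):
    """Diff two snapshots the way Regshot's 'Compare' does for files."""
    added = sorted(set(second) - set(first))
    removed = sorted(set(first) - set(second))
    modified = sorted(p for p in set(first) & set(second) if first[p] != second[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Run the first-shot / change / second-shot cycle on a constructed directory.

    The file names mirror the ones the article found (pas.txt, msnsettings.dat),
    but their contents here are made-up sample data, not output of the trojan.
    """
    with tempfile.TemporaryDirectory() as root:
        existing = os.path.join(root, "existing.txt")
        with open(existing, "w") as fh:
            fh.write("pre-infection content\n")
        first = snapshot(root)

        # Simulated changes standing in for what the specimen did on the VM.
        with open(os.path.join(root, "pas.txt"), "w") as fh:
            fh.write("constructed sample: captured logon line\n")
        with open(os.path.join(root, "msnsettings.dat"), "w") as fh:
            fh.write("constructed sample: config line\n")
        with open(existing, "a") as fh:
            fh.write("appended after 'infection'\n")
        second = snapshot(root)

        return compare(first, second)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing file contents makes the diff catch modified files that keep their size, at the cost of being much slower than Regshot's name-and-attribute scan when pointed at a whole drive; for a quick triage pass, drop the hash and compare sizes and modification times only.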

Let us understand how the malicious program interacts with the file system and the registry with the help of Process Monitor. To use Process Monitor, run it while infecting the system. Process Monitor records API calls that deal with the file system, the registry and other local activities. In the screenshot, you see attempts by our malware specimen to create the pas.txt file and to locate the msnsettings.dat file.

Reverse-engineering malware can help you become better at incident response and forensic analysis. In our scenario, we have already discovered that the Windows Live Messenger trojan makes use of the msnsettings.dat file. Now you know to look for it on a compromised system, even if you didn’t initially realize that this file was important.

Once you have a copy of msnsettings.dat, you can open it to see whether it reveals additional details about the program. As shown in the figure:

One is a string “test,” which we may be able to use later when trying to understand how the trojan processes the msnsettings.dat file. Another line, “” specifies an SMTP mail server; this suggests that our specimen has the ability to send email. The file also includes an email address, “[email protected]”. This may be the recipient of the information that the trojan might attempt to send out. 

Another tool which is very helpful in malware analysis is CaptureBAT.

CaptureBAT is similar to Process Monitor in that it records local processes’ interactions with their environment. CaptureBAT’s logs tend to be less noisy than those created by Process Monitor. This is because CaptureBAT comes with filters that eliminate the majority of standard, non-malicious activities from the logs.

If you launch CaptureBAT with the “-c” parameter, it will capture any files deleted in the background, allowing you to look at and restore even those files that the Windows Recycle Bin cannot capture.

Launching CaptureBAT with the “-n” parameter tells the tool to capture network traffic, like a sniffer would, saving the result into a local .cap file. As you can see in the picture, CaptureBAT confirmed our earlier findings about the malware specimen.

You can load the .cap file created by CaptureBAT into a full-featured network sniffer, such as Wireshark.

As you can see in the picture, the sniffer shows that the infected system has issued a DNS query, attempting to resolve the hostname “”. The “smtp” in the hostname suggests that the malware specimen is looking for a mail server to connect to, reinforcing our earlier theory of how the trojan might use this hostname.

To confirm how the specimen wishes to use “”, allow the trojan to resolve this hostname. Once it can resolve it, it will presumably attempt to connect to it, and you will be able to use a network sniffer to see what service the specimen is trying to access. To set up name resolution, insert an entry for the hostname into the “hosts” file on the infected system. A faster alternative is to use a tool called ApateDNS.

ApateDNS is a DNS server that you can configure to answer any DNS query with a single IP address of your choice. I usually suggest picking the IP address of some system in your lab on which you can run the service that the malware may look for. This redirects the connection to the host where you have set up the listener, allowing the connection to complete so you can learn about its purpose.
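To make concrete what ApateDNS does, here is a minimal fake DNS server written for this article as an added example; it is not ApateDNS's code or part of the original post. It parses the question section of any incoming A query, echoes the question back with the same transaction ID, and appends a single A record pointing at whatever lab address you choose (the `10.0.0.5` below is an assumed lab listener address). Queries of other types get an empty NOERROR response. The `build_query` helper exists only so the module can be exercised offline without a victim VM.

```python
import socket
import struct


def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for `name` (used for offline testing)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet, offset=12):
    """Decode the label sequence at `offset`; return (dotted_name, offset_after_name)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a plain question
            raise ValueError("unexpected label pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_response(query, answer_ip, ttl=60):
    """Answer an A/IN query with `answer_ip`; any other type gets NOERROR with no answer."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    answer = b""
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to offset 12 (the question name), TYPE A, CLASS IN, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    rflags = 0x8080 | (flags & 0x0100)  # QR=1, RA=1, RD copied from the query, RCODE=0
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def serve(answer_ip, bind_addr="0.0.0.0", port=53):
    """Answer every UDP query on `port` with `answer_ip`, logging each name as ApateDNS does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"fake DNS on {bind_addr}:{port}, answering everything with {answer_ip}")
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, _ = parse_qname(data)
            sock.sendto(build_response(data, answer_ip), peer)
            print(f"{peer[0]} asked for {name} -> {answer_ip}")
        except (IndexError, ValueError, struct.error) as exc:
            print(f"ignoring malformed query from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve("10.0.0.5")  # assumed lab address of the host running your listener; port 53 needs privileges
```

Point the infected VM's DNS setting at the machine running this script and every hostname the specimen asks for lands on your listener host, where Wireshark or a fake service shows which port and protocol it really wants.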

In our example, captured in the above picture, the network sniffer now confirmed that the infected system is attempting to connect to TCP port 25 on “”. 

Another option is FakeNet. FakeNet automatically redirects network traffic, so there is no need to modify the hosts file or use ApateDNS with this tool. FakeNet emulates various common services, including HTTP and SMTP.

In our example, illustrated in the picture, FakeNet pretends to be a mail server, intercepting the email message that our trojan attempts to send through “”.

Now you can see the contents of the message that the trojan is mailing to the attacker. As highlighted in the picture, the message includes the victim’s Windows Live Messenger username and password. We also see that the exfiltrated data is directed to “[email protected]”.
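FakeNet's SMTP emulation boils down to a server that says "yes" to every command and keeps whatever arrives after DATA. The sink below is an added example written for this article (not FakeNet's code or the original post's) that does exactly that: a small SMTP state machine you can drive line by line, plus a TCP front end that listens on the port the specimen connected to. It accepts any sender and recipient, un-stuffs leading dots in the body, and stores each message so you can read the captured envelope and body. The hostname `sink.lab` and port 25 are assumptions for a lab setup.

```python
import socket


class SmtpSink:
    """Server side of a minimal SMTP dialogue that accepts everything and stores the message."""

    def __init__(self, hostname="sink.lab"):
        self.hostname = hostname
        self.in_data = False
        self.sender = None
        self.recipients = []
        self.lines = []
        self.messages = []  # each entry: {"from": ..., "to": [...], "body": ...}

    def greeting(self):
        return f"220 {self.hostname} ESMTP sink ready"

    def handle_line(self, line):
        """Feed one client line (without CRLF); return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append({"from": self.sender,
                                      "to": list(self.recipients),
                                      "body": "\n".join(self.lines)})
                self.sender, self.recipients, self.lines = None, [], []
                return "250 OK: message captured"
            # RFC 5321 dot-stuffing: a body line starting with ".." carried a single "."
            self.lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            self.sender, self.recipients, self.lines = None, [], []
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def serve(bind_addr="0.0.0.0", port=25):
    """Run the sink for one client at a time and print every captured message."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, port))
    listener.listen(1)
    print(f"SMTP sink listening on {bind_addr}:{port}")
    while True:
        conn, peer = listener.accept()
        sink = SmtpSink()
        with conn:
            conn.sendall((sink.greeting() + "\r\n").encode())
            for raw in conn.makefile("rb"):
                reply = sink.handle_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
                if reply:
                    conn.sendall((reply + "\r\n").encode())
                    if reply.startswith("221"):
                        break
        for msg in sink.messages:
            print(f"captured from {peer[0]}: {msg}")


if __name__ == "__main__":
    serve()  # port 25 needs privileges; pass port=2525 and redirect with the fake DNS/listener host otherwise
```

Because every command is answered with success, the specimen believes delivery worked and hands over the full message, which is what let the article read the exfiltrated username and password; the same dialogue, captured in Wireshark, is what you see in the FakeNet screenshot.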

So this was the behavioral analysis of our malware. In this article we only analyzed the behavior of the malware, its processes, network services, etc. to learn about it. So far we have found the following:

1. The malware creates 2 files after launching: pas.txt and msnsettings.dat.

2. It sends the user's Live Messenger credentials to the following mail server:

Attacker's Mail server:

Attacker's email id: [email protected]

After this article I'm working on the code analysis of malware. I will do the code analysis of the same application that was used in this tutorial, so you can consider this the first part of malware analysis. The second part will come soon.

About the Author: 

This article has been posted by Kislay Bhardwaj. He is a security researcher specializing in Penetration Testing, Cyber Forensics, Linux security and other security assessments and training.
