Malware Analysis Using ProcDot
Malicious software, sometimes referred to as malware, is examined and understood through the process of malware analysis. When malware is used by hackers to access computers without authorization, steal valuable information, or harm computer systems, this technique is crucial to recognizing and mitigating cyber risks.
There are primarily 2 types of analysis techniques:
Static analysis: Examining malware that hasn’t been triggered .This method allows us to identify libraries and hard coded strings. a certain malicious file is using
Dynamic Analysis: Investigating malware via executing it. This technique enables us to determine which processes, threads, and HTTP requests are produced by the infection.
A process’s execution and any accompanying activity, such as file and network traffic, may be visually mapped out by analysts using ProcDOT. The application displays this data using a visual method, making it easier for analysts to spot suspicious activity and comprehend the malware’s capabilities.
Tool Requirements:
(ALWAYS USE VIRTUAL MACHINES TO TEST MALWARES)
Configuration of ProcDot:
Test on Real Malware:
Setup ProcMon:
select the Thread Id and unselect Sequence number (if selected)
Select Resolved network address
Run any packet-capturing software now. I’m doing it with Wireshark.
Launch the malicious software while keeping an eye on the background programs procmon and wireshark.
save log file of procmon in CSV format.
Save the packets that Wireshark has now captured in the .txt format that ProcDot permits after some time.
Choose the procmon log file in ProcDot, then choose the malicious process you want to look at.
Choose the earlier-saved TXT pcap file after choosing the infected process.
For Graphical view, follow these steps:
Click on the “refresh”
Wait for a couple of seconds for the graph to be displayed.
The graph will provide a comprehensive view of all the processes, sub processes, registry edits, and other changes carried out by the malicious process.
By analysing this detailed report, you can gain a better understanding of how the malicious process operates and the extent of the damage it has caused. In addition, this information can be used to develop and implement more effective security measures to prevent similar attacks in the future.
In Above image we can able to see that malicious process creates new subprocess and then connects to some random IP address
After gathering details we can look into the pcap to see what detials are shared in the packets
Lets see the IP details on Virustotal to see reputation
IP is clean, lets see what community say about this IP:
So it is microsoft IP that means its safe but we can see all the IP addresses discovered in the graph or in pcap file
Lets see what all file created or deleted by this malware
With this technology, we have the ability to dynamically examine the behaviour of malware in our system or network architecture in real time. By doing so, we can detect and respond to threats more efficiently, ultimately improving the security of our organisation. Furthermore, the insights gained from analysing the malware behaviour can be used to strengthen our overall security posture, identifying potential vulnerabilities and areas for improvement. This technology provides us with a powerful tool in the fight against cyber threats, allowing us to stay one step ahead of attackers and protect our critical assets.
References:
