Login  |  Register  |  Contact

Malware Analysis Quant: Metrics—Dynamic Analysis

Now that we have done what we can passively, through static analysis of the malware sample, it’s time to run it and see what happens. Fun! More detail on what that involves isin our process description of Dynamic Analysis.

There are three aspects of dynamic analysis: device analysis, network analysis, and proliferation analysis. When you run the malware you need to look for different indicators, depending on the type of analysis. Here is the entire process:

Dynamic Analysis

Variable Notes
Time to run malware against victim devices Match the file hash against database(s) of known malware files.

Device Analysis

Variable Notes
Time to capture and analyze volatile memory
Time to analyze configuration & registry changes
Time to assess and log file activity
Time to capture and analyze processes & services
Time to restart victim to test persistence
If no visible impact on VM, time to test against a physical machine Testing VM awareness generally requires a physical victim device, rather than a virtualized victim.

Network Analysis

Variable Notes
Time to capture network traffic
Time to search for suspicious destinations Using IP reputation and C&C analysis.
Time to analyze C&C traffic Determine what is being sent and where.
Time to analyze exfiltrated information If available.

Proliferation Analysis

Variable Notes
Time to set up another vulnerable victim This additional victim will be the target of any attempts by the malware to spread, pivot, or otherwise infect another device.
Time to capture network traffic (again) Rather than initial traffic patterns, you are now looking to see how the malware searches for devices and follows up.
Time to isolate reconnaissance traffic
Time to observe and assess proliferation activity Malware may use different tactics to compromise additional devices once established; so observe not just for the initial attack vector, but for anything else.

At this point, you have put in the effort to understand what the malware is doing, so the next step is to document those findings into a malware profile useful for other constituencies.

—Mike Rothman

Previous entry: Malware Analysis Quant: Metrics—Static Analysis | | Next entry: Malware Analysis Quant: Metrics—The Malware Profile

Comments:

Name:

Email:

Location:

URL:

Remember my personal information

Notify me of follow-up comments?