Dulan Security Config

Status
Not open for further replies.

Dulan

Level 1
Thread author
Jun 15, 2017
9
Hi,

I would like to get some information from you guys regarding malware analysis. I'm still a newbie to it. At this moment I'm only looking to identify the changes that the malware makes to a system without going into the code level. I use the following monitoring tools.

- Process Explorer
- Autoruns
- Process Monitor
- Windows inspection tool set

I would like to get any recommendation for a registry monitoring tool which can actually track all the registry changes made by the malware process. I tried Regmon but it's quite difficult to isolate only the registry changes made by the malware. Also I would like to know a good tool to identify the exact TCP connections the malware process makes to the outside. Also a good file monitoring tool might be helpful as well.

Meanwhile I'm going through the threads and checking out the tools you guys are using.

Any help here would be much appreciated.
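The isolation the post above asks for (registry, file and TCP activity of one process only) can be done by filtering a Process Monitor CSV export (File > Save..., CSV format) by process name or PID; Procmon's own Filter dialog can do the same interactively. This is an added example, not code posted in the thread; the rows in SAMPLE_CSV are constructed in Procmon's export column layout, and `sample.exe`, PID 4242, the paths and the addresses are placeholders rather than observations of any real sample.

```python
"""Isolate the registry, file and network activity of one process from a
Process Monitor CSV export (File > Save..., CSV format).

Added example for this thread, not code posted in it. SAMPLE_CSV is constructed
in Procmon's export column layout; sample.exe, PID 4242, the paths and the
addresses are placeholders, not observations of any real sample."""
import csv
import io

# Constructed sample export: one benign explorer.exe write, one svchost.exe
# connection, and six events from the process under test.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\Shell\\BagMRU","SUCCESS","Type: REG_BINARY"
"10:01:03.0","sample.exe","4242","RegCreateKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Write"
"10:01:03.1","sample.exe","4242","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\upd.exe"
"10:01:03.2","sample.exe","4242","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:03.3","sample.exe","4242","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:01:04.0","sample.exe","4242","TCP Connect","LAB-PC:49710 -> 198.51.100.23:443","SUCCESS","Length: 0"
"10:01:04.5","svchost.exe","900","TCP Connect","LAB-PC:49711 -> 203.0.113.7:80","SUCCESS","Length: 0"
"10:01:05.0","sample.exe","4242","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname","SUCCESS","Type: REG_SZ"
"""

# Procmon operation names that change registry state. Reads such as
# RegQueryValue are deliberately left out: they are noise for this question.
REGISTRY_WRITES = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}
# File operations that modify, rename or delete a file (CreateFile is handled
# separately because it is also used for plain reads).
FILE_WRITES = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def events_for_process(rows, process_name=None, pid=None):
    """Keep only rows from the given process (by name, PID, or both).

    Filtering on the PID as well guards against a sample that names itself
    like a system binary, which would otherwise be mixed with the real one.
    """
    keep = []
    for row in rows:
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if pid is not None and row["PID"] != str(pid):
            continue
        keep.append(row)
    return keep


def remote_endpoint(path):
    """Procmon writes network paths as 'local:port -> remote:port'."""
    return path.split("->")[-1].strip()


def summarize(rows):
    """Group one process's events into the three things the thread asks about."""
    registry, files, network = [], set(), []
    for row in rows:
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op in REGISTRY_WRITES:
            registry.append((op, path, detail))
        elif op in FILE_WRITES or (op == "CreateFile" and "Write" in detail):
            files.add(path)
        elif op.startswith(("TCP ", "UDP ")):
            network.append((op, remote_endpoint(path)))
    return {"registry": registry, "files": sorted(files), "network": network}


def load_and_summarize(csv_path, process_name, pid=None):
    """Same thing for a real export on disk (assumes UTF-8, with or without BOM)."""
    with open(csv_path, newline="", encoding="utf-8-sig") as fh:
        rows = list(csv.DictReader(fh))
    return summarize(events_for_process(rows, process_name, pid))


if __name__ == "__main__":
    report = summarize(events_for_process(parse_procmon_csv(SAMPLE_CSV), "sample.exe", 4242))
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it against a real export with `load_and_summarize("capture.csv", "sample.exe", pid)`; filtering by PID matters because Procmon keeps recording child processes and anything else that happens to share the name, and the registry list above intentionally contains only writes, since the reads are what make a raw capture hard to dig through.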
 

Dulan

Level 1
Thread author
Jun 15, 2017
9
I do agree with you but I believe Veeam is not free. I think I can easily use Windows Backup and do a bare-metal backup. But if Veeam is free that would be awesome as it is one of the best backups in the market.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
About registry monitoring tools, I suggest RegShot; I used it and I can say that it is a good solution.

From Softpedia:

"RegShot is a handy little tool that enables you to view the exact changes made in the Windows registry entries, by taking snapshots at different moments and comparing the “before” and “after” registry log files."

RegShot Download
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
I do agree with you but I believe Veeam is not free. I think I can easily use Windows Backup and do a bare-metal backup. But if Veeam is free that would be awesome as it is one of the best backups in the market.

Just use Macrium Free, reliable and free for you to use. ;)

Thanks for sharing your config. :)
 

Dulan

Level 1
Thread author
Jun 15, 2017
9
About registry monitoring tools, I suggest RegShot; I used it and I can say that it is a good solution.

From Softpedia:

"RegShot is a handy little tool that enables you to view the exact changes made in the Windows registry entries, by taking snapshots at different moments and comparing the “before” and “after” registry log files."

RegShot Download

Hi Winter Soldier,

Is there a way that you can use it to monitor changes made only by a specific process or application? Before-and-after snapshots include so much detail, and at this moment I'm not good at identifying what I really want.
My actual requirement is to identify all the registry changes done by a specific malware and I don't want to have that mixed with other processes' registry changes. I'm still a newbie at this, forgive me if it sounds stupid. Thanks.
 

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Hi Winter Soldier,

Is there a way that you can use it to monitor changes made only by a specific process or application? Before-and-after snapshots include so much detail, and at this moment I'm not good at identifying what I really want.
My actual requirement is to identify all the registry changes done by a specific malware and I don't want to have that mixed with other processes' registry changes. I'm still a newbie at this, forgive me if it sounds stupid. Thanks.

I got your point, and with the obvious limitations RegShot can be a good point of reference.
Just close all the possible active applications that could write to the registry, do a snap before, then start the malware and do a snap after that.
Reading the log, you should find the changes made by the malware with a good approximation.
 

a1nn

Level 2
Verified
Jun 5, 2017
50
Hi, Dulan, some things that I suggest you do are to:
  • Backup system images
  • Install some more second-opinion scanners (HitmanPro, Zemana Anti-Malware, Norton Power Eraser)
  • Get HTTPS Everywhere (optional???)
Thanks for sharing your configuration! (◕‿◕)
 

S3cur1ty 3nthu5145t

Level 6
Verified
May 22, 2017
251
Other than the mentioned system backup being needed, looks good to me, nothing to add.

p.s.
Regshot is your best bet for taking a snapshot of registry changes when running malware.

- Drop Regshot and the malware pack onto the system, take a snapshot
- Take a snapshot with Regshot, execute one sample while recording the changes, take the second snapshot with Regshot to compare
- Reset the guest machine's snapshot and start the process over with the next sample in line

Effectively, testing one sample at a time and resetting the snapshot each time will give you less to dig through when comparing the initial snapshot and the secondary one.
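The before/after comparison that Winter Soldier and the post above both describe works on any two registry exports, not only RegShot's own snapshots. The script below is an added example for this thread (not RegShot's code and not anything posted here): it assumes two files produced with the built-in `reg export <key> <file>` command, one taken before the sample runs and one after, and reports the keys and values that were added, deleted or modified. The two snapshots embedded in it are constructed; the `Updater` value, the `UpdSvc` key and the paths are placeholders.

```python
"""RegShot-style comparison of a 'before' and an 'after' registry export.

Added example for this thread, not RegShot's code nor anything posted in it.
Assumes the two files come from `reg export <key> <file>` run before and after
the sample. BEFORE and AFTER are constructed snapshots; the Updater value, the
UpdSvc key and the paths are placeholders."""

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Updater"="C:\\Users\\lab\\AppData\\Roaming\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\UpdSvc]
"InstallPath"="C:\\Users\\lab\\AppData\\Roaming"
"Id"=hex:01,02,03,04,05,06,07,08,\
  09,0a
"""


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: raw_data}}.

    Handles [key] headers, "name"=data lines, the @ default value and hex data
    continued over several lines with a trailing backslash. Value names that
    themselves contain '=' are not handled (rare, and out of scope here).
    """
    snapshot = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        snapshot[current][name] = data
    return snapshot


def load_reg_export(path):
    """reg export writes UTF-16LE with a BOM, so decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def diff_snapshots(before, after):
    """Return RegShot-style change lists, each in sorted key order."""
    changes = {"keys_added": [], "keys_deleted": [], "values_added": [],
               "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None:
            changes["keys_added"].append(key)
        if a is None:
            changes["keys_deleted"].append(key)
        b, a = b or {}, a or {}
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes["values_added"].append((key, name, a[name]))
            elif name not in a:
                changes["values_deleted"].append((key, name, b[name]))
            elif a[name] != b[name]:
                changes["values_modified"].append((key, name, b[name], a[name]))
    return changes


def format_report(changes):
    """Plain-text report, one section per change type."""
    lines = []
    for section, items in changes.items():
        lines.append(f"{section}: {len(items)}")
        for item in items:
            lines.append("    " + (item if isinstance(item, str) else " | ".join(item)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))))
```

For real snapshots use `diff_snapshots(load_reg_export("before.reg"), load_reg_export("after.reg"))`. Exporting a whole hive such as HKCU or HKLM takes a while and produces large files, but the comparison is the same. Note what this approach cannot do: a snapshot diff has no idea which process made a change, which is why the thread's advice to close everything else, run one sample at a time and revert the VM between samples still applies; Process Monitor is the tool for attributing a change to a process.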
 

JHomes

Level 7
Verified
Well-known
Jul 7, 2016
339
No Backup - No Luck!

You need to back up your system, and I can see wanting to keep costs down. Disk imagers require storage media of some sort, and there's the added pressure of not knowing how big your disk images will be.

I recommend Rollback Rx Home. It's free, which I'm sure you'll like. It's limited compared to the paid version but it will do the job. You can always grab Rollback Pro and Drive Cloner when you can for added coverage, but that's a personal preference.
 
