Malware Analysis Dynamic Analysis of a random malware using SysAnalyzer [Advanced Mode: OFF]

L

LabZero

Thread author
Hello.

This is a simple malware analysis performed in dynamic mode using Sandboxie and SysAnalyzer.

Honestly, as the title, the malware that I have chosen is not "random" because first to analyze it, I tested in Sandboxie at least a dozen of samples.
The problem is that these samples using anti-virtualization and anti-sandboxing routines.
In this case, the malware recognises the sandbox and start Itself for 1 second and then it terminates the processes, remaining dormant.
This technique is widely used to prevent or make difficult the analysis and the purpose of the malicious code is infecting the real/physical machine.
The purpose of this thread is to show that to analyze a malware is not always necessary to have advanced knowledge or sophisticated tools.

As always, I remind everyone to use a virtual environment for malware testing.
In this case, I run Sandboxie, which offers a good security level, although to perform specific and complex analysis, I use a VM.


File Details

File Name: 02bb3774d0fa83d86239ab5d10f7bcd0.exe
File Size: 163840 bytes
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 02bb3774d0fa83d86239ab5d10f7bcd0

Online analysis: Malwr - Malware Analysis by Cuckoo Sandbox


Containment: Sandboxie 5.0.10 x64
OS: Windows 7 Pro x64 SP1
Tools: SysAnalyzer


Description from source: SysAnalyzer - aldeid

SysAnalyzer is an automated mal-code run time analysis application that monitors various aspects of system and process states and It was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

SysAnalyzer can automatically monitor and compare:

- Running Processes
- Open Ports
- Loaded The Drivers
- Injected Libraries
- Key Registry Changes
- APIs called by a target process
- File Modifications
- HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

- Create a memory dump of target process
- Parse memory dump for strings
- Parse strings output for exe, reg, and url references
- Scan memory dump for known exploit signatures


Full GPL source for SysAnalyzer is included in the installation package.


Starting SysAnalyzer, it is necessary to indicate the location of the sample and press START.

Cattura.PNG


Be careful, the malware is executed after a countdown of 30 seconds

Cattura2.PNG


Cattura1.PNG


In the main interface, we see "debug log" that indicates all the operations performed by the tool: enumerating processes, open ports, drivers, reg keys and running the malware, the subsequent operations.

Cattura3.PNG


It is interesting to note: the "memory dump of target process".

Any file is stored on disk in the form of a sequence of bytes, so in the form of binary values of 8 bit, for this reason, the files that are stored on the disk are defined generically, a binary file.
High level's programming languages, however, distinguish between binary files and text files, but this distinction is formal.
This particular type of view of the binary information present on any storage media (hard disk, RAM, etc), is also called memory dump.

Cattura5.PNG


Without doubt the most interesting information: "contacted URLs", "registry keys" that refer to QQBrowser and "exe references" that show probably a dropped file.
The latter information is important because we can try to really understand what actions the malware performs on the system.
In this case, by analyzing the network communication, we can note that they are different from those analyzed by Malwr.
Probably the reason is that SysAnalyzer has analyzed only the main sample as a "container" that contact the URLs in our analysis.
Considering that this container drops another executable, the Malwr analysis may detect other connections generated by this last.
Moreover, the behavior of a malware can change on different OS about routines, algorithms.

Cattura7.PNG


In short, according to my analysis this samples is a classic trojan that seems to run the adware that opens ads pages, but it drops one or more malicious .exe that might steal personal information or other.

Of course this is a very simple analysis, understandable to everyone, but it is useful to try to understand how a malware works.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top