Software for monitoring malware behaviour

TwinHeadedEagle
Thread author
Mar 8, 2013
Could you recommend some good analysis tools...

I would like these tools to be easy to use and to produce an easily understandable log...

I used regshot and sysinternals, but there are probably more tools :)

Waiting for your suggestions :)
 
Thanks, but I was looking for software that creates a full report of what happens when you execute some file... like malware: which processes it creates, which files, which registry entries and so on...
 
As far as I know there is no software that will create full logs when you run an executable. Most only create partial logs. However, you can run an executable in Sandboxie with an empty sandbox and then explore the contents; everything that was created can be easily viewed.

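The "empty sandbox, then look at what appeared" approach above, and Regshot's before/after comparison, both come down to the same thing: snapshot the state, run the sample, snapshot again, and diff. The following is an added example (not code from any tool named in this thread) that does that for a directory tree, hashing every file so modifications are caught as well as creations and deletions. The sample "dropper" activity in demo() is constructed for illustration; on Windows the same three-way comparison can be applied to registry hives via winreg, which this example deliberately avoids so it runs anywhere.

```python
"""
Regshot-style snapshot diff for a directory tree (added example).

Workflow: snapshot(root) -> run the sample inside the sandbox/VM ->
snapshot(root) again -> diff() -> report(). Paths are reported with forward
slashes relative to root so the output is stable across platforms.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# relative path -> (size, sha256 hex digest)
Snapshot = Dict[str, Tuple[int, str]]


def snapshot(root: str) -> Snapshot:
    """Walk root and record size + SHA-256 of every regular file."""
    entries: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):         # do not follow links out of the tree
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (os.path.getsize(full), digest.hexdigest())
    return entries


def diff(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Three-way comparison: created, deleted and modified (hash changed)."""
    both = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in both if before[p] != after[p]),
    }


def report(changes: Dict[str, list]) -> str:
    """Render the diff as the kind of short, readable log the thread asks for."""
    lines = []
    for kind in ("created", "modified", "deleted"):
        lines.append(f"{kind.upper()} ({len(changes[kind])})")
        lines.extend(f"  {path}" for path in changes[kind])
    return "\n".join(lines)


def demo() -> Dict[str, list]:
    """Constructed scenario: a fake profile dir, then simulated dropper activity."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "AppData", "Roaming"))
        with open(os.path.join(root, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("original\n")

        before = snapshot(root)

        # "Run the sample": it drops a payload, tampers with hosts, deletes a file.
        # This is simulated here; a real run would execute the sample in the sandbox.
        with open(os.path.join(root, "AppData", "Roaming", "svchost.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        with open(os.path.join(root, "hosts"), "a") as fh:
            fh.write("0.0.0.0 update.example\n")
        os.remove(os.path.join(root, "readme.txt"))

        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    print(report(demo()))
```

Hashing rather than comparing timestamps matters because timestomping is cheap for malware, while a content change always shows up in the digest. The weak point of any snapshot diff is the same as Regshot's: it only sees the end state, so a file that was created and then deleted between the two snapshots leaves no trace; for that you need an event recorder (Process Monitor style) rather than a diff.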
Thanks.:D
 
The majority of malware has routines for detecting sandbox applications...

But thanks anyway, I will try Sandboxie
 
TwinHeadedEagle said:
Could you recommend some good analysis tools...

I would like these tools to be easy to use and to produce an easily understandable log...

I used regshot and sysinternals, but there are probably more tools :)

Waiting for your suggestions :)

Have you tried tools such as:

Random's System Information Tool or RSIT (with info.txt and log.txt reports): http://en.kioskea.net/faq/4409-rsit-installation-and-first-use - download home page here: http://en.kioskea.net/download/download-11416-rsit

RogueKiller by Tigzy (with RKreport notepad text report): http://tigzy.geekstogo.com/roguekiller.php
 
No no, RSIT and RK are tools for helpers cleaning out malware...

I need a tool that will monitor malware behaviour after executing a dropper and write that behaviour to a log...
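Sysinternals Process Monitor (mentioned earlier in the thread) records exactly the events asked for here, process creation, file writes, registry changes and network connects, but its raw export is thousands of lines of noise. The following is an added example, not part of any tool or post in this thread, that turns a Procmon CSV export into a short per-process behaviour log, following only the sample's process tree (the root PID plus every child it spawns). The column layout is Procmon's default CSV export; the six event rows in SAMPLE_CSV are constructed for this example and do not come from a real sample.

```python
"""
Summarise a Process Monitor CSV export into a per-process behaviour log
(added example). Only events from the sample's process tree are kept, and
read-only file activity is dropped so the report stays short.
"""
import csv
import io
import re
from collections import defaultdict
from typing import Dict

# Constructed sample export (Procmon default columns); not real capture data.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.4000000","dropper.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:00.5000000","dropper.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:00:00.6000000","dropper.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 64"
"10:00:01.0000000","dropper.exe","1234","Process Create","C:\Users\lab\AppData\Roaming\svchost.exe","SUCCESS","PID: 1300, Command line: ""C:\Users\lab\AppData\Roaming\svchost.exe"""
"10:00:01.2000000","svchost.exe","1300","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svchost.exe"
"10:00:01.3000000","svchost.exe","1300","TCP Connect","lab-pc:49152 -> 203.0.113.7:443","SUCCESS","Length: 0"
'''

# Procmon operation names that indicate a modification rather than a read.
WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
NET_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def summarise(csv_text: str, root_pid: int) -> Dict[int, dict]:
    """Return {pid: {name, spawned, files_written, registry, network}} for the tree under root_pid."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: r["Time of Day"])   # children must be seen after their Process Create
    tracked = {root_pid}
    summary: Dict[int, dict] = defaultdict(
        lambda: {"name": None, "spawned": [], "files_written": [], "registry": [], "network": []}
    )
    for r in rows:
        pid = int(r["PID"])
        if pid not in tracked:
            continue                                  # not part of the sample's tree
        entry = summary[pid]
        entry["name"] = r["Process Name"]
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "Process Create":
            match = re.search(r"PID:\s*(\d+)", detail)   # child PID lives in the Detail column
            if match:
                tracked.add(int(match.group(1)))
            entry["spawned"].append(path)
        elif op in WRITE_OPS or (op == "CreateFile" and "Generic Write" in detail):
            if path not in entry["files_written"]:
                entry["files_written"].append(path)
        elif op in REG_WRITE_OPS:
            entry["registry"].append(f"{op} {path} ({detail})")
        elif op in NET_OPS:
            entry["network"].append(path)
    return dict(summary)


def format_report(summary: Dict[int, dict]) -> str:
    """Readable log: one section per process in the sample's tree."""
    lines = []
    for pid in sorted(summary):
        e = summary[pid]
        lines.append(f"[{e['name']} pid={pid}]")
        for key in ("spawned", "files_written", "registry", "network"):
            for item in e[key]:
                lines.append(f"  {key}: {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_CSV, root_pid=1234)))
```

Following the process tree rather than filtering on the sample's file name is the important design choice: the persistence key and the outbound connection in the constructed data are made by the dropped child, not by dropper.exe, and a name-based filter would miss both. Real exports add a large amount of benign activity (DLL loads, registry reads), which is why the summary only keeps operations that change state.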
 
I did a Google search for: 'tool that will monitor malware behaviour after executing' ..

.. and found these links:

An article from Trend Micro about Behavior Monitoring with OfficeScan: http://docs.trendmicro.com/all/ent/officescan/v10.6/en-us/osce_10.6_olhsrv/ohelp/behavior/bmonit.htm

Malheur - Automatic Analysis of Malware Behavior: http://www.mlsec.org/malheur/

Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer: http://www.hindawi.com/journals/mpe/2013/402438/

Dynamic Sandboxing and Malware Analysis: http://www.threattracksecurity.com/enterprise-security/sandbox-software.aspx
This link directly on Google has all images OK.
Try maybe the home link: ThreatTrack Security: http://www.threattracksecurity.com/
 
Gnosis said:
Don't forget PCHunter.

Yes! And PowerTool.

To see the events in the MBR, click on the 'Report' tab in MBRScan (by eric_71): download link on the developer home page at security-x.fr/tools/ : http://security-x.fr/tools/
Look on our MBR thread called 'MBR check tools' : http://malwaretips.com/Thread-MBR-check-tools


Eagle, try WinCheck rc8.45 by Redp, on Redplait's blog 'протез памяти' (do you still believe what is written in Cyrillic?) : http://redplait.blogspot.fr/2013/04/wincheck-rc845.html

Command line tool (I never downloaded it) ..

First look at our little topic: Redplait's (redp) Russian security blog is closed then went back : http://malwaretips.com/Thread-Redplait-s-redp-Russian-security-blog-is-closed-then-went-back

WinCheck doc: http://redplait.blogspot.fr/2011/11/wincheck-doc.html

How Rootkit.Avatar looks like in wincheck logs : http://redplait.blogspot.ru/2013/05/how-rootkitavatar-looks-like-in.html

WinCheck rc8.45 log with Rootkit.Avatar infection: http://pastebin.com/1xg9DRHQ


As for how Redp looks now .. we don't know ..
 
PyMal - The Malware Analysis Framework : on SecurityXploded.com: http://securityxploded.com/pymal.php
Version 1.0 : 5th June 2013 - First public release of PyMal

About PyMal:

PyMal is a Python-based interactive Malware Analysis Framework. It is built on top of three pure Python programs: Pefile, Pydbg and Volatility.
The main aim of the project is to combine all the malware analysis related tools into a single interface for rapid analysis.
PyMal has several wrapper functions to manipulate executables as well as running processes. It also offers some advanced features like

Injected Code Detection
Hook Detection using Passive Image Referencing

For a detailed view of the features and how it works, please check out the demonstration video ..


It works on all platforms starting from Windows XP to Windows 8.


Requirements:

You must have the latest version (v2.6 or higher) of Python on your system.