Dynamic Analysis
Dynamic analysis is analyzing the sample by executing it. Dynamic analysis can be done to observe behavior or perform step by step reverse engineering. It’s especially useful when the sample is encrypted or encoded or when static analysis does not lead to enough information.
One item to analyze during dynamic analysis is the interaction with the system. Malware may read/write files, it may also modify the registry or even use built-in system features such as scheduling for persistence.
Regshot and Procmon are two great tools for monitoring registry changes. Regshot allows you to take a snapshot of the registry pre-infection and post-infection then compare. Procmon monitors registry amongst other things such as file operations, network connections, and processes and threads. For the visually inclined, the output from Procmon can be visualized using Procdot.
During dynamic analysis, you may also want to simulate the internet, to allow the sample to make web requests or connect to a simulated command and control server. This will allow observation of the sample’s networking capabilities. Inetsim, Fakenet, and Fakenet-ng provide some of these capabilities. Inetsim allows you to enable and simulate many different services and it runs on a separate virtual machine. Fakenet and Fakenet-ng run on the same system as the malware and are also able to capture some of the network requests that malware may make.
You can always run the sample and let it connect to the real C2 while also intercepting network data and collecting system data.
Sysinternals Suite comes with a lot of tools that can help with dynamic analysis.
In addition to all the things mentioned above, many organizations analyze malware samples in order to find what’s known as a kill switch. Malware authors often build in some specific things that would prevent the malware from running. This gives the authors or attackers control to prevent multiple versions of the malware from running or to prevent their tools from running in sandboxes or research environments. Often, the kill switch is as simple as checking for the existence of a particular file or if a particular file contains a specific thing. Both static and dynamic analysis can help researchers discover and share these kill switches. Nevertheless, be sure to practice good OpSec with this information as attackers could easily change the kill switch if it is known!