UNIVERSITY OF DANANG

VNUK – INSTITUTE FOR RESEARCH & EXECUTIVE EDUCATION

COMPUTER SCIENCE AND ENGINEERING

DISASSEMBLY TOOL AND APPLICATIONS IN MALWARE ANALYSIS

LAB ANALYSIS

Student Name            Student ID
Nguyễn Thị Ngọc Ngân    20020003
Nguyễn Tuấn Dũng        20020011
Hoàng Gia Uy            20020014

Da Nang, 2023
Faculty of Computer Science and Engineering

1. Introduction:
- Malware and cybersecurity threats have been around since the early days of computing.
In the 1970s, the first computer viruses were created as experiments by researchers rather
than as malicious attacks. As computers became more widespread in the 1980s, malware
began to evolve and spread with them.

- In the 1990s, the internet boom led to a significant increase in malware and
cybersecurity threats. The Melissa virus of 1999, a Word macro virus that mailed itself to
addresses taken from the victim's address book, was one of the first major email-borne
outbreaks. It was followed by the ILOVEYOU worm in 2000, which caused billions of
dollars in damages.

- As technology advanced, so did the malware. The early 2000s saw the rise of
mass-mailing worms, which spread through email and infected entire networks. In 2003,
the Slammer worm caused massive disruption by exploiting a buffer-overflow vulnerability
in Microsoft SQL Server.

- In the late 2000s and early 2010s, malware became more sophisticated and targeted.
This period saw the rise of ransomware, which encrypts a victim's files and demands
payment for their release. In 2017, the WannaCry ransomware outbreak affected over
200,000 computers in more than 150 countries.

- Today the evolution continues with social engineering attacks such as phishing and
smishing, and with the use of artificial intelligence by cyber-criminals. As technology
advances, criminals find new ways to exploit vulnerabilities and compromise systems, so
individuals and organizations need to keep their defenses current.

2. The Nature of Malicious Code:


- Malicious code, also known as malware, is any type of software or code that is designed
to harm or exploit a computer system without the user's consent. There are many different
types of malware, including viruses, worms, trojans, ransomware, spyware, and adware.

- Viruses are one of the most well-known types of malware. They are self-replicating
programs that attach themselves to clean files and spread from one computer to another
when the infected file is opened or executed. This can cause widespread damage to
systems and networks.

- Worms are standalone programs that do not need a host file to spread. They can
replicate themselves and spread through networks, usually through email attachments or
through vulnerabilities in software.

- Trojans are often disguised as legitimate software, but once installed, they can perform
malicious actions such as stealing sensitive information, deleting files, or damaging
systems.

- Ransomware is a type of malware that encrypts a user's files and demands payment for
their release. It can cause significant financial losses and disrupt operations for
individuals and organizations.

- Spyware and adware are typically installed on a user's system without their knowledge
and can collect sensitive information or display unwanted advertisements.

- The nature of malicious code is constantly evolving, and it is becoming more
sophisticated and difficult to detect. It is essential for individuals and organizations to
have strong cybersecurity measures in place to protect against these threats.

3. Disassembly Tools Overview:

- Disassembly tools are programs that translate machine code back into assembly
language; decompilers go a step further and reconstruct an approximation of higher-level
source. They are commonly used in cybersecurity to analyze and understand the behavior
of malware and other malicious code.

- One of the most widely used disassemblers is IDA Pro, which runs on Windows, Linux,
and macOS and can load executables in the formats of all three (PE, ELF, and Mach-O)
for many processor architectures.

- Another popular tool is Ghidra, developed by the National Security Agency and released
to the public in 2019. It is free and open source, includes a decompiler, and supports
many processor architectures and executable formats.

- OllyDbg is a user-mode debugger for 32-bit Windows executables with a built-in
disassembler. It offers a user-friendly interface, a plugin system, and code analysis, and
is typically used to step through code at runtime rather than for static analysis alone.

- Other commonly used tools include Hopper, radare2, and Binary Ninja. Each has its own
features and strengths, and analysts need a working familiarity with them to analyze
malicious code effectively.

4. Basic Concepts of Disassembly:

- Disassembly is the process of converting machine code, the binary instruction encoding
that the processor executes, into assembly language, a human-readable representation of
the same instructions. It is typically done with a disassembly tool, as described above.

- When a program is compiled, it is translated from a high-level language into machine
code that is specific to the processor architecture and operating system it targets.
Disassembly lets researchers and analysts recover the logic and behavior of that compiled
code even when no source is available.

- Because x86 instructions vary in length, a disassembler must decide where each
instruction starts. Linear-sweep disassemblers decode bytes in address order;
recursive-traversal disassemblers (the approach IDA Pro and Ghidra take) follow control
flow from known entry points, which lets them skip data embedded in code sections but
leaves code they cannot reach undiscovered.

- Disassembly can also reveal vulnerabilities or hidden functionality in a program, making
it an important tool for security professionals. It is, however, a complex and
time-consuming process that requires a good understanding of assembly language and of
the specific disassembly tool in use.

5. Applications in Malware Analysis:

- A central part of this report is the examination of the methodologies analysts apply
when using disassembly tools. Disassemblers are a fundamental component of the
analyst's toolkit, allowing in-depth inspection of the binary code of malicious software.
Analysts combine static analysis, dynamic analysis, and code reversing to understand a
sample. Static analysis examines the code without executing it and reveals its structure,
logic, imported APIs, and embedded strings. Dynamic analysis executes the malware in a
controlled environment (an isolated virtual machine with no route to production
networks) to observe its behavior in real time: files written, registry keys modified,
processes created, and network connections attempted. Code reversing, which includes
disassembly and decompilation, translates machine code into a human-readable form so
that the malware's operations can be followed instruction by instruction.

- Disassembly tools also contribute to understanding the functionality of specific malware
families. For ransomware, they are used to dissect the encryption routine: which
algorithm is used, how keys are generated and stored, and whether an implementation
flaw (for example a predictable key, or a key left in memory) offers a route to
decryption.

- For rootkits, disassembly helps uncover the stealth techniques used to evade detection
and persist on compromised systems. Code analysis reveals the rootkit's hooks into the
operating system, for example patched system call tables or hooked API functions, and
thus how it conceals its files, processes, and network connections.

- For polymorphic malware, which rewrites its own code between infections to defeat
signature matching, disassembly lets analysts separate the mutating decryptor from the
constant payload underneath and identify the invariant behavior that detection can key
on.

- Together these cases show disassembly tools as indispensable for understanding the
functionality, behavior, and evasion techniques of distinct malware types, and that
understanding is what allows analysts to develop robust countermeasures.

6. Dynamic Analysis vs. Static Analysis:

6.1. Dynamic Analysis vs. Static Analysis:

- In malware analysis, the contrast between dynamic and static analysis is the
cornerstone of a complete understanding of a threat. Dynamic analysis executes the
malware in a controlled environment and observes its behavior in real time; static
analysis examines the code without executing it. Each has blind spots the other covers:
static analysis sees code paths that never run in the sandbox, while dynamic analysis
sees through packing and runtime decryption that static analysis cannot easily undo.

6.2. Exploring Synergies:

- When a sample's behavior depends on specific environmental triggers (a particular
date, locale, or domain membership, or the absence of a debugger or virtual machine),
the combination of both approaches is most effective. Dynamic analysis shows what the
malware actually does during execution, including its evasion checks and its interaction
with the host system. Static analysis with a disassembler then shows the code structure
behind that behavior, the branches that were not taken, and the logic governing the
malware's actions. Together they give a more complete picture of the sample's
capabilities and potential impact.

6.3. Crucial Role of Static Analysis in Malware Cases:

- Static analysis driven by disassembly tools has been central to understanding many
malware threats. For polymorphic malware, it exposes the code variations and
transformations between samples; the disassembler translates each variant's machine
code into readable form so that its logic and functions can be compared in detail.

- Where rapid identification of a threat is needed, static analysis can deliver quick
insights. Dissecting the code structure and extracting signature patterns (byte sequences,
strings, imported functions) through disassembly tools allows swift categorization of a
sample and timely countermeasures.

- This section has outlined the synergies between dynamic and static analysis, the
scenarios in which their combination proves most effective, and the kinds of cases in
which static analysis with disassembly tools has been instrumental in unraveling malware
threats.

7. Obfuscation and Anti-Analysis Techniques:

- Obfuscation is the practice of making code intentionally difficult to understand and
analyze. It is used to protect intellectual property, complicate debugging, and hinder
reverse engineering; malware authors use the same techniques to slow down analysts and
defeat signature-based detection.

- Disassembly tools such as IDA Pro, Ghidra, and Binary Ninja help reverse engineers
understand the assembly code produced from compiled languages. They support
deobfuscation by providing:

* Visual representation of instructions: disassemblers display instructions in a
human-readable listing, making it easier to identify patterns and logic.
* Control flow analysis: the tools map the flow of execution within the code as a graph
of basic blocks, revealing hidden jumps and branches.
* Data analysis: disassemblers identify and analyze data structures, strings, and
constants within the binary.
* Decompilation: some tools reconstruct an approximation of the original high-level
source from the assembly, offering a deeper understanding of the program's logic.

- Exploring Obfuscation Techniques:

* Control flow obfuscation: the real execution path is hidden behind added jumps,
branches, and loops that do not contribute to the program's functionality, such as
opaque predicates (conditions whose outcome is fixed but not obvious) and short jumps
over junk bytes that mislead a linear-sweep disassembler. Disassembly tools help
visualize the control flow and identify suspicious patterns.
* Data obfuscation: variables, constants, and strings are disguised by encryption,
encoding, or splitting. Disassemblers reveal the operations applied to the data, and the
decoding routine itself, once found, can be scripted to recover the plaintext.
* Instruction substitution and reordering: operations are replaced by longer equivalent
sequences and instructions are rearranged, which makes the code look more complex than
it is. Decompilers and data-flow analysis help collapse these sequences back to their
effect.
* Anti-debugging techniques: code detects debuggers (for example through
IsDebuggerPresent, timing checks, or exception tricks) and alters its behavior.
Disassemblers expose these detection routines so that they can be patched or bypassed.
* Virtualization and packers: obfuscation can be layered by compiling the code to a
custom virtual-machine bytecode, or by using packers to compress and encrypt the binary.
Disassemblers can recognize packer signatures and high-entropy sections; recovering the
underlying code usually requires running the sample to the point where it has unpacked
itself and dumping it from memory.
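The decoding described in section 4 and the jump-over-a-junk-byte trick from the control-flow item above, as an added example that is not part of the original report: a minimal x86-32 disassembler (a handful of opcodes, register operands only) run over a constructed function whose base address 0x401000 and bytes are assumptions, first by linear sweep and then by recursive traversal. The sweep reads the junk 0xE8 byte as a 5-byte call and swallows the real `mov eax, 0x2a`; the traversal never visits the junk byte.

```python
"""Added example: a minimal x86-32 disassembler that decodes a constructed
function two ways, by linear sweep and by recursive traversal, to show why a
short jump over a junk byte defeats the former but not the latter."""
from __future__ import annotations

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SIMPLE = {0x90: "nop", 0xC3: "ret", 0xC9: "leave", 0xCC: "int3"}
# ModR/M opcodes handled here (register-to-register forms only).
# Value: (mnemonic, True if the `reg` field is the destination operand)
MODRM = {0x01: ("add", False), 0x31: ("xor", False), 0x39: ("cmp", False),
         0x89: ("mov", False), 0x8B: ("mov", True)}
GROUP1 = {0: "add", 5: "sub", 7: "cmp"}        # opcode 0x83 /digit, imm8
BRANCH8 = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}  # rel8 branches


def decode(code: bytes, off: int, base: int) -> tuple[int, str, int | None]:
    """Decode the instruction at code[off]. Returns (length, text, branch_target).
    Bytes that are not a supported opcode are emitted as `db`, as IDA does."""
    ea, op, avail = base + off, code[off], len(code) - off

    def imm(start: int, size: int, signed: bool = False) -> int:
        return int.from_bytes(code[off + start: off + start + size], "little", signed=signed)

    if op in SIMPLE:
        return 1, SIMPLE[op], None
    if 0x50 <= op <= 0x5F:
        return 1, f"{'push' if op < 0x58 else 'pop'} {REGS[op & 7]}", None
    if 0xB8 <= op <= 0xBF and avail >= 5:
        return 5, f"mov {REGS[op & 7]}, 0x{imm(1, 4):x}", None
    if op in MODRM and avail >= 2 and code[off + 1] >> 6 == 0b11:
        modrm = code[off + 1]
        reg, rm = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
        name, reg_is_dst = MODRM[op]
        dst, src = (reg, rm) if reg_is_dst else (rm, reg)
        return 2, f"{name} {dst}, {src}", None
    if op == 0x83 and avail >= 3 and code[off + 1] >> 6 == 0b11:
        modrm = code[off + 1]
        name = GROUP1.get((modrm >> 3) & 7)
        if name:
            return 3, f"{name} {REGS[modrm & 7]}, 0x{imm(2, 1):x}", None
    if op in BRANCH8 and avail >= 2:
        target = ea + 2 + imm(1, 1, signed=True)
        return 2, f"{BRANCH8[op]} 0x{target:x}", target
    if op == 0xE8 and avail >= 5:
        target = ea + 5 + imm(1, 4, signed=True)
        return 5, f"call 0x{target:x}", target
    return 1, f"db 0x{op:02x}", None


def linear_sweep(code: bytes, base: int) -> list[tuple[int, str]]:
    """Decode every byte in address order, as objdump does."""
    out, off = [], 0
    while off < len(code):
        length, text, _ = decode(code, off, base)
        out.append((base + off, text))
        off += length
    return out


def recursive_traversal(code: bytes, base: int) -> list[tuple[int, str]]:
    """Decode only what is reachable from `base` by following control flow.
    Unconditional jumps stop fall-through; calls and conditional jumps queue
    their target and continue; `ret` ends the path."""
    seen: dict[int, str] = {}
    work = [base]
    while work:
        ea = work.pop()
        while base <= ea < base + len(code) and ea not in seen:
            length, text, target = decode(code, ea - base, base)
            seen[ea] = text
            if target is not None:
                work.append(target)
            if text == "ret" or text.startswith("jmp"):
                break
            ea += length
    return sorted(seen.items())


BASE = 0x401000  # assumed load address of the constructed function
# Constructed sample: a tiny function whose author inserted `jmp +1` over an
# 0xE8 byte so that a linear sweep misreads the following bytes as a call.
SAMPLE = bytes([
    0x55,                          # push ebp
    0x8B, 0xEC,                    # mov ebp, esp
    0x31, 0xC0,                    # xor eax, eax
    0xEB, 0x01,                    # jmp 0x401008   (skips the next byte)
    0xE8,                          # junk byte, never executed
    0xB8, 0x2A, 0x00, 0x00, 0x00,  # mov eax, 0x2a
    0x5D,                          # pop ebp
    0xC3,                          # ret
])

if __name__ == "__main__":
    for title, listing in (("linear sweep", linear_sweep(SAMPLE, BASE)),
                           ("recursive traversal", recursive_traversal(SAMPLE, BASE))):
        print(f"--- {title}")
        for ea, text in listing:
            print(f"{ea:08x}  {text}")
```

Running the block prints both listings: the sweep shows `call 0x403ac4` followed by `db 0x00` where the traversal shows `mov eax, 0x2a`. In IDA the same situation appears as a bogus call that the analyst fixes by undefining the junk byte and re-creating the instruction at the jump target.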

- Emerging Trends in Obfuscation:

* Machine learning-based obfuscation: code morphing and instruction substitution driven
by machine learning generate obfuscation patterns that are harder to predict. Disassembly
tools are beginning to incorporate machine learning and statistical analysis to recognize
such patterns.
* Dynamic obfuscation: self-modifying code decrypts or rewrites itself at runtime, so the
bytes on disk do not match the instructions executed. Disassembly tools increasingly
integrate with debuggers and emulators so the code can be observed in its executed state.
* Obfuscation-as-a-service: online services offer ready-made obfuscation, making it easy
for developers, and for malware authors, to apply these techniques. Disassembly tools and
their signature databases need to stay updated to analyze the output of these services.

- Evolution of Disassembly Tools:

* Improved pattern recognition: tools are getting better at identifying common
obfuscation patterns and automatically deobfuscating them.
* Integration with other analysis tools: disassemblers are being integrated with
debuggers, decompilers, and memory analysis tools to provide a comprehensive view of the
program.
* Machine learning-assisted analysis: some tools incorporate machine learning to analyze
code behavior and flag suspicious patterns, even in new and complex obfuscation
techniques.

- Conclusion: the arms race between obfuscation and deobfuscation is ongoing.
Disassembly tools are crucial in this contest, giving reverse engineers the means to
understand even heavily obfuscated code. As obfuscation techniques grow more
sophisticated, disassembly tools will need to adapt and evolve to keep up.

8. Automation and Scripting:

Automation and Scripting with Disassembly Tools:
Disassembly tools like IDA Pro, Ghidra, and Binary Ninja are essential for reverse
engineering, but manual analysis is tedious and time-consuming. Both IDA (through
IDAPython) and Ghidra (through Java or Jython scripts) expose their analysis databases to
scripts, which can improve efficiency and consistency in several ways:

Practical Examples:

8.1. Function identification: the tools' auto-analysis already finds functions from
prologues, call targets, and symbol tables; scripts extend it to code the analysis missed
and export the results. In IDAPython, `idautils.Functions()` iterates over every
recognized function start and `idc.get_func_name(ea)` returns its name; in a Ghidra
script, `currentProgram.getFunctionManager().getFunctions(True)` does the same. A script
can also scan undefined bytes for known prologues (`push ebp; mov ebp, esp`) and define
functions there.

8.2. Cross-referencing: understanding how different parts of the code interact is
crucial. Scripts can:
* Enumerate references to specific functions, variables, or data structures.
* Generate call graphs to visualize function interactions.
* IDA's `idautils.XrefsTo(ea)` and Ghidra's `getReferencesTo(addr)` return the same
references shown interactively in the xref and "References" windows, so the lookup can
be automated.

8.3. Pattern matching: quickly find byte sequences indicative of known vulnerabilities,
cryptographic algorithms (their constant tables), or obfuscation techniques.
* Regular expressions over the disassembly text, or the tools' binary search (IDA's
`idc.find_binary()` in older versions and the `ida_bytes` search functions in newer
ones, Ghidra's `findBytes()`), accept hex patterns with wildcards. YARA rules serve the
same purpose outside the disassembler.

8.4. Data extraction: automate the extraction of strings, constants, or network
indicators from the binary.
* IDAPython scripts read memory directly with `ida_bytes.get_bytes(ea, size)` and
enumerate strings with `idautils.Strings()`.
* Ghidra scripts read bytes with `currentProgram.getMemory().getBytes(addr, buffer)` and
enumerate defined data with `currentProgram.getListing().getDefinedData(True)`.

8.5. Deobfuscation assistance: scripts can automate constant decoding, string
decryption, control-flow unflattening, or unpacking to simplify manual analysis.
* With the Hex-Rays decompiler installed, IDAPython's `ida_hexrays.decompile(ea)` gives
scripts access to the decompiled function for control flow analysis.
* Ghidra scripts can implement custom deobfuscation logic in Java or Python and drive
the built-in decompiler through `DecompInterface`.
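The automation steps in 8.1 through 8.4, as an added example that is not part of the original report: function identification by prologue, call-graph construction from resolved `call` targets, wildcard byte-pattern search, string extraction, and data cross-references, written as plain Python over a raw x86-32 code blob so that it runs outside IDA or Ghidra. The blob, its base address 0x401000, the Windows path and the `example.invalid` URL are all constructed for the example; inside IDA the same steps are `idautils.Functions()`, `idautils.XrefsTo()`, the binary search and `idautils.Strings()`, and the logic is the same.

```python
"""Added example: disassembler-style automation (8.1 to 8.4) over a constructed
raw code blob, runnable without IDA or Ghidra."""
from __future__ import annotations
import re

BASE = 0x401000                            # assumed load address of the blob
PROLOGUES = ("55 8B EC", "55 89 E5")       # push ebp; mov ebp, esp (MSVC and GCC forms)


def _call(from_off: int, to_off: int) -> bytes:
    """Encode `call rel32` placed at from_off and targeting to_off."""
    return b"\xE8" + (to_off - (from_off + 5)).to_bytes(4, "little", signed=True)


# Constructed blob (not a real sample): func_a calls func_b and func_c; func_b
# loads the address of a string; two NUL-terminated strings follow the code.
FUNC_A, FUNC_B, FUNC_C, STR1, STR2 = 0, 15, 28, 35, 67
BLOB = (
    b"\x55\x8B\xEC" + _call(3, FUNC_B) + _call(8, FUNC_C) + b"\x5D\xC3"   # func_a
    + b"\x55\x8B\xEC\x83\xEC\x10\xB8" + (BASE + STR1).to_bytes(4, "little")
    + b"\xC9\xC3"                                                         # func_b
    + b"\x55\x89\xE5\x31\xC0\x5D\xC3"                                     # func_c
    + b"C:\\Windows\\system32\\svchost.exe\x00"                           # at STR1
    + b"http://example.invalid/beacon\x00"                                # at STR2
)


def find_pattern(blob: bytes, pattern: str, base: int = BASE) -> list[int]:
    """Byte-pattern search with `??` wildcards, like the disassemblers' binary
    search (8.3). Overlapping matches are returned."""
    regex = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                     for tok in pattern.split())
    return [base + m.start() for m in re.finditer(b"(?=" + regex + b")", blob, re.DOTALL)]


def find_prologues(blob: bytes, base: int = BASE) -> list[int]:
    """Function starts, identified by standard prologues (8.1)."""
    return sorted({ea for pat in PROLOGUES for ea in find_pattern(blob, pat, base)})


def call_graph(blob: bytes, base: int = BASE) -> dict[int, list[int]]:
    """Caller -> callees from E8 rel32 calls whose target is a known function
    start (8.2). Requiring a known target filters E8 bytes that are really data."""
    funcs = find_prologues(blob, base)
    graph: dict[int, list[int]] = {}
    for ea in find_pattern(blob, "E8", base):
        off = ea - base
        if off + 5 > len(blob):
            continue
        target = ea + 5 + int.from_bytes(blob[off + 1:off + 5], "little", signed=True)
        if target in funcs:
            caller = max(f for f in funcs if f <= ea)   # function containing the call
            graph.setdefault(caller, []).append(target)
    return graph


def extract_strings(blob: bytes, base: int = BASE, min_len: int = 6) -> list[tuple[int, str]]:
    """Printable ASCII runs of at least min_len bytes, with their addresses (8.4)."""
    return [(base + m.start(), m.group().decode())
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def data_xrefs(blob: bytes, addrs: list[int], base: int = BASE) -> dict[int, list[int]]:
    """Code locations whose 32-bit immediate equals a data address (8.2 for data).
    For `mov r32, imm32` (opcodes B8..BF) the instruction start is reported."""
    refs: dict[int, list[int]] = {}
    for addr in addrs:
        for m in re.finditer(re.escape(addr.to_bytes(4, "little")), blob):
            pos = m.start()
            is_mov_imm = pos > 0 and 0xB8 <= blob[pos - 1] <= 0xBF
            refs.setdefault(addr, []).append(base + pos - 1 if is_mov_imm else base + pos)
    return refs


if __name__ == "__main__":
    print("functions:", [hex(f) for f in find_prologues(BLOB)])
    print("calls:", {hex(k): [hex(v) for v in vs] for k, vs in call_graph(BLOB).items()})
    strings = extract_strings(BLOB)
    for ea, s in strings:
        print(f"string {ea:08x}: {s!r}")
    print("string refs:", {hex(k): [hex(v) for v in vs]
                           for k, vs in data_xrefs(BLOB, [ea for ea, _ in strings]).items()})
```

The call-graph step illustrates the cross-checking the next subsection asks for: every candidate `E8` byte is accepted only when its computed target lands on an already identified function, which is how an analyst separates real calls from immediates or string bytes that happen to contain 0xE8.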

Balancing Manual and Automated Analysis:

Both manual and automated approaches have their strengths and weaknesses, and a
balanced approach is key to efficient and effective reverse engineering:

Manual Analysis:

* Advantages:
* Provides a deeper understanding of the code logic and intent.
* Can identify subtle nuances and context missed by scripts.
* More flexible for adapting to unexpected situations.
* Limitations:
* Time-consuming and prone to human error.
* Repetitive tasks can be tedious and demotivating.
* Can be biased by preconceived assumptions.

Automated Analysis:

* Advantages:
* Faster processing and reduced workload.
* Objective and consistent results.
* Can handle large datasets and complex patterns.
* Limitations:
* Requires careful script development and testing.
* Can miss important details or misinterpret context.
* Script errors can lead to false positives or missed vulnerabilities.

Finding the right balance involves:

* Understanding the target binary and its complexity.
* Matching the automation level to the task at hand.
* Using scripts as tools to enhance, not replace, manual analysis.
* Validating and cross-checking automated results.

By combining the strengths of both approaches, reverse engineers can significantly
improve their efficiency, accuracy, and understanding of complex software systems.

Remember, automation scripts are valuable tools, but they are not a magic bullet. They
should be used strategically and with a solid understanding of the underlying technical
concepts.

9. Challenges and Opportunities:

- The field of malware analysis faces many challenges and needs innovative solutions to
keep disassembly tools effective against evolving threats. This section addresses the
main challenges and then highlights the opportunities ahead.

- Obfuscation: the continued use of obfuscation by malware authors is a significant
challenge. Dead-code insertion, register reassignment, and instruction substitution change
the byte patterns of a sample without changing its behavior, which defeats signature
matching and makes consistent analysis of malware variants difficult.

- Evasion of analysis environments: malware that detects sandboxes, virtual machines, and
debuggers behaves differently when observed. Analysis pipelines that rely on a controlled
environment to extract features may therefore record benign-looking behavior and miss
the real payload.

- Zero-day malware: previously unseen malware is a significant hurdle. Detection
grounded in past samples struggles with new families, particularly when attackers
continuously refine their techniques, which diminishes the efficacy of signature-based
approaches.

- Redundant and irrelevant features: malware datasets contain many redundant and
irrelevant features, which is a problem for machine learning models built on
disassembly-derived features (opcode sequences, API calls, control-flow graphs). Effective
feature selection is essential for accurate detection models.

- False positive and false negative rates: balancing the two remains an ongoing challenge.
Malware that mimics legitimate behavior is hard to detect without also flagging benign
software.

- Incremental learning: the rapidly evolving malware landscape requires continuous
updating of analysis tools and models. Accounting for historical trends when collecting
samples is difficult, and affects the ability to detect both current and older malicious
behavior.

- Data protection: because analysis pipelines process files and telemetry that may
contain personal data, data-protection governance is a central issue in malware analysis.
Addressing it is critical to maintaining user trust and complying with evolving privacy
regulations.
- Opportunities: advanced machine learning, including open-set recognition and deep
learning, offers a transformative opportunity. These approaches improve the flexibility
and scalability of anti-malware systems beyond the limits of purely rule-based methods.

- Graph-based malware analysis is a promising avenue. Representing samples by their call
graphs and control-flow graphs, and capturing the relationships between samples, can
improve the tracing of malware genealogy across diverse settings.

- Bio-inspired anti-malware techniques, such as artificial immune systems and genetic
algorithms, provide a lightweight and scalable alternative. Integrating these methods
with deep neural networks is a promising path toward more effective anti-malware
solutions.

- Defense in depth against malware: a defense-in-depth strategy provides reliability
through multiple layers of protection. Combined with active and adaptive defenses, it
strengthens a system's overall resilience to evolving malware threats.

- Big data malware analysis is another opportunity. Addressing the scale of modern sample
collections through feature selection and parallel processing can significantly increase
the effectiveness of anti-malware tools.

- Adversarial learning in malware analysis: studying how machine learning classifiers can
be evaded, and developing techniques that make them robust to adversarial samples, is
crucial to protecting against malware built to defeat them.

- A performance evaluation framework is essential. A standard framework for evaluating
malware analysis methods would allow fair comparison between existing and future
approaches, covering aspects such as error rates as well as security and privacy
properties.

- Interdisciplinary research is crucial to the development of anti-malware techniques.
Collaboration between machine learning, human psychology, and computer engineering
could lead to more robust and more widely used analysis tools.

10. Emerging Trends in Malware Analysis:

- Malware analysis is a rapidly evolving field in which technological advances and
corresponding changes in the threat landscape demand constant adaptation and innovation.
This section considers the multidimensional nature of malware threats, the challenges and
trends expected to shape the future of the field, and the role disassembly tools play in
responding to emerging threats.

- The complexity and diversity of malware threats are increasing rapidly, so defenders
must understand them in depth. As technology advances the threat landscape grows more
complex, and security professionals must not only respond to existing threats but
anticipate new ones. This forward-looking stance matters because the consequences of
attacks are far-reaching. Careful study of future challenges and trends is therefore a
cornerstone of effective malware analysis, and analysts are at the forefront of developing
methods that both deter existing threats and address potential new ones. Disassembly
tools are central to this work.

- Disassembly tools are an essential part of the security professional's toolbox and play
a key role in detailed malware analysis. They allow analysts to expose the complexity of
malicious code and understand its inner workings. From that understanding, analysts
identify patterns, characteristics, and potential weaknesses that inform targeted
countermeasures. Integrating these tools into the analyst's workflow goes beyond reactive
response: it places defenders in a position to anticipate, adapt to, and mitigate emerging
threats, and so contributes to the continuous development of malware analysis practice
in an ever-evolving digital landscape.


11. Case Studies and Examples:

- In the ongoing battle against cyber threats, the effectiveness of malware analysis tools
is critical, especially as sophisticated malware proliferates. This section examines a
series of illustrative case studies covering different malware types and the role of
disassembly tools in each. Through before-and-after analysis, they show the path from an
encrypted or obfuscated state to understandable code.

- Polymorphic malware: a polymorphic variant changes its code between infections to
evade signature-based antivirus. Disassembly tools are used to strip away the layers of
obfuscation and reveal the underlying patterns and features. The analyst works through
the obfuscated code to expose the malware's true nature and formulate targeted
countermeasures.

- Fileless malware: a fileless strain that resides only in system memory is a challenge
for traditional file-based analysis. Here the analyst dumps the injected code from the
running process and disassembles it; analysis of that memory image uncovers the hidden
operations of the fileless malware and gives defenders the insight needed to counter it.

- Ransomware: this case shows the adaptability of disassembly tools. Examining the
ransomware's encryption routine in the disassembler reveals how keys are generated and
handled, and where an implementation flaw exists this recovers the decryption process and
provides the means to unlock the encrypted files. That capability not only helps recover
data but also feeds the development of decryption tools usable at larger scale.

- Rootkit: the versatility of disassembly tools is illustrated by a rootkit that hides its
presence in the operating system. Disassembling it, analysts decipher the rootkit's
hiding mechanisms and expose its hooks in the system kernel. This before-and-after
analysis not only uncovers rootkit tactics but also enables defenders to develop effective
detection and removal strategies.

- Overall, these case studies demonstrate the central role of disassembly tools in the
dynamic landscape of malware analysis. By giving analysts a view into the encrypted or
obfuscated state of different malware types, disassembly tools are the means of
deciphering their complexity. Before-and-after analysis shows how these tools turn
seemingly impenetrable code into an understandable form, enabling security professionals
to understand, mitigate, and protect against an ever-evolving range of threats. As the
threat landscape continues to evolve, these tools remain a cornerstone of the defender's
arsenal.

Lab Analysis
1. Introduction
- To give a better understanding of how malware works, we are going to analyze
Lab03-03.exe using basic dynamic analysis tools.

2. What do you notice when monitoring this malware with Process Explorer?

2.1 Real-time Monitoring

- Real-time monitoring is a crucial aspect of malware analysis because it lets analysts
capture dynamic behaviors and interactions as they unfold. Process Explorer excels in
this domain by offering a live view of active processes, their resource usage, and the
parent-child relationships between them. By watching the system closely in real time,
analysts can spot anomalies, unexpected process relationships, and potential indicators
of compromise (IOCs).

2.2 Observations in Malware Analysis

- In the specific case of Lab03-03, the following observations can be made when
monitoring the malware with Process Explorer:

2.2.1 Brief Spawning of svchost Processes

- When monitoring this malware with Process Explorer, one prominent observation is the
brief spawning of svchost processes. Both processes vanish shortly after being spawned,
indicating a potentially evasive behavior.

2.2.2 Process Replacement (Process Hollowing)

- Upon closer inspection of the memory strings associated with the running svchost
processes, it becomes evident that the malware has employed process replacement,
commonly known as process hollowing. This technique allows the malware to execute
under the guise of a legitimate svchost process, making its presence more challenging to
detect.

2.2.3 Dynamic Analysis of Process Relationships

- Process Explorer's real-time monitoring capabilities enable dynamic analysis of process
relationships. Observing the transient nature of the spawned svchost processes and
understanding the process replacement technique employed by the malware provides
valuable insights into its stealthy execution and attempts to evade detection.

- In summary, Process Explorer proves instrumental in unveiling the malware's tactics, such
as process replacement and evasive behaviors, during real-time monitoring. These
observations contribute significantly to the overall understanding of the malware's
runtime behavior and aid in the identification of potential countermeasures.
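The two observations above (svchost processes with an unexpected parent, and processes that vanish shortly after being spawned) can be turned into a small automated triage check. The following Python script is an added example written for this report, not part of the original lab or of Process Explorer; the event list is constructed by hand to resemble what Process Explorer shows during the lab, and the allow-list of expected parents is an assumption that should be replaced by a baseline taken from a clean host.

```python
"""Triage process-creation events for the behaviors noted above (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Expected parent for well-known Windows system processes (constructed allow-list;
# on a real host the names should come from your own clean baseline).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


@dataclass
class ProcEvent:
    ts: float            # seconds since the start of the capture
    kind: str            # "create" or "terminate"
    pid: int
    image: str           # full image path of the process
    ppid: int = 0        # parent pid (only meaningful for "create")
    parent_image: str = ""


# Constructed sample events modelled on what Process Explorer shows for this lab.
# They are not a real capture.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(0.0, "create", 1204, r"C:\Windows\System32\services.exe", 600, r"C:\Windows\System32\wininit.exe"),
    ProcEvent(1.0, "create", 1300, r"C:\Windows\System32\svchost.exe", 1204, r"C:\Windows\System32\services.exe"),
    ProcEvent(10.0, "create", 2400, r"C:\Users\analyst\Desktop\Lab03-03.exe", 1980, r"C:\Windows\explorer.exe"),
    ProcEvent(10.2, "create", 2412, r"C:\Windows\System32\svchost.exe", 2400, r"C:\Users\analyst\Desktop\Lab03-03.exe"),
    ProcEvent(10.4, "create", 2420, r"C:\Windows\System32\svchost.exe", 2400, r"C:\Users\analyst\Desktop\Lab03-03.exe"),
    ProcEvent(10.5, "terminate", 2400, r"C:\Users\analyst\Desktop\Lab03-03.exe"),
    ProcEvent(10.6, "terminate", 2420, r"C:\Windows\System32\svchost.exe"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name part of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent], short_lived_secs: float = 2.0) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes that deserve a closer look.

    Two checks mirror the observations in section 2: a system process started by
    an unexpected parent, and a process that terminates shortly after creation.
    """
    live: Dict[int, ProcEvent] = {}
    findings: Dict[int, List[str]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        name = basename(ev.image)
        if ev.kind == "create":
            live[ev.pid] = ev
            expected = EXPECTED_PARENT.get(name)
            parent = basename(ev.parent_image)
            if expected and parent != expected:
                findings.setdefault(ev.pid, []).append(
                    f"{name} spawned by {parent} (expected {expected})")
        elif ev.kind == "terminate" and ev.pid in live:
            lifetime = ev.ts - live.pop(ev.pid).ts
            if lifetime < short_lived_secs:
                findings.setdefault(ev.pid, []).append(
                    f"{name} exited after {lifetime:.1f}s")
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

On the constructed events the legitimate svchost (pid 1300, started by services.exe) is not reported, while both svchost instances started by the sample are flagged for their parent, and the two short-lived processes are flagged a second time for their lifetime. The same logic applies unchanged to Sysmon event ID 1/5 records once they are mapped onto `ProcEvent`.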

3. Can you identify any live memory modifications?


3.1 Detection of Live Memory Alterations

- Identifying and analyzing live memory modifications is essential to a thorough
examination of malware, because it reveals the dynamic behavior of malicious processes.
In the context of Lab03-03, specific observations about live memory alterations have
been carefully noted.

3.2 Monitoring Techniques Employed

- A useful technique for monitoring live memory changes is to examine the strings in the
live memory of the svchost process and compare them with the strings in its image on
disk. This comparison lets analysts discern discrepancies between the content in memory
and the corresponding data on disk, thereby uncovering any significant deviations.

3.3 Implications Analysis

3.3.1 Notable Disparities in Memory Strings

- Examining the live memory of the svchost process reveals a clear finding: the strings
residing in memory differ significantly from their counterparts on disk. This
incongruity strongly suggests active modification of, or code injection into, the
svchost process at runtime.

3.3.2 Indication of Code Injection

- The variance between the live-memory and disk-resident strings points to a code
injection technique employed by the malware. Code injection lets the malicious entity
execute its code within the legitimate context of a process such as svchost, which
makes detection and analysis considerably harder.

3.3.3 Evasion and Stealth Strategies

- Live memory modifications, particularly those involving code injection, often serve as
sophisticated evasion and stealth mechanisms for malware. The dynamic alteration of
code within memory enables the malware to elude static analysis techniques and security
measures reliant on examining file structures on disk.
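The memory-versus-disk string comparison described in sections 3.2 and 3.3 can be automated. The Python code below is an added example written for this report, not code from the lab or from any named tool: it extracts printable ASCII and UTF-16LE strings from two byte buffers, reports which strings exist only in memory or only on disk, and applies a simple heuristic for process hollowing (most of the original image's strings gone, new strings present). The two byte buffers are constructed stand-ins for an on-disk svchost image and the same process's memory, not real dumps; the `hollowing_suspected` threshold is an assumption chosen for illustration.

```python
"""Compare strings in a process's live memory with its on-disk image (added example)."""
import re
from typing import Dict, List, Set

# Constructed stand-ins for the svchost.exe image on disk and the same process's
# memory after it was hollowed out. These are not real dumps.
DISK_IMAGE = (b"MZ\x90\x00" + b"\x00" * 8
              + b"svchost.exe\x00ServiceMain\x00"
              + b"This program cannot be run in DOS mode\x00\x00"
              + "SvcHost".encode("utf-16le") + b"\x00\x00")
MEMORY_IMAGE = (b"MZ\x90\x00" + b"\x00" * 8
                + b"This program cannot be run in DOS mode\x00"
                + b"practicalmalwareanalysis.log\x00\x01\x02"
                + "Constructed injected string".encode("utf-16le") + b"\x00\x00")


def extract_strings(data: bytes, min_len: int = 4) -> Set[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16le") for m in utf16_re.finditer(data)}
    return found


def compare_strings(disk_image: bytes, memory_image: bytes) -> Dict[str, List[str]]:
    """Partition the strings of both images into common, memory-only and disk-only."""
    disk, mem = extract_strings(disk_image), extract_strings(memory_image)
    return {
        "common": sorted(disk & mem),
        "memory_only": sorted(mem - disk),   # appeared at runtime: injected content
        "disk_only": sorted(disk - mem),     # vanished at runtime: original image unmapped
    }


def hollowing_suspected(result: Dict[str, List[str]], missing_ratio: float = 0.5) -> bool:
    """Heuristic (assumed threshold): most on-disk strings are gone and new ones appeared."""
    disk_total = len(result["disk_only"]) + len(result["common"])
    if disk_total == 0:
        return False
    missing = len(result["disk_only"]) / disk_total
    return missing >= missing_ratio and bool(result["memory_only"])


if __name__ == "__main__":
    diff = compare_strings(DISK_IMAGE, MEMORY_IMAGE)
    for label in ("common", "memory_only", "disk_only"):
        print(f"{label:12s} {diff[label]}")
    print("hollowing suspected:", hollowing_suspected(diff))
```

Against a real target, the disk buffer is the executable read from disk and the memory buffer is the process's mapped image region (what Process Explorer's Strings tab reads when "Memory" is selected). The UTF-16LE pattern matters on Windows because many strings in a hollowed image, file names included, are stored as wide characters and an ASCII-only scan would miss them.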

4. Malware’s host-based indicators


- Both in memory and on disk we can see that the malware creates a file called
practicalmalwareanalysis.log, which is a host-based indicator. Host-based indicators are
characteristics or artifacts found on the infected system that reveal the presence of
malware, such as file names, registry keys, and other system changes the malware makes.
They can be used to detect and analyze malware and to identify potential weaknesses and
vulnerabilities in the system.

5. What is the purpose of this program?


- By opening Wordpad and typing out some content, we can then open up
practicalmalwareanalysis.log and see that it has logged all of our keystrokes. From this,
we can conclude that the program uses process hollowing to run a keylogger on the
infected machine through svchost.exe. Through hollowing, the malware hides its malicious
activity by injecting its code into a legitimate process such as svchost.exe. This
allows the malware to evade detection and continue its malicious activity, such as
logging keystrokes. This is why it is important to regularly monitor and analyze system
logs for any unusual or suspicious activity.
