IT321 Malware Analysis
PROJECT
Submitted To: Ms. Bhawna Kashyap
Name: Vansh Vig
Roll No: 2K22/EE/293
1. Introduction
1.1 Oracle VM Overview
Oracle Virtual Machine (Oracle VM) is a powerful tool for conducting malware analysis in a secure and isolated environment. It allows analysts to create virtual instances of different operating systems, replicate real-world scenarios, and execute potentially harmful code without damaging the host system. This paper delves into the functionality of Oracle VM in the context of malware analysis, its role in enabling safe exploration, and its varying impact on different operating systems.
Oracle VM is a robust virtualization platform that enables users to run multiple virtual machines (VMs) simultaneously on a single physical system. Each VM operates as an independent instance, complete with its own operating system (OS), applications, and network settings. Oracle VM supports several OS types, such as Windows, Linux, and macOS, providing flexibility for diverse testing environments.
1.2 VMware Overview
- VMware is a leading software in virtualization technology, allowing users to run multiple
operating systems on a single physical machine. It abstracts hardware resources such as CPU,
memory, and network interfaces, enabling the creation of isolated environments known as
Virtual Machines (VMs).
- Importance in Malware Analysis: Malware analysis often requires a secure environment
where malware can be executed and studied without the risk of infecting the host machine.
VMware provides such an environment by allowing analysts to run malware within a
controlled and isolated virtual machine, ensuring that the malware does not affect the actual
system or network.
1.3 CPU-Z Overview
- CPU-Z is freeware that gathers detailed information about the system's hardware components, such as the CPU, memory, and motherboard. It is lightweight and offers real-time data on hardware status, crucial for understanding the system's current state.
- Relevance in Malware Analysis: During malware execution, it’s crucial to monitor system
resources (CPU, RAM) to detect any abnormalities caused by malicious software. CPU-Z
allows analysts to observe how malware interacts with the hardware, particularly if the
malware causes an increase in resource usage, changes CPU frequencies, or affects system
stability.
2. Fundamentals
2.1 Oracle Virtual Machine Fundamentals
The key features of Oracle VM that make it an ideal platform for malware analysis include:
- Isolation: The virtual environment is completely isolated from the host, preventing malware from affecting the primary system.
- Snapshotting: Analysts can take snapshots of the VM state at different points in time. This allows for quick rollback to a previous state in case of malware execution or system failure.
- Customizable Network Settings: The VM's network configuration can be adjusted, such as enabling or disabling internet access, to study malware behaviour under different network conditions.
- Scalability: Multiple VMs can be run simultaneously, providing a testbed for analysing malware that spreads through networks or affects multiple systems.
2.2 Virtual Machines in Malware Analysis
- Virtualization Concept: VMware creates virtual environments that replicate the
functionality of physical hardware, making it possible to run multiple operating systems
on a single physical machine without interference between them. This feature is critical
for malware analysis because analysts can safely execute suspicious files in a VM without
risking the integrity of the host system.
- Safe Environment: By using VMs, malware can be executed, observed, and reverse-engineered in a protected environment. Analysts can closely monitor how the malware behaves, what changes it makes to the system, and what data it attempts to access or exfiltrate.
- Example: An analyst might use a VM to execute a ransomware sample. By isolating it within a VM, the analyst can safely observe its encryption process without risking actual file loss.
2.2.1 Snapshot Functionality
- Snapshot: VMware allows users to take a snapshot of the VM's current state at any
point. This feature is vital for malware analysis because it enables analysts to revert the
virtual machine to a previous state if the malware causes catastrophic changes to the
system.
- Use in Analysis: Analysts can take a snapshot before executing the malware, and after
analysis, they can roll back to the clean state. This process can be repeated as needed to
test various malware behaviours, or to observe changes after applying patches or security
software.
- Example: If a malware variant modifies the Windows registry or installs rootkits, the
analyst can restore the VM to its pre-infection state and repeat the analysis with different
tools.
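The snapshot workflow above pays off when the clean and post-execution states are actually compared. The following is an added example (not code from the report) that diffs a constructed pre-infection baseline against a constructed post-execution capture of file hashes and registry values, and singles out autorun changes as persistence indicators; the paths, hashes and the AUTORUN_KEYS list are assumptions for illustration.

```python
"""Diff a clean-snapshot baseline against a post-execution capture of the
same VM. Added example, not from the report: the state records are
constructed by hand and stand in for the file hashes and registry values
an analyst would export before reverting the VM to its clean snapshot."""
import hashlib

# Autorun locations whose changes indicate persistence (illustrative list).
AUTORUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")


def sha256_hex(data: bytes) -> str:
    """Baselines store content hashes, not the files themselves."""
    return hashlib.sha256(data).hexdigest()


def diff_state(before: dict, after: dict) -> dict:
    """Added, removed and modified keys between two {path: value} maps."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(k for k in before.keys() & after.keys()
                               if before[k] != after[k])}


def analyse(before_files, after_files, before_reg, after_reg) -> dict:
    """Combine file and registry diffs and single out persistence changes."""
    files = diff_state(before_files, after_files)
    reg = diff_state(before_reg, after_reg)
    prefixes = tuple(k.upper() for k in AUTORUN_KEYS)
    persistence = [k for k in reg["added"] + reg["modified"]
                   if k.upper().startswith(prefixes)]
    return {"files": files, "registry": reg, "persistence": persistence}


# Constructed states: a document is replaced by an encrypted copy, the hosts
# file is edited, and a dropper in the profile registers an autorun entry.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
DOC = r"C:\Users\analyst\Documents\report.docx"
DROPPER = r"C:\Users\analyst\AppData\Roaming\updater.exe"
BASELINE_FILES = {HOSTS: sha256_hex(b"127.0.0.1 localhost\n"),
                  DOC: sha256_hex(b"quarterly report")}
INFECTED_FILES = {HOSTS: sha256_hex(b"127.0.0.1 localhost\n0.0.0.0 av-update.example\n"),
                  DOC + ".locked": sha256_hex(b"ciphertext"),
                  DROPPER: sha256_hex(b"dropper body")}
BASELINE_REG = {RUN + r"\OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe"}
INFECTED_REG = {**BASELINE_REG, RUN + r"\Updater": DROPPER}


def run_sample() -> dict:
    """Run the diff over the constructed states (returns the report dict)."""
    return analyse(BASELINE_FILES, INFECTED_FILES, BASELINE_REG, INFECTED_REG)
```

The same comparison works for any exported state (services, scheduled tasks, open ports) as long as both sides are captured the same way.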
2.2.2 Network Isolation
- Isolated Networks: VMware allows analysts to create completely isolated network
environments where the malware can communicate without connecting to the real
network. This feature is important when analyzing network-based malware, such as
worms or malware that requires command-and-control (C2) servers to function.
- Host-only Networking: VMware provides options like host-only networking, where the
VM can only communicate with the host machine. This ensures that the malware's
network activities are confined to the virtual environment, allowing for secure
observation.
- Example: A researcher analyzing botnet malware can use VMware to set up an isolated network in which the malware attempts to contact its C2 server. By running a network monitoring tool such as Wireshark inside this isolated network, the analyst can study how the malware communicates with the server and what data it attempts to send.
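On a host-only network the sample's check-ins to its C2 server land on the host, where they can be captured and examined for periodicity. The following is an added example (not code from the report) that runs beacon detection over constructed connection records of the kind that could be exported from a Wireshark capture; the VM and host addresses, the port numbers and the jitter threshold are assumptions.

```python
"""Look for beacon-like connection patterns in traffic captured on an
isolated (host-only) analysis network. Added example, not from the report:
the records are constructed and mimic fields an analyst could export from
a Wireshark capture (frame time, source, destination, destination port).
Assumption: 192.168.56.1 is the host, acting as a sinkhole for the sample's
C2 traffic on VirtualBox's default host-only subnet."""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_VM = "192.168.56.101"
HOST = "192.168.56.1"
# Constructed records: (epoch seconds, src, dst, dst port).
RECORDS = (
    # the sample checks in roughly every 60 s (small jitter added)
    [(1000 + 60 * i + j, SAMPLE_VM, HOST, 443)
     for i, j in enumerate([0, 1, -1, 2, 0, 1])]
    # unrelated, irregular traffic from the same VM
    + [(t, SAMPLE_VM, HOST, 80) for t in (1005, 1012, 1100, 1103, 1250, 1251)]
    + [(t, SAMPLE_VM, HOST, 53) for t in (1003, 1200)]
)


def beacon_candidates(records, min_conns=5, max_jitter=0.2):
    """Return flows whose inter-connection gaps are nearly constant.

    max_jitter caps the ratio of standard deviation to mean gap; many
    implants randomise their interval, so tune it against known samples."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            hits.append({"flow": key, "count": len(times),
                         "interval_s": round(m, 1),
                         "jitter": round(pstdev(gaps) / m, 3)})
    return hits
```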
2.2.3 Integration with Malware Analysis Tools
- VMware can integrate with several analysis tools to enhance malware research. For
instance:
  - Wireshark: Network traffic analysis tool used to capture and analyze network packets
during malware execution.
  - IDA Pro: A disassembler tool that helps in reverse-engineering malware binaries.
  - Sandboxing Tools: VMware VMs can be used in conjunction with sandboxing tools
that automatically execute malware in a controlled environment and generate reports on
its behaviour.
2.3 CPU-Z Fundamentals for Malware Analysis
2.3.1 Role of CPU-Z in System Profiling
- System Diagnostics: CPU-Z provides real-time data on system hardware, including CPU type, core speed, cache memory, and RAM configuration. In malware analysis, such information is vital for establishing a baseline of system behaviour before malware execution.
- Use Case: Analysts can observe system changes during and after malware execution. For example, certain types of malware may overclock the CPU, degrade performance, or cause memory leaks. CPU-Z helps track these changes, providing clues about the malware's impact on the hardware.
2.3.2 CPU-Z Features in Malware Analysis
- CPU Tab: Provides detailed information about the CPU, including its type, clock speed, and voltage. Malware that targets system resources (like cryptojacking malware) often causes the CPU to run at high frequencies, which can be detected using CPU-Z.
- Cache Tab: Displays information about the CPU cache, which can be useful in identifying cache-poisoning attacks or malware that manipulates the CPU cache to perform side-channel attacks.
- Memory Tab: Shows the current RAM usage and configuration. If a malware sample is designed to consume excessive memory (e.g., a DDoS botnet), this tab provides immediate insight into how much memory is being used.
- SPD Tab: Contains information about the system's RAM modules. Malware that tampers with system hardware might corrupt data in RAM, which could be detected by comparing pre- and post-infection RAM behaviour.
2.3.3 Malware Behaviour Observation with CPU-Z
- Tracking System Changes: CPU-Z is useful for monitoring the system's performance in real time. Certain malware strains cause drastic changes in system behaviour, like an increased CPU workload or memory usage, that can be detected by observing the system with CPU-Z before, during, and after malware execution.
- Example: A piece of malware that hijacks the CPU for cryptomining (cryptojacking) will increase CPU frequency and usage. CPU-Z can be used to monitor these changes, allowing analysts to detect resource-hogging behaviours.
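The before/during/after comparison described above can be made systematic by recording readings at a fixed interval and flagging sustained deviation from the clean baseline. The following is an added example (not code from the report) that does this over constructed readings standing in for CPU-Z's core-speed value and the OS CPU-usage counter; the sampling interval, the 1.5x margin and the minimum run length are assumptions.

```python
"""Compare hardware readings taken before and during sample execution to
spot resource hijacking such as cryptojacking. Added example, not from the
report: the readings are constructed and stand in for values read off
CPU-Z's CPU tab (core speed) and the OS usage counter (CPU-Z itself does
not report per-process usage)."""
from statistics import mean

# Constructed readings: (seconds since start, core clock MHz, CPU usage %).
# Clean idle baseline: clock cycles 800/840/880 MHz, usage 3-6 %.
BASELINE = [(t, 800 + 40 * ((t // 5) % 3), 3 + (t // 5) % 4)
            for t in range(0, 60, 5)]
# During execution: a quiet loader phase, then 100 s of mining-like load.
DURING = ([(t, 850 + 30 * ((t // 5) % 3), 5 + (t // 5) % 3)
           for t in range(0, 20, 5)]
          + [(t, 3900 + 50 * ((t // 5) % 4), 96 + (t // 5) % 4)
             for t in range(20, 120, 5)])


def longest_run(flags):
    """Length of the longest consecutive run of True values."""
    best = cur = 0
    for f in flags:
        cur = cur + 1 if f else 0
        best = max(best, cur)
    return best


def resource_hijack_report(baseline, during, margin=1.5, min_samples=6):
    """Flag clock and usage held far above the clean-state maximum.

    A reading is 'hot' when both clock and usage exceed margin times the
    baseline maximum; the verdict needs min_samples consecutive hot
    readings so that a single burst (an update check, a scan) is ignored."""
    clock_ceiling = margin * max(s[1] for s in baseline)
    usage_ceiling = margin * max(s[2] for s in baseline)
    hot = [c > clock_ceiling and u > usage_ceiling for _, c, u in during]
    run = longest_run(hot)
    interval = during[1][0] - during[0][0]
    return {
        "baseline_clock_mhz": round(mean(s[1] for s in baseline)),
        "observed_clock_mhz": round(mean(s[1] for s in during)),
        "hot_samples": sum(hot),
        "sustained_seconds": run * interval,
        "suspicious": run >= min_samples,
    }
```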
3. Impact of Oracle VM on Different Operating Systems for Malware Analysis
3.1. Windows OS
Windows is the most targeted operating system by malware due to its widespread use.
Oracle VM supports Windows OS environments, allowing analysts to replicate various
Windows versions and configurations for malware testing. In a Windows VM, analysts
can examine how malware interacts with common applications, registry settings, and
network protocols native to Windows.
3.2. Linux OS
While Linux is targeted by malware less often than Windows, it is still vulnerable, particularly in server environments. Oracle VM allows analysts to create VMs running different Linux distributions, such as Ubuntu, CentOS, and Debian, making it a versatile platform for malware analysis on Linux systems.
3.3. macOS
macOS, traditionally perceived as a more secure operating system, has seen an increase in
malware targeting in recent years. Oracle VM supports macOS environments, allowing
security researchers to analyze malware that specifically targets Mac systems. While
macOS is less flexible in terms of customization compared to Linux, Oracle VM still
provides a safe and isolated environment to study Mac-specific malware, such as adware,
ransomware, and spyware.
4. Comparative Study: VMware vs. CPU-Z vs. Oracle VM in Malware Analysis
4.1 VMware's Strengths
- VMware is primarily focused on system virtualization and provides a sandboxed
environment where malware can be executed without affecting the host system.
- It allows for complete system simulation, enabling the analysis of malware behaviours
in isolated environments, including network interactions and multi-stage attacks.
- VMware offers snapshot functionality, ensuring that analysts can quickly revert to a
clean state after the system is infected.
4.2 CPU-Z’s Strengths
- CPU-Z is designed for hardware diagnostics, providing detailed and real-time
information about the system’s CPU, memory, and motherboard.
- It is best suited for system profiling and resource monitoring, making it an essential tool
for tracking how malware impacts system performance at a hardware level.
- CPU-Z is more lightweight and specific compared to VMware and is valuable in cases
where malware interacts directly with system hardware or tries to degrade performance.
4.3 Oracle VM’s Strengths
- Security: The isolation provided by Oracle VM ensures that even if malware executes harmful actions, it cannot spread to the host machine or other networked devices. This makes it ideal for studying highly destructive malware like ransomware.
- Reversibility: With snapshotting, Oracle VM allows for quick recovery after malware execution. This feature is invaluable when testing multiple variants of malware or different stages of the same malware family.
- Cross-Platform Analysis: Oracle VM supports multiple operating systems, giving analysts the ability to test malware across different platforms in a single environment. This capability is crucial as malware authors increasingly target multiple OSs.
5. Conclusion
- Oracle VM is an invaluable tool for malware analysis across various operating systems,
including Windows, Linux, and macOS. Its ability to create isolated environments,
coupled with features like snapshotting and customizable network configurations, makes
it ideal for studying malware behaviour safely and efficiently. However, performance
overhead and anti-VM techniques can present challenges that analysts must address.
Despite these hurdles, Oracle VM remains a core component of modern malware analysis
strategies, enabling researchers to protect real-world systems from emerging threats.
- Both VMware and CPU-Z are critical tools in malware analysis but serve different
purposes. While VMware provides a safe and isolated environment to execute and
observe malware, CPU-Z helps monitor the hardware resources during and after
infection.
- Together, these tools offer a comprehensive understanding of how malware behaves in
virtual environments and how it impacts system performance and hardware resources.