Tuesday, November 22, 2011

CaptureBat - Dynamic Malware Analysis Tool

As I mentioned in one of my previous posts about tools for Dynamic Malware Analysis, CaptureBat is an essential tool for this purpose. It gives verbose output of what is happening at the registry, file and process level.

Starting off with Capture Bat
One of the easiest ways to go through the information captured by this tool is to copy the output into a text file for easy reference.


But this limits the overall efficiency, as it can get a little cumbersome to go through the captured data of a malware sample which was running for about 5 minutes or so. It's always good to have a way in which we can categorize, search and filter the contents to our liking. Guess what, we already have a way... Excel.

Efficiency through Excel
We can export the captured data into an Excel sheet and take advantage of its excellent filtering capabilities. To start off, simply capture the data in a normal CaptureBat file and import it into Excel.



When importing into Excel, choose the file type 'Delimited'.






So far I have observed that choosing the delimiters 'Tab', 'Space' and ':' (under 'Other') works best for me.



Once done, we get the output in Excel as shown below.



We can use filters to narrow down on the type of operation we want to check. For instance, we can choose to see only the 'write' operations performed.
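The same categorize/filter workflow can be done without Excel. The following is an added example, not part of the original post or of the CaptureBat tool: it assumes the console output is copied into a text file in the shape "category: event process -> target" (the sample lines are constructed, not real capture data) and parses on the " -> " separator so that paths containing spaces, which a space-delimited Excel import fragments, stay intact.

```python
import re
from collections import Counter

# Constructed sample lines approximating CaptureBat's console output
# (category: event process -> target). Not real capture data.
SAMPLE_LOG = """\
process: created C:\\WINDOWS\\explorer.exe -> C:\\Documents and Settings\\user\\Desktop\\sample.exe
file: Write C:\\Documents and Settings\\user\\Desktop\\sample.exe -> C:\\WINDOWS\\system32\\drivers\\etc\\hosts
registry: SetValueKey C:\\Documents and Settings\\user\\Desktop\\sample.exe -> HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
file: Write C:\\Documents and Settings\\user\\Desktop\\sample.exe -> C:\\Documents and Settings\\user\\Application Data\\updater.exe
file: Delete C:\\Documents and Settings\\user\\Desktop\\sample.exe -> C:\\Documents and Settings\\user\\Desktop\\sample.exe
process: terminated C:\\Documents and Settings\\user\\Desktop\\sample.exe -> C:\\Documents and Settings\\user\\Desktop\\sample.exe
"""

# Assumed line shape: "<category>: <event> <process path> -> <target path>".
# Paths may contain spaces, so the regex anchors on the " -> " separator
# instead of splitting on whitespace (which is what breaks a Space-delimited
# Excel import for paths like "Documents and Settings").
LINE_RE = re.compile(r"^(\w+): (\S+) (.+?) -> (.+)$")

def parse_capturebat(text):
    """Return one dict per parsed line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            category, event, process, target = m.groups()
            events.append({"category": category, "event": event,
                           "process": process, "target": target})
    return events

def filter_events(events, category=None, event=None):
    """Equivalent of an Excel column filter, e.g. category='file', event='Write'."""
    return [e for e in events
            if (category is None or e["category"] == category)
            and (event is None or e["event"] == event)]

def summarize(events):
    """Count (category, event) pairs for a quick overview of the whole run."""
    return Counter((e["category"], e["event"]) for e in events)

if __name__ == "__main__":
    evs = parse_capturebat(SAMPLE_LOG)
    for e in filter_events(evs, event="Write"):
        print(e["process"], "->", e["target"])
    for (cat, ev), n in sorted(summarize(evs).items()):
        print(f"{cat:<9}{ev:<12}{n}")
```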


Monday, November 21, 2011

Dynamic Malware Analysis Tools

It would not be wrong to say that every malware sample has its own personality. Not that we want to start treating malware like a living thing, but the comparison is justified by the different ways malware behaves. To study a part of this dynamic behavior we will be using the following tools.

Autorun
This tool is used to check what is configured to run automatically at system startup. This helps in understanding whether a malware sample has set itself to run at startup.

Process Explorer
This tool can be used as an alternative to Task Manager, as well as for checking the processes, threads and DLLs currently loaded on the system.


Process Monitor
This tool can be used to keep an eye on the events happening on the system. It monitors registry, file system, network, process and thread activity on the system.

ListDLL
Used to display the DLLs loaded on the system.

TCPView
Lists active TCP/UDP endpoints.

WinObj
Shows the Windows object namespace.

BinText
Can be used to extract the text strings present in a particular executable.

RegShot
Allows us to take two snapshots of the system, recording registry-level changes between the two. These can then be compared with each other to understand the changes introduced once the malware ran.

CaptureBat
Captures events happening on the system at the file, registry, process and network level.

HandleDiff
Detects changes to the handle tables of processes.

WireShark
Captures incoming as well as outgoing traffic from a particular machine.

MalcodeAnalysisPack
A package containing applications which have proven useful for analysis purposes.

Remnux
A lightweight Linux distro for assisting malware analysts in reverse engineering malicious software.

This is not an exhaustive list, but these are some of the tools which are used most frequently for the purpose of malware analysis. I will provide examples and detailed usage for some of these tools shortly.


Thursday, November 3, 2011

Virtual Machine for Android Reverse Engineering (A.R.E.) Released

The Honeynet Project has released the Android Reverse Engineering (A.R.E.) Virtual Machine. Put together by Anthony Desnos, it can be used for reverse engineering Android apps. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox.
Tools currently found on A.R.E. are:

  • Androguard
  • Android sdk/ndk
  • APKInspector
  • Apktool
  • Axmlprinter
  • Ded
  • Dex2jar
  • DroidBox
  • Jad
  • Smali/Baksmali
Download Here

I will shortly put up a tutorial for the analysis of an Android app using the same VM.