Dynamic Malware Analysis

Unit 9 - Malware Dynamic Analysis

Last Update Unknown

Dynamic Analysis

Basic Dynamic Analysis

  • Trying to understand a program (or in our case, a piece of malware), by running it
  • Monitoring the sample's activity

  • Examples:
    • System activity
    • Registry edits
    • Network activity
    • Dynamic unpacking
    • Running DLLs
    • Sandboxing

System Activity

  • Processes
  • Memory
  • Handles
  • Mutants (mutexes)

Registry edits

  • Persistence
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
  • Evasion/Stealth mechanisms

Network activity

  • Monitor for network behaviour rather than system level
  • Close vs. Open environment
  • Hosts file vs. local DNS server
  • INetSim

Dynamic unpacking

  • When static just does not work
  • Involves debugging which is a more advanced technique

Sandboxing

  • (mostly for) Automated analysis
  • Not our focus... but lots of research going on
  • Online services

Running DLLs

  • RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
  • https://support.microsoft.com/en-us/kb/164787
  • 32-bit Windows: C:\Windows\System32\rundll32.exe
  • 64-bit Windows: C:\Windows\SysWOW64\rundll32.exe

Executing JavaScript with rundll32.exe???

  • You can run JS with rundll32.exe
  • rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert('foo');
  • Some malware have used this in registry for persistence
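As an added example (not from these slides), a small Python script that does what a RegShot-style before/after comparison does for the Run key named on the "Registry edits" slide: it reports added, changed and removed autorun values and flags the rundll32 javascript: trick and autoruns launched from user-writable paths. The snapshot contents, value names and paths are constructed for the example.

```python
import re

# Constructed RegShot-style snapshots of the Run key (not from the slides):
# the value names and paths are made up for the example.
RUN_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run"

BEFORE = {RUN_KEY: {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDriveSetup": r"C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup",
}}

AFTER = {RUN_KEY: {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r"C:\Users\lab\AppData\Roaming\updt.exe",
    "Loader": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert(1);',
}}

# Heuristics applied to each new or changed autorun command line
SUSPICIOUS = [
    (re.compile(r"rundll32(\.exe)?\s+javascript:", re.I), "rundll32 javascript: trick"),
    (re.compile(r"\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I), "runs from user-writable path"),
]

def diff_run_keys(before, after):
    """Compare two snapshots; return (key, name, value, reasons) per difference."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name, value in new.items():
            if old.get(name) == value:
                continue  # unchanged entry, nothing to report
            reasons = ["new value" if name not in old else "changed value"]
            reasons += [label for rx, label in SUSPICIOUS if rx.search(value)]
            findings.append((key, name, value, reasons))
        for name in old.keys() - new.keys():
            # A deleted autorun entry (stealth/cleanup) is also worth recording
            findings.append((key, name, old[name], ["removed value"]))
    return findings

if __name__ == "__main__":
    for key, name, value, reasons in diff_run_keys(BEFORE, AFTER):
        print(f"{name}: {value}\n    -> {', '.join(reasons)}")
```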

Precautions

  • A safe setup is even more important for dynamic analysis
  • Make sure to take snapshots

Advantages of using dynamic analysis instead of static?

  • Go hand in hand, however...
  • Dynamic analysis can bring additional information from a sample that static analysis couldn't
  • Unpack samples that use unknown packers
  • How the malware is acting rather than what it's composed of

Tools

  • Process Explorer
  • Process Monitor (Procmon)
  • RegShot
  • Running DLLs with rundll32.exe
  • Wireshark
  • TcpDump
  • ApateDNS
  • Netcat

Debugging

  • In software engineering, debugging is basically used to find bugs in code
  • Run the code gradually (e.g. breakpoints), and find out what is happening

  • In malware analysis, used for reversing purposes, i.e. have a deeper understanding of the malicious code
  • Debug the sample to understand what it's doing
  • Find hidden features / possible arguments / etc.
  • Can also be used to manually unpack (find OEP)

Dynamic view (≠ looking at decompiled/disassembled code)

  • Register values
  • Memory addresses
  • Zero flags
  • Arguments

Ability to alter behaviour

  • Conditional jumps/zero flags
  • Variables
  • Arguments

User-Mode vs. Kernel debugging

  • User-mode debugging is used to debug a specific executable
  • Kernel-mode debugging targets low-level device drivers closer to the hardware, and is more complicated to perform

Debug program before vs. while it's running

Stepping

  • Single-stepping
  • Stepping-over
  • Stepping-into

Breakpoints

  • Software
  • Hardware (limited amount)
  • Conditional (software)

Tools

  • OllyDbg (+ plugins)
  • IDA Pro
  • WinDbg
  • GDB

Sandboxing

Pros

  • Speed up analysis
  • Fast
  • Saves time

Cons

  • Can miss details
  • Can be fooled

Open Source vs. Commercial

  • Cuckoo
    • Open source
    • Active development
    • Python-based
    • Can do lots of stuff

Current Research

  • Egele, M., Scholte, T., Kirda, E., & Kruegel, C. (2012). A Survey on Automated Dynamic Malware-Analysis Techniques and Tools. ACM Computing Surveys (CSUR), 44(2), 6.
  • Yan, L. K., & Yin, H. (2012). DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21st USENIX Security Symposium (USENIX Security 12) (pp. 569-584).
  • Kruegel, C. (2014, August). Full System Emulation: Achieving Successful Automated Dynamic Analysis of Evasive Malware. In Proc. Black Hat USA Security Conference.