Usually we carry out malware analysis in a virtual environment or a sandbox. Malware analysis is quite helpful in detecting a malicious file, as well as its behavior and the attack vectors it uses. It is dangerous to run malware on a day-to-day system, so it is clear that we prefer a virtual environment for the analysis. Today we will share a few utilities that are useful for quick and handy analysis of malware and malicious files.
Process Explorer: During malicious file analysis, it is quite necessary to observe malicious processes, the ports being used, and so on. Microsoft's Process Explorer is a handy utility that replaces the built-in Windows Task Manager and helps in monitoring malicious processes. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and they provide insight into the way Windows and applications work.
Capture BAT: Capture BAT is a behavioral analysis tool for applications on the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and the processing of documents, which gives an analyst insight into how the file operates. Capture BAT provides a powerful mechanism to exclude the event noise that naturally occurs on an idle system or when using a specific application. It offers a powerful way to observe in real time how local processes read, write, or delete registry entries and files.
Regshot: A malicious file can make changes to the registry. Regshot is a handy little tool that enables you to view the exact changes made to Windows registry entries by comparing the "before" and "after" registry log files. The user interface of Regshot is pretty standard. You can select the format of the compare log file (text or HTML document), set the output destination path, and optionally scan a particular directory or add a comment to the log file.
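The before/after comparison that Regshot performs, combined with the idle-system noise exclusion described under Capture BAT, as an added illustration in Python (this is not Regshot's code or its file format; the snapshot text format, key names, values and prefix lists below are constructed for the example):

```python
# Constructed snapshots in a simplified "Key\Name=Value" text format (not Regshot's real format).
BEFORE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth=C:\Windows\System32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState=240000003C28
HKCU\Software\ExampleApp\Version=1.2
"""
AFTER = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth=C:\Windows\System32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater=C:\Users\Public\updater.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState=240000003C29
HKCU\Software\ExampleApp\Version=1.3
"""

# Keys that churn on an idle system (Explorer UI state); excluded the way Capture BAT filters noise.
NOISE_PREFIXES = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",)
# Auto-start locations an analyst checks first for persistence (constructed, non-exhaustive list).
AUTOSTART_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

def parse_snapshot(text):
    """Turn one dump into {full_value_path: data}; blank or malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            path, data = line.split("=", 1)
            entries[path] = data
    return entries

def compare_snapshots(before_text, after_text, ignore=NOISE_PREFIXES):
    """Regshot-style diff: values added, deleted, or changed between the two snapshots."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    def keep(key):  # ignore=() keeps everything, including the noisy keys
        return not key.startswith(ignore)
    return {
        "added": sorted(k for k in after.keys() - before.keys() if keep(k)),
        "deleted": sorted(k for k in before.keys() - after.keys() if keep(k)),
        "modified": sorted(k for k in after.keys() & before.keys()
                           if keep(k) and after[k] != before[k]),
    }

def persistence_changes(diff):
    """Added or modified values that land in an auto-start location."""
    return [k for k in diff["added"] + diff["modified"] if k.startswith(AUTOSTART_PREFIXES)]

if __name__ == "__main__":
    result = compare_snapshots(BEFORE, AFTER)
    print(result, persistence_changes(result))
```

With the noise filter active, the ShellState churn disappears and the only findings are the changed application version and the new Run entry, which the persistence check flags.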
QuickUnpack: This is a quite useful utility for the analysis of a malicious file. QuickUnpack tries to bypass all possible scramblers/obfuscators and restores the redirected import table. This helps when analyzing a malicious file to determine whether it has been obfuscated or its code has been scrambled, and it also makes it easier to reveal AV bypass techniques.
Wireshark: The packet god Wireshark is an essential utility in the analysis of malicious files. It helps in analyzing the network communication made by the malware, such as DNS resolution requests, bot traffic, or downloads. This also helps in analyzing the malicious traffic itself, and sometimes results in locating the C&C server used by such malicious files.
Hope these quick utilities help you in a quick analysis of malicious files. Use a virtual environment during analysis to stay safe and secure! Contact us today for our Malware Analysis Service.