Yesterday I went to my internship. I learned how to do basic dynamic analysis on malware. First make sure you are in the virtual machine and that it is not connected to the internet. After that the next step is to open process explorer and Regshot. In Regshot take the first snapshot. Then open process monitor. After opening process monitor and quickly open the malware. After about a minute stop process monitor. Apply filters, such as the name of the executable and some operations like WriteFile and RegSetKey. Look for new executables (exe) created and find their location. If the exe. is created in HKLM\Software\Microsoft\Windows\CurrentVersion\run than the file will be started automatically when the computer starts up. This is a common place that malware creates new files. If you see that a file is created, find the file, hash it, and compare the hash to the hash of the original malware file. If they are the same the malware has copied itself. The next step is to take the second snapshot in Regshot, compare them and see what has changed. After doing so, check to see if the malware tries to connect to the network by using ApateDNS and Wireshark. Use ApateDNS to set up a fake network and to see what websites the malware tries to connect to. Then use Wireshark to see the ports it uses and to analyze the packets that the malware tries to send. You can also use another VM that uses Linux to listen in on what the malware is sending.

These are the basic steps in dynamic analysis. I will describe later what exactly each tool is used for.