Malware Forensics

Understanding the processes that malware starts and then takes control of after execution is made easier with the use of process monitoring. To determine the complete nature of a file or program, collect data about the processes that were operating prior to the malware’s execution, and contrast them with the processes that were operating following it, it is also essential to observe the child processes, associated handles, loaded libraries, functions, and execution flow of boot time processes. This technique helps quickly identify every process that the virus launches and cuts down on the amount of time needed to evaluate the processes. To find suspicious processes, malicious parent/child processes, malicious DLLs, and connections, use process monitoring tools like Process Monitor.

• Process Monitor
• Process Explorer

System Behavior Analysis: Monitoring Windows Services

Malware and other malicious programming are created by attackers to install and operate on a computer as services. Since most services serve processes and apps by operating in the background, malicious services can operate without user input or intervention and remain undetectable even when they are causing harm to the system. Windows services are spawned by malware, giving attackers remote access over the victim’s computer and the ability to send destructive commands. To conceal its services and processes, it might also use rootkit techniques to change the following registry keys.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

These malicious services are more harmful than executable code and typical malware because they operate as SYSTEM accounts or other privileged accounts, which grant more access than user accounts. To evade detection, attackers also attempt to hide their activities by renaming malicious services to seem like legitimate Windows services.

Using Windows service monitoring tools like Windows Service Manager (SrvMan), which can identify service modifications and search for questionable Windows services, investigators can track malicious services started by suspicious files during dynamic analysis.

• Windows Service Manager (SrvMan)
• Advanced Windows Service Manager

System Behavior Analysis: Monitoring Startup Programs

Malware can run harmful operations every time the machine boots up by changing system settings and inserting itself into the startup menu. To detect malware, it is necessary to manually scan for suspicious startup applications or use startup program monitoring solutions like Autoruns for Windows.

The steps to manually detect hidden malware are discussed below.

Step 1: Check Startup Program Entries in the Registry

When users log into a Windows operating system (like Windows 11), startup items including applications, shortcuts, folders, and drivers are configured to launch automatically at startup. The installed programs or drivers may add startup items, or the user may do it manually. Registry entries for Windows Explorer and Microsoft Edge startup settings may contain programs that launch at Windows 11 startup.

Windows Startup Settings

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Explorer Startup Settings

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore r\Shell Folders, Common Startup
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore r\User Shell Folders, Common Startup
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup

Startup Program Monitoring Tool: Autoruns for Windows

Every startup monitor’s autostart locations are known by the Microsoft Autoruns application. It shows which programs are set up to execute when the system boots up, when you log in, and when you launch Windows built-in apps. Users can set Autoruns to display additional destinations, like toolbars, browser assistance objects, Winlogon notifications, explorer shell extensions, and autostart services, after this software is added to the Startup folder, Run, RunOnce, and other registry values.

The Hide Signed Microsoft Entries option in Autoruns allows the user to examine the autostart images set up for other accounts on the system and zoom in on third-party autostart images that are uploaded to the user’s system.

• HiBit Startup Manager (https://www.hibitsoft.ir)
• Autorun Organizer (https://www.chemtable.com)
• Quick Startup (https://www.glarysoft.com)

System Behavior Analysis: Monitoring Windows Event Logs

The process of log analysis yields information about events or actions that may reveal potential Trojan or worm attacks on the system. It assists in locating security flaws and acts as a main source of information. When logs are examined for various components, this procedure aids in the detection of zero-day backdoor Trojans and any potential attacks (failed authentication/login attempts). Web servers, authentication servers, firewall systems, and IDS/IPS are examples of components that can have their logs monitored. File types, ports, timestamps, and registry entries are also included in the logs. In Windows, the “Windows Logs” part of Event Viewer allows for the analysis of system, application, access, audit, and security logs.

The logs are located on the following paths:

• System logs: Start → Windows Administrative Tools → Event Viewer → Windows Logs → System
• System Security logs: Start → Windows Administrative Tools → Event Viewer → Windows Logs → Security
• Application Logs
• Start → Windows Administrative Tools → Event Viewer → Applications and Services Logs

Key Event IDs to Monitor

While performing runtime analysis, investigators need to look at specific event IDs and corelate the event descriptions to any anomalous activities to understand the behavior of the malware. The following are a few of the significant event IDs:

Event ID 4688

Malicious programs often include an .exe file into the filesystem to compromise a machine. Event ID 4688, which is generated whenever a new process is initiated, can help forensic investigators look for suspicious process names or process paths upon malware execution. Malicious process names are often misspelled, such as “scvhost.exe” instead of “svchost.exe,” or “iexplorer.exe” instead of “explorer.exe.” Any Windows process running from an unusual path should also be investigated, such as C:\Windows\svchost.exe instead of C:\Windows\System32\svchost.exe

Event ID 5156

When Windows Filtering Platform permits a program to connect to another process on the same computer or any other distant computer via UDP or TCP ports, this event is created. This event ID may be crucial for identifying the attack’s source during dynamic malware investigation. Investigators can use the event description to identify the following details:

• Application name: This is the complete path or name of the malicious software that connects to an internal or external IP address.
• Direction: Indicates if an outgoing or inward connection is permitted.
• Destination address: It is the IP address the connection was received from.
• Destination port: This is the port number that any distant computer can use to establish a connection.

Event ID 7045 and 4657

Any new installation is often a planned event. By developing a persistent malicious service that runs even after the system is rebooted, an attacker may attempt to keep control of the compromised system. By altering specific registry keys, the attacker can also produce a persistent malware mechanism that allows them to add the malicious payload to the list of programs that are run when the system reboots, including Windows starter programs. As a result, any unexpected service installation or unusual registry key changes found using event IDs 4697 and 4657 oughts to be taken seriously and investigated further.

Event ID 4660 and 4663

Malware may try to access, alter, or remove any files and folders from the compromised system after it has been executed. Thus, event ID 4660, which is produced upon the deletion of any object—whether it is a kernel, file system, or registry object—should be watched by investigators. Investigators must follow event 4663, which verifies whether access permissions were used along with the name and type of the object, account name, and process name that accessed the item, as this event ID lacks the name of the deleted object. Other access request data, such ReadAttributes, WriteAttributes, READ_CONTROL, etc., can also be tracked by tracking event IDs 4663.

Event IDs 7036 and 7040

To stay persistent on the target machine, any malicious program may also turn off essential Windows protection services like Windows Defender, Windows Firewall, or antivirus software. An investigator would be able to search for any such suspicious activity by keeping an eye on events 7036 and 7040.

System Behavior Analysis: Monitoring Scheduled Tasks

Using Windows Task Scheduler, attackers create malware that will remain dormant and activate on a specified date or occasion. To identify malware, such as logic bombs that can execute various triggers, investigators must look for scheduled tasks.

To view a list of all the system scheduled tasks, investigators can utilize command-line applications like Windows Task Scheduler and Schtasks.

System Behavior Analysis: Monitoring Files and Folders

Malware can alter system files and folders to store data there. You should be able to locate the files and folders that the virus generates as an investigator and examine them to gather any pertinent data that may be stored. These files and folders might also have dangerous strings or secret computer code that the infection would plan to run on a predetermined timetable.

Using the “openfiles” command, which shows the list of open files, investigators must also look for any files that were opened remotely by the malware or an attacker.

To find malware, investigators should also look at prefetch files, clipboard information, etc. Prefetch files are created by Windows when a program is first launched. This file assists in locating running programs, related files, DLLs, processes, and services. To find out whether the attacker used apps like CCleaner to remove activity history, investigators should examine prefetch files. Additionally, prefetch files offer a timeline that aids investigators in determining the precise moment the malicious programs were run. To view prefetch files, use programs like WinPrefetchView.

Use programs like PA File Sight, Tripwire File Integrity and Change Manager, and Netwrix Auditor to search for questionable files and directories to find any Trojan horses that may have been installed and system file changes.

Perform Network Behavior Analysis

Monitoring network communications is an important part of dynamic malware analysis as it can exhibit the malware’s operations over network properties. The secret to stopping malware’s propagation and reducing hazards may lie in understanding how it enters the network. Investigators should thus keep an eye on the network environment while the virus is operating to observe how it interacts with the network properties.

Network Behavior Analysis: Monitoring Network Activities

The technique of recording network data and closely examining it to find malware activities is known as network analysis or monitoring. It assists in identifying the kind of data or network packets or traffic that are sent over the network.

Malware uses the network for several purposes, including spreading, downloading harmful content, sending private files and data, giving attackers remote control, and more. In addition to manipulating the victim computer’s network configuration to call out a certain URL, IP address, or domain name, some malware groups—such as Trojan horses, worms, and bots—wait for additional instructions from the attacker. Therefore, methods that can identify malware artifacts across networks should be used by investigators.

Network traffic monitoring, statistical analysis, and manual traffic review help investigators in detecting any privilege malware escalation activities over the networked computers.

For network activity monitoring, investigators can execute the malware on the forensic workstation and monitor the following aspects:

• IP addresses going from and connecting to the workstation
• Ports being opened on the workstation
• List of DNS entries recorded on the workstation

Network monitoring tools such as Capsa Network Analyzer, and Wireshark, can be used to monitor and capture live network traffic to and from the victim’s system during the execution of the suspicious program. This helps in understanding the malware’s network artifacts, signatures, functions, and other elements.

Monitoring IP Addresses

Investigators must take the following actions to ascertain whether a file that is suspected of being malware is attempting to call out any remote or malicious IP addresses:

1. On the Windows forensic workstation, they must launch the Wireshark application, which will show all network activity.
2. They must run the file suspected of being malware on the workstation while Wireshark is running in the background.
3. They should then keep an eye on the network’s real-time traffic to look for any unusual activity.
4. It should be noted as unusual if they discover any distant or unknown IP addresses that the workstation is attempting to connect to.
5. Lastly, they should check the IP address that was acquired using internet virus detection programs to see if it is malicious.

Network Behavior Analysis: Monitoring Port

Malware programs corrupt the system and open system input/output ports to establish connections with remote systems, networks, or servers to accomplish various malicious tasks. These open ports can also create backdoors for other types of harmful malware and programs. Open ports act as communication channels for malware. They open unused ports on the victim’s machine to connect back to the malware handlers. Finding such viruses will help in identifying the suspicious ports.

As an investigator, you can also determine whether malware is trying to access a particular port during dynamic analysis by installing port monitoring tools such as TCPView and Windows command-line utility tools such as netstat. These port monitoring tools provide details such as the protocol used, local address, remote address, and state of the connection. Additional features may include process name, process ID, remote connection protocol, etc.

Network Behavior Analysis: Monitoring DNS

DNS is used by malicious applications to connect to the C2 server, which is configured by the criminal. To evade detection by reverse engineers, malware employs Domain Generation Algorithms, or DGAs, and quickly makes several DNS queries to several domains to establish a connection with its C2.

By altering the DNS server settings on the system, malicious software like DNSChanger gives attackers command over the DNS server that is utilized on the victim’s computer. The attackers can then take control of the websites that the victim attempts to access via the Internet, force him or her to visit a phony website, or obstruct their online browsing.

To determine whether the malware is attempting to reach a particular domain name, investigators should examine the DNS entries stored on the workstation (sometimes referred to as the DNS cache) during runtime analysis. By entering ipconfig /flushdns at the command prompt and hitting Enter, they must remove DNS cache entries from the workstation. They can then detect the malicious domain name by running the virus.

Examining DNS Entries

Investigators must take the following actions to determine whether the virus is attempting to contact any domain name:

1. They must first use the Windows forensic workstation
2. To run the suspect file. They must then type the command ipconfig /displaydns into the workstation’s command prompt. All the entries kept in the DNS cache, including all current and attempted visits to websites, FTP servers, etc., will be seen by doing this.
3. Next, they can identify any suspicious or unrecognized domain name from the DNS cache list.
4. After execution, they can use hybrid analysis to further investigate any questionable or unknown domain names to determine whether they are malicious.

Network Behavior Analysis: Monitoring Browser Activity

Malware can download harmful files via connecting to C&C servers, rogue websites, and other DNS servers through browsers. To find malicious traffic and the location of the system, investigators must examine suspicious browsing activity.

Investigators can look for any surfing activity that may have taken place over ports 80, 443, or 8080, which are used by browsers to connect to the C&C servers. Additionally, investigators can monitor web traffic at firewalls, look at web caches, and filter web traffic by URL and harmful strings in web logs. To keep an eye on user browsing behavior, employ network monitoring tools like Colasoft Portable Network Analyzer and Wireshark.

Perform Ransomware Analysis

An essential component of forensic inquiry is ransomware analysis, which aims to comprehend the workings of a specific ransomware, including its encryption methods, infection pathways, and any potential flaws that could be used for decryption or mitigation. Both static and dynamic analytic techniques are frequently used in this kind of analysis. Use tools for ransomware analysis, such BlackCat (ALPHV).