Automating Malware Analysis Cycle

The malware analysis cycle is a process that gives anyone a ready environment for testing malware. The general steps for building an automated sandbox let you be ready whenever a new binary arrives for analysis; sources of these malicious files can be honeynets, infected web pages, or even PDF files.

First of all, create a system baseline of the machine on which you are going to analyze the malware: file names, hashes and timestamps, registry contents, memory contents, and any other important information that executing the malware could change.

1.    Begin in a clean state. This step prepares the machine you are going to work with: whether you use a virtual machine or a physical machine, you need to be sure that it is clean and matches the baseline configuration.

2.    Transfer the malware. You can share it over an isolated network or use VMware’s copyFileFromHostToGuest function. It is also possible to use PsExec, a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

3.    Pre-execution tasks. This step includes setting up the environment, checking the network and the performance of the machine, or even starting some static analysis of the suspicious file.

4.    Execute the malware. Here you simply run the malware directly on the testing platform from the command line.

5.    Post-execution tasks. This step captures the important changes and evidence on the machine, such as taking screenshots and running live tools like Process Monitor.

6.    Acquire and analyze RAM. This step involves suspending the VM and accessing its memory file on the host’s file system. If you’re working with physical systems, it involves dumping memory to a file or sending it straight across the network to your host/analysis machine.

7.    Analyze the hard drive. This is the final step, where you compare the testing machine with the baseline. Changes include files, registry hives, event logs, application logs, and so on.

The cycle can be adapted to your project and to the malware you are going to analyze, especially from the technical perspective, but the main steps should follow this path.
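As an added example (not code from the original post or from the Cookbook), here is a minimal file-system baseline and comparison of the kind steps 1 and 7 call for: snapshot names, SHA-256 hashes and timestamps before execution, snapshot again afterwards, and report what was added, removed, modified, or merely re-timestamped. The directory layout and the simulated changes in `demo()` are constructed for illustration only.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline a directory tree: relative path -> (sha256, mtime_ns)."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime_ns)
    return result

def diff_snapshots(before, after):
    """Compare the baseline with the post-execution snapshot.
    'modified' = content changed; 'touched' = content identical but the timestamp
    changed, which deserves a second look since it can indicate timestamp tampering."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p][0] != after[p][0]),
        "touched": sorted(p for p in common
                          if before[p][0] == after[p][0] and before[p][1] != after[p][1]),
    }

def demo():
    """Constructed scenario: baseline a fake system root, simulate changes a sample
    might make during execution, and return the diff for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "logs").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "logs" / "app.log").write_text("started\n")
        (root / "config.ini").write_text("[main]\n")
        before = snapshot(root)
        # Simulated post-execution changes (constructed, not real malware behaviour).
        (root / "startup").mkdir()
        (root / "startup" / "dropped.bin").write_bytes(b"\x4d\x5a" + b"\x00" * 16)
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        (root / "logs" / "app.log").unlink()
        os.utime(root / "config.ini", ns=(1, 1))  # timestamp changed, content unchanged
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In a real sandbox you would run `snapshot()` over the guest's disk image or a mounted copy, not the live guest, and store the baseline on the host so the sample cannot alter it.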


Figure from Malware Analyst’s Cookbook: