1. Gather the hash value of the malware sample.
2. Activate the monitoring tools (in an order tailored to capture the maximum amount of information).
3. Run the malware in the host-only virtual machine under the observation of dynamic tools (such as Process Explorer and TCPView).
4. Don't kill the process unless it terminates by itself.
5. Wait for a few minutes. If the process terminates by itself, wait at least another 1-2 minutes.
6. Pause the monitoring tools (in the reverse order of their start-up).
7. Observe the logs and suspicious entries. (Write down all identified information and revisit the logs if new traces are found.)
8. Exercise your judgement to interpret your findings. (This is an art.)
9. Based on the above findings, call up additional tools (such as Process Explorer, WinObj or VMMap) to inspect possible artifacts in the process or memory, and keep screen captures of the new findings.
10. Terminate the process if it is still running.
11. Call up the tools again to re-examine possible artifacts in the registry, processes or memory.
12. Write down the MAC times and hash values of all added, deleted and modified files, and copy these files to a "file" folder.
13. Back up all logs and screen captures to a "data" folder for further reference.
14. Zip these folders with a password and copy them to the host machine before rolling back your virtual machine.
15. Further analyze your logs with the help of an editor's search capability, or import them into Excel if they are in CSV format for further searching.
16. Never inspect the "file" folder on your host machine.
17. Finally, document all your findings and prepare a formal report.
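Steps 1 and 12-15 are the part of this procedure that is easy to get wrong by hand, so here is an added example that automates them; it is not the author's tooling and not part of the original post. It assumes a monitored directory tree inside the analysis VM, an evidence directory containing the "file" and "data" folders the steps describe, and a baseline snapshot taken before the sample is run. The password-protected zip of step 14 is left to an external archiver. The `demo()` function builds a constructed tree with placeholder files (no real sample is involved) so the script runs offline.

```python
"""Snapshot-diff evidence collector for the sandbox procedure (added example).

Take a baseline snapshot of the monitored tree before the run, a second one
after the process has been terminated, record every added, deleted or
modified file with its hash and MAC times in a CSV (searchable in an editor
or importable into Excel), and copy changed files into the "file" folder.
"""
import csv
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to hash, size and MAC times."""
    records = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        records[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mtime": st.st_mtime,  # M: last content modification
            "atime": st.st_atime,  # A: last access
            "ctime": st.st_ctime,  # C: metadata change (creation time on Windows)
        }
    return records


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify paths as added, deleted, or modified (content hash differs)."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after)
                      if before[p]["sha256"] != after[p]["sha256"])
    return {"added": added, "deleted": deleted, "modified": modified}


def write_inventory(diff: dict, before: dict, after: dict, csv_path: Path) -> int:
    """Write one CSV row per changed file into the "data" folder; return the row count."""
    rows = 0
    with open(csv_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["change", "path", "sha256", "size", "mtime", "atime", "ctime"])
        for change in ("added", "deleted", "modified"):
            # Deleted files only exist in the baseline snapshot.
            source = before if change == "deleted" else after
            for p in diff[change]:
                r = source[p]
                writer.writerow([change, p, r["sha256"], r["size"],
                                 r["mtime"], r["atime"], r["ctime"]])
                rows += 1
    return rows


def collect_files(diff: dict, root: Path, file_dir: Path) -> int:
    """Copy added and modified files into the "file" folder, preserving timestamps.
    Deleted files can only be recorded, not copied."""
    copied = 0
    for p in diff["added"] + diff["modified"]:
        dest = file_dir / p
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / p, dest)  # copy2 keeps mtime/atime metadata
        copied += 1
    return copied


def demo() -> dict:
    """Run the pipeline on a constructed tree (placeholder files, no real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        evidence = Path(tmp) / "evidence"
        (root / "sys").mkdir(parents=True)
        (evidence / "file").mkdir(parents=True)
        (evidence / "data").mkdir()
        # Constructed baseline: three benign placeholder files.
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n")
        (root / "sys" / "config.ini").write_text("[app]\nlevel=1\n")
        (root / "sys" / "old.log").write_text("nothing yet\n")
        before = snapshot(root)
        # Simulated effects of the run: one dropped file, one edit, one deletion.
        dropped = b"\x4d\x5a" + b"\x00" * 14  # constructed bytes, not a real binary
        (root / "sys" / "dropped.dat").write_bytes(dropped)
        (root / "hosts.txt").write_text("127.0.0.1 localhost\n# edited during run\n")
        (root / "sys" / "old.log").unlink()
        after = snapshot(root)
        diff = diff_snapshots(before, after)
        rows = write_inventory(diff, before, after, evidence / "data" / "file_changes.csv")
        copied = collect_files(diff, root, evidence / "file")
        hash_ok = after["sys/dropped.dat"]["sha256"] == hashlib.sha256(dropped).hexdigest()
        return {"diff": diff, "rows": rows, "copied": copied, "hash_ok": hash_ok}


if __name__ == "__main__":
    print(demo())
```

Taking the baseline snapshot before step 3 and the second one after step 10 turns step 12 into a mechanical diff; the CSV lands in the "data" folder and the copied artifacts in the "file" folder, ready for the zip in step 14. Hashing in chunks matters because dropped files can be large, and `copy2` is used so the copied artifacts keep the timestamps that were recorded.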
Of course, I did not cover how to model the network to respond to the malware's requests, and I am assuming these procedures will be carried out after studying the pcap file contained in the CaptureBAT log.
Sunday, August 7, 2011