Intro to Malware Dynamic Analysis: Part 5

This is the first post in a wonderfully enlightening series of five. A new post will be posted every Thursday until they're all posted.

Unlike the network portion of this analysis, which is generally going to be the same for most malware, there are a multitude of ways to go about identifying host changes. Tools for host analysis are numerous, so to make it easy, I'll highlight only a few of the main tasks here. Once you become more familiar with analysis, you can deep dive into the more specific tools for your use cases and equip your analysis VMs with these capabilities as well.

The main host-centric things you need to know are what files the malware drops or changes, any registry modifications it made, what process it runs as, and how it persists.

SysInternals

For persistence, the SysInternals Autoruns tool is a great place to start. In your Windows snapshot, take a baseline of the system in the clean state and save this in your "Analysis Ready" snapshot. Then, after the virus is run, use Autoruns again, and use the compare functionality to easily highlight any differences in the list. If this shows nothing, either your virus does not persist, or you may need to use one of the further methods to identify it.
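As an added example (not code from the original post or from Sysinternals), the same baseline-then-compare workflow scripted in PowerShell for a handful of common autostart locations; it covers far fewer locations than Autoruns does and is meant to show how the diff surfaces persistence, not to replace the tool. The function names, the snapshot file path and the location list are assumptions.

```powershell
# Added example: a lightweight, scripted version of the Autoruns "baseline, run sample,
# compare" workflow. Covers only Run/RunOnce keys, Startup folders and scheduled tasks
# (assumed list); Autoruns enumerates many more locations. Run Get-AutostartSnapshot in
# the clean snapshot, export it, detonate, run it again, then diff with Compare-Autostart.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; they are not registry values.
$PsMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartSnapshot {
    # Each entry is a (Location, Name, Command) triple so two snapshots can be compared.
    $entries = @(foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notin $PsMeta) {
                    [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
                }
            }
        }
    })
    $startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $entries += @(foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
    })
    $entries += @(Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Location = "Task:$($_.TaskPath)"; Name = $_.TaskName; Command = $action }
    })
    return $entries
}

function Compare-Autostart {
    param([object[]]$Baseline, [object[]]$After)
    # Entries present only after detonation are persistence candidates; removals are listed too.
    $key = { "$($_.Location)|$($_.Name)|$($_.Command)" }
    Compare-Object -ReferenceObject @($Baseline | ForEach-Object $key) `
                   -DifferenceObject @($After | ForEach-Object $key) |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}' -f $state, $_.InputObject
        }
}

# Usage (assumed path): Get-AutostartSnapshot | Export-Csv -NoTypeInformation C:\analysis\baseline.csv
# ...run the sample, wait for it to settle, then...
# Compare-Autostart -Baseline (Import-Csv C:\analysis\baseline.csv) -After (Get-AutostartSnapshot)
```

A changed Command value for an existing Name shows up as one REMOVED and one ADDED line, which is the same signal Autoruns' compare view gives for a modified entry.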