Presented by Monnappa in SecurityXploded cyber security meet. visit: http://www.securitytrainings.

2.  Execute malware in a controlled/monitored environment
 Monitors file system, registry, process and network activity
 Outputs the results in mutiple formats
 Examples of Sandboxes
◦ Cuckoo Sandbox
◦ ThreatExpert
◦ Anubis
◦ CWSandbox

3. To determine:
 The nature and purpose of the malware
 Interaction with the file system
 Interaction with the registry
 Interaction with the network
 To determine identifiable patterns

4. Reports
Controller
Reports Artifact
s
PCAPS
Host Machine Analysis Machine (VM)
Launch
Sample
Samples
Submit
Monitoring tools

5.  Automates static, dynamic and Memory analysis using open source tools
 Written in python
 Can be run in sandbox mode or internet mode
 In sandbox mode it can simulate internet services (this is the default mode)
 Allows you to set the timeout for the malware to run (default is 60 seconds)
 Stores final reports, pcaps, desktop screeshot , and malicious artifacts for
later analysis

6.  Takes sample as input
 Performs static analysis
 Reverts VM to clean snapshot
 Starts the VM
 Transfers the malware to VM
 Runs the monitoring tools ( to monitor process, registry, file system,
network activity)
 Executes the malware for the specified time

7.  Stops the monitoring tools
 Suspends the VM
 Acquires the memory image
 Performs memory analysis using Volatility framework
 Stores the results (Final reports, destkop screenshot, pcaps and malicious
artifacts for later analysis)

9. Prolaco.exe drops two files on “Googlxe.exe” and “Rundll45.exe” on the filesystem

10. Prevents the security products from running by looking for the security products and deleting its registry
key value

11. The malware sends spam invitation mails to the some of the organizations

12. Process id 1080 sends the spam, but the rootkits hides that process from the process listing using DKOM technique

13. Hides the process from process explorer

14. Comparing the process listing using Volatility’s “pslist” and “psscan” plugin, shows the hidden process
prolaco.exe (pid 1080)
pslist psscan

15. Dumping the hidden process from memory and submitting to VirusTotal confirms the presence of malicious hidden
process