Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: 3. Basic Dynamic Analysis
Next: Running Malware

shows the table of contents for a PDF report generated by running a file through GFI Sandbox’s automated analysis. The malware report includes a variety of details on the malware, such as the network activity it performs, the files it creates, the results of scanning with VirusTotal, and so on.

, as follows:

  • The Analysis Summary section lists static analysis information and a high-level overview of the dynamic analysis results.

  • The File Activity section lists files that are opened, created, or deleted for each process impacted by the malware.

  • The Created Mutexes section lists mutexes created by the malware.

  • The Registry Activity section lists changes to the registry.

  • The Network Activity section includes network activity spawned by the malware, including setting up a listening port or performing a DNS request.

  • The VirusTotal Results section lists the results of a VirusTotal scan of the malware.

Malware sandboxes do have a few major drawbacks. For example, the sandbox simply runs the executable, without command-line options. If the malware executable requires command-line options, it will not execute any code that runs only when an option is provided. In addition, if your subject malware is waiting for a command-and-control packet to be returned before launching a backdoor, the backdoor will not be launched in the sandbox.

The sandbox also may not record all events, because neither you nor the sandbox may wait long enough. For example, if the malware is set to sleep for a day before it performs malicious activity, you may miss that event. (Most sandboxes hook the Sleep function and set it to sleep only briefly, but there is more than one way to sleep, and the sandboxes cannot account for all of these.)
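An added example, not from the book or from GFI Sandbox, that parses a constructed report in a simplified "[Section]" / "key: value" layout using the section names listed above and flags the three coverage gaps just described (no command-line options, a listener that was never contacted, a Sleep longer than the run). The layout, field names such as longest_sleep_ms and run_time_seconds, and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample report in a simplified "[Section]" / "key: value" layout; not GFI's real format.
SAMPLE_REPORT = """\
[Analysis Summary]
command_line: sample.exe
run_time_seconds: 120
longest_sleep_ms: 86400000
[Created Mutexes]
mutex: Global\\ConstructedMutex
[Network Activity]
listen: tcp/4444
dns: c2.example.invalid
[VirusTotal Results]
detections: 3/60
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

def parse_report(text):
    """Split the report into {section name: [(key, value), ...]}."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            sections[current].append((key, value))
    return dict(sections)

def coverage_warnings(sections):
    """Flag the three blind spots the text describes for one parsed report."""
    summary = dict(sections.get("Analysis Summary", []))
    network = sections.get("Network Activity", [])
    warnings = []
    # 1. The sample was started with no command-line options, so option-gated code never ran.
    if len(summary.get("command_line", "").split()) <= 1:
        warnings.append("no-cli-args")
    # 2. A listening port was opened but no inbound connection was ever accepted:
    #    a backdoor waiting for a command-and-control packet would not have launched.
    if any(k == "listen" for k, _ in network) and not any(k == "accept" for k, _ in network):
        warnings.append("listener-never-contacted")
    # 3. The longest Sleep exceeds the run window, so delayed behaviour was not observed.
    if int(summary.get("longest_sleep_ms", 0)) / 1000 > int(summary.get("run_time_seconds", 0)):
        warnings.append("sleep-exceeds-run-window")
    return warnings
```

Each warning means the report's empty sections may reflect the sandbox's limits rather than the sample's real behaviour, so a follow-up run (with arguments, a longer window, or a simulated server) is worth scheduling.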

Other potential drawbacks include the following:

