Quick Malware Analysis Toolkit. This repository contains quick setup notes for building a malware analysis sandbox from a variety of tools and using ProcDOT to perform the analysis.
These instructions are very high-level. You will need to adjust them to work in your lab.
- Target OS (Windows 10/7)
- graphviz - http://www.graphviz.org/
- ProcDOT - http://www.procdot.com/
- WinPcap - https://www.winpcap.org/
- Windump - https://www.winpcap.org/windump/default.htm
- ProcMon (Sysinternals Suite) - https://docs.microsoft.com/en-us/sysinternals/
- PSR - Problem Step Recorder (Built in Windows tool)
OPTIONAL: Python to run CSV_parser
The CSV_parser directory contains a Python script that can help filter noise out of the Procmon CSV logs.
- Download/extract tools to a common directory
- This example uses C:\Users\IEUser\Desktop\autoanalysis\tools\
- Install WinPcap
Open ProcDOT and configure the following options
Note: More detailed installation information can be found on the ProcDOT site (http://www.procdot.com/).
Path to windump/tcpdump
C:\Users\IEUser\Desktop\autoanalysis\tools\windump\WinDump.exe
Path to dot (Graphviz)
C:\Users\IEUser\Desktop\autoanalysis\tools\graphviz-2.38\release\bin\dot.exe
You need to adjust Procmon's configuration to be compatible with ProcDOT.
In Procmon
- disable (uncheck) "Show Resolved Network Addresses" (Options)
- disable (uncheck) "Enable Advanced Output" (Filter)
- adjust the displayed columns (Options > Select Columns ...)
- to not show the "Sequence" column
- to show the "Thread ID" column
- Run AutoAnalysis.bat as Administrator
- Execute Malware
- Stop AutoAnalysis
- Analyze Results
- Open procdot.exe
Monitoring Logs
- Procmon: browse to the Procmon capture.csv
- Windump: browse to the pcap capture.pcap
- Click ... in the Launcher button to analyze logs
- Select the first relevant process
- Click Refresh to build the graph
- Proceed to analyze results
Tune logs
- Consider filtering out unnecessary data from PCAP
- Consider removing unnecessary procmon logs from the report
- CSV_parser contains a python script that can help filter the procmon CSV logs
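To show what the Procmon tuning above (Thread ID column shown, Sequence column hidden) and the noise filtering in this section look like in practice, here is an added example written for this page; it is not the repository's CSV_parser script. It checks that a Procmon CSV export has the column layout ProcDOT expects, then drops rows from monitoring tools, housekeeping operations and known-benign paths before the file is handed to ProcDOT. The column names, noise lists and sample rows are assumptions and constructed data, not captured output; tune the lists for your own lab image.

```python
"""Noise filter for Procmon CSV exports (added example, not the repository's CSV_parser).

Assumes the CSV was exported with the ProcDOT-compatible column layout described
in the setup notes: Thread ID shown (header "TID"), Sequence hidden.
"""
import csv
import io
import sys

# Columns ProcDOT needs in the export (assumption: Procmon's default headers plus TID).
REQUIRED_COLUMNS = {"Time of Day", "Process Name", "PID", "Operation",
                    "Path", "Result", "Detail", "TID"}
# Columns that must not be present (ProcDOT cannot parse the Sequence column).
FORBIDDEN_COLUMNS = {"Sequence"}

# Processes that generate background noise in a default lab VM (assumed list; tune per lab).
NOISE_PROCESSES = {"procmon.exe", "procmon64.exe", "windump.exe",
                   "svchost.exe", "searchindexer.exe", "dwm.exe"}
# Operations that rarely add information to a behaviour graph (assumed list).
NOISE_OPERATIONS = {"RegCloseKey", "CloseFile", "QueryStandardInformationFile"}
# Path prefixes (lower-case) written by benign OS housekeeping (assumed list).
NOISE_PATH_PREFIXES = ("c:\\windows\\prefetch\\",
                       "hklm\\software\\microsoft\\windows nt\\currentversion\\prefetcher")


def layout_problems(fieldnames):
    """Return a list of layout problems; empty means the export matches the ProcDOT layout."""
    names = set(fieldnames or [])
    problems = [f"missing column: {c}" for c in sorted(REQUIRED_COLUMNS - names)]
    problems += [f"unexpected column: {c}" for c in sorted(FORBIDDEN_COLUMNS & names)]
    return problems


def is_noise(row):
    """True when a Procmon row should be dropped before graphing."""
    if row["Process Name"].lower() in NOISE_PROCESSES:
        return True
    if row["Operation"] in NOISE_OPERATIONS:
        return True
    return row["Path"].lower().startswith(NOISE_PATH_PREFIXES)


def filter_procmon_csv(src, dst, keep_pids=None):
    """Copy src to dst without noise rows. Rows whose PID is in keep_pids (e.g. the
    sample's own PID) are always kept. Returns (kept, dropped) row counts."""
    reader = csv.DictReader(src)
    problems = layout_problems(reader.fieldnames)
    if problems:
        raise ValueError("Procmon export is not ProcDOT-compatible: " + "; ".join(problems))
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    kept = dropped = 0
    for row in reader:
        pinned = bool(keep_pids) and row["PID"] in keep_pids
        if pinned or not is_noise(row):
            writer.writerow(row)
            kept += 1
        else:
            dropped += 1
    return kept, dropped


# Constructed sample export (not real captured data): two rows of sample activity,
# one CloseFile housekeeping row, and rows from svchost, Procmon and a prefetch read.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","TID"
"10:00:01.000","sample.exe","4242","CreateFile","C:\\Users\\IEUser\\AppData\\Local\\Temp\\drop.exe","SUCCESS","Desired Access: Generic Write","4300"
"10:00:01.001","sample.exe","4242","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ","4300"
"10:00:01.002","svchost.exe","812","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones","SUCCESS","Type: REG_SZ","900"
"10:00:01.003","sample.exe","4242","CloseFile","C:\\Users\\IEUser\\AppData\\Local\\Temp\\drop.exe","SUCCESS","","4300"
"10:00:01.004","Procmon64.exe","1234","ReadFile","C:\\Windows\\System32\\ntdll.dll","SUCCESS","Offset: 0","1250"
"10:00:01.005","explorer.exe","1500","ReadFile","C:\\Windows\\Prefetch\\SAMPLE.EXE-1234ABCD.pf","SUCCESS","Offset: 0","1600"
'''


def run_sample(keep_pids=None):
    """Filter the constructed sample in memory; returns ((kept, dropped), output_csv_text)."""
    out = io.StringIO()
    counts = filter_procmon_csv(io.StringIO(SAMPLE_CSV), out, keep_pids)
    return counts, out.getvalue()


if __name__ == "__main__":
    # Usage: python filter_procmon.py capture.csv filtered.csv [pid ...]
    if len(sys.argv) < 3:
        print(run_sample()[1])
    else:
        pids = set(sys.argv[3:])
        with open(sys.argv[1], newline="", encoding="utf-8-sig") as src, \
                open(sys.argv[2], "w", newline="", encoding="utf-8") as dst:
            print("kept/dropped:", filter_procmon_csv(src, dst, pids))
```

Passing the sample's PID as a pinned PID keeps its CloseFile rows, which is useful when ProcDOT's graph needs the full file handle lifetime for the sample itself while the same operations from every other process stay filtered.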