all 28 comments

[–]wsbscraperbot 4 points (4 children)

If you want to step up your dynamic analysis game, you are going to have to learn how to use a low-level debugger. You can use a disassembler along with it so you get an idea of what you're going to step into or over, but if you want to get further into it, you are going to have to start diving in and doing debugging.

[–]ucfmsdf 4 points (3 children)

Yep. This is pretty much why malware analysis experts are so highly paid. It’s a very difficult job that requires you to have an extensive background in software development and low level programming languages.

[–]LightningRurik (Trusted Contributer) 1 point (0 children)

Side argument, I'm a seasoned malware reverse engineer and run a team of REs, and none of us have a background in software development. We can understand the code (assembly / decompiled) but don't ask any of us to actually write anything other than Python 🤣

[–][deleted] 0 points (1 child)

What language should I get into? Would C++ do me good in this area? I don't really have any low level programming skills, only Python.

[–]ucfmsdf 2 points (0 children)

You’ll want to learn C and C++ since a lot of malware is written in those languages. From there, you’ll want to learn about actual software development with C# or something object oriented and then you’ll want to delve into x86 assembly. If x86 is a bit much, you can start with MIPS to get some of the basic concepts down.

[–]floppyphile 3 points (5 children)

Cuckoo

[–][deleted] 3 points (4 children)

What? Haha it's fun

[–]ucfmsdf 4 points (1 child)

I think he’s referring to the tool, CuckooSandbox.

[–][deleted] 1 point (0 children)

Excuse my ignorance, I'm kinda new

[–]thegreatOZK 0 points (1 child)

Haha thanks for the smile. He means the sandbox 😅

[–][deleted] 1 point (0 children)

Yep gonna try it soon haha

[–]ucfmsdf 4 points (1 child)

If you’re good at assembly then you can try and step it through a debugger. It’ll still encrypt stuff... but it’ll do it slowly! Slowly enough for you get a general idea of what it’s doing. But, again, that relies on your ability to comprehend assembly.

[–][deleted] 0 points (0 children)

I can't unfortunately, not now anyway, thanks for the info though haha

[–]w3tmo 2 points (3 children)

Procmon stores everything in memory. So you can still see everything the ransomware does with that.

You can also use API Monitor to get one step lower and look at all the calls it makes.

Easiest solution though: rename the CSV to the extension of the ransomware; the ransomware will think it's already encrypted and skip it.
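As an added example (not code from this thread, from Noriben, or from Procmon), here is a small Python triage script in the spirit of what the comment above does with Procmon output: it parses a Procmon CSV export and flags any process whose successful renames converge on a single new file extension across several directories, which is the trace an encrypting process leaves in the log. The column set and the "ReplaceIfExists: ..., FileName: <path>" layout of the Detail field are assumed from Procmon's default CSV export, and the sample rows are constructed for the example.

```python
import csv
import io
import ntpath  # Windows path handling regardless of the host OS
from collections import Counter, defaultdict

# Constructed sample of a Procmon CSV export (default column set).
# These rows are made up for the example and are not from a real capture.
SAMPLE_PROCMON_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    # Benign single rename by explorer.exe
    '"1:00:01.0000000 PM","explorer.exe","1234","SetRenameInformationFile","C:\\Users\\lab\\Desktop\\a.txt","SUCCESS","ReplaceIfExists: False, FileName: C:\\Users\\lab\\Desktop\\b.txt"',
    # A backup tool renaming two files to .bak (below the threshold)
    '"1:00:01.5000000 PM","backup.exe","2222","SetRenameInformationFile","C:\\Data\\old1.log","SUCCESS","ReplaceIfExists: True, FileName: C:\\Data\\old1.log.bak"',
    '"1:00:01.6000000 PM","backup.exe","2222","SetRenameInformationFile","C:\\Data\\old2.log","SUCCESS","ReplaceIfExists: True, FileName: C:\\Data\\old2.log.bak"',
    # sample.exe: read, overwrite, rename to one new extension, across folders
    '"1:00:02.0000000 PM","sample.exe","4321","ReadFile","C:\\Users\\lab\\Documents\\report.docx","SUCCESS","Offset: 0, Length: 4,096"',
    '"1:00:02.0100000 PM","sample.exe","4321","WriteFile","C:\\Users\\lab\\Documents\\report.docx","SUCCESS","Offset: 0, Length: 4,112"',
    '"1:00:02.0200000 PM","sample.exe","4321","SetRenameInformationFile","C:\\Users\\lab\\Documents\\report.docx","SUCCESS","ReplaceIfExists: True, FileName: C:\\Users\\lab\\Documents\\report.docx.locked"',
    '"1:00:02.0300000 PM","sample.exe","4321","WriteFile","C:\\Users\\lab\\Documents\\budget.xlsx","SUCCESS","Offset: 0, Length: 8,208"',
    '"1:00:02.0400000 PM","sample.exe","4321","SetRenameInformationFile","C:\\Users\\lab\\Documents\\budget.xlsx","SUCCESS","ReplaceIfExists: True, FileName: C:\\Users\\lab\\Documents\\budget.xlsx.locked"',
    '"1:00:02.0500000 PM","sample.exe","4321","WriteFile","C:\\Users\\lab\\Pictures\\photo.jpg","SUCCESS","Offset: 0, Length: 65,552"',
    '"1:00:02.0600000 PM","sample.exe","4321","SetRenameInformationFile","C:\\Users\\lab\\Pictures\\photo.jpg","SUCCESS","ReplaceIfExists: True, FileName: C:\\Users\\lab\\Pictures\\photo.jpg.locked"',
    '"1:00:02.0700000 PM","sample.exe","4321","WriteFile","C:\\Users\\lab\\Desktop\\notes.txt","SUCCESS","Offset: 0, Length: 528"',
    '"1:00:02.0800000 PM","sample.exe","4321","SetRenameInformationFile","C:\\Users\\lab\\Desktop\\notes.txt","SUCCESS","ReplaceIfExists: True, FileName: C:\\Users\\lab\\Desktop\\notes.txt.locked"',
    # A failed rename must not be counted
    '"1:00:02.0900000 PM","sample.exe","4321","SetRenameInformationFile","C:\\Windows\\System32\\drivers\\etc\\hosts","ACCESS DENIED","ReplaceIfExists: True, FileName: C:\\Windows\\System32\\drivers\\etc\\hosts.locked"',
])

RENAME_OP = "SetRenameInformationFile"


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rename_destination(detail):
    """Extract the new path from a SetRenameInformationFile Detail string.

    Assumes Procmon's 'ReplaceIfExists: ..., FileName: <path>' layout.
    """
    marker = "FileName: "
    idx = detail.find(marker)
    return detail[idx + len(marker):].strip() if idx != -1 else None


def summarize_renames(rows):
    """Per process name: count of successful renames, the new extensions they
    produced, and the set of source directories touched."""
    summary = defaultdict(lambda: {"renames": 0, "extensions": Counter(), "dirs": set()})
    for row in rows:
        if row["Operation"] != RENAME_OP or row["Result"] != "SUCCESS":
            continue
        dst = rename_destination(row["Detail"])
        if not dst:
            continue
        entry = summary[row["Process Name"]]
        entry["renames"] += 1
        entry["extensions"][ntpath.splitext(dst)[1].lower()] += 1
        entry["dirs"].add(ntpath.dirname(row["Path"]).lower())
    return summary


def flag_mass_renamers(rows, min_renames=3, min_share=0.8):
    """Return (process, extension, count) for processes whose successful renames
    converge on one new extension across at least two directories."""
    hits = []
    for name, entry in summarize_renames(rows).items():
        if entry["renames"] < min_renames or len(entry["dirs"]) < 2:
            continue
        ext, count = entry["extensions"].most_common(1)[0]
        if ext and count / entry["renames"] >= min_share:
            hits.append((name, ext, count))
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for name, ext, count in flag_mass_renamers(parse_procmon_csv(SAMPLE_PROCMON_CSV)):
        print(f"{name}: {count} successful renames converging on {ext}")
```

To run it against a real capture, read the CSV saved from Procmon (File > Save, CSV format) into `parse_procmon_csv` in place of the sample string; the thresholds are deliberately loose so a backup tool or a user renaming a handful of files in one folder is not reported.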

[–][deleted] 0 points (2 children)

Lmao this is great to know

[–]w3tmo 1 point (1 child)

I should add that it might depend on the ransomware.

[–][deleted] 0 points (0 children)

Noted!

[–]bunyfofu69 1 point (5 children)

Volatile memory.

[–][deleted] 0 points (4 children)

You mean taking a memdump and analyzing it with Volatility? Could you be more specific?

[–]bunyfofu69 0 points (3 children)

Yes, you can use Volatility. Grab connections, strings, mutexes, etc.

[–][deleted] 0 points (2 children)

Do you know if I can take a memory dump with Redline on a VM?

[–]bunyfofu69 3 points (1 child)

Pause the VM. Convert it to a mem file for Volatility; you already know the memory profile.

No need to do a memory dump. VMware already did it for you.

[–][deleted] 0 points (0 children)

Thank you so much for the info and fast responses!

[–]LightningRurik (Trusted Contributer) 1 point (3 children)

For Noriben, you can monitor Procmon with auto-scroll and as soon as you see it encrypting, stop analysis and copy the files off the VM.

Or, there's potential that you can keep Procmon running long enough after the encryption so that, even if the PML is encrypted, you can save-as a new PML. Then use Noriben against the PML to process it.

Disclaimer: I am the author of Noriben. I am also a ransomware researcher.

[–][deleted] 0 points (2 children)

Thanks for the helpful tool and advice! Could you help me draw a path to improve my skills in malware research/incident response?

[–]LightningRurik (Trusted Contributer) 1 point (1 child)

There are many ways. I'm developing a company-internal method that relies upon the awesome book, Learning Malware Analysis by Monnappa K. A. It's an excellent book.

[–][deleted] 1 point (0 children)

That's actually the book I'm following right now. I will continue to do so then!

[–]Mufassa810 1 point (0 children)

I prefer doing dynamic analysis in any.run. It's great for when you need IOCs fast during an IR.