isarmadfarooq/Dynamic-Malware-Analysis-Report

GitHub: isarmadfarooq/Dynamic-Malware-Analysis-Report

An academic report on the dynamic behavioral analysis of malware in a FlareVM environment, presenting the complete workflow and methodology from sandbox setup and sample execution through to behavior visualization.

Stars: 0 | Forks: 0

# 🦠 Dynamic Malware Analysis Report

[![Made With](https://img.shields.io/badge/Made%20with-FlareVM-6E40C9?style=for-the-badge&logo=windows&logoColor=white)](https://github.com/mandiant/flare-vm) [![University](https://img.shields.io/badge/FAST--NUCES-Islamabad-0A66C2?style=for-the-badge&logo=academia&logoColor=white)](https://nu.edu.pk/) [![Program](https://img.shields.io/badge/MS%20Cybersecurity-2024--2025-0F6E56?style=for-the-badge&logo=shield&logoColor=white)]() [![Report](https://img.shields.io/badge/Report-DOCX-B7472A?style=for-the-badge&logo=microsoftword&logoColor=white)]() [![Academic](https://img.shields.io/badge/Purpose-Academic%20Only-F4B400?style=for-the-badge&logo=googlescholar&logoColor=white)]()
## 👤 Author
| | |
|:---:|:---|
| **Name** | Sarmad Farooq |
| **Roll No.** | 25i-7722 |
| **Program** | MS Cybersecurity (MSCY) |
| **Institution** | FAST – National University of Computer & Emerging Sciences, Islamabad |
| **Subject** | Malware Analysis |
| **Academic Year** | 2024 – 2025 |
## 📖 Overview

Dynamic analysis (also called **behavioral** or **runtime** analysis) executes a malware sample inside a sandboxed environment and observes, in real time, every interaction it has with the underlying operating system. Unlike static analysis, this approach sidesteps obfuscation and exposes the malware's actual operational intent directly.

**Observed behaviors include:**

- 🔄 Process creation, injection and termination events
- 📂 File system read/write/delete operations
- 🗝️ Windows registry modifications (persistence, configuration storage)
- 🌐 Network connection attempts, DNS queries and C2 communication
- 💬 Inter-process communication and API calls

## 📁 Repository Structure

```
📦 malware-analysis-report
 ┣ 📄 Dynamic_Analysis_Report_Sarmad_Farooq_Professional.docx
 ┗ 📄 README.md
```

## 🛠️ Tools & Environment
| Tool | Developer | Role |
|:---|:---|:---|
| ![FlareVM](https://img.shields.io/badge/FlareVM-Mandiant-6E40C9?style=flat-square&logo=windows&logoColor=white) | Mandiant (FireEye) | Windows security distro for malware analysis |
| ![FakeNet-NG](https://img.shields.io/badge/FakeNet--NG-Mandiant-0F6E56?style=flat-square&logoColor=white) | Mandiant (FireEye) | Simulates network services; captures C2 traffic |
| ![Regshot](https://img.shields.io/badge/Regshot-Open%20Source-0A66C2?style=flat-square&logoColor=white) | Open Source | Registry before/after snapshot comparison |
| ![System Informer](https://img.shields.io/badge/System%20Informer-Open%20Source-B7472A?style=flat-square&logoColor=white) | Open Source | Real-time process monitoring |
| ![Procmon](https://img.shields.io/badge/Process%20Monitor-Microsoft-F4B400?style=flat-square&logo=microsoft&logoColor=white) | Microsoft Sysinternals | Full file, registry & network event logging |
| ![ProcDot](https://img.shields.io/badge/ProcDot-CERT.at-E24B4A?style=flat-square&logoColor=white) | CERT.at | Behavioral dependency graph visualization |
| ![MalwareBazaar](https://img.shields.io/badge/MalwareBazaar-Abuse.ch-444?style=flat-square&logoColor=white) | Abuse.ch | Malware sample source |
## 📊 Analysis Methodology
```
┌─────────────────────────────────────────────────────────────────────┐
│                          ANALYSIS PIPELINE                          │
│                                                                     │
│  [1] VM Snapshot → [2] Network Config → [3] Regshot 1st Shot        │
│         ↓                                        ↓                  │
│  [4] FakeNet-NG → [5] System Informer → [6] Execute Malware         │
│         ↓                                        ↓                  │
│  [7] Procmon Log → [8] Regshot 2nd Shot → [9] Procmon Config        │
│         ↓                                        ↓                  │
│  [10] Export CSV ──────────────────────→ [11] ProcDot Graph         │
└─────────────────────────────────────────────────────────────────────┘
```
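Steps 7 through 10 of the pipeline end with a Procmon CSV export. The following Python script is an added example, not code from the report or its repository, showing one way to triage such an export into the categories used in the Key Findings (persistence registry writes, file writes and deletes, network operations). The column names are Procmon's default export columns; the event rows, PIDs, paths and addresses are constructed for illustration, and the sample name is the one given in the step table.

```python
import csv
import io
from collections import defaultdict

# Constructed Procmon CSV export (default column set). Event rows, PIDs, paths
# and addresses are made up for illustration; only the column names are Procmon's.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","Sarmad_Malware.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\Users\\Public\\updater.exe"
"10:02:11.2","Sarmad_Malware.exe","4120","CreateFile","C:\\Users\\Public\\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:02:11.3","Sarmad_Malware.exe","4120","WriteFile","C:\\Users\\Public\\updater.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.9","Sarmad_Malware.exe","4120","SetDispositionInformationFile","C:\\Users\\Public\\stage1.tmp","SUCCESS","Delete: True"
"10:02:12.0","Sarmad_Malware.exe","4120","UDP Send","host:51000 -> 192.0.2.10:53","SUCCESS","Length: 45"
"10:02:12.4","Sarmad_Malware.exe","4120","TCP Connect","host:51001 -> 192.0.2.10:80","SUCCESS","Length: 0"
"10:02:13.0","explorer.exe","1032","RegQueryValue","HKCU\\Software\\Classes\\Local Settings\\MuiCache","SUCCESS","Type: REG_SZ"
"""

# Autostart locations where a RegSetValue indicates persistence (MITRE ATT&CK T1547.001).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}


def triage_procmon(csv_text, process_name):
    """Bucket one process's Procmon events into the report's finding categories."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Procmon records every process on the host; keep only the sample's events.
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and any(k in path.lower() for k in RUN_KEYS):
            findings["persistence"].append(path)
        elif op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            if path not in findings["file_writes"]:  # one entry per dropped file
                findings["file_writes"].append(path)
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            findings["file_deletes"].append(path)
        elif op in NETWORK_OPS:
            findings["network"].append(f"{op} {path}")
    return dict(findings)


if __name__ == "__main__":
    for category, events in triage_procmon(SAMPLE_CSV, "Sarmad_Malware.exe").items():
        print(f"{category}: {len(events)} event(s)")
        for event in events:
            print("   ", event)
```

On a real export, pass the file contents read with `encoding="utf-8-sig"` (Procmon writes a BOM) and the process name from step 6.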
| Step | Action | Tool | Purpose |
|:---:|:---|:---|:---|
| 1 | Create VM Snapshot | VMware / VirtualBox | Clean forensic baseline |
| 2 | Configure Network (Host-Only) | VM Settings | Isolate from the real internet |
| 3 | First Registry Snapshot | Regshot | Capture pre-execution state |
| 4 | Launch Network Simulation | FakeNet-NG | Intercept C2 traffic |
| 5 | Start Process Monitoring | System Informer | Watch the process tree |
| 6 | Execute Malware Sample | `Sarmad_Malware.exe` | Trigger all behaviors |
| 7 | Capture System Events | Procmon | Log all file/registry/network operations |
| 8 | Second Registry Snapshot | Regshot | Generate the registry diff |
| 9 | Configure Procmon Export | Procmon | Prepare CSV for ProcDot |
| 10 | Export Event Log | Procmon (CSV) | Structured artifact for analysis |
| 11 | Visualize Behavior | ProcDot | Behavioral dependency graph |

## 📌 Key Findings

| Category | Observations |
|:---|:---|
| 🔵 **Process Behavior** | Malware process identified in System Informer; full hierarchy documented via ProcDot |
| 🌐 **Network Activity** | Outbound DNS queries and HTTP C2 connection attempts captured by FakeNet-NG |
| 🗝️ **Registry Modifications** | Multiple keys added/modified, consistent with persistence and config storage |
| 📂 **File System Operations** | Read/write/delete operations on system directories logged via Procmon filters |
| 📈 **Behavioral Graph** | ProcDot confirmed the full execution chain and the malware's operational objectives |

## ⚠️ Disclaimer

## 📚 References

| Resource | Link |
|:---|:---|
| FlareVM | [github.com/mandiant/flare-vm](https://github.com/mandiant/flare-vm) |
| FakeNet-NG | [github.com/mandiant/flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng) |
| Regshot | [sourceforge.net/projects/regshot](https://sourceforge.net/projects/regshot/) |
| System Informer | [systeminformer.sourceforge.io](https://systeminformer.sourceforge.io/) |
| Process Monitor | [Microsoft Sysinternals](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) |
| ProcDot | [procdot.com](https://www.procdot.com/) |
| MalwareBazaar | [bazaar.abuse.ch](https://bazaar.abuse.ch/) |
**FAST-NUCES Islamabad · Department of Cybersecurity · MS Cybersecurity Program** ![Visitors](https://visitor-badge.laobi.icu/badge?page_id=sarmadfarooq.malware-analysis-report)
Tags: DAST, FAST-NUCES, FlareVM, bulk IP address processing, SSH honeypot, dynamic malware analysis, sniffing and spoofing, academic project, security report, malware analysis, persistence, sandbox, registry modification, cybersecurity, runtime analysis, process injection, privacy protection