A Malware Analysis and Artifact Capture Tool Dallas Wright Dakota State University
Total Page:16
File Type:pdf, Size:1020Kb
Dakota State University Beadle Scholar Masters Theses & Doctoral Dissertations Spring 3-2019 A Malware Analysis and Artifact Capture Tool Dallas Wright Dakota State University Follow this and additional works at: https://scholar.dsu.edu/theses Part of the Information Security Commons, and the Systems Architecture Commons Recommended Citation Wright, Dallas, "A Malware Analysis and Artifact Capture Tool" (2019). Masters Theses & Doctoral Dissertations. 327. https://scholar.dsu.edu/theses/327 This Dissertation is brought to you for free and open access by Beadle Scholar. It has been accepted for inclusion in Masters Theses & Doctoral Dissertations by an authorized administrator of Beadle Scholar. For more information, please contact [email protected]. A MALWARE ANALYSIS AND ARTIFACT CAPTURE TOOL A dissertation submitted to Dakota State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Cyber Operations March 2019 By Dallas Wright Dissertation Committee: Dr. Wayne Pauli Dr. Josh Stroschein Dr. Jun Liu ii iii Abstract Malware authors attempt to obfuscate and hide their execution objectives in their program’s static and dynamic states. This paper provides a novel approach to aid analysis by introducing a malware analysis tool which is quick to set up and use with respect to other existing tools. The tool allows for the intercepting and capturing of malware artifacts while providing dynamic control of process flow. Capturing malware artifacts allows an analyst to more quickly and comprehensively understand malware behavior and obfuscation techniques and doing so interactively allows multiple code paths to be explored. The faster that malware can be analyzed the quicker the systems and data compromised by it can be determined and its infection stopped. This research proposes an instantiation of an interactive malware analysis and artifact capture tool. iv Declaration I hereby certify that this dissertation constitutes my own product, that where the language of others is set forth, quotation marks so indicate, and that appropriate credit is given where I have used the language, ideas, expressions or writings of another. I declare that the dissertation describes original work that has not previously been presented for the award of any other degree of any institution. Signed, _____________________________ Dallas Wright v Table of Contents A MALWARE ANALYSIS AND ARTIFACT CAPTURE TOOL ............................................... i Abstract .......................................................................................................................................... iii Declaration ..................................................................................................................................... iv Table of Contents ............................................................................................................................ v List of Tables ............................................................................................................................... viii List of Figures ................................................................................................................................ ix CHAPTER ONE ............................................................................................................................. 1 Introduction ................................................................................................................................. 1 Problem Relevance ..................................................................................................................... 2 Problem Statement ...................................................................................................................... 3 Purpose Statement ....................................................................................................................... 3 Primary Research Questions ....................................................................................................... 4 Hypotheses .................................................................................................................................. 5 Theoretical Framework ............................................................................................................... 5 Research Design.......................................................................................................................... 6 Introduction Summary ................................................................................................................ 7 CHAPTER TWO ............................................................................................................................ 8 Literary Review .......................................................................................................................... 8 Review of Literature ................................................................................................................... 8 Literary Review Summary ........................................................................................................ 14 CHAPTER THREE ...................................................................................................................... 16 Application Design and Specifications ..................................................................................... 16 vi Research Approach ................................................................................................................... 16 Assumptions and Limitations ................................................................................................... 17 Malware Samples ...................................................................................................................... 18 Iterative Development ............................................................................................................... 19 Data Analysis ............................................................................................................................ 20 Application Overview ............................................................................................................... 24 Technical Specifications ........................................................................................................... 31 Major Functional Requirements ............................................................................................... 34 Application Design Summary ................................................................................................... 43 CHAPTER FOUR ......................................................................................................................... 44 MACT Evaluation ..................................................................................................................... 44 MACT Example Use................................................................................................................. 49 Preliminary Functional Testing................................................................................................. 53 Testing Process ......................................................................................................................... 54 Bypassing Anti-analysis Techniques with MACT ................................................................... 56 MACT Testing .......................................................................................................................... 59 MACT Malware Evaluation Case Studies ................................................................................ 60 Sample 1 – PUA .................................................................................................................... 60 Sample 2 - Trojan .................................................................................................................. 64 Sample 3 - PUA ..................................................................................................................... 68 Sample 4 - Worm ................................................................................................................... 74 Sample 5 - Ransomware ........................................................................................................ 82 Sample 6 - PUA ..................................................................................................................... 89 Sample 7 - Backdoor ............................................................................................................. 96 Sample 8 - Trojan ................................................................................................................ 101 vii Sample 9 - Virus .................................................................................................................. 104 Sample 10 - Worm ............................................................................................................... 111 Testing Summary .................................................................................................................... 114 CHAPTER FIVE ........................................................................................................................ 118 Conclusions and Recommendations ....................................................................................... 118 Overview ................................................................................................................................