Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions
In this chapter, we took a deep dive into the nitty-gritty of dynamic analysis and what we can really learn about malware and its behavior by simply giving it an environment to destroy. You were tasked with answering several questions about the NetWalker ransomware threat – the answers are as follows:
- PowerShell spawns `CSC.exe` processes. Some research about these processes should tell you they're used for compiling executables from source code.
- No, it doesn't attempt to download any secondary stages. The script contains everything it needs to compile its payload DLL at runtime!
- Yes, it does. PowerShell utilizes its malicious DLL to inject code into the already running `Explorer.exe` process and encrypt the files.
- The DLL is loaded by reflective loading. This can be inferred by the fact that it's spawned within an existing process and by looking at the...
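The two observable behaviours in the answers above (PowerShell spawning `csc.exe` to compile the payload, then PowerShell creating a thread in the running `explorer.exe`) are exactly what a detection rule can key on. The following is an added example, not code from the book: it runs that logic over constructed Sysmon-style records (Event ID 1 = ProcessCreate, Event ID 8 = CreateRemoteThread; the paths and PIDs are made up) and ignores a benign compile started by a build tool.

```python
import os
from dataclasses import dataclass


@dataclass
class SysmonEvent:
    """Minimal Sysmon-style record. EventID 1 = ProcessCreate, 8 = CreateRemoteThread."""
    event_id: int
    image: str              # acting process (Sysmon Image / SourceImage)
    pid: int
    parent_image: str = ""  # ProcessCreate only
    target_image: str = ""  # CreateRemoteThread only


# Constructed sample telemetry (not real NetWalker data): one benign csc.exe launched
# by a hypothetical build tool, then the PowerShell -> csc.exe -> explorer.exe chain.
SAMPLE_EVENTS = [
    SysmonEvent(1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", 1200,
                parent_image=r"C:\BuildTools\MSBuild.exe"),
    SysmonEvent(1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", 3044,
                parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    SysmonEvent(8, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 2980,
                target_image=r"C:\Windows\explorer.exe"),
]


def _base(path: str) -> str:
    """Case-insensitive file name, tolerant of Windows separators on any host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect_netwalker_chain(events):
    """Return (alert_name, pid) for each event matching the chapter's two behaviours."""
    alerts = []
    for e in events:
        # Signal 1: runtime compilation of the payload DLL from a PowerShell parent.
        if e.event_id == 1 and _base(e.parent_image) == "powershell.exe" \
                and _base(e.image) == "csc.exe":
            alerts.append(("runtime_compile_from_powershell", e.pid))
        # Signal 2: PowerShell creating a thread inside the already running explorer.exe.
        elif e.event_id == 8 and _base(e.image) == "powershell.exe" \
                and _base(e.target_image) == "explorer.exe":
            alerts.append(("remote_thread_into_explorer", e.pid))
    return alerts


def chain_complete(alerts) -> bool:
    """High confidence only when both the compile and the injection signal are present."""
    names = {name for name, _ in alerts}
    return {"runtime_compile_from_powershell", "remote_thread_into_explorer"} <= names
```

Either signal alone deserves a look, but the pair together is what distinguishes this sample's behaviour from a developer's normal use of the .NET compiler.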