ProDot Sandbox - AutoAnalysis

Quick Malware Analysis Toolkit. This repository contains quick setup notes to setup a malware analysis sandbox using a variety of tools and uses ProcDot to perform the analysis.

These instructions are very highlevel. You will need to adjust to work in your lab.

ProcDot

Requirements

Target OS (Windows 10/7)
graphviz - http://www.graphviz.org/
ProcDOT - http://www.procdot.com/
WinPcap - https://www.winpcap.org/
Windump - https://www.winpcap.org/windump/default.htm
ProcMon Sysinternals Suite https://docs.microsoft.com/en-us/sysinternals/
PSR - Problem Step Recorder (Built in Windows tool)

OPTIONAL: Python to run CSV_parser

The CSV_parser directory contains a python script that can help filter noise from the procmon CSV logs.

Installation

Download/extract tools to a common directory
- This example uses C:\Users\IEUser\Desktop\autoanalysis\tools\
Install WinPcap

Configuration

ProcDOT

Open ProcDOT and configure the following options

Note: More detailed installation information can be found here ProcDot

Path to windump/tcpdump

C:\Users\IEUser\Desktop\autoanalysis\tools\windump\WinDump.exe

Path to dot (Graphviz)

C:\Users\IEUser\Desktop\autoanalysis\tools\graphviz-2.38\release\bin\dot.exe

ProcMon

You need to adjust Procmon's configuration to be compatible with ProcDOT.

In Procmon

disable (uncheck) "Show Resolved Network Addresses" (Options)
disable (uncheck) "Enable Advanced Output" (Filter)
adjust the displayed columns (Options > Select Columns ...)
- to not show the "Sequence" column
- to show the "Thread ID" column

Quick Start

Run AutoAnalysis.bat as Administrator
Execute Malware
Stop AutoAnalysis
Analyze Results

Analyze with ProcDOT

Open procdot.exe

Monitoring Logs

Procmon: browse to procmon capture.csv Procmon: browse to pcap capture.pcap

Click ... in the Launcher button to analyze logs
Select the first relavant process
Click Refresh to build the graph
Proceed to analyze results

Analyst Tips

Tune logs

Consider filtering out unnecessary data from PCAP
Consider removing unnecessary procmon logs from the report
- CSV_parser contains a python script that can help filter the procmon CSV logs

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
CSV_parser		CSV_parser
logs		logs
tools		tools
.gitignore		.gitignore
AutoAnalysis.bat		AutoAnalysis.bat
LICENSE		LICENSE
readme.md		readme.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

ProDot Sandbox - AutoAnalysis

Requirements

Installation

Configuration

ProcDOT

ProcMon

Quick Start

Analyze with ProcDOT

Analyst Tips

About

Releases

Packages

Contributors 2

Languages

License

threatexpress/procdot_sandbox

Folders and files

Latest commit

History

Repository files navigation

ProDot Sandbox - AutoAnalysis

Requirements

Installation

Configuration

ProcDOT

ProcMon

Quick Start

Analyze with ProcDOT

Analyst Tips

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Contributors 2

Languages

Packages