Dynamic Analysis

• Dynamic Analysis
  • Lab Environment Setup
  • System Call Tracing
    • strace (Linux)
    • ltrace (Linux)
  • Network Traffic Analysis
    • What to Look For
    • FakeNet-NG / INetSim
  • Filesystem and Registry Monitoring
    • Before-and-After Comparison (Linux)
    • Process Monitor (Windows)
  • Sandbox Analysis
    • Any.run
    • Hybrid Analysis (Falcon Sandbox)
    • Limitations of Sandboxes
  • Comparing Static and Dynamic Results
  • Useful Resources

Dynamic analysis means executing a sample and observing its behavior. It is more dangerous than static analysis but reveals things that static analysis cannot — particularly obfuscated or encrypted behavior that only manifests at runtime.

Always analyze in an isolated VM. Always take a snapshot before executing a sample.

Lab Environment Setup

Before running anything:

1. Revert to your clean baseline snapshot
2. Disable the VM’s network adapter (or switch to host-only with no internet route)
3. Take a new “pre-execution” snapshot
4. Open monitoring tools before launching the sample

System Call Tracing

strace (Linux)

strace intercepts system calls between a process and the kernel. Every file access, network connection, and process creation is a syscall.

$ strace -f -tt -e trace=file,network,process,ipc \
    -o strace_output.txt ./sample

Key flags:

• -f — follow child processes (forks, execs)
• -tt — timestamp each call
• -e trace= — filter by syscall category
• -o — write output to a file

Interesting syscalls to watch for:

Syscall	What it means
open/openat	file access
connect	outbound network connection
execve	launching a new process
ptrace	debugging or injection
mmap with PROT_EXEC	allocating executable memory
unlink	deleting files (often self-deletion)

ltrace (Linux)

ltrace intercepts library function calls. It complements strace by showing higher-level behavior:

$ ltrace -o ltrace_output.txt ./sample

Watch for: strcmp, strcpy, malloc, fopen, system, popen, crypto functions.

Network Traffic Analysis

Start Wireshark before running the sample, capturing on all interfaces:

$ sudo wireshark &

Or capture headlessly and analyze afterward:

$ sudo tcpdump -i any -w capture.pcap &
$ ./sample
$ kill %1
$ wireshark capture.pcap

What to Look For

• DNS queries: what domains does the sample resolve? C2 domains often have high entropy or use DGA patterns.
• TCP/UDP connections: destination IP, port, and protocol. Port 443 with unexpected certificates is suspicious.
• HTTP traffic: use “Follow HTTP Stream” to reconstruct requests. Look for beacon patterns (regular intervals, similar sizes).
• TLS: examine the ClientHello for unusual cipher suites or SNI fields. If you see TLS with a self-signed cert, extract it.

FakeNet-NG / INetSim

These tools simulate network services (DNS, HTTP, SMTP) so that malware “succeeds” in connecting even when no real internet is available. This often causes the malware to proceed past its connectivity checks and reveal more behavior.

$ sudo inetsim

Run FakeNet-NG on a Windows analysis VM to capture simulated responses.

Filesystem and Registry Monitoring

Before-and-After Comparison (Linux)

$ touch /tmp/baseline
# run the sample
$ find / -newer /tmp/baseline -not -path "/proc/*" 2>/dev/null

Process Monitor (Windows)

On Windows analysis VMs, Process Monitor (ProcMon) from Sysinternals records every file, registry, and network event with full context. Filter by process name to focus on your sample.

Sandbox Analysis

Online sandboxes provide automated dynamic analysis with detailed behavioral reports.

Any.run

Any.run is an interactive sandbox: you can click inside the running VM, which helps with samples that wait for user interaction. The free tier supports Windows and Linux analysis.

• Submit via the web UI or API
• Review the “Process Tree” view for process hierarchy
• Check the “Network Activity” tab for DNS, HTTP, and TCP streams
• Download the PCAP for local analysis in Wireshark

Hybrid Analysis (Falcon Sandbox)

Hybrid Analysis provides CrowdStrike’s Falcon sandbox results. It maps behavior to MITRE ATT&CK techniques automatically.

Limitations of Sandboxes

• Sandboxes are fingerprinted — sophisticated malware detects them and stays dormant
• Time-limited: behavior that triggers after 24 hours won’t be captured
• No human interaction by default: some malware requires clicks or specific user state
• Network filtering may hide C2 communication

Comparing Static and Dynamic Results

A good analysis uses both approaches together:

Observation	Method that found it
Import of VirtualAllocEx	Static (IAT)
Allocation at 0x140000 during execution	Dynamic (strace/debugger)
Encoded string resolved to evil.example.com	Static (FLOSS) + Dynamic (DNS query)
Self-deletion after execution	Dynamic (strace unlink call)

Discrepancies between static and dynamic findings often indicate anti-analysis evasion.

Useful Resources

• The Art of Memory Forensics — Ligh et al.
• Any.run blog — analysis walkthroughs
• MITRE ATT&CK — behavior-to-technique mapping
• MalwareBazaar — sample repository with sandbox results