SysAnalyzer – Automated Malcode Analysis System

[Figure: SysAnalyzer main UI]

Curious whether there is malware on your machine? Sometimes a computer heats up or slows down without a game or any heavy program running. If that happens on your computer, you should be concerned about a possible malware infection. But don't worry: you can check for and analyze malcode or malware on your system with a tool called “SysAnalyzer”.

Overview

SysAnalyzer is an open source application that was designed to give malcode analysts an automated tool to quickly collect, compare, and report on the actions a binary took while running on the system.

A full installer for the application is available and can be downloaded here. The application supports Windows 2000 – Windows 10, including x64 support.

The main components of SysAnalyzer work off of comparing snapshots of the system over a user specified time interval. The reason a snapshot mechanism was used compared to a live logging implementation is to reduce the amount of data that analysts must wade through when conducting their analysis. By using a snapshot system, we can effectively present viewers with only the persistent changes found on the system since the application was first run.

While this mechanism does help to eliminate a lot of the possible noise caused by other applications or inconsequential runtime nuances, it also opens up the possibility of missing key data: anything the sample creates and removes again between snapshots never shows up in the comparison. Because of this, SysAnalyzer also gives the analyst the option to include several forms of live logging in the analysis procedure.

Run

When first run, SysAnalyzer will present the user with the following configuration wizard:

[Figure: SysAnalyzer configuration wizard]

The executable path textbox represents the file under analysis. It can be filled in either by

  • Dragging and dropping the target executable on the SysAnalyzer desktop icon
  • Specifying the executable on the command line
  • Dragging and Dropping the target into the actual textbox
  • Using the browse for file button next to the textbox

For files which must open in a viewer such as DOC or PDF files, specify the viewer app in the executable textbox, and the file itself in the arguments textbox.

There are a handful of options available on the screen for optional live logging components such as full packet capture, API logger, and Sniff Hit. You can also run the target as another user.

These options are saved to a configuration file and do not need to be entered each time. Note that users can also select the “Skip” link in order to proceed to the main interface where they can manually control the snapshot tools.

Note that the API logger option is generally stable, but not entirely so in every case. I generally reserve this option for when I need more information than a standard analysis provides.

Once these options are filled in and the user selects the “Start” button, the options will be applied, a base snapshot of the system taken, and the executable launched.

Note: SysAnalyzer is not a sandboxing utility. Target executables are run in a fully live test on the system. If you are testing malicious code, you must realize you will be infecting your test system.

SysAnalyzer is designed to take snapshots of the following system attributes:

  • Running processes
  • Open ports and associated process
  • Dlls loaded into explorer.exe and Internet Explorer
  • System Drivers loaded into the kernel
  • Snapshots of certain registry keys
  • Run time file modifications
  • Scheduled tasks
  • Mutexes
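To make the snapshot-comparison idea concrete, here is an added example (my own illustration, not SysAnalyzer's code) that takes the attribute categories listed above, diffs a base snapshot against a final one so that only persistent changes are reported, and separately shows what such a comparison misses when something appears and disappears between snapshots. All snapshot contents (process names, paths, registry keys, mutex names) are constructed sample data, not captured from a real system, and the function names are my own.

```python
"""Snapshot-diff demonstration (added example, not SysAnalyzer's own code)."""
from typing import Dict, List, Set

# A snapshot maps an attribute category to the set of items observed in it.
# The categories follow the attribute list in the text above.
Snapshot = Dict[str, Set[str]]
Changes = Dict[str, Dict[str, Set[str]]]   # category -> {"added", "removed"}

CATEGORIES = ("processes", "open_ports", "explorer_dlls", "drivers",
              "registry_keys", "files", "scheduled_tasks", "mutexes")


def diff_snapshots(base: Snapshot, later: Snapshot) -> Changes:
    """Per category, report items that appeared or disappeared between the
    base snapshot and a later one. Unchanged categories are omitted so the
    analyst sees only deltas."""
    changes: Changes = {}
    for cat in CATEGORIES:
        before, now = base.get(cat, set()), later.get(cat, set())
        added, removed = now - before, before - now
        if added or removed:
            changes[cat] = {"added": added, "removed": removed}
    return changes


def persistent_changes(base: Snapshot, final: Snapshot) -> Changes:
    """What a pure snapshot comparison shows: only differences that still
    exist when the final snapshot is taken (the noise-reduction property)."""
    return diff_snapshots(base, final)


def transient_changes(base: Snapshot, interval: List[Snapshot],
                      final: Snapshot) -> Dict[str, Set[str]]:
    """Items that showed up in some intermediate snapshot but are gone by the
    final one. A base-vs-final comparison never surfaces these; this is the
    gap the optional live-logging components are meant to cover."""
    missed: Dict[str, Set[str]] = {}
    for cat in CATEGORIES:
        seen_mid: Set[str] = set()
        for snap in interval:
            seen_mid |= snap.get(cat, set()) - base.get(cat, set())
        gone = seen_mid - final.get(cat, set())
        if gone:
            missed[cat] = gone
    return missed


def format_report(changes: Changes) -> List[str]:
    """Render a change set as one line per item, in a stable sorted order."""
    lines: List[str] = []
    for cat in CATEGORIES:
        if cat not in changes:
            continue
        lines += [f"[+] {cat}: {item}" for item in sorted(changes[cat]["added"])]
        lines += [f"[-] {cat}: {item}" for item in sorted(changes[cat]["removed"])]
    return lines


def with_extra(snap: Snapshot, **extra: Set[str]) -> Snapshot:
    """Copy a snapshot and add items to the named categories (test helper)."""
    return {cat: snap.get(cat, set()) | extra.get(cat, set()) for cat in CATEGORIES}


# Constructed sample data: a clean base, one mid-run snapshot, and the final
# state after the sample has exited. None of this comes from a real machine.
BASE: Snapshot = {
    "processes": {"explorer.exe:1234", "svchost.exe:800"},
    "open_ports": {"TCP:135:svchost.exe:800"},
    "explorer_dlls": {"kernel32.dll", "shell32.dll"},
    "drivers": {"ntfs.sys", "tcpip.sys"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    "files": set(),
    "scheduled_tasks": {r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    "mutexes": {r"Global\ExplorerIsShellMutex"},
}
MID: Snapshot = with_extra(
    BASE,
    processes={"sample.exe:4321"},                       # still running mid-run
    files={r"C:\Users\lab\AppData\Local\Temp\stage1.tmp",  # deleted later
           r"C:\ProgramData\updater.exe"},
    registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    mutexes={r"Global\Updater_Mutex_constructed"},
)
FINAL: Snapshot = with_extra(
    BASE,
    processes={"updater.exe:4400"},                      # sample.exe has exited
    open_ports={"TCP:8080:updater.exe:4400"},
    files={r"C:\ProgramData\updater.exe"},
    registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    scheduled_tasks={r"\UpdaterTask"},
    mutexes={r"Global\Updater_Mutex_constructed"},
)

if __name__ == "__main__":
    print("Persistent changes (what the snapshot diff reports):")
    print("\n".join(format_report(persistent_changes(BASE, FINAL))))
    print("\nTransient items a base-vs-final diff would miss:")
    for cat, items in transient_changes(BASE, [MID], FINAL).items():
        print(f"  {cat}: {sorted(items)}")
```

Run as a script, the first report lists only the persistence artifacts that survived to the final snapshot (the new process, listening port, dropped file, Run key, scheduled task and mutex), while the second list shows the original sample process and its temporary staging file, which exist only in the mid-run snapshot. That second list is exactly the kind of evidence the text warns a snapshot-only approach can miss, and why enabling packet capture or the API logger is worthwhile when a standard analysis is not enough.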

Help Videos

