Sunday, 14 May 2017


Regshot is a dynamic malware analysis tool that lets an analyst take before and after snapshots of the Windows Registry. Typically you take one snapshot of the system immediately before executing a sample and a second one immediately after it has run.

The goal is to identify the changes the malware made to the registry. These changes give an indication of what the malware is capable of, whether additional files were dropped, and what other Indicators of Compromise ("IOCs") it leaves behind.
In some cases the Windows Registry is simply another storage location: several malware families use it for storage, evasion, and hiding in plain sight. Often the paths, keys, and values that such malware writes are dynamically generated, so you cannot search for a fixed name in advance. For this reason, when performing dynamic analysis, a list of the exact registry changes helps you zero in on what the sample did.
Malware may make a large number of changes to a system as it executes. Simply running it in a sandbox without monitoring the affected system components (registry, file system, network) tells you very little.

Regshot ships as separate ANSI and Unicode builds. Both can save a snapshot (a Regshot "hive" file), and the build you run determines how key and value names are encoded in the saved snapshot and in the comparison output. Prefer the Unicode build, since it handles key and value names that contain non-ASCII characters, and compare snapshots taken with the same build.

Regshot has very simple steps:
  1. Take a 1st shot of the system's registry now.
  2. Do something to the system (for example, execute the sample).
  3. Take a 2nd shot of the system's registry.
  4. Once both shots have been taken, the 'Compare' button
       becomes available to compare the 1st and 2nd shot.
The comparison can be saved as either a text or an HTML file. When taking a registry shot, the user is presented with three options: Shot, Shot and Save, or Load.

  * Shot simply takes a shot of the current system's registry.
    The number of keys and values scanned, and the time taken, are shown
    at the bottom of the GUI.

  * Shot and Save takes the same shot of the registry and also saves it to a
    file (ANSI or Unicode encoded, depending on the build).

  * Load lets you load a previously saved Regshot hive into either the 1st
    or the 2nd shot position.

After Compare, Regshot opens the result in a text editor (or a browser, for
HTML output) listing the registry keys and values that were added, deleted,
or modified.
 Loading a Previous Hive

    I didn't want to move on before briefly talking about the feature of loading a previous hive in Regshot. This is a powerful capability that extends Regshot beyond ad-hoc dynamic analysis. For example, if you deploy gold images
within your network, consider taking a shot right before deployment. User gets infected?
Load the baseline as the 1st shot, take a 2nd shot of the infected machine, compare, and find the malware.
Bear in mind that the diff will also contain every legitimate change made since the baseline (Windows updates, software installs, ordinary user activity), so the longer the machine has been in use, the more noise you will have to filter out before the malware's changes stand out.
For development purposes, take a shot and see what installing your application
does to the system. You might be surprised at the footprints you're leaving behind!

When discussing Regshot's ability to take a before and after of the registry, wouldn't it be useful to do the same for a folder? Regshot can. The Scan dir field accepts one or more directory paths, separated by semicolons, and those directories are captured in both shots and included in the comparison, which reports the files and folders that were added, deleted, or modified. If you suspect the sample drops or alters files, put the likely locations (the temp directory, the user's profile, the system directory) under watch and see what changes were made. Keep the list short: scanning a large tree such as the whole of C:\ makes each shot considerably slower.
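To make the before/after comparison concrete, here is an added Python example (not Regshot's own code) that does in a few dozen lines what the steps above describe: it takes a flat snapshot of a registry subtree (via the standard-library winreg module, so that part only runs on Windows) or of a directory (any OS, hashing file contents rather than whatever file attributes Regshot itself compares), then diffs two snapshots into Regshot's categories of keys and values added, deleted, and modified. The two registry snapshots FIRST_SHOT and SECOND_SHOT are constructed sample data, not a real capture; the "Updater" Run entry and the generated key name Qz7f3kL are hypothetical.

```python
"""Before/after snapshot diff in the style of Regshot (added example, not Regshot's code)."""
import hashlib
import os
import shutil
import sys
import tempfile


def snapshot_registry(root_name="HKLM", subkey=r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"):
    """Walk a registry subtree; returns {key_path: {value_name: data}}.
    Windows only (uses winreg); on other platforms returns an empty snapshot."""
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, Windows only
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}

    def walk(hkey, path):
        values, i = {}, 0
        while True:                      # EnumValue raises OSError past the last value
            try:
                name, data, _ = winreg.EnumValue(hkey, i)
            except OSError:
                break
            values[name] = data
            i += 1
        snap[path] = values
        i = 0
        while True:                      # EnumKey raises OSError past the last subkey
            try:
                child = winreg.EnumKey(hkey, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(hkey, child) as h:
                    walk(h, path + "\\" + child)
            except OSError:
                continue                 # access denied on some keys is normal

    with winreg.OpenKey(roots[root_name], subkey) as h:
        walk(h, root_name + "\\" + subkey)
    return snap


def snapshot_dir(top):
    """{relative_dir: {filename: sha256}} for every directory under `top`."""
    snap = {}
    for dirpath, _, filenames in os.walk(top):
        entries = {}
        for fn in filenames:
            try:
                with open(os.path.join(dirpath, fn), "rb") as f:
                    entries[fn] = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                entries[fn] = None       # locked/unreadable: still recorded as present
        snap[os.path.relpath(dirpath, top)] = entries
    return snap


def compare(first, second, sep="\\"):
    """Diff two snapshots into Regshot's categories (keys/values added, deleted, modified)."""
    out = {"keys_added": [], "keys_deleted": [], "values_added": [],
           "values_deleted": [], "values_modified": []}
    for path in sorted(set(first) | set(second)):
        before, after = first.get(path, {}), second.get(path, {})
        if path not in first:
            out["keys_added"].append(path)
        elif path not in second:
            out["keys_deleted"].append(path)
        for name in sorted(set(before) | set(after)):   # values under new/removed keys are listed too
            entry = path + sep + name
            if name not in before:
                out["values_added"].append((entry, after[name]))
            elif name not in after:
                out["values_deleted"].append((entry, before[name]))
            elif before[name] != after[name]:
                out["values_modified"].append((entry, before[name], after[name]))
    return out


def format_report(diff):
    """Render a diff as a Regshot-style text report."""
    lines = []
    for section, items in diff.items():
        lines += ["-" * 34, f"{section.replace('_', ' ').capitalize()}: {len(items)}", "-" * 34]
        lines += [": ".join(str(x) for x in it) if isinstance(it, tuple) else it for it in items]
    lines.append(f"Total changes: {sum(len(v) for v in diff.values())}")
    return "\n".join(lines)


# Constructed sample snapshots (not a real capture): between the two shots a Run-key
# persistence entry appears, a key with a generated name is created, and one value changes.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FIRST_SHOT = {RUN: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
              r"HKCU\Software\Example": {"Version": "1.0"}}
SECOND_SHOT = {RUN: {"SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
                     "Updater": r"C:\Users\Public\updater.exe"},
               r"HKCU\Software\Example": {"Version": "1.1"},
               r"HKCU\Software\Example\Qz7f3kL": {"Blob": b"MZ\x90\x00"}}


def dir_diff_demo():
    """Constructed directory example: modify one file and drop another between two shots."""
    top = tempfile.mkdtemp()
    try:
        with open(os.path.join(top, "config.ini"), "w") as f:
            f.write("a=1\n")
        first = snapshot_dir(top)
        with open(os.path.join(top, "config.ini"), "w") as f:
            f.write("a=2\n")
        os.mkdir(os.path.join(top, "cache"))
        with open(os.path.join(top, "cache", "payload.dll"), "wb") as f:
            f.write(b"MZ")
        return compare(first, snapshot_dir(top), sep=os.sep)
    finally:
        shutil.rmtree(top, ignore_errors=True)


if __name__ == "__main__":
    print(format_report(compare(FIRST_SHOT, SECOND_SHOT)))
    print(format_report(dir_diff_demo()))
```

On a Windows analysis VM, replace FIRST_SHOT and SECOND_SHOT with two calls to snapshot_registry() around the execution of the sample (and widen the subkey, or walk several roots, to cover more than the Run key); the diff logic is the same either way.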
