updating all

dynamic.md

@@ -7,4 +7,23 @@ title: Dynamic Analysis
 
 # Section 6: Dynamic Analysis #
 
+## LAB 3
+Dynamic analysis is a deeper analysis of the program to understand hidden functionality not understood statically. The static analysis will serve as a guide for stepping through the program in a debugger.
+
+Open the unpacked malware into the **x64dbg** debugger and **IDAfree**.
+
+### Rebasing the disassembler
+
+Typically programs start at **004010000** but your debugger might start the program at a different address. You will need to rebase the program's address in the disassembler. In x64dbg, scroll up to find the very first address, this is the address that you will need to rebase. Edit->Segements->Rebase Program.
+![alt text](https://securedorg.github.io/images/dyn2.png "Victim and Sniffer")
+
+### Finding the starting point
+
+You will need to sync the debugger and disassembler addresses so you can follow along in both. Let's start with the function offset **xxxx1530**.
+* In IDA, open the functions tab and look for function xxxx1530. Where xxxx should match your rebase address ( If rebase is 01901000, then 01901530 ).
+* In x64dbg, CTRL+G to jump to a specific address xxxx1530.
+
+![alt text](https://securedorg.github.io/images/dyn3.png "IDAmain")
+![alt text](https://securedorg.github.io/images/dyn4.png "x64dbg Jump")
+
 [Section 5 <- Back](https://securedorg.github.io/RE101/section5)

static.md

@@ -23,7 +23,7 @@ When you open the executable in IDA, you will notice large section of non-disass
 
 ![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")
 
-Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
+Because UPX is a common packer, there are many tools that offer unpacking for UPX. Open the executable in PE Explorer which will unpack the binary automatically. Save the file with a name to identify it as unpacked.
 
 ![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")
 

triage.md

@@ -83,6 +83,18 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
 ![alt text](https://securedorg.github.io/images/triage3.png "Imports")
 5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash
 6. Open the file in **BinText** and record any interesting strings
+7. Quick Detonation
+The point of the quick detonation is to capture the filesystem, registry, and connection activity. The VMs are set up in such a way that the Victim VM's internet traffic is captured by the Sniffer VM.
+![alt text](https://securedorg.github.io/images/triageVMs.gif "Victim and Sniffer")
 
+On the **Sniffer VM** open the terminal and run `sudo wireshark` to get Wireshark sniffing the traffic from the Victim VM. Be sure InetSim is still running, see the fundamentals Section 1 on how to start up InetSim.
+
+On the **Victim VM** open the SysInternals **procmon.exe** and **procexp.exe** so that we can monitor filesystem and process events.
+![alt text](https://securedorg.github.io/images/triageVMs2.gif "Victim and Sniffer")
+
+Go ahead and detonate the the malware.
+
+On the **Sniffer VM** look for an HTTP request. Right click and Follow->TCP Stream. I will display the HTTP get request that was sent by the malware.
+![alt text](https://securedorg.github.io/images/triageVMs3.gif "Victim and Sniffer")
 
 [Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)