Analysis of the Cryptolocker Ransomware Using Surface Analysis, Runtime Analysis and Static Code Analysis Methods to Support Malware Forensics Investigation
Abstract
One of the new malware families to appear in recent years is ransomware; in the first quarter of 2014 a ransomware variant known as Cryptolocker emerged. CTU researchers assume that Cryptolocker will become the largest and most damaging ransomware on the internet, and up to 2017 Cryptolocker was still releasing new variants. This study analyzes the Cryptolocker malware with three malware-analysis methods, surface analysis, runtime analysis and static code analysis, to support malware forensics. In surface analysis, the malware is tested by scanning it with antivirus, hashing it, and detecting packing/obfuscation, followed by analysis of the Portable Executable (PE) structure and analysis in a malware sandbox. In runtime analysis, the first step is preparing an environment for the malware and then running it; testing is then performed to discover changes to the registry, DNS activity, and network data communication. In static code analysis, testing is done to find the relationship between the linked libraries and the functions used, then a string search is performed to recover the malware's working steps, and the malware is debugged to examine its behavior more deeply. From this research, information was obtained about the characteristics of the malware in attacking a system. Surface analysis showed that the malware protects itself by being packed; runtime analysis showed that the malware modifies the registry, monitors activity on the file system and the running processes and threads, and opens connections to the malware's server; and static code analysis provided information not found by the other methods, namely that the malware is able to hide from surveillance by the computer's security software and disable it, for example by turning off the firewall and antivirus.
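The surface-analysis and string-search steps described in the abstract (hashing, packer detection and Portable Executable inspection, then classifying recovered strings such as registry keys and C2 URLs) can be scripted for triage. The following is an added example, not code from the paper: it parses the PE section table with the standard library only, uses per-section Shannon entropy as a packing heuristic, and runs it over a constructed two-section PE whose strings are placeholders (the `example.invalid` host and the `Run` key are constructed, not indicators from the study).

```python
"""Surface-analysis triage of a PE file: hashes, section entropy (packer
heuristic) and classified strings.  Added example; the sample PE below is
constructed, not a real Cryptolocker binary, and its strings are placeholders."""
import hashlib
import math
import random
import re
import struct
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for cross-referencing antivirus and sandbox reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform random bytes.
    Packed or encrypted sections sit near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(data: bytes) -> list:
    """Minimal PE section-table parser. Returns (name, raw_offset, raw_size)
    per section and raises ValueError if the file is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    sections = []
    for i in range(num_sections):
        entry = table + i * 40                                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, the same thing a `strings` pass recovers."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# String classes an analyst looks for first: persistence keys, C2 URLs, crypto APIs.
INDICATORS = {
    "registry": re.compile(r"(HKLM|HKCU|SOFTWARE|SYSTEM)\\", re.I),
    "url": re.compile(r"https?://", re.I),
    "crypto_api": re.compile(r"^Crypt[A-Z]\w+$"),
}


def triage(data: bytes) -> dict:
    """Surface-analysis report: hashes, per-section entropy, packing verdict, flagged strings."""
    section_report = []
    for name, ptr, size in parse_pe_sections(data):
        ent = shannon_entropy(data[ptr:ptr + size])
        section_report.append({"name": name, "entropy": round(ent, 2)})
    # Heuristic: a section above 7.0 bits/byte, or a UPX-style section name, suggests packing.
    packed = any(s["entropy"] > 7.0 or s["name"].upper().startswith("UPX") for s in section_report)
    flagged = {kind: [] for kind in INDICATORS}
    for s in extract_strings(data):
        for kind, pat in INDICATORS.items():
            if pat.search(s):
                flagged[kind].append(s)
    return {"hashes": file_hashes(data), "sections": section_report,
            "packed": packed, "strings": flagged}


def build_sample() -> bytes:
    """Constructed two-section PE: a plain .text holding readable strings and a
    high-entropy UPX1 section standing in for a packed payload."""
    text = (b"CryptEncrypt\0SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0"
            b"http://c2.example.invalid/gate\0").ljust(512, b"\0")   # placeholder strings
    rng = random.Random(1234)                                        # deterministic "packed" bytes
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    pe_off, opt_size = 0x40, 224
    text_off = 512                                                   # first file-aligned offset after headers
    packed_off = text_off + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)             # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")            # PE32 magic, rest zeroed

    def sec(name, size, vaddr, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, vaddr, size, rptr, 0, 0, 0, 0, 0x60000020)

    table = sec(b".text", len(text), 0x1000, text_off) + sec(b"UPX1", len(packed), 0x2000, packed_off)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(text_off, b"\0")
    return headers + text + packed


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

The entropy threshold is a heuristic, not proof of packing: compressed resources or embedded certificates also score high, so the verdict is a prompt to unpack and re-run the PE and import analysis, not a final classification.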