PRACTICAL MALWARE ANALYSIS: BASIC DYNAMIC TECHNIQUES (LAB 3-03)

Tools Used:

  1. Regshot
  2. Process Monitor (Procmon)
  3. INetSim
  4. Wireshark
  5. Process Explorer

Sample:

  1. Lab03-03.exe SHA256: ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce

VirusTotal:

  • Detection Rate: 42/54
  • Analyzed on 31 Jan 2016
  • Compilation Date: 2011-04-08 17:54:23

Lab 3-3

Execute the malware found in the file Lab03-03.exe while monitoring it using basic dynamic analysis tools in a safe environment.

Questions

1. What do you notice when monitoring this malware with Process Explorer?

Lab03-03.exe spawns a child svchost.exe and then exits, leaving that svchost.exe running with no parent process. A legitimate svchost.exe is always started by services.exe, so an orphaned instance is immediately suspicious.

Figure: Process Explorer showing svchost.exe with no parent

2. Can you identify any live memory modifications?

Comparing the svchost.exe strings in Process Explorer (Image vs. Memory) shows that the two sets are very different, which should not be the case for an unmodified process. The in-memory strings include SetWindowsHookExA, which strongly suggests the executable is hooking keyboard input, i.e. keylogging. The malware is most likely using a technique called process replacement (also known as process hollowing): it starts svchost.exe in a suspended state, overwrites its memory with malicious code, and then resumes the main thread.

We can also see strings familiar from Lab03-03.exe inside svchost.exe, which further reinforces that the running svchost.exe is really Lab03-03.exe's code.
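The "Image vs. Memory" strings comparison above can be automated. The following is an added example (not code from the original write-up or from the book): it extracts ASCII and UTF-16LE strings from two byte buffers, takes the set difference, and flags Windows API names that exist only in memory. The two buffers are constructed stand-ins for the on-disk svchost.exe and a memory dump of the replaced process; the SUSPICIOUS_APIS list is an assumption chosen for this lab, not an exhaustive rule.

```python
import re

# Windows API names whose presence only in memory (never in the on-disk image) points at
# injected or replaced code. This list is an assumption for the example; the lab itself
# only calls out SetWindowsHookExA.
SUSPICIOUS_APIS = {
    "SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState",
    "WriteProcessMemory", "ResumeThread", "CreateRemoteThread",
}


def extract_strings(buf: bytes, min_len: int = 5) -> set[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len characters (like the strings tool)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(buf)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(buf)}
    return found


def memory_only_strings(image: bytes, memory: bytes, min_len: int = 5) -> set[str]:
    """Strings present in the process memory dump but absent from the image on disk."""
    return extract_strings(memory, min_len) - extract_strings(image, min_len)


def flag_replacement(image: bytes, memory: bytes) -> dict:
    """Summarise the Image-vs-Memory diff and whether it looks like process replacement."""
    only_mem = memory_only_strings(image, memory)
    hits = only_mem & SUSPICIOUS_APIS
    return {
        "memory_only": sorted(only_mem),
        "suspicious_apis": sorted(hits),
        "likely_replaced": bool(hits),
    }


# Constructed stand-ins (not real dumps): a minimal "on-disk" svchost.exe and the memory of
# the same process after it has been hollowed out. A real check would read the file from disk
# and dump the live process with Process Explorer or a debugger.
ON_DISK_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"svchost.exe\x00ServiceMain\x00ADVAPI32.dll\x00StartServiceCtrlDispatcherW\x00"
)
IN_MEMORY_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"svchost.exe\x00USER32.dll\x00SetWindowsHookExA\x00GetAsyncKeyState\x00"
    + b"practicalmalwareanalysis.log\x00[ENTER]\x00"
)

if __name__ == "__main__":
    report = flag_replacement(ON_DISK_IMAGE, IN_MEMORY_IMAGE)
    print("strings only in memory:", report["memory_only"])
    print("suspicious APIs:", report["suspicious_apis"])
    print("process replacement likely:", report["likely_replaced"])
```

Strings shared by both buffers (such as svchost.exe) drop out of the diff, so what remains is exactly the material the replaced process brought with it; a short list of memory-only strings containing hooking or injection APIs is the signal to look for.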

3. What are the malware’s host-based indicators?

Using Procmon, we set the filter to Process Name contains "svchost" and Parent PID is not 672 (the PID of services.exe on this VM). This filters out the legitimate svchost.exe instances, which are all children of services.exe, and leaves only the one spawned by the malware.

Figure: Procmon output showing practicalmalwareanalysis.log

practicalmalwareanalysis.log is created in the same folder as the malware. The log file contains every keystroke the victim has typed.
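The two checks from questions 1 and 3 (an svchost.exe whose parent is not services.exe, and the Procmon filter on that process's file activity) can be expressed as a small script. This is an added example, not code from the original write-up: it runs over a constructed Process Explorer-style snapshot and a constructed Procmon CSV export with the optional "Parent PID" column enabled. The PIDs, paths and timestamps are made up for the example; only services.exe = 672 comes from the write-up.

```python
import csv
import io

SERVICES_EXE = "services.exe"

# Constructed Process Explorer-style snapshot (pid, ppid, name) taken after Lab03-03.exe has
# exited. PIDs other than 672 are invented for the example.
PROCESS_SNAPSHOT = [
    (4, 0, "System"),
    (576, 4, "wininit.exe"),
    (672, 576, "services.exe"),
    (1004, 672, "svchost.exe"),      # legitimate: started by services.exe
    (1316, 1280, "explorer.exe"),
    (1912, 1880, "svchost.exe"),     # parent 1880 (Lab03-03.exe) is no longer running
]


def suspicious_svchost(snapshot, services_name=SERVICES_EXE):
    """svchost.exe entries whose parent is not services.exe, each with the reason."""
    names = {pid: name for pid, _, name in snapshot}
    services_pids = {pid for pid, _, name in snapshot if name.lower() == services_name}
    findings = []
    for pid, ppid, name in snapshot:
        if name.lower() != "svchost.exe" or ppid in services_pids:
            continue
        reason = "parent exited (orphan)" if ppid not in names else "parent is " + names[ppid]
        findings.append((pid, ppid, reason))
    return findings


# Constructed Procmon CSV export (File > Save as CSV with the "Parent PID" column added).
# These lines are made up to mirror the lab; they are not a capture from the VM.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Parent PID","Operation","Path","Result"
"10:01:02.001","svchost.exe","1004","672","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services","SUCCESS"
"10:01:02.105","Lab03-03.exe","1880","1316","Process Create","C:\Windows\System32\svchost.exe","SUCCESS"
"10:01:02.110","svchost.exe","1912","1880","Load Image","C:\Windows\System32\user32.dll","SUCCESS"
"10:01:03.220","svchost.exe","1912","1880","CreateFile","C:\Lab\practicalmalwareanalysis.log","SUCCESS"
"10:01:05.330","svchost.exe","1912","1880","WriteFile","C:\Lab\practicalmalwareanalysis.log","SUCCESS"
"10:01:05.400","svchost.exe","1004","672","WriteFile","C:\Windows\Logs\example.log","SUCCESS"
'''


def load_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rogue_svchost(events, services_pid):
    """The Procmon filter from the write-up: Process Name contains 'svchost' AND Parent PID != services.exe."""
    return [e for e in events
            if "svchost" in e["Process Name"].lower() and int(e["Parent PID"]) != services_pid]


def files_written(events):
    """Paths touched by file create/write operations: the host-based indicators to record."""
    write_ops = {"CreateFile", "WriteFile"}
    return sorted({e["Path"] for e in events if e["Operation"] in write_ops})


if __name__ == "__main__":
    for pid, ppid, why in suspicious_svchost(PROCESS_SNAPSHOT):
        print(f"suspicious svchost.exe pid={pid} ppid={ppid}: {why}")
    rogue = filter_rogue_svchost(load_procmon_csv(PROCMON_CSV), services_pid=672)
    for path in files_written(rogue):
        print("host-based indicator:", path)
```

The lineage check resolves the parent by name rather than hard-coding 672, so it also works on a different VM; the Procmon filter keeps the numeric PID because that is how the filter is entered in the tool. Both reduce the full event stream to the one process that should not exist and the one file it writes.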

4. What is the purpose of this program?

So far we can conclude that the program disguises itself as svchost.exe to avoid detection by the victim and then logs all of the victim's keystrokes. Typically this kind of malware would send the captured keystrokes to a server; we would need to go through the code statically (disassembly) to see what other capabilities this malware has.

No registry changes of interest were detected with Regshot.
