- Proc Mon
- Process Explorer
- Lab03-03.exe SHA256: ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce
- Detection Rate: 42/54
- Analyzed on 31 Jan 2016
Compilation Date: 2011-04-08 17:54:23
- View report here
Execute the malware found in the file Lab03-03.exe while monitoring it using basic dynamic analysis tools in a safe environment.
1. What do you notice when monitoring this malware with Process Explorer?
Lab03-03.exe spawn a new child svchost.exe. Then it exit leaving svchost with no parent.
2. Can you identify any live memory modifications?
In svchost image vs memory we can see that the strings are very different from each other in which it shouldn’t be the case. In the memory we can see SetWindowsHookExA which highly suggest that the exe is probably doing keylogging. The malware is probably using a technique called process replacement to replace the then suspended svchost and once replaced with malicious code it then resume the thread.
We can also see familiar strings from Lab03-03.exe inside svchost which further reinforced that the current svchost might actually be Lab03-03.exe itself.
3. What are the malware’s host-based indicators?
Using proc mon, we set the filer to process name contains “svchost” and parent pid != 672 (services.exe). This will filter out the legitimate svchost from proc mon.
practicalmalwareanalysis.log is created in the same folder where the malware is residing. Inside the log file are all the keystrokes that the victim has entered.
4. What is the purpose of this program?
So far we can conclude that the program hide itself as a svchost in the system to avoid detection by the victim. It then log all keystrokes by the victim. Typically these types of malware would sent out the keystrokes to the server… we would need to go through the static code to see what are the other capabilities of this malware.
No registry changes of interest detected via regmon.