PRACTICAL MALWARE ANALYSIS: COVERT MALWARE LAUNCHING (LAB 12-03)

Tools Used

  1. IDA Pro

Sample:

  1. Lab12-03.exe SHA256: 9b683d2fda7ca7adcc043e4412271009a0e115ca55f9a718c385a3f46b57ae6b

VirusTotal:

  • Detection Rate: 15/55
  • Analyzed on 2016-03-13
  • Compilation Date: 2011-03-16 05:57:55

Lab 12-3
Analyze the malware extracted during the analysis of Lab 12-2, or use the file
Lab12-03.exe.
Questions
1. What is the purpose of this malicious payload?

The payload calls SetWindowsHookExA with WH_KEYBOARD_LL (idHook = 13) as the hook type, which indicates that it is a keylogger: it installs a low-level keyboard hook so that every keystroke on the desktop is delivered to its hook procedure.

Figure 1. SetWindowsHookExA

2. How does the malicious payload inject itself?

It uses hook injection. Keystrokes can be captured by registering either a
high-level hook (WH_KEYBOARD) or a low-level hook (WH_KEYBOARD_LL) with
SetWindowsHookExA. A WH_KEYBOARD procedure must live in a DLL, because Windows
maps that DLL into the process that receives the input and runs the hook there.
A WH_KEYBOARD_LL procedure is different: the keyboard events are posted to the
thread that installed the hook, so the hook procedure runs in the context of
the process that created it and no DLL has to be injected anywhere else (the
installing thread must keep running a message loop, or the hook is never
called). The malware intercepts keystrokes this way and writes them to a log
file, as seen in the figure below.

Figure 2. Log to practicalmalwareanalysis.log
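The argument recovery behind Figure 1 is worth automating when triaging several samples. The script below is an added example, not part of the original write-up and not code from the lab: it scans IDA-style x86 disassembly text, walks back from each call to SetWindowsHookEx to the four stdcall pushes, decodes idHook against the real WH_* constants from winuser.h, and states where the hook procedure will execute. It goes beyond the keyboard case and handles every WH_* type, so a WH_KEYBOARD hook with dwThreadId = 0 is reported as a DLL injected into every GUI process. The listing it runs on is constructed to mimic the shape of the call site; it is not the actual disassembly of Lab12-03.exe, and sub_401000 is a placeholder name.

```python
import re

# Hook-type ids from winuser.h (these are the real Win32 WH_* constants).
WH_NAMES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
NAME_TO_ID = {name: hook_id for hook_id, name in WH_NAMES.items()}
LOW_LEVEL = {13, 14}   # run in the installing thread; no DLL is mapped elsewhere
KEYSTROKE = {2, 13}    # hook types that deliver keyboard input


def parse_imm(tok):
    """Decode an IDA-style immediate ('0Dh' -> 13, '0' -> 0) or a WH_* name.

    Returns None for registers, memory operands and anything else that is
    not a constant, so callers can tell 'unknown' apart from a real value.
    """
    tok = tok.strip()
    if tok in NAME_TO_ID:
        return NAME_TO_ID[tok]
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", tok)
    if m:
        value = int(m.group(1), 16)
    elif re.fullmatch(r"-?\d+", tok):
        value = int(tok)
    else:
        return None
    if value >= 0x80000000:      # 32-bit two's complement: 0FFFFFFFFh -> -1
        value -= 0x100000000
    return value


def classify(idhook_tok, lpfn_tok, hmod_tok, thread_tok):
    """Explain one SetWindowsHookEx call from its four (textual) arguments."""
    hook_id = parse_imm(idhook_tok)
    thread_id = parse_imm(thread_tok)
    if hook_id in LOW_LEVEL:
        runs_in = ("installing process: events are posted to the installing "
                   "thread, which must run a message loop; no DLL is injected")
    elif thread_id == 0:
        runs_in = "every GUI thread on the desktop: hMod DLL mapped into each process"
    else:
        runs_in = "the process owning dwThreadId: hMod DLL mapped into it"
    return {
        "idHook": WH_NAMES.get(hook_id, f"unknown({idhook_tok})"),
        "lpfn": lpfn_tok,
        "hMod": hmod_tok,
        "dwThreadId": thread_tok,
        "keylogger": hook_id in KEYSTROKE,
        "runs_in": runs_in,
    }


def find_hooks(listing):
    """Scan x86 stdcall disassembly text and report each SetWindowsHookEx call.

    Arguments are pushed right to left, so the last four pushes before the
    call are, in push order: dwThreadId, hMod, lpfn, idHook.  Any call clears
    the push window, because the callee consumes its arguments.
    """
    pushes, hits = [], []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop IDA comments
        if not line:
            continue
        parts = line.split(None, 1)
        mnemonic = parts[0].lower()
        operand = parts[1].strip() if len(parts) > 1 else ""
        if mnemonic == "push":
            pushes.append(operand)
        elif mnemonic == "call":
            if "SetWindowsHookEx" in operand and len(pushes) >= 4:
                thread, hmod, lpfn, idhook = pushes[-4:]
                hits.append(classify(idhook, lpfn, hmod, thread))
            pushes.clear()
    return hits


# Constructed listing in the shape of the Figure 1 call site; it is NOT the
# actual disassembly of Lab12-03.exe and sub_401000 is a placeholder name.
SAMPLE_LISTING = """
push    0                   ; lpModuleName = NULL
call    ds:GetModuleHandleA
push    0                   ; dwThreadId = 0
push    eax                 ; hMod
push    offset sub_401000   ; lpfn = hook procedure
push    0Dh                 ; idHook = 13 = WH_KEYBOARD_LL
call    ds:SetWindowsHookExA
"""

if __name__ == "__main__":
    for hit in find_hooks(SAMPLE_LISTING):
        for key, value in hit.items():
            print(f"{key:>10}: {value}")
```

Because any intervening call clears the push window, the GetModuleHandleA call that usually precedes the hook installation does not confuse the argument recovery; the same approach breaks down for fastcall or for compilers that materialise arguments with mov [esp+...], so treat it as a triage aid, not a disassembler.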

3. What filesystem residue does this program create?

As noted in question 2, the malware leaves behind a log file containing the captured keystrokes: practicalmalwareanalysis.log.
