Persecure : my learning archive

,

Practical Malware Analysis : Lab 3-1

Tools used:

  • PEview
  • Procmon
  • Process explorer
  • Malcode Analyst Pack

Questions

1. What are this malware’s imports and strings?

The malware seems to be obfuscated.

Only kernel32.dll and ExitProcess function is imported

Check the strings

2. What are the malware’s host-based indicators?

Start up Process Explorer , ProcMon , ApateDNS and execute the malware.

We can see that the malware is running.

Observe the lower pane view in handles and a mutant is found

Observe the dll and we can see the following additional dlls.

Head to Procmon and filter out the malware with additional filters operations for WriteFile and Regsetvalue.

The malware writes a mutual file call vm32to64.exe which has the same bytes as the malware.

A registry is set to run the malware file

The malware is trying to connect to the webserver and sends the following data.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Comments (

0

)

%d bloggers like this: