Practical Malware Analysis : Lab 3-1


Tools used:

  • PEview
  • Procmon
  • Process Explorer
  • Malcode Analyst Pack

Questions


1. What are this malware’s imports and strings?

The malware seems to be obfuscated.

Only kernel32.dll is imported, and the only function imported from it is ExitProcess.

Check the strings
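As an added illustration (not code from the original write-up), the Python script below is a small strings extractor that scans a byte buffer for both ASCII and UTF-16LE runs, since an ASCII-only pass misses the "wide" strings Windows binaries often carry for paths and registry names. The sample bytes are constructed here and are not the lab binary; the names kernel32.dll, ExitProcess and vm32to64.exe are the ones this page mentions.

```python
import re
import sys


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, scanning for plain ASCII and for UTF-16LE
    (one printable byte followed by a NUL byte per character).
    Results are sorted by file offset."""
    printable = rb"[\x20-\x7e\t]"
    ascii_run = re.compile(printable + rb"{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:" + printable + rb"\x00){%d,}" % min_len)

    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda item: item[0])
    return found


# Constructed sample standing in for a file read from disk; not the lab binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                      # DOS header fragment
    + b"kernel32.dll\x00ExitProcess\x00"               # ASCII import names
    + b"\x8b\xff\x55\x8b\xec"                          # x86 bytes, not text
    + "vm32to64.exe".encode("utf-16le") + b"\x00\x00"  # wide (UTF-16LE) string
    + b"ab\x00"                                        # too short to report
)


def main(path=None):
    """Dump strings from the file at `path`, or from SAMPLE when no path is given."""
    data = open(path, "rb").read() if path else SAMPLE
    for offset, enc, text in extract_strings(data):
        print(f"{offset:#010x} {enc:8} {text}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a file path to scan a real sample; with no arguments it scans the constructed buffer and reports the two ASCII import names and the wide vm32to64.exe string, which a pure ASCII scan would not list.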


2. What are the malware’s host-based indicators?

Start up Process Explorer, ProcMon and ApateDNS, then execute the malware.

We can see that the malware is running.

In Process Explorer, look at the lower pane view under Handles: a mutant (mutex) is found.

Switch the lower pane to the DLL view and the following additional DLLs can be seen.

Head to Procmon, filter on the malware process, and add filters for the WriteFile and RegSetValue operations.

The malware writes a file called vm32to64.exe which has the same bytes as the malware.

A registry value is set to run the malware file.

The malware tries to connect to a web server and sends the following data.
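To turn the Procmon observations above into a reproducible list of indicators, here is an added Python example (not part of the original post) that reads a Procmon CSV export (File > Save as CSV, assuming the default column set) and pulls out, for one chosen process, the files it wrote, any values it set under the Run keys, and the remote endpoints it contacted. The CSV rows are constructed for the example: sample.exe, the value name PLACEHOLDER_VALUE and example.invalid are placeholders, and only the file name vm32to64.exe comes from this page.

```python
import csv
import io

# Registry key suffixes that mean "start me at logon" (standard Windows Run keys).
RUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")

# Constructed Procmon CSV export, not a capture of the lab sample.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1000000 PM","sample.exe","1234","CreateFile","C:\Windows\System32\vm32to64.exe","SUCCESS","Desired Access: Generic Write"
"1:02:03.1010000 PM","sample.exe","1234","WriteFile","C:\Windows\System32\vm32to64.exe","SUCCESS","Offset: 0, Length: 7,168"
"1:02:03.1020000 PM","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PLACEHOLDER_VALUE","SUCCESS","Type: REG_SZ, Data: C:\Windows\System32\vm32to64.exe"
"1:02:03.2000000 PM","sample.exe","1234","TCP Connect","analyst-vm:49152 -> example.invalid:443","SUCCESS","Length: 0"
"1:02:03.3000000 PM","sample.exe","1234","TCP Send","analyst-vm:49152 -> example.invalid:443","SUCCESS","Length: 256"
"1:02:03.4000000 PM","explorer.exe","900","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ"
"1:02:03.5000000 PM","sample.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
'''


def parse_procmon_csv(text: str):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def host_indicators(events, process_name: str):
    """Return deduplicated (category, value) indicators produced by process_name:
    files written, Run-key persistence, other registry sets, network endpoints."""
    indicators, seen = [], set()
    for ev in events:
        if ev["Process Name"].lower() != process_name.lower():
            continue
        if ev["Result"] != "SUCCESS":  # failed attempts are noise for IoCs
            continue
        op, path = ev["Operation"], ev["Path"]
        if op == "WriteFile":
            item = ("file_written", path)
        elif op == "RegSetValue":
            parent = path.rsplit("\\", 1)[0]  # key that holds the value
            if any(parent.lower().endswith(k.lower()) for k in RUN_KEYS):
                item = ("persistence_run_key", path)
            else:
                item = ("registry_set", path)
        elif op in NETWORK_OPS:
            item = ("network_endpoint", path.split(" -> ")[-1])
        else:
            continue
        if item not in seen:
            seen.add(item)
            indicators.append(item)
    return indicators


if __name__ == "__main__":
    for category, value in host_indicators(parse_procmon_csv(SAMPLE_CSV), "sample.exe"):
        print(f"{category:20} {value}")
```

Filtering on Result == SUCCESS and on the process name mirrors the Procmon filters used above; the Run-key check is what separates plain registry noise from the persistence entry, and the endpoint column gives the network indicator to hand to DNS or proxy logs.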
