Malware Assignment 126

The document provides steps to analyze a malware sample through dynamic analysis. It describes running tools like ProcMon, ProcessExplorer and FakeNet to monitor the malware's behavior and network activity. Comparing before and after system snapshots with RegShot reveals changes like new processes, registry keys and files added or modified by the malware.

Malware Assignment

Malware Dynamic Analysis


Ananya Jain (RA2111030010126), T1 - Cyber Security
Anamika Pandit (RA2111030010098), T1 - Cyber Security

Malware 1

Step 1:- Start the analysis virtual machine in VMware. Keep it isolated from the host and from the real network before the sample is touched.

Step 2:- The sample is a file with a .dat extension. Open it in CFF Explorer.

In the file header view you can see that the file is not really a .dat file: it begins with the DOS (MZ) and PE headers of a Windows executable (.exe). So the sample is an executable that is only disguised by its extension, and we treat it as the malware.
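The same header check that CFF Explorer shows at this step can be done from a script, which is useful when a whole directory of renamed samples has to be triaged. This is an added example, not part of the assignment; the 90-byte header it builds is constructed here because the sample's bytes are not on this page.

```python
import struct
import sys

# COFF "Machine" values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def inspect_pe(data: bytes) -> dict:
    """Read the DOS and PE headers the way CFF Explorer's header view does.

    Returns {"is_pe": False, "reason": ...} for anything that is not a PE
    image, otherwise the fields an analyst wants before running the sample.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ signature at offset 0"}
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "MZ header but no PE signature"}
    # The 20-byte COFF file header follows the signature.
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # First WORD of the optional header: 0x10B = PE32, 0x20B = PE32+.
    magic = None
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "is_pe": True,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "link_timestamp": timestamp,
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def extension_lies(filename: str, data: bytes) -> bool:
    """True when the name does not claim to be a PE file but the bytes are one."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in ("exe", "dll", "sys", "scr", "cpl", "ocx") and inspect_pe(data)["is_pe"]


def build_sample() -> bytes:
    """Constructed minimal PE32 header (not the assignment's sample): an MZ
    stub, e_lfanew -> 0x40, and a COFF header for a 3-section x86 executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5A0B1C2D, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x10B)


if __name__ == "__main__":
    # usage: python pecheck.py sample.dat   (no argument: the constructed header)
    if len(sys.argv) > 1:
        name, blob = sys.argv[1], open(sys.argv[1], "rb").read()
    else:
        name, blob = "sample.dat", build_sample()
    print(name, inspect_pe(blob))
    print("extension disguises a PE image:", extension_lies(name, blob))
```

A header that passes this check is still not proof that the file is runnable (sections and imports may be corrupt), but a .dat, .jpg or .txt whose first bytes are MZ/PE is exactly the disguise this assignment's sample uses, so it is the first thing to test on an unknown file.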

Step 3:- Now run ProcMon (Process Monitor) to log the process, file, registry and network events on the system.

Disable event capture by clicking the magnifying glass, then clear the existing events, so that the log is empty. Turn capture back on right before the sample is executed; otherwise nothing the malware does will be recorded.

Step 4:- Run Process Explorer.

It shows the tree of running processes with their handles and loaded DLLs, so any process the sample creates appears as a child under it and can be inspected.

Step 5:- Run FakeNet.

FakeNet is a tool that aids in the dynamic analysis of malicious software. It simulates a network (DNS and common services such as HTTP) so that malware which wants to talk to a remote host keeps running, and the analyst can observe the malware's network activity from within a safe environment. The VM must have no real network path, so that FakeNet, not the internet, answers the sample's requests.

Step 6:- Take the 1st shot in RegShot (the baseline of the registry and file system before the sample runs).


Step 7:- Rename the sample to Filename.exe.

Now Explorer shows the executable's real icon and its file properties, which tell us what the file pretends to be.

Step 8:- Execute the file and wait a few minutes so that the malware's behaviour has time to show up.

Step 9:- Take the 2nd shot in RegShot.

Step 10:- Press the Compare button to compare the two shots.

RegShot writes the comparison to a text file (~res.txt), which lists every key, value, file and folder that was added, deleted or modified between the two shots.


~res.txt :-

Regshot 1.8.2
Comments:
Datetime:2024/4/16 11:04:08, 2024/4/16 11:17:11
Computer:SIVA, SIVA
Username:,

----------------------------------
Keys added:1
----------------------------------
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Exchange
----------------------------------
Values deleted:1
----------------------------------
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x00000091
----------------------------------
Values added:28
----------------------------------
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 6E 65 74 6D 65 65 74 69 6E 67 5C 4F 4C 44 31 34 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 77 69 6E 64 6F 77 73 20 6E 74 5C 4F 4C 44 31 36 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 70 63 68 65 61 6C 74 68 5C 68 65 6C 70 63 74 72 5C 62 69 6E 61 72 69 65 73 5C 4F 4C 44 31 38 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 69 6E 74 65 72 6E 65 74 20 65 78 70 6C 6F 72 65 72 5C 4F 4C 44 31 41 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 6E 65 74 6D 65 65 74 69 6E 67 5C 4F 4C 44 31 34 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 77 69 6E 64 6F 77 73 20 6E 74 5C 4F 4C 44 31 36 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 70 63 68 65 61 6C 74 68 5C 68 65 6C 70 63 74 72 5C 62 69 6E 61 72 69 65 73 5C 4F 4C 44 31 38 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 69 6E 74 65 72 6E 65 74 20 65 78 70 6C 6F 72 65 72 5C 4F 4C 44 31 41 2E 74 6D 70 00 00 00
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Fvin\Qrfxgbc\Qrzb Fnzcyrf\Frg
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\ScrollPos1437x757(1).x: 0x00000000
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\ScrollPos1437x757(1).y: 0x00000000
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\Sort: 0x00000000
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\SortDir: 0x00000001
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 04 00 20 00 10 00 28 00 3C 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 B4 00 60 00 78 00 78 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Siva\Desktop\Demo Samples\Set 1\1\00a78b0e4bac5345c7a59caaa7a7ed4a.exe: "GoRC Resource Compiler"
----------------------------------
Values modified:11
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: E1 65 56 5B 6D A5 6E 36 F7 4F EF A5 4D B3 14 BD 62 60 38 AC 1A A4 85 C0 4D 46 15 C5 C7 29 AF 49 A3 5A 22 88 51 BB D2 D5 DD C1 9C 11 AC 2E 7F F9 6F 59 E1 25 C5 A9 8A 5C D2 0F 76 8B 11 40 35 97 8E 90 DC E2 FB 93 68 97 FA 4A C3 F9 10 25 D5 F0
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 2F 7A 2C E1 F2 84 CC A2 FA 0F A6 B9 02 B2 98 15 A1 AB 24 F6 F3 81 15 6E 24 70 FA 06 56 2C 67 F0 A7 07 66 96 C8 13 8D 0F A7 E5 C7 5A E4 74 C7 10 22 B9 68 8E B8 E7 81 C5 6C 50 1C EA 9D 1C 25 FB B5 ED 97 C5 34 20 92 5E 52 F7 73 D3 0D 77 3F 9D
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden:
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\71\Shell\MinPos1437x757(1).y: 0xFFFF8300
HKU\S-1-5-21-1202660629-926492609-839522115-1005\Software\Microsoft\Windows\ShellNoRoam\Bags\71\Shell\MinPos1437x757(1).y: 0xFFFFFFFF
----------------------------------
Files added:27
----------------------------------
.exe
E:\RECYCLER\WinrRarSerialInstall.exe
E:\autorun.inf
E:\zPharaoh.exe
----------------------------------
Files deleted:2
----------------------------------
C:\Documents and Settings\Siva\Desktop\Demo Samples\Set 1\1\00a78b0e4bac5345c7a59caaa7a7ed4a.dat
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\temp.edb
----------------------------------
Files [attributes?] modified:58
----------------------------------
C:\WINDOWS\system32\wbem\Logs\wmiprov.log
C:\WINDOWS\WindowsUpdate.log
----------------------------------
Folders added:5
----------------------------------
C:\Documents and Settings\Siva\Application Data\tazebama
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\pchealth
C:\WINDOWS\LastGood\pchealth\helpctr
C:\WINDOWS\LastGood\pchealth\helpctr\binaries
----------------------------------
Total changes:133
----------------------------------
Step 11:- Finally, observe the malware's behaviour in ProcMon, Process Explorer and FakeNet.

Conclusion:- For the first sample (Malware 1) we see that it is an executable file which tries to connect out on port 80 to the attacker's system (captured by FakeNet). In Process Explorer there is an executable named tazabama.d/_ that is started when Malware 1 is executed, and the changes it makes (the files and autorun.inf dropped on E:\, the tazebama folder under Application Data, and the registry changes) can be seen in the ~res.txt file.
