
Malware analysis. Forensic McBlue to the REVscue!


Malware: software created to harm a computer or an entire network.

Goals: infiltrating networks, breaching sensitive data, disrupting operational services etc.

Check for: network connections (external ones, and internal ones that indicate lateral movement, i.e. the technique of extending access from the first host to other hosts or applications), registry key modifications (registry Run keys, for example) and file manipulations.

Static and Dynamic analysis

Static analysis -> done without executing the malware code. Focuses on profiling the binary through its readable information: properties, program flow and strings.

Dynamic analysis -> executes the malware in a safe, isolated environment such as a sandbox, and records what it does.

We’re gonna use two tools: Detect It Easy and CAPA.

Open the sample malware with Detect It Easy to view its architecture and packer (a packer compresses, obfuscates or encrypts the binary, so static tools see little of the real code until it is unpacked).

Open CAPA: it detects capabilities in executable files. Since the sample is UPX-packed, unpack it first using:

upx -d mysterygift 

Now run (after deleting the cached .viv file that capa left next to the sample from the earlier, still-packed run):

capa mysterygift
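To show what the Detect It Easy step is actually reading before you decide to run upx -d, here is an added Python example (not part of the original post, and not operating on the task's binary): it parses the PE headers by hand to report the architecture and section names, applies the UPX section-name heuristic that packer detectors use, and pulls printable strings the way `strings` does. The `build_fake_pe` helper and the two sample headers it produces are constructed for demonstration only; on a real sample you would read the file from disk instead.

```python
"""Static triage of a PE file: architecture, section names, a UPX heuristic
and printable strings.  Added example, not from the original post.

The only input here is a constructed, non-executable PE header built by
build_fake_pe(); it is not the task's mysterygift binary.
"""
import re
import struct

# IMAGE_FILE_HEADER.Machine values (from the PE specification).
MACHINE_NAMES = {
    0x014C: "i386 (32-bit)",
    0x8664: "x86-64 (64-bit)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}


def parse_pe_sections(data: bytes):
    """Return (architecture name, list of section names) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine, NumberOfSections, ...
    machine, num_sections = struct.unpack_from("<HH", data, pe_off + 4)
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    section_table = pe_off + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = section_table + i * 40                           # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]                                # Name[8], NUL padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    arch = MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")
    return arch, names


def looks_upx_packed(section_names) -> bool:
    """UPX names the sections it creates UPX0/UPX1/UPX2.  Cheap and useful,
    but a sample that was repacked or had its sections renamed will not show it."""
    return any(name.upper().startswith("UPX") for name in section_names)


def ascii_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_fake_pe(machine: int, section_names) -> bytes:
    """Construct a minimal PE header (DOS stub, COFF header, zeroed optional
    header, section table) for demonstration only; it cannot be executed."""
    pe_off = 0x80
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    opt_size = 0xE0                                            # PE32 optional header size
    coff = b"PE\0\0" + struct.pack(
        "<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + coff + optional + sections


if __name__ == "__main__":
    for label, blob in (("packed", build_fake_pe(0x014C, ["UPX0", "UPX1", ".rsrc"])),
                        ("clean", build_fake_pe(0x8664, [".text", ".rdata", ".data"]))):
        arch, names = parse_pe_sections(blob)
        print(f"{label}: {arch}, sections={names}, upx={looks_upx_packed(names)}")
        print("  strings:", ascii_strings(blob))
```

The section-name check is only a heuristic, which is why Detect It Easy also matches entry-point byte signatures; if it reports UPX but `upx -d` refuses the file, the sample was probably modified after packing and needs manual unpacking.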

What is the registry key abused by the malware?

This requires dynamic analysis:

Analyzing the behavior of the .exe with ProcMon (Process Monitor): the tool shows real-time registry, file system and process/thread activity.

Start ProcMon, and set filter to “Process Name is mysterygift.exe”.

You can see a lot here.
Exclude the entries given in the task to get fewer operations.

You may observe that only one registry key has both a RegCreateKey and a RegSetValue operation. This key is related to a persistence technique called Registry Run Key modification (MITRE ATT&CK T1547.001) and is commonly used by malware developers to make a backdoor start again at every logon.

What is the registry key abused by the malware? and
What is the value written on the registry key based on the previous question?

Ans-> right-click the operation and open Properties to see the full key path and the value data that was written.

File modification:

Again, exclude the noise and inspect the remaining file operations.

The two files written by the malware: test.jpg and wishes.bat

Network connections :

The malware initiated requests to these domains
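The three checks above (a key with both RegCreateKey and RegSetValue, the files written, and the remote endpoints) can also be run over a ProcMon CSV export instead of scrolled through in the GUI. This is an added Python example, not part of the original post; the log lines in SAMPLE_CSV are constructed to resemble ProcMon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and are not the real output from the task, and the value name and data in the Run key are made up. The one detail worth knowing is that for RegSetValue the Path column includes the value name, so the key has to be recovered by stripping the last path component before it can be matched against the RegCreateKey row.

```python
"""Triage a ProcMon CSV export for the three things the post checks:
a registry key that gets both RegCreateKey and RegSetValue (Run-key
persistence), files the sample writes, and remote network endpoints.

Added example, not from the original post.  SAMPLE_CSV is constructed to
look like ProcMon's default export columns and is not the task's real log.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real ProcMon output from the task).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","mysterygift.exe","1234","RegOpenKey","HKCU\\Software\\Classes","SUCCESS","Desired Access: Read"
"10:00:01.0002","mysterygift.exe","1234","RegCreateKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Write"
"10:00:01.0003","mysterygift.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\analyst\\payload.exe"
"10:00:01.0004","mysterygift.exe","1234","CreateFile","C:\\Users\\analyst\\test.jpg","SUCCESS","Desired Access: Generic Write"
"10:00:01.0005","mysterygift.exe","1234","WriteFile","C:\\Users\\analyst\\test.jpg","SUCCESS","Offset: 0, Length: 1024"
"10:00:01.0006","mysterygift.exe","1234","CreateFile","C:\\Users\\analyst\\wishes.bat","SUCCESS","Desired Access: Generic Write"
"10:00:01.0007","mysterygift.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:00:01.0008","mysterygift.exe","1234","TCP Connect","DESKTOP-1:49712 -> example.invalid:443","SUCCESS","Length: 0"
"10:00:01.0009","explorer.exe","800","RegSetValue","HKCU\\Software\\Other\\Value","SUCCESS","Type: REG_DWORD"
"""

PERSISTENCE_OPS = {"RegCreateKey", "RegSetValue"}
RUN_KEY_MARKERS = ("\\currentversion\\run",)   # matches Run, RunOnce and RunServices keys


def parse_procmon_csv(text: str):
    """Rows of the export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_process(events, process_name: str):
    """Same effect as the ProcMon filter 'Process Name is <name>'."""
    return [e for e in events if e["Process Name"].lower() == process_name.lower()]


def registry_key(event) -> str:
    """RegSetValue rows carry 'key\\valuename' in Path; strip the value name so
    the row compares equal to the RegCreateKey row for the same key."""
    path = event["Path"]
    return path.rsplit("\\", 1)[0] if event["Operation"] == "RegSetValue" else path


def keys_created_and_set(events):
    """Registry keys that received both RegCreateKey and RegSetValue."""
    ops_by_key = defaultdict(set)
    for e in events:
        if e["Operation"] in PERSISTENCE_OPS:
            ops_by_key[registry_key(e)].add(e["Operation"])
    return sorted(k for k, ops in ops_by_key.items() if ops == PERSISTENCE_OPS)


def is_run_key(key: str) -> bool:
    """True for the autostart keys under ...\\CurrentVersion\\Run*."""
    return any(marker in key.lower() for marker in RUN_KEY_MARKERS)


def written_files(events):
    """Paths opened for write or actually written, in first-seen order."""
    seen = []
    for e in events:
        op, detail = e["Operation"], e["Detail"]
        if op == "WriteFile" or (op == "CreateFile" and "Write" in detail):
            if e["Path"] not in seen:
                seen.append(e["Path"])
    return seen


def network_endpoints(events):
    """Remote side of every TCP/UDP event (Path is 'local -> remote')."""
    remotes = []
    for e in events:
        if e["Operation"].startswith(("TCP ", "UDP ")):
            remote = e["Path"].split("->")[-1].strip()
            if remote not in remotes:
                remotes.append(remote)
    return remotes


def triage(text: str, process_name: str):
    """Everything the post looks for, for one process, in one dict."""
    events = filter_process(parse_procmon_csv(text), process_name)
    keys = keys_created_and_set(events)
    return {
        "persistence_keys": [(k, is_run_key(k)) for k in keys],
        "written_files": written_files(events),
        "network": network_endpoints(events),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_CSV, "mysterygift.exe").items():
        print(f"{name}: {value}")
```

Export the real capture with File > Save as CSV (after applying the process filter, so the file stays small) and pass its contents to `triage`; the value data of the Run key still has to be read from the RegSetValue row's Detail column, which is what the Properties dialog shows.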

That’s it for this task, enough of images today. See you guys in the later part. Till then keep hackin!
