Malware: software created to harm a computer or an entire network.
Goals: infiltrating networks, breaching sensitive data, disrupting operational services, etc.
Check for: network connections (external and internal; lateral movement is essentially a technique used to extend access to other hosts or applications), registry key modifications (registry run keys, for example) and file manipulations.
Static analysis -> done without executing the malware code. Focuses on profiling the binary with its readable info, properties, program flow and strings.
Dynamic analysis -> executes the malware in a safe environment such as a sandbox.
We're gonna use two tools: Detect It Easy and CAPA.
Open the sample malware with Detect It Easy to view the architecture and the packer (a packer compresses, obfuscates or encrypts the binary).
Open CAPA: it detects capabilities in executable files. The sample is UPX-packed, so unpack it first using:
upx -d mysterygift
Now run (after deleting the cached .viv file):
capa mysterygift
What is the registry key abused by the malware?
This requires dynamic analysis:
Analyzing the behavior of the .exe with ProcMon (Process Monitor): this tool shows real-time registry, file system and process/thread activity.
Start ProcMon and set a filter to "Process Name is mysterygift.exe".
You may observe that only one registry key has both RegCreateKey and RegSetValue operations. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.
What is the registry key abused by the malware? and
What is the value written on the registry key based on the previous question?
Ans-> right click on the operation and check Properties to find the paths.
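The same "which key got both RegCreateKey and RegSetValue" check can be done on a ProcMon CSV export instead of clicking through the GUI. This is an added example, not part of the original write-up; the CSV rows, the value name and the data path in it are constructed sample data, not the room's answer.

```python
import csv
import io
from collections import defaultdict

# Constructed ProcMon CSV export (File > Save, CSV) used as sample input only;
# the key, value name and data it contains are made up, not the room's answer.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:01.0000001 AM","mysterygift.exe","4312","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:01.0000002 AM","mysterygift.exe","4312","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 22, Data: Windows 10"
"10:01:01.0000003 AM","mysterygift.exe","4312","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: All Access"
"10:01:01.0000004 AM","mysterygift.exe","4312","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ConstructedValue","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\Users\Public\constructed.exe"
"10:01:02.0000001 AM","explorer.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

# Run-key persistence locations, matched by suffix so HKCU, HKLM and Wow6432Node variants all count.
RUN_KEY_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce")

def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into dict rows keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(text.strip())))

def is_run_key(key):
    return any(key.lower().endswith(s) for s in RUN_KEY_SUFFIXES)

def data_from_detail(detail):
    """Extract the written data from a RegSetValue Detail column ('Type: ..., Length: ..., Data: ...')."""
    marker = "Data: "
    i = detail.find(marker)
    return detail[i + len(marker):] if i >= 0 else ""

def keys_created_and_set(rows, process_name):
    """Return {key: [(value_name, data), ...]} for keys on which process_name performed
    both RegCreateKey and RegSetValue - the filter applied by hand in the ProcMon GUI."""
    created = set()
    written = defaultdict(list)
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] == "RegCreateKey":
            created.add(row["Path"].lower())
        elif row["Operation"] == "RegSetValue":
            key, _, value_name = row["Path"].rpartition("\\")  # RegSetValue path is key\value
            written[key].append((value_name, data_from_detail(row["Detail"])))
    return {k: v for k, v in written.items() if k.lower() in created}

if __name__ == "__main__":
    for key, values in keys_created_and_set(parse_procmon_csv(SAMPLE_CSV), "mysterygift.exe").items():
        print(("RUN KEY " if is_run_key(key) else "") + key, values)
```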
File modification:
Again, exclude the noisy operations and inspect what remains.
Network connections:
That's it for this task, enough of images today. See you guys in the later part. Till then keep hackin!