Tripati3000/dynamic-ANALYSIS

HANDS ON DYNAMIC ANALYSIS 🧑‍💻

Download the following

Walkthrough analysis

  • Open the tabs of Process Hacker, Wireshark and Regshot 👍
  • In Wireshark, click "Ethernet" to start capturing
  • In Regshot, click "1st shot"
  • It will take some time for the 1st Regshot to complete
  • After it completes, open Procmon 👍
  • Now go to your files and extract the malware sample you downloaded
  • Rename it to filename.exe (the .exe extension means it can execute) 👍
  • Then right-click the file and click "Run as administrator"
  • Wait 4 to 5 minutes and check the activities of the malware

Investigation of process activities 🔍

Open "Wireshark" and "Process Hacker" and capture the activities by clicking those buttons 👇


Click the "Process tree" tab in Process Hacker 👇


Mark the points

We have to find the processes of malware activities, as you can see here, or catch anything that looks like malware. As we can see, the malware processes running are powershell, conhost and schtasks.exe. This means that if the malware starts a task in the Task Scheduler, which is schtasks.exe, it will download another malware under certain conditions, and if we try to delete it, it will download again and hide itself. This is called PERSISTENCE.

  • When a new process is created, you can see under which process it is running (the new process is called the child process, and the process it was created under is called the parent process)
  • The scheduled task named "Updates\VbxFiQYCyFDgGL" has been created. However, the information about the scheduled task, apart from its name, is in the XML file located at the following path:

“C:\Users\Amanda\AppData\Local\Temp\tmpCCF2.tmp”.

You can see it in the Windows Task Scheduler 👍
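To put the parent/child relationship above into practice, here is an added example (not part of the original walkthrough) that rebuilds a process tree from a constructed (pid, ppid, image name) snapshot and reports interesting children spawned under the sample. All pids in the snapshot are invented; on a live VM the same three fields can be read from Process Hacker or from Get-CimInstance Win32_Process.

```python
# Constructed process snapshot (pid, ppid, image name) modelled on the Process Hacker
# tree in the walkthrough; every number here is invented for this example.
SNAPSHOT = [
    (4, 0, "System"),
    (1200, 980, "explorer.exe"),      # parent 980 is not in the snapshot (already exited)
    (3320, 1200, "filename.exe"),     # the renamed malware sample
    (3410, 3320, "powershell.exe"),
    (3414, 3410, "conhost.exe"),
    (3520, 3410, "schtasks.exe"),
    (2000, 1200, "notepad.exe"),
]

# Children worth a closer look when their ancestry leads back to the sample
INTERESTING = {"powershell.exe", "cmd.exe", "schtasks.exe", "reg.exe", "rundll32.exe", "mshta.exe"}

def build_tree(snapshot):
    """Index the snapshot by pid and build a parent -> children map."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    children = {}
    for pid, ppid, _ in snapshot:
        children.setdefault(ppid, []).append(pid)
    return by_pid, children

def ancestry(by_pid, pid):
    """Image names from pid up to the root (child first); stops at an unknown parent."""
    chain = []
    while pid in by_pid:
        ppid, name = by_pid[pid]
        chain.append(name)
        pid = ppid
    return chain

def descendants(children, pid):
    """All pids below pid, depth first."""
    stack, found = [pid], []
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child)
    return found

def flag_children(snapshot, root_name):
    """Return 'parent > child' chains for interesting processes spawned under root_name."""
    by_pid, children = build_tree(snapshot)
    findings = []
    for pid, (_, name) in by_pid.items():
        if name.lower() != root_name.lower():
            continue
        for child in descendants(children, pid):
            if by_pid[child][1].lower() in INTERESTING:
                findings.append(" > ".join(reversed(ancestry(by_pid, child))))
    return findings
```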


Mark the points

Open up your Windows Task Scheduler >>> Updates 👍 and you can see the new malware task 🔍. For more detail, double-click it: under Triggers you see "At log on" and under Actions you see "Start a program". You can see in the screenshot that the malicious software named “VbxFiQYCyFDgGL.exe”, prepared by the attacker, will run when this scheduled task runs.

This is how we have detected the scheduled task that the attacker added.
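An added example, not from the original walkthrough, that reads a Task Scheduler XML file like the tmpCCF2.tmp one above and summarises its triggers and actions, flagging a program that lives in a user-writable folder. Both task files are constructed for this example and the .exe path in the first one is invented; only the task and executable names come from the page.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML files
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task file modelled on the walkthrough's "Updates\VbxFiQYCyFDgGL" task;
# the command path is invented for this example.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\VbxFiQYCyFDgGL</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Amanda\AppData\Roaming\VbxFiQYCyFDgGL.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>
  </Actions>
</Task>"""

# Folders a scheduled task's program should rarely be started from
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

def triage_task(xml_text):
    """Summarise a task's triggers and Exec actions; flag programs in user-writable paths."""
    root = ET.fromstring(xml_text)
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)]
    commands = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        commands.append((cmd + " " + args).strip())
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS),
        "triggers": triggers,
        "commands": commands,
        "suspicious": any(h in c.lower() for c in commands for h in USER_WRITABLE),
    }
```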


Investigation of Network Activities 🔍

We have to investigate over which network connections the malware that steals our data transfers it, and to which author it goes (sometimes this works, sometimes it does not).

Open Wireshark 🦈. Here we need to search for 3 things:

  • SMTP (Simple Mail Transfer Protocol) for email
  • HTTP (Hypertext Transfer Protocol) for websites
  • DNS (Domain Name System) for name servers

You can see that it sends a DNS query for the domain 5gw4d.xyz, which is suspicious 👍, so let's track the domain by its IP address (you can copy the IP address from the Destination column).


Paste the IP address here - https://ip-geolocation.whoisxmlapi.com/api or you can use - https://www.abuseipdb.com/
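An added example (not part of the original page) that decodes DNS queries from raw UDP payloads the way the Wireshark dns filter shows them, and lists the queried domains that fall outside a small expected set. The payloads are built in the block itself and the expected-domain list is an assumption for this example; only the 5gw4d.xyz domain comes from the page.

```python
import struct

def encode_qname(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 section 4.1.2)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dns_query(name, txid=0x1234, qtype=1):
    """Standard recursive query: flags 0x0100, one question, class IN, A record by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def parse_dns_query(payload):
    """Return (txid, qname, qtype) for a query; None for a response (QR bit set)."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:
        return None
    pos, labels = 12, []
    while payload[pos] != 0:
        ln = payload[pos]
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype

# Constructed UDP payloads standing in for the Wireshark capture (two ordinary lookups
# plus the domain the walkthrough flags, queried twice).
CAPTURE = [
    build_dns_query("www.msftconnecttest.com", txid=1),
    build_dns_query("5gw4d.xyz", txid=2),
    build_dns_query("5gw4d.xyz", txid=3, qtype=28),  # AAAA
    build_dns_query("time.windows.com", txid=4),
]

# Assumption for this example: apex domains the analyst expects a Windows VM to look up.
EXPECTED = {"msftconnecttest.com", "windows.com"}

def unexpected_domains(payloads):
    """Count queries whose apex domain is not on the expected list."""
    counts = {}
    for parsed in filter(None, map(parse_dns_query, payloads)):
        qname = parsed[1]
        if ".".join(qname.split(".")[-2:]) not in EXPECTED:
            counts[qname] = counts.get(qname, 0) + 1
    return counts
```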

Investigation of Registry 🔍

Registries in Windows are like organized storage areas for important system and application settings. Attackers can exploit them to sneak in malicious software and make it start up whenever the computer boots, helping them steal data and maintain control over the system.

Open Regshot and click "2nd shot", because we want to compare the 1st shot and the 2nd shot, i.e. before the malware and after the malware, to see what has been done in our virtual box 👍. After that, click "Compare" below "2nd shot".


Open up Regshot and find these keywords:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

When the operating system starts, Windows keeps applications running, so the registry is the data storage of any specific apps the user uses; attackers take advantage of that by adding their own malicious registry keys.

When we look at the registry, for example:

  • We check a specific area called "XYZ\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall". Here, applications leave behind information about how they can be uninstalled. Attackers sometimes install their own software and hide it here, so it is smart to check this area to find any sneaky apps installed by attackers.
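An added example, not from the original page, that scans a Regshot comparison report for changes under the Run/RunOnce and Uninstall locations listed above, so the persistence entry does not have to be found by scrolling. The report text is constructed to resemble Regshot's plain-text output; the SID and file paths in it are invented, only the task name and executable come from the walkthrough.

```python
import re

# Autorun locations named in the walkthrough (Run / RunOnce under HKCU and HKLM) plus the
# Uninstall branch it mentions. Regshot prints current-user keys as HKU\<SID>\..., so we
# match on the path suffix rather than on the hive name.
WATCHED = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\wow6432node\microsoft\windows\currentversion\uninstall",
)

SECTION_RE = re.compile(r"^(Keys added|Keys deleted|Values added|Values deleted|Values modified): \d+")

# Constructed comparison output modelled on Regshot's plain-text report; the SID and the
# paths are invented for this example.
SAMPLE_REPORT = r"""Regshot 1.9.0 x86 ANSI
Datetime: 2024/01/01 10:00:00  ,  2024/01/01 10:06:00

----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.exe

----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates: "C:\Users\Amanda\AppData\Roaming\VbxFiQYCyFDgGL.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache: "C:\Users\Amanda\AppData\Local\Microsoft\Windows\INetCache"

----------------------------------
Total changes: 3
----------------------------------
"""

def find_autorun_changes(report):
    """Return the report lines (with their section) that touch a watched autorun location."""
    hits, section = [], None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line.startswith("HK"):
            continue
        path, sep, value = line.partition(": ")
        low = path.lower()
        if any(low.endswith(w) or w + "\\" in low for w in WATCHED):
            hits.append({"section": section, "path": path, "value": value.strip('"') if sep else None})
    return hits
```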

Investigation of file activities 🔍

We can analyse it in two ways.

The malware files can be hidden in the following folders:

  • Press Windows + R
  • Search %TEMP% (if it is not there, try these two)
  • shell:startup or shell:common startup

Or you can use Procmon, looking for:

  • C:\Users\Username\AppData\Roaming\directory that has an .exe file under it
  • Or C:\Users\Username\AppData\Roaming\logdata

To find these, go to Procmon >>> Process Tree >>> right-click the malware.exe file >>> "Add process and children to include filter".


Now you can see only the file activities of the malware 👍, although in our case we could not find such activities running 😅


Investigation results

  • It queries the DNS server for 5gw4d.xyz ✅
  • After execution of the malware, it runs a file VbxFiQYCyFDgGL.exe ✅
  • The malware runs powershell, conhost and schtasks ✅
  • It uses registry keys to steal data ✅
  • It uses persistence ✅
