Practical 2

Summary

1) The document describes using PEview, BinText, Process Explorer, Wireshark, and Process Monitor to analyze a keylogger malware sample named key.exe.
2) Dynamic analysis revealed that the malware created a log file called log.txt to record keystrokes, created a new executable in the Windows directory, and added itself to the Run registry key to achieve persistence and run automatically at user logon.
3) The malware was identified as a keylogger based on strings referencing keyboard keys, such as #SHIFT#, and the log.txt file to which it records keystrokes.

CTMSDFIS SII P3 - MALWARE ANALYSIS AND FORENSICS Practical : Basic Dynamic Analysis

Basic Dynamic Analysis

Task 1. Basic Static Analysis


Downloading and Extracting the Sample
Using Firefox, download this file:

key.7z from Google classroom

You need 7-Zip to extract the file. If you don't have it installed, download and install the 64-bit version from:

https://www.7-zip.org/

Right-click the key.7z file, click 7-Zip, then "Extract Here". Enter the password: malware

The sample appears, named key.exe.

Using PEview
Open key.exe in PEview.

As shown below, if you expand "SECTION .rdata" and click "IMPORT Address Table", you can see that one of the three DLLs imported is advapi32.dll. advapi32.dll is the library that exports the Windows registry API, so its presence is worth noting for the persistence behaviour observed later.

As you scroll, you will see imported functions such as WriteConsoleW, GetConsoleWindow, WideCharToMultiByte, and GetStringType, which help identify what the executable does. These four are ordinary console and string-conversion imports from kernel32.dll and are not suspicious on their own; the more telling evidence comes from the strings examined next.

The other two DLLs are kernel32.dll and user32.dll.

School of Cyber Security and Digital Forensics, NFSU - Gandhinagar Page 1


Prepared by: Dr. Parag Shukla – Assistant Professor [email protected]

Using BinText
Examine the strings in key.exe and find these items, as shown below.

• log.txt -- A txt file


• key.exe -- The program name
• C:\windows\vmx32to64.exe -- An interesting file


Scroll up and find the key definitions, including #SHIFT# and #CAPS_LOCK#, as shown below. These are the token names a keylogger writes to its log in place of non-printing keys, so together with log.txt they are strong evidence of what the program does.


Task 2. Preparing for Dynamic Analysis


Dynamic analysis is simple in principle: start the monitoring tools, run the malware, and let it have its way with the virtual machine. This is a sloppy technique, because the monitoring tools are trusting a system that is being infected (a sample that detects or tampers with them can hide its activity), but for a basic sample like this one it usually works. Do this only inside an isolated VM with a clean snapshot you can revert to.

We will use these three programs to see what the malware does:

1. Process Explorer
2. Wireshark
3. Process Monitor

Install and Run Process Explorer

Download Process Explorer from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Extract the zip file and open procexp64.exe.

Process Explorer shows currently running processes, with far more detail than Task
Manager. It doesn't keep a log of them, so it's harmless to leave running.


Install and Run Wireshark


Go to https://www.wireshark.org/index.html#download and save/run the Windows Installer (64-bit) file.

Install Wireshark with the default options

Start Wireshark and begin capturing packets from the interface that goes to the Internet, it
should be "Ethernet".

There will be a lot of traffic at the start because you are running RDP from your host machine
to the Windows cloud machine.

To filter out the RDP traffic, enter this into the Wireshark display filter bar, replacing 192.168.10.10 with your host machine's IP address:

!(ip.addr == 192.168.10.10)

Note: To get the IP of your host machine as the cloud VM sees it, Google search "What's My IP?". If the address changes during the session, the equivalent filter !(tcp.port == 3389) hides RDP by its default port instead.

Once the filter is entered, stop and restart the capture by clicking the red square and then the blue shark fin above the filter bar. Close any open web browsers to limit the traffic.

Note: For this project, no web requests will be made by the malware, but it's a good idea to
monitor network traffic when running malware.


Install and Start Process Monitor


Process Monitor records file system, registry, process/thread and network activity in real time, which typically amounts to hundreds of thousands of events within minutes. By default it holds them in memory, so don't leave it running for too long or it will exhaust the RAM and crash.

It's best to start Process Monitor last, so you can exclude all the harmless processes the other tools are using.

Go to https://docs.microsoft.com/en-us/sysinternals/downloads/procmon and download / extract Process Monitor.

Launch Process Monitor. If a Security Warning box pops up, allow the software to run.

Agree to the license.

You see Process Monitor, with a lot of visible events, as shown below.

Excluding Harmless Processes


In Process Monitor, right-click the name of one of the visible processes, such as explorer.exe, and click "Exclude 'explorer.exe'", as shown below:


Repeat the process until all current processes are hidden, as shown below.

There were a lot of processes to ignore, around 15 to 20.


Running the Malware


In File Explorer, right-click key.exe and choose Run as Administrator.

RUN THE MALWARE AS ADMINISTRATOR!


If you run it without Administrator privileges, the persistence mechanism will fail and you won't be able to find flag 221.3 below. Writing a new file into the Windows directory requires administrator rights; a standard user can still write the HKCU Run entry, but it would point at a file that was never created.

Wireshark
No unusual traffic appears in Wireshark, because this sample doesn't use the Internet. Close
Wireshark.


Viewing the Running Malware in Process Explorer


In Process Explorer, in the top pane, find key.exe and click it.

Find the name of the exe covered in green in the image below. That is the flag.

Viewing the Running Malware in Process Monitor


Go to ProcMon and scroll until you get to key.exe. You can view the steps the malware is taking.


This malware creates an executable file in the Windows directory.

The malware also creates persistence by writing a value under the Run registry key for the current user (HKCU = HKEY_CURRENT_USER). The programs referenced in this key are executed each time that user logs in, which needs no elevation; it is the copy into the Windows directory that needed the administrator rights.

Find the path of that key and take note of it.

The flag is the text covered in green.
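As an added example that is not part of the original practical, the following Python script replays the Process Monitor steps offline: it parses a ProcMon CSV export (File > Save, CSV format), applies the same process exclusions as the GUI "Exclude" filter, and pulls out the two behaviours described above, the executable dropped under the Windows directory and the Run value that points back at it. The rows are constructed for the example rather than captured from key.exe, the Run value name "vmx32to64" is an assumption, and the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) are assumed.

```python
"""Offline stand-in for the Process Monitor steps in Task 2.

Parse a Process Monitor CSV export, drop the harmless processes the way the
GUI "Exclude" filter does, and pull out the two behaviours the practical
points at: an executable written under the Windows directory and a value set
in a Run key whose data names that executable.
PROCMON_CSV is constructed for this example; it is not a capture of key.exe,
and the Run value name "vmx32to64" is made up.
"""
import csv
import io
import re

# Processes excluded by hand in the GUI; the analysis tools belong here too.
EXCLUDE = {"explorer.exe", "lsass.exe", "procexp64.exe", "Procmon64.exe", "Wireshark.exe"}

# An .exe directly under the Windows directory, as the drop path in the practical is.
WINDIR_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)
# HKCU or HKLM Run / RunOnce keys: anything written here starts at logon.
RUN_KEY = re.compile(r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)

# Constructed rows in the default ProcMon CSV column layout (raw string, so the
# backslashes in paths are literal).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000000","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:01:02.0000001","lsass.exe","700","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Lsa","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:03.0000000","key.exe","4321","Process Start","","SUCCESS","Parent PID: 1234, Command line: C:\Users\analyst\Desktop\key.exe"
"10:01:03.0000001","key.exe","4321","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x7ff812340000, Image Size: 0xa0000"
"10:01:03.0000002","key.exe","4321","CreateFile","C:\Windows\vmx32to64.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:03.0000003","key.exe","4321","WriteFile","C:\Windows\vmx32to64.exe","SUCCESS","Offset: 0, Length: 61,440"
"10:01:03.0000004","key.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vmx32to64","SUCCESS","Type: REG_SZ, Length: 50, Data: C:\Windows\vmx32to64.exe"
"10:01:03.0000005","key.exe","4321","CreateFile","C:\Users\analyst\Desktop\log.txt","SUCCESS","Desired Access: Generic Write, Disposition: OpenIf"
"10:01:04.0000000","key.exe","4321","WriteFile","C:\Users\analyst\Desktop\log.txt","SUCCESS","Offset: 0, Length: 18"
'''


def load_events(text):
    """Parse the export and apply the process exclusions."""
    rows = csv.DictReader(io.StringIO(text))
    return [row for row in rows if row["Process Name"] not in EXCLUDE]


def find_dropped_executables(events):
    """Executables successfully created or written directly under the Windows directory."""
    return sorted({e["Path"] for e in events
                   if e["Operation"] in ("CreateFile", "WriteFile")
                   and e["Result"] == "SUCCESS"
                   and WINDIR_EXE.match(e["Path"])})


def find_run_key_writes(events):
    """(process, value path, detail) for every value set under a Run key."""
    return [(e["Process Name"], e["Path"], e["Detail"])
            for e in events
            if e["Operation"] == "RegSetValue" and RUN_KEY.match(e["Path"])]


def persistence_report(events):
    """Tie the two together: does a Run value's data name a file that was just dropped?"""
    dropped = find_dropped_executables(events)
    run_writes = find_run_key_writes(events)
    linked = any(path.lower() in detail.lower()
                 for path in dropped for _, _, detail in run_writes)
    return {
        "dropped": dropped,
        "run_values": [path for _, path, _ in run_writes],
        "autostart_points_to_dropped_exe": linked,
    }


if __name__ == "__main__":
    events = load_events(PROCMON_CSV)
    print(f"{len(events)} events after exclusions")
    for key, value in persistence_report(events).items():
        print(f"{key}: {value}")
```

The correlation step is the part worth keeping: a file write under C:\Windows and a Run-key write are each only mildly suspicious, but a Run value whose data is the path that the same process just wrote is the persistence chain the lab asks you to find, and it is what to check for in the real export.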

Test out the keylogger


Open notepad and type some text.

In File Explorer, go to the folder where key.exe is, find log.txt and open it. You see the
captured keystrokes, as shown below.


Persistence Mechanism
In Process Explorer, right click key.exe and choose Kill Process.

This stops the keylogger for the current session. However, the malware has written itself into the Run key, so it will start again the next time this user logs on, including after a reboot.

Restart the machine and reconnect through RDP.
