- Use PEView to open the DLL file; under SECTION .rdata, look for the Export Address Table. Take a screenshot of what you found. Does it suggest how the malware can be installed? Highlight the exported entry that could install the malware.
- Use strings.exe to look for interesting strings (service names, registry keys, imports, etc.). Take screenshots.
- Find rundll32.exe under C:\Windows\system32. You can temporarily copy it to the same folder as the malware. Use Regshot to take a snapshot of the registry before running the malware.
Key in: rundll32.exe Lab03-02.dll, installA. Take a second Regshot snapshot and compare. What keys are added? What values are added?
- We can see the malware can be started as a service. According to the registry analysis, what is the service name? Check whether you can start and stop the service from the Command Prompt (cmd):
net start serviceName / net stop serviceName
Take screenshots of both the service start and the service stop.
- Open Process Explorer -> Find -> Find Handle or DLL -> Lab03-02.dll. Which process is the malware injecting into? Take a screenshot showing its PID. Then try to kill that process in Process Explorer. Does the system allow you to kill it? Take a screenshot of the result.
Perform static and dynamic analysis of Lab03-03.exe
- Use strings.exe: is anything strange? What do you see? Are there any registry-related strings?
- Compare Regshot snapshots of the registry before and after running the program.
- Before double-clicking the program, arrange your windows so that you can watch the process list (for example in Process Explorer) while you click:
This way you can see which process is created once you click. Describe what you see after clicking it. Which process is deleted? Which process is created? (It happens quickly, so watch closely.)
A .log file will be generated in the same directory. Open a browser and visit a few websites of your choice. Then open the file again. From the content that was added, can you conclude what the program does?
- Right-click the created malicious process, go to Properties -> Strings -> select the Memory radio button at the bottom. Can you see the name of the file being created among the process's strings? You will also see strings resembling keyboard entries. Take a screenshot of everything you found.
- Find the PID of the malicious process in Process Explorer and open ProcMon; set a filter -> PID is xxx (the value you found in Process Explorer on the VM), press Include, then OK. Then open a browser and browse a website. Go back to ProcMon: what events does ProcMon capture? Take screenshots. The answers should validate what you have seen.
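The ProcMon filter step above is easy to repeat offline on a saved capture. The script below is an added example, not part of the lab handout: it reads a ProcMon CSV export, applies the same "PID is xxx, Include" filter, and lists which files and registry paths that process wrote to (the things the .log file and the Regshot compare are meant to surface). The CSV rows, process name, PID and paths are constructed sample data, not output from the lab samples.

```python
"""Triage a Process Monitor CSV export (File -> Save..., CSV format) for one PID.

ProcMon's CSV carries the columns "Time of Day","Process Name","PID",
"Operation","Path","Result","Detail". Everything below is an added example;
the capture is constructed, with placeholder names, not a real lab capture.
"""
import csv
import io
from collections import Counter

# Constructed sample capture: two processes, one of which writes a .log file
# and a registry value, the other an unrelated browser write.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001 AM","sample.exe","4242","RegSetValue","HKLM\\SOFTWARE\\Example\\Run","SUCCESS","Type: REG_SZ"
"10:01:02.0000002 AM","sample.exe","4242","CreateFile","C:\\Lab\\sample.log","SUCCESS","Desired Access: Generic Write"
"10:01:03.0000003 AM","sample.exe","4242","WriteFile","C:\\Lab\\sample.log","SUCCESS","Offset: 0, Length: 12"
"10:01:03.0000004 AM","sample.exe","4242","RegQueryValue","HKLM\\SYSTEM\\Setup\\X","SUCCESS","Type: REG_DWORD"
"10:01:04.0000005 AM","browser.exe","999","WriteFile","C:\\Users\\me\\places.sqlite","SUCCESS","Offset: 0, Length: 4096"
"10:01:05.0000006 AM","sample.exe","4242","WriteFile","C:\\Lab\\sample.log","SUCCESS","Offset: 12, Length: 30"
'''

# Operations that change state on disk or in the registry. CreateFile only
# counts when the handle was opened for writing (ProcMon puts the access
# mask in the Detail column).
WRITE_OPS = {"WriteFile", "SetRenameInformationFile",
             "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def is_write(row):
    """True if this event modified a file or registry object."""
    if row["Operation"] == "CreateFile":
        return "Generic Write" in row["Detail"]
    return row["Operation"] in WRITE_OPS


def parse_procmon_csv(text):
    """Return the rows of a ProcMon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_pid(rows, pid):
    """Apply the 'PID is X, Include' filter and summarize what that process touched."""
    mine = [r for r in rows if r["PID"] == str(pid)]
    ops = Counter(r["Operation"] for r in mine)
    # Registry paths start with an HK* hive prefix; everything else is a file path.
    reg_writes = sorted({r["Path"] for r in mine if is_write(r) and r["Path"].startswith("HK")})
    file_writes = sorted({r["Path"] for r in mine if is_write(r) and not r["Path"].startswith("HK")})
    return {"events": len(mine), "operations": ops,
            "registry_writes": reg_writes, "file_writes": file_writes}


if __name__ == "__main__":
    for key, value in summarize_pid(parse_procmon_csv(SAMPLE_CSV), 4242).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_CSV with the contents of a real export and the PID with the one you read from Process Explorer; the file_writes list should then name the .log file the lab asks about.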