
Pestudio indicators
The first chapter of PMA was an introduction to Basic Static Analysis. Although there's a unique set of tools used in the book, I'd be improvising and testing other tools which might achieve the same purpose. I'll be using the following tools/services for this chapter:

Question Number 1: Upload the files to and view the reports. Does either file match any existing antivirus signatures?

# Well, it's been years since the first upload so we should expect some results. As of writing, the PE executable file (.exe) matches 50 antivirus signatures. Conversely, the DLL file matches 41 antivirus signatures.

(screenshot: pestudio indicators)

Question Number 2: When were these files compiled?

# Scroll down in the Details tab and look for the Compilation Timestamp.

Question Number 3: Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

# No, neither of the two appears to be packed or obfuscated. Although the PE files don't import any libraries directly, we can still clearly see the imports in the strings. No strings appear to be obfuscated to thwart static analysis either.

Question Number 4: Do any imports hint at what this malware does? If so, which imports are they?

(screenshot: pestudio indicators)

# Looking at the clear-text strings, we can see several libraries being mentioned. CreateMutex: creation of a mutex on the host. CreateProcess: launch a process on the host. It also includes imports like WS2_32.dll, which includes networking API calls. Since there's an IP address amongst the strings too, it likely connects over the network by launching a process of itself. FindNextFile/FindFirstFile: used to traverse directories in search of files. This malware appears to be traversing directories and copying files to/from source/destination. Potentially used to exfiltrate data from the infected system.

Question Number 5: Are there any other files or host-based indicators that you could look for on infected systems?
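As an added example (not from the original post), here is a small Python script that does what the Question 4 answer does by hand: pull the clear-text ASCII and UTF-16LE strings out of a file's bytes and flag the API names, DLL names and IP-address literals that hint at capability. The sample bytes, the API-to-capability table and the 192.0.2.10 address are constructed placeholders, not data from the lab files.

```python
import re
from collections import defaultdict

# Capability hints for the imports the writeup calls out (ANSI/Unicode suffixes
# such as CreateMutexA / FindFirstFileW are folded onto the base name).
API_HINTS = {
    "CreateMutex": "host: creates a mutex (possible infection marker)",
    "CreateProcess": "host: launches a process",
    "FindFirstFile": "filesystem: directory traversal",
    "FindNextFile": "filesystem: directory traversal",
    "CopyFile": "filesystem: copies files",
}
DLL_HINTS = {"ws2_32.dll": "network: Winsock (networking API) import"}
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII and UTF-16LE runs out of raw bytes, like `strings`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def classify(strings) -> dict:
    """Map each string to the capability it hints at: {hint: sorted strings}."""
    hits = defaultdict(set)
    for s in strings:
        base = s[:-1] if s[-1:] in ("A", "W") and s[:-1] in API_HINTS else s
        if base in API_HINTS:
            hits[API_HINTS[base]].add(s)
        if s.lower() in DLL_HINTS:
            hits[DLL_HINTS[s.lower()]].add(s)
        for ip in IPV4_RE.findall(s):
            if all(int(octet) <= 255 for octet in ip.split(".")):
                hits["network: IPv4 address literal (possible endpoint)"].add(ip)
    return {hint: sorted(v) for hint, v in hits.items()}


# Constructed sample: a fake import-name region plus a UTF-16LE IP string.
# 192.0.2.10 is a documentation (TEST-NET-1) address, not a real indicator.
SAMPLE = (
    b"\x00\x00KERNEL32.dll\x00CreateMutexA\x00CreateProcessA\x00"
    b"FindFirstFileA\x00FindNextFileA\x00CopyFileA\x00WS2_32.dll\x00"
    b"C:\\constructed\\path.txt\x00ab\x00\xff\xfe"
    + "192.0.2.10".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for hint, names in classify(extract_strings(SAMPLE)).items():
        print(f"{hint}: {', '.join(names)}")
```

Run it against a real file with `extract_strings(open(path, "rb").read())`; the same table can be extended with whichever imports pestudio flags for you.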