Through a full mostly dynamic analysis of a remote access trojan (RAT) from

The hashes were available with the malware sample, and according to VirusTotal 26 vendors flagged this file as malicious.

Figure 1 Hashes that came with the malware sample

Strings

gather more information and exported the results to a.

Figure 2 FLOSS string results

Notable strings

HTTP to attempt to get some network based indications and found a lot of

sample without INetSim running and the following message popped up:

Figure 3 NO SOUP FOR YOU pop up message

This is quite common as malware is rarely obvious.

Launching the sample with a simulated network

up INetSim and turned on Wireshark to capture the packets.

malware while connected to the simulated network provides no popup message.

Figure 4 Capturing packets in Wireshark

Notable packets

to the packet analysis and initial static analysis the malware attempts to drop a payload at AppData\Roaming\Microsoft\Windows\Start

launch on start up which is a sign of persistence.

virtual machine and opened Process Monitor prior to launching the sample,

Figure 5 File creation evidence in Process Monitor

A file called mscordll.exe was dropped in the Startup folder.

Figure 6 mscordll.exe payload in the Startup folder

exe isn’t actually downloaded but it’s simulated on INetSim so the default binary will launch.

Figure 7 INetSim default GUI binary

However if you do download the actual binary you should also perform additional analysis on the sample.

TCPView

filtered by the process name again. We can see that the sample is listening on