Pestudio
Strings2 extracts both ASCII and Unicode strings by default and is an enhancement over strings. It can also pull strings from running processes. Below is an example of strings2 in action.

Straight away we can see important strings: a reference to a .tmp file (possibly a temporary file used by the malware), Run registry settings, HTTP/1.1, InternetReadFile, Sleep, etc. InternetReadFile reads the file referred to by HttpOpenRequest; we can relate this to the HTTP/1.1 entry among the embedded strings.

Let's look at the suspicious indicators from PEstudio. It shows that the file is not signed by any certificate and that it modifies the registry. We can also look at the embedded strings in PEstudio. There are some interesting references here, such as CryptDecrypt, which is an indicator that the specimen might contain encryption/decryption routines. We can also use PEframe to find suspicious IAT alerts, which list the DLLs the specimen imports and the functions it uses. For example, again we can see CryptDecrypt, CreateFile, CreateProcessA, etc. This tells us a lot about the nature of the specimen.

With all that static analysis done, we can start our behavioral analysis to see how the specimen actually uses these IoCs.

Tools we are going to use: RegShot, CaptureBAT, Process Monitor, ProcDOT and Wireshark.

Before we infect the system with the malware, let's capture its state using RegShot: take a first shot of the system. We are also going to launch CaptureBAT to capture all transactions made by this malware sample; it will also generate a pcap, which we can analyze with Wireshark. Now let's launch the malware specimen and observe the Process Monitor output. We can see that the specimen creates a new file. Let's take a look at its contents. What is this file?

After letting the malware run for approx. 40-45 seconds, let's terminate the process and observe what our tools have captured. Below is a pcap file captured by CaptureBAT. We can analyze the pcap file in Wireshark. We can see that the specimen is trying to reach out to a host, but since we are running it in an isolated environment it cannot find it; as we learned in Part 1, we know how to get around this. There is a fantastic tool named ProcDOT which helps us visualize the actions taken by the specimen. It takes input from ProcMon and a pcap file.
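The string triage the post walks through (strings2-style ASCII and UTF-16 extraction, then picking out the persistence, network, crypto and temp-file references) as an added Python example; this is not code from the post or from strings2/PEstudio, and the indicator patterns and the sample blob are this example's own constructions:

```python
import re

MIN_LEN = 4  # minimum run length, the usual default of strings-style tools
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: each printable ASCII byte is followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator patterns grouped the way the post reads the specimen's strings.
# This list is the example's own, not one taken from the blog or from PEstudio.
INDICATORS = {
    "persistence": [r"\\CurrentVersion\\Run"],
    "network": [r"HTTP/1\.1", r"InternetReadFile", r"HttpOpenRequest"],
    "crypto": [r"CryptDecrypt", r"CryptEncrypt", r"CryptAcquireContext"],
    "process": [r"CreateProcess[AW]?", r"^Sleep$"],
    "tempfile": [r"\.tmp$"],
}

def extract_strings(data):
    """Return ASCII and UTF-16LE strings of >= MIN_LEN chars, in file order."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()  # interleave both encodings by offset
    return [s for _, s in found]

def triage(strings):
    """Group every string that hits an indicator pattern by category."""
    hits = {cat: [] for cat in INDICATORS}
    for s in strings:
        for cat, pats in INDICATORS.items():
            if any(re.search(p, s) for p in pats) and s not in hits[cat]:
                hits[cat].append(s)
    return hits

# Constructed sample blob (not a real specimen): ASCII and UTF-16LE strings
# separated by NUL padding, as they would sit in a PE's data sections.
SAMPLE = (
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00"
    + "HTTP/1.1".encode("utf-16-le") + b"\x00\x00\x00\x00"
    + b"InternetReadFile\x00CryptDecrypt\x00\x00\x00"
    + "C:\\Users\\victim\\AppData\\Local\\Temp\\abc.tmp".encode("utf-16-le")
    + b"\x00\x00\x00\x00CreateProcessA\x00Sleep\x00xy\x00"
)

if __name__ == "__main__":
    for cat, items in triage(extract_strings(SAMPLE)).items():
        print(f"{cat:12s} {items}")
```

Run it against a real specimen by replacing SAMPLE with the file's bytes; the NUL padding in the sample matters, because a UTF-16 run that directly follows an ASCII string's terminator would otherwise absorb that string's last character.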







