Analyzing calc.exe and Network Activity

1. Analysis of calc.exe Process

• Initial Observations:

  • The process creation for calc.exe involves several preliminary operations, such as initiating the program and loading libraries.

  • Focus on searching for specific file names related to the sample, such as badfile.exe, to trace its creation and usage.

• TCP Connections:

  • Look for TCP connections before the badfile.exe creation. This indicates data was received, which was then stored in badfile.exe.

2. Network Traffic Analysis with Wireshark

• Setup:

  • Use the loopback interface with FakeNet instead of the Ethernet interface.

• Capturing Traffic:

  • Run the sample and capture network traffic with Wireshark.

• Analyzing Traffic:

  • Filter HTTP Traffic:

    • Go to Statistics > Protocol Hierarchy and focus on HTTP traffic.

    • Apply filter to show only HTTP packets.

  • Inspect Requests:

    • Follow the HTTP stream to view GET requests and identify URLs from which data was downloaded.

    • Example: Find GET requests for files like evil.exe from specific domains (e.g., abadsite.com).

3. Using AutoRuns for Persistence Detection

• Setup:

  • Open re_test_dlx.doc and enable content if needed.

• AutoRuns Analysis:

  • Check Persistence:

    • Look for entries such as a registry run key pointing to badfile.exe.

    • This indicates that the malware has set up persistence, ensuring it runs at login.

  • Identify Trigger Points:

    • AutoRuns lists potential persistence mechanisms that malware might use, which helps in identifying how the malware maintains its presence.

Summary

• calc.exe Process: Focus on tracking the creation and operations of related files, like badfile.exe, and monitor network activities that reveal data sources.

• Wireshark: Use it to detect and analyze network traffic, identifying any URLs or network addresses involved in data downloads.

• AutoRuns: Check for persistence mechanisms to determine how malware ensures it runs on system startup.