Analyzing calc.exe and Network Activity

1. Analysis of calc.exe Process

Initial Observations:
- The process creation for calc.exe involves several preliminary operations, such as initiating the program and loading libraries.
- Focus on searching for specific file names related to the sample, such as badfile.exe, to trace its creation and usage.
TCP Connections:
- Look for TCP connections before the badfile.exe creation. This indicates data was received, which was then stored in badfile.exe.

2. Network Traffic Analysis with Wireshark

Setup:
- Use the loopback interface with FakeNet instead of the Ethernet interface.
Capturing Traffic:
- Run the sample and capture network traffic with Wireshark.
Analyzing Traffic:
- Filter HTTP Traffic:
  - Go to Statistics > Protocol Hierarchy and focus on HTTP traffic.
  - Apply filter to show only HTTP packets.
- Inspect Requests:
  - Follow the HTTP stream to view GET requests and identify URLs from which data was downloaded.
  - Example: Find GET requests for files like evil.exe from specific domains (e.g., abadsite.com).

3. Using AutoRuns for Persistence Detection

Setup:
- Open re_test_dlx.doc and enable content if needed.
AutoRuns Analysis:
- Check Persistence:
  - Look for entries such as a registry run key pointing to badfile.exe.
  - This indicates that the malware has set up persistence, ensuring it runs at login.
- Identify Trigger Points:
  - AutoRuns lists potential persistence mechanisms that malware might use, which helps in identifying how the malware maintains its presence.

calc.exe Process: Focus on tracking the creation and operations of related files, like badfile.exe, and monitor network activities that reveal data sources.
Wireshark: Use it to detect and analyze network traffic, identifying any URLs or network addresses involved in data downloads.
AutoRuns: Check for persistence mechanisms to determine how malware ensures it runs on system startup.

Last updated 9 months ago

1. Analysis of calc.exe Process

Initial Observations:
- The process creation for calc.exe involves several preliminary operations, such as initiating the program and loading libraries.
- Focus on searching for specific file names related to the sample, such as badfile.exe, to trace its creation and usage.
TCP Connections:
- Look for TCP connections before the badfile.exe creation. This indicates data was received, which was then stored in badfile.exe.

2. Network Traffic Analysis with Wireshark

Setup:
- Use the loopback interface with FakeNet instead of the Ethernet interface.
Capturing Traffic:
- Run the sample and capture network traffic with Wireshark.
Analyzing Traffic:
- Filter HTTP Traffic:
  - Go to Statistics > Protocol Hierarchy and focus on HTTP traffic.
  - Apply filter to show only HTTP packets.
- Inspect Requests:
  - Follow the HTTP stream to view GET requests and identify URLs from which data was downloaded.
  - Example: Find GET requests for files like evil.exe from specific domains (e.g., abadsite.com).

3. Using AutoRuns for Persistence Detection

Setup:
- Open re_test_dlx.doc and enable content if needed.
AutoRuns Analysis:
- Check Persistence:
  - Look for entries such as a registry run key pointing to badfile.exe.
  - This indicates that the malware has set up persistence, ensuring it runs at login.
- Identify Trigger Points:
  - AutoRuns lists potential persistence mechanisms that malware might use, which helps in identifying how the malware maintains its presence.

calc.exe Process: Focus on tracking the creation and operations of related files, like badfile.exe, and monitor network activities that reveal data sources.
Wireshark: Use it to detect and analyze network traffic, identifying any URLs or network addresses involved in data downloads.
AutoRuns: Check for persistence mechanisms to determine how malware ensures it runs on system startup.

Last updated 9 months ago