
Malicious code analysis practice: Lab03-01.exe basic dynamic analysis

2022-06-12 10:33:00 Bng!

1. Purpose of the experiment

Use several analysis tools together to establish the basic information about Lab03-01.exe and infer its function.

2. Experimental environment (hardware, software)

VMware virtual machine (Windows XP):
Hardware: Intel Core i5-10210U CPU @ 1.60GHz 2.11 GHz
Software: 32-bit operating system
Kali virtual machine

3. Experimental steps (describe the procedure in detail; key analysis steps are accompanied by screenshots)

(1) Static analysis

① MD5 value

The MD5 of Lab03-01.exe was recorded first, so that any file dropped later can be compared against it.

② PEiD analysis

PEiD shows that Lab03-01.exe is packed.

③ strings analysis
strings Lab03-01.exe

The output contains some registry information, an .exe file name and a possible domain name.
The guess is that the program either visits the website to download Trojan files over the connection, or uses vmx32to64.exe to open a backdoor. The dynamic analysis therefore concentrates on registry modifications, file creation and deletion, and network activity.
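As an added example that is not part of the original writeup, the following Python script re-implements the strings triage step above: it pulls printable ASCII runs out of a byte buffer (as the strings tool does) and sorts them into the three indicator types the writeup found, registry paths, executable names and domain-like names. The byte buffer is constructed here and is not the real contents of Lab03-01.exe; it only embeds the indicators named on this page between some binary junk.

```python
import re

MIN_LEN = 4  # same default minimum run length as the strings tool

# Constructed sample buffer: NOT real Lab03-01.exe bytes. It mixes the
# indicators the writeup found with binary junk and too-short fragments.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x01\x02ab\x03"
    b"vmx32to64.exe\x00\x7f\x80"
    b"www.practicalmalwareanalysis.com\x00"
    b"VideoDriver\x00ws2_32.dll\x00\x00\x00"
)

# Heuristics for bucketing a string (assumptions chosen for this example)
REG_HINT = re.compile(r"^(HK[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.IGNORECASE)
EXE_HINT = re.compile(r"\.(exe|dll|sys|bat|scr)$", re.IGNORECASE)
DOMAIN_HINT = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(strings) -> dict:
    """Bucket strings into the indicator types the writeup looked for.

    Executable names are tested before domains because a file name such as
    vmx32to64.exe would otherwise also satisfy the domain pattern.
    """
    buckets = {"registry": [], "executables": [], "domains": [], "other": []}
    for s in strings:
        if REG_HINT.search(s):
            buckets["registry"].append(s)
        elif EXE_HINT.search(s):
            buckets["executables"].append(s)
        elif DOMAIN_HINT.match(s):
            buckets["domains"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


if __name__ == "__main__":
    for kind, items in triage(extract_strings(SAMPLE)).items():
        print(f"{kind:12s} {items}")
```

On a real sample, replace SAMPLE with the bytes read from the file; a packed binary such as this one yields few meaningful strings until it is unpacked, which is why the writeup moves on to dynamic analysis.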

(2) Dynamic analysis

① Regshot registry analysis

In Regshot, take the first snapshot before running Lab03-01.exe.
Run Lab03-01.exe, then take the second snapshot.
Click Compare; comparing the two registry snapshots shows the newly added registry values.

In the autorun entries a VideoDriver value was added with the data 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 76 6D 78 33 32 74 6F 36 34 2E 65 78 65, which decodes as the ASCII string C:\WINDOWS\system32\vmx32to64.exe. The VideoDriver autorun entry therefore points to vmx32to64.exe in the system32 directory.
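The decoding step above is easy to automate. As an added example that is not part of the original writeup, this Python script parses a Regshot-style comparison report, decodes REG_BINARY hex dumps (and unquotes REG_SZ text), and lists every value added under a Run or RunOnce key. The report text is constructed here in the layout Regshot uses for its text output, since the real report on this page exists only as a screenshot; the VideoDriver line carries exactly the bytes quoted above.

```python
import re

# Autorun key suffixes to flag (assumption: the two classic Run keys)
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample in the style of a Regshot comparison report.
REPORT = r"""
----------------------------------
Values added: 2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 76 6D 78 33 32 74 6F 36 34 2E 65 78 65
HKCU\Software\Example\LastRun: "2022-06-12"
----------------------------------
Values modified: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 01 02 03 04
"""

HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2}$")


def decode_value(raw: str):
    """Turn Regshot's textual value data into something readable.

    A hex dump (REG_BINARY) is decoded as Latin-1 with trailing NULs dropped,
    so an embedded ASCII path becomes visible; quoted text is unquoted;
    anything else is returned verbatim.
    """
    raw = raw.strip()
    if HEX_BYTES.match(raw):
        return bytes.fromhex(raw).decode("latin-1").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_regshot(text: str):
    """Yield (section, key_path, value_name, decoded_value) for each value line."""
    section = None
    for line in text.splitlines():
        m = re.match(r"^(Keys|Values) (added|deleted|modified):", line)
        if m:
            section = f"{m.group(1).lower()} {m.group(2)}"
            continue
        if not section or not section.startswith("values"):
            continue
        if not line.startswith("HK") or ": " not in line:
            continue
        path, raw = line.split(": ", 1)
        key, _, name = path.rpartition("\\")
        yield section, key, name, decode_value(raw)


def autorun_additions(text: str) -> list:
    """Return (value name, decoded data) for values added under Run/RunOnce."""
    hits = []
    for section, key, name, value in parse_regshot(text):
        if section == "values added" and any(
            key.lower().endswith(k.lower()) for k in AUTORUN_KEYS
        ):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for name, value in autorun_additions(REPORT):
        print(f"autorun value added: {name} -> {value}")
```

The Latin-1 decode is deliberate: it never fails on arbitrary bytes, so a value that is not really text is still shown rather than raising an exception mid-report.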

② Process Explorer analysis

Switch the lower pane of Process Explorer to the DLLs view.

After running Lab03-01.exe, the following is observed:

ws2_32.dll and wshtcpip.dll are loaded in Lab03-01.exe, which indicates network operations.

③ Process Monitor analysis

Open the Filter window and add the filter conditions.
The static analysis above predicted that the program would drop a vmx32to64.exe file, so after running Lab03-01.exe, Ctrl+F was used to search the events directly for vmx32to64.exe.

The program creates and writes vmx32to64.exe under the windows\system32 path, and creates the VideoDriver autorun value under CurrentVersion\Run.
Next, look at the vmx32to64 file in the windows\system32 directory.

Its MD5 is identical to that of Lab03-01.exe, so the conclusion is that Lab03-01.exe copies itself into the windows\system32 directory, and the VideoDriver autorun value found in the registry analysis above points to that copy, windows\system32\vmx32to64.exe.
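As an added example that is not part of the original writeup, this Python script performs the comparison just described: it hashes the original sample and each candidate dropped file in chunks and reports which candidates are byte-for-byte self-copies. Both MD5 (what the writeup compared) and SHA-256 are computed, so a match has to hold for both digests. The files used by demo() are constructed stand-ins written to a temporary directory; they are not the real Lab03-01.exe bytes.

```python
import hashlib
import os
import tempfile


def file_hashes(path: str, chunk: int = 1 << 16) -> tuple:
    """Return (md5, sha256) hex digests of a file, reading it in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_self_copies(sample_path: str, candidate_paths) -> list:
    """Return the candidate paths whose content hashes equal the sample's."""
    ref = file_hashes(sample_path)
    return [p for p in candidate_paths
            if os.path.isfile(p) and file_hashes(p) == ref]


def demo() -> list:
    """Build constructed files (not real malware) and run the comparison."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "Lab03-01.exe")
        dropped = os.path.join(d, "vmx32to64.exe")
        unrelated = os.path.join(d, "other.exe")
        payload = b"MZ" + bytes(range(256)) * 8  # constructed, deterministic content
        for path, data in ((sample, payload),
                           (dropped, payload),
                           (unrelated, payload + b"!")):
            with open(path, "wb") as f:
                f.write(data)
        return [os.path.basename(p)
                for p in find_self_copies(sample, [dropped, unrelated])]


if __name__ == "__main__":
    print("self-copies found:", demo())
```

On the lab machine the candidate list would be the dropped path from the Process Monitor trace, C:\WINDOWS\system32\vmx32to64.exe, and the sample path Lab03-01.exe; a matching pair confirms the self-copy without relying on file names, which the dropper chose freely.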

④ ApateDNS network access analysis

The program is found to access www.practicalmalwareanalysis.com.
For the ApateDNS virtual network configuration, see the article "Malicious code analysis practice: using ApateDNS and INetSim to simulate the network environment".

4. Conclusion of the experiment

Lab03-01.exe copies itself into the system32 directory and registers that copy to start automatically.
When Lab03-01.exe runs, it accesses the website www.practicalmalwareanalysis.com.


Copyright notice
This article was written by [Bng!]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/03/202203010524308710.html