Forensic Analysis of Malicious Files

The document outlines a security practice exercise focused on analyzing a potentially malicious file suspected of containing a Trojan virus. It details a step-by-step methodology using various tools such as Virus Total, PEiD, and IDA Pro to investigate the file's characteristics, dependencies, and malicious behavior. Additionally, it includes a second exercise involving network monitoring and registry changes during the execution of the file.

Mariano Gálvez University of Guatemala

Faculty of Information Systems Engineering

Master's in Information Security

Methodologies for forensic computer analysis

Ing. Emilio Marroquín Guevara

Task 7

Security practice week #7

Sindy Paola Batz García 1293-15-07254

Yosselin Karina Yos Arias 1293-15-14950

Abner Gabriel Juárez Hernández 1293-16-22542

Heber Ariel Ramos Felipe 1293-06-19348

Christian Alessandro Paredes Barenos 1293-15-00354

Evening Daily Plan

Section "B"

August 26, 2021

INDEX
Objective
Exercise 1 .......... 3
Exercise 2 .......... 25
Objective
Conduct an analysis of a file suspected to be of malicious origin and possibly containing a Trojan-type virus. Various tools will be used to facilitate the analysis and to follow the trail the file leaves as it affects certain processes, functions or tasks in the operating system.

Exercise 1
FIRST STEP: download the file to be analyzed from the Mega repository
[Link]

SECOND STEP: use the Virus Total page to analyze the 'Unknown' file that was previously downloaded; at [Link] upload the file to be analyzed.
When the file is analyzed with the Virus Total tool, it can be seen that it contains malicious Trojan-type files.
In the details, the type of file uploaded, its hash, and a short timeline with the timestamp of when the file was modified can be seen.
Here we can see the headers and the hashes of the file types it contains.
Additionally, the DLLs the file uses are displayed.
In the relations, the IPs contacted by the file are shown.
To discover which program is hidden inside the file from the previous step and which executes the malicious processes, we will use another tool called PEiD.

THIRD STEP: load the 'Unknown' file into the PEiD tool.
FIFTH STEP: as can be seen, only text files (.txt) were detected, which shows that the file does not contain anything obscured.

Having seen that the file is not encrypted, the headers must be analyzed; for this we will use the PEView tool.

SIXTH STEP: open the file '[Link]'.

SEVENTH STEP: select the 'IMAGE_FILE_HEADER' header, which displays the main characteristics of the file.

Now we analyze the 'IMAGE_SECTION_HEADER .text' header to see whether anything hidden or encrypted can be found, but there is nothing relevant.

Continuing the analysis in search of any alteration in the file, we review the 'IMAGE_OPTIONAL_HEADER' header, but it can be seen that no alteration exists there either.
Continuing with the analysis in the PEView tool, we review the 'SECTION .idata' section. In the 'IMPORT Directory Table' you can see the DLLs that are called to execute the file.
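The header walk-through above (IMAGE_FILE_HEADER, the section headers and the optional header's magic) can be reproduced without PEView. The following Python script is an added example, not part of the original report; it builds and parses a constructed minimal PE32 image rather than the 'Unknown' file, and the offsets and field layouts are those of the standard PE format.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal PE32 image (not the report's 'Unknown' file): a DOS header
# whose e_lfanew points at the PE signature, an IMAGE_FILE_HEADER, a PE32
# IMAGE_OPTIONAL_HEADER (224 bytes, only Magic set) and two section headers.
def build_sample_pe() -> bytes:
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 1629936000, 0, 0, 224, 0x010F)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # Magic 0x10B = PE32
    def section(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    sections = section(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)   # code, exec, read
    sections += section(b".idata", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040)  # data, read, write
    return dos + b"PE\0\0" + file_hdr + opt + sections

def parse_pe_headers(data: bytes) -> dict:
    # Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> sections.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40               # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr,
                         "executable": bool(schars & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
                         "writable": bool(schars & 0x80000000)})    # IMAGE_SCN_MEM_WRITE
    return {"machine": machine, "pe32": magic == 0x10B, "pe32plus": magic == 0x20B,
            "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "dll": bool(chars & 0x2000),            # IMAGE_FILE_DLL
            "sections": sections}

if __name__ == "__main__":
    print(parse_pe_headers(build_sample_pe()))
```

A section that is both writable and executable, or a TimeDateStamp far from the file's other timestamps, is the kind of anomaly the report looks for in PEView.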
Now that the DLLs have been detected, we must continue the analysis by searching the data strings; for this we use the Strings tool downloaded from [Link]. The tool has to be added to the main disk, in our case the C: drive, and the files needed to run the tool from the CMD are pasted into the path C:\Windows\System32.
EIGHTH STEP: we run the strings program in the CMD and analyze the file
[Link]

When the strings program is run, all the strings found in the file are listed.
To keep all the strings found, they are saved to a text file for later analysis using the command strings [Link] > [Link]

When analyzing the file's strings, strings that point to malicious routines have to be searched for.
Reviewing the strings, a call to GetLastActivePopup is found. Each time a new window is activated, Windows checks whether it has an owner; if so, it registers the newly activated window as the last active popup window of that owner. GetActiveWindow is also found, which returns a handle to the currently active window of your program. This only works with windows created by your application; in other words, it will not find the active window of other programs. If your program is in the background, the function obtains the window that would be active if the program were active.

With the above findings, all the processes and dependencies that are called need to be searched for; for that the Dependency Walker tool is used.
NINTH STEP: we load the file '[Link]' and it displays all the associated dependencies.

Analyzing the [Link] in the internal [Link], we can find memcpy, which copies a given number of bytes to a given location; this behavior is properly the Trojan found within the file.
Within this same DLL are the libraries linked to the OS that execute all the malicious actions.

TENTH STEP: after finding the previously mentioned malicious-type DLLs, we need to know how much damage they can cause to the system; for that we use the "IDA Pro" tool and load the file [Link]
ELEVENTH STEP: we select the 'OUT View-A' tab and select the text view of the element shown in that tab.
We can see that assembly language routines are being shown.
TWELFTH STEP: by selecting the Imports tab, you can see all the functions that were imported into the file.

THIRTEENTH STEP: we filter the functions with the word 'Local'.

As can be seen in the file, the attacker obtains the system time, the free space if available, and the release of local files and threads.

FOURTEENTH STEP: now we filter with the word 'Delete' to analyze the function "DeleteEnhMetaFile" by double-clicking to open it.
As can be observed, all the program code is present and can thus be analyzed to see what this Trojan can do.

EXERCISE 2
FIRST STEP: for this analysis we need the ApateDNS tool; we start it with the Start Server button.
SECOND STEP: then we flush the DNS cache with the command 'ipconfig /flushDNS'.
THIRD STEP: we run Process Monitor, downloaded from here
[Link]

FOURTH STEP: we use the filter and add the file name "[Link]" and the process type "Process Name".
SEVENTH STEP: we use the "netcat" tool to capture everything that goes through port 80; for this we use the command '[Link]-l -p 80'

EIGHTH STEP: with the 'Regshot' tool we log the changes being made to the OS Registry. We click on 1st Shot.
NINTH STEP: we execute the file 'Unknown'.

TENTH STEP: we return to the 'Regshot' tool and click on '2nd shot'.
With this we can compare the before and after of the execution by selecting 'Compare'.

It shows us a file with all the changes made in the system.
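The 'Compare' step above reduces to a diff between the two registry snapshots. The following Python is an added example, not the report's own Regshot output: it compares two constructed snapshots (the key paths and values are made up for the example) and additionally flags values added under autostart Run keys, which is where a dropped sample typically persists.

```python
# Constructed snapshots (not taken from the report): each maps a registry key
# path to its values. The "after" snapshot is what a sample that registers an
# autostart entry and records its install path might leave behind.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": r"C:\Users\lab\OneDrive.exe"},
    r"HKCU\Software\Sample\Settings": {"Version": "1.0", "Telemetry": "off"},
}
AFTER = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\lab\OneDrive.exe",
        "Updater": r"C:\Users\lab\AppData\Roaming\unknown.exe"},
    r"HKCU\Software\Sample\Settings": {"Version": "1.1"},
    r"HKCU\Software\Sample\Installed": {"Path": r"C:\Users\lab\AppData\Roaming"},
}

# Autostart locations worth flagging in any "values added" list (assumed subset).
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

def compare_snapshots(before: dict, after: dict) -> dict:
    # Regshot-style report: keys added/deleted, values added/deleted/modified.
    report = {"keys_added": [], "keys_deleted": [], "values_added": [],
              "values_deleted": [], "values_modified": [], "autostart": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
            report["values_added"] += [f"{key}\\{v}" for v in after[key]]
            continue
        if key not in after:
            report["keys_deleted"].append(key)
            report["values_deleted"] += [f"{key}\\{v}" for v in before[key]]
            continue
        old, new = before[key], after[key]
        for name in sorted(set(old) | set(new)):
            path = f"{key}\\{name}"
            if name not in old:
                report["values_added"].append(path)
            elif name not in new:
                report["values_deleted"].append(path)
            elif old[name] != new[name]:
                report["values_modified"].append(path)
    # Any value added under a Run/RunOnce key is a persistence indicator.
    report["autostart"] = [p for p in report["values_added"] if any(k in p for k in RUN_KEYS)]
    return report

if __name__ == "__main__":
    for section, entries in compare_snapshots(BEFORE, AFTER).items():
        print(section, entries)
```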


Process Monitor shows all the details of the services, processes and functions that had activity due to the malware.
