In this series of posts, I'm continuing with the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.
You may find reviewing the material from Open Security Training more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In this post, we will be learning about the persistence mechanisms used by IMWorm. We will leverage Sysinternals Autoruns to expand our understanding of IMWorm's persistence.
To make this analysis a bit easier, I first executed Autoruns and saved the output via the "File" -> "Save" menu to a file called "Before_IMWorm.arn".
Once I had the saved file, I then executed the IMWorm executable and compared the new Autoruns output to this saved file. To achieve this, I first hit "Refresh"/"F5" within Autoruns. Then, from the "File" -> "Compare" menu item, I selected the previously created file "Before_IMWorm.arn". Once opened, this produced the output shown below:
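The same before/after comparison can be scripted with the console version of Autoruns (autorunsc.exe), which is handy when you want to repeat the baseline step for every sample. This is an added example, not code from the original post or from Sysinternals; it assumes autorunsc.exe is on the PATH (or passed in via `$AutorunscPath`), that the script runs elevated on the analysis VM, that the output file names are illustrative, and that the CSV column names (`Entry Location`, `Entry`, `Image Path`, `MD5`) match the headers your autorunsc version emits.

```powershell
# Added example: scripted equivalent of the Autoruns "File -> Save" / "File -> Compare" workflow.
# Assumptions: Sysinternals autorunsc.exe is available, the session is elevated,
# and the CSV headers below match the installed autorunsc version.
param(
    [string]$AutorunscPath = 'autorunsc.exe',
    [string]$Baseline      = 'C:\analysis\Before_IMWorm.csv',   # illustrative path
    [string]$After         = 'C:\analysis\After_IMWorm.csv'     # illustrative path
)

function Export-AutorunBaseline {
    param([string]$Path)
    # -a * : every autostart category, -c : CSV output, -h : include file hashes,
    # -nobanner / -accepteula : quiet, non-interactive run suitable for scripting
    & $AutorunscPath -a * -c -h -nobanner -accepteula |
        Out-File -FilePath $Path -Encoding utf8
}

function Compare-AutorunBaseline {
    param([string]$BeforePath, [string]$AfterPath)
    $before = Import-Csv $BeforePath
    $after  = Import-Csv $AfterPath
    # Key on location + entry name + image path, so a changed value (for example
    # a new UserInit image) appears as one removed row ("<=") and one added row ("=>").
    Compare-Object -ReferenceObject $before -DifferenceObject $after `
        -Property 'Entry Location', 'Entry', 'Image Path' -PassThru |
        Select-Object SideIndicator, 'Entry Location', 'Entry', 'Image Path', 'MD5'
}

# Usage on the analysis VM:
#   Export-AutorunBaseline -Path $Baseline      # clean snapshot
#   ... detonate the sample ...
#   Export-AutorunBaseline -Path $After         # post-execution snapshot
#   Compare-AutorunBaseline $Baseline $After    # rows marked "=>" are new autostart entries
```

Rows marked `=>` are entries present only in the post-execution snapshot; in the scenario described in this post, that is where the modified `UserInit` value and the new Startup-folder item would appear, together with their hashes for later lookup.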
As shown above, the registry entry '"HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /V UserInit' has the value "C:\WINDOWS\system\lsass.exe". Additionally, we see the file "msconfig.exe" has been created in "c:\Documents and Settings\All Users\Start Menu\Programs\Startup".
Let’s try to hunt these down:
First, when I tried to open "regedit" to verify the key, I was unable to do so, and I believe this has something to do with "IMWorm". The error I got was "Registry editing has been disabled by your administrator", as shown below:
As a result of this error, I instead leveraged the "reg query" command line tool. This produced the result shown below:
The example above demonstrates why it is extremely important to know and use more than one tool to solve your problems.
Next up, I attempted to leverage Autoruns to "Jump to Image". However, Autoruns exited and I was unable to open it. Looking for the file directly under Windows Explorer, I was also unable to find it. Trying to enable the options to show hidden files and file extensions, I noticed those options were not available. I assumed, once again, that this is IMWorm doing its thing.
As a result, I had to go back into the command line with some more command line Kung Fu. At this point I did a "dir" on the folder in question, as shown below:
Ooooops!! Looks like nothing is there. Let's take another shot at this, looking for hidden files. This time we execute the same command, except we append "/A H" to the command above, as shown below:
At this point we recognize the file was "hidden" from the default "dir" output.
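Because both regedit and Explorer's hidden-file option were disabled, the checks above had to be done from the command line. The following added example (not code from the original post) wraps those two checks, the `reg query` of the `UserInit` value and the hidden-file listing of the all-users Startup folder, in PowerShell functions, and adds a check for the policy value behind the "Registry editing has been disabled by your administrator" message. It assumes an elevated session and PowerShell 4 or later (for `Get-FileHash`); the cmd.exe equivalents are given in comments for an older VM such as the one used in this post, and the expected-clean `UserInit` value is assumed to be the Windows default `userinit.exe` under `system32`.

```powershell
# Added example: command-line checks for the two persistence locations found above.
# Assumptions: elevated session, PowerShell 4+, default UserInit = "<SystemRoot>\system32\userinit.exe,".
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$startupDir  = [Environment]::GetFolderPath('CommonStartup')   # All Users\Start Menu\Programs\Startup
$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UserInitValue {
    # cmd.exe equivalent:
    #   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserInit
    (Get-ItemProperty -Path $winlogonKey -Name UserInit).UserInit
}

function Test-UserInitTampered {
    param([string]$Value = (Get-UserInitValue))
    # UserInit is a comma-separated list of images; the clean default is a single
    # userinit.exe under system32. Any other image (such as a file under
    # C:\WINDOWS\system\ rather than system32) is flagged.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $images   = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($img in $images) {
        if ($img -ne $expected) { return $true }   # -ne is case-insensitive for strings
    }
    return $false
}

function Get-StartupItems {
    # cmd.exe equivalent:
    #   dir /A:H "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
    # -Force includes hidden and system files that the default listing and Explorer omit.
    Get-ChildItem -Path $startupDir -Force -File |
        Select-Object Name, Attributes, Length, LastWriteTime,
            @{ n = 'MD5'; e = { (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash } }
}

function Test-RegistryToolsDisabled {
    # The "Registry editing has been disabled by your administrator" error corresponds
    # to DisableRegistryTools being set to 1 under the per-user Policies\System key.
    $v = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRegistryTools -eq 1)
}

# Usage: print a short report of the three checks.
"UserInit value       : $(Get-UserInitValue)"
"UserInit tampered?   : $(Test-UserInitTampered)"
"Regedit disabled?    : $(Test-RegistryToolsDisabled)"
"Startup folder items (including hidden):"
Get-StartupItems | Format-Table -AutoSize
```

On a machine in the state described in this post, `Test-UserInitTampered` returns `$true` because the value points at `C:\WINDOWS\system\lsass.exe` instead of `system32\userinit.exe`, `Get-StartupItems` lists the hidden `msconfig.exe` that the plain `dir` missed, and the MD5 column gives you something to search for across other hosts.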
From the above, we see that IMWorm is leveraging both the registry "Run" key and the "Startup" folder for persistence purposes.
References:
Open Security Training