
This is the first step of manually analysing a malware sample. You will want to determine if it is in fact malware and warrants more scrutiny, and if so, how bad it is, how we can detect it and what it can do. For strings you want to be looking for hostnames, filenames, registry keys, IP addresses, HTTP verbs etc.

PEStudio for Windows should be your first stop when looking for static properties. Just drag the sample into it, and it'll analyse it. This shows you what Windows API features are included, such as networking and crypto, and gives a hint of what the sample can do. It also runs a bunch of automated checks for features that may or may not indicate malicious intent. Windows executables are supposed to have sections like. But if you see something like UPX1 as the name of a section, it could indicate the use of a packer.

Peframe and pescanner.py are Linux alternatives to PEStudio that will show most, if not all, of the same things.

DIE (Detect It Easy) and Exeinfo PE attempt to automatically detect packers. So does Portex, which also includes descriptions of what the various imports are used for. Just drag the sample onto them. Run them as so:

Looking at the command line information, it is observed that an obfuscated script is passed to powershell as its argument. Thus the de-obfuscated PowerShell code has five URLs:

Step 2 – Finding a list of CnC URLs

This is further verified when we look at the output in Fiddler. Fiddler has intercepted requests to those same 5 URLs in the same order they were present in the PS code. Visiting hxxp:///3J6mS/ manually gives us the download of an executable named 78406.exe.
