• Save a snapshot with VMware.
• Execute the suspect binary.
• Inspect the tools for system changes from the baseline.
• Interact with the binary through fake DNS, e-mail, and IRC servers as required.
• Revert the snapshot and repeat the process.
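Step 4 of the loop above calls for fake network services so the sample's traffic never leaves the lab. As an added example (not code from the book), the following minimal fake DNS server answers every A query with one fixed address, where the analyst's other fake services would listen, and returns an empty NOERROR reply for other query types. The `build_query` helper, the function names, and the `10.0.0.1` answer address are constructed for this example.

```python
"""Minimal fake DNS server for an isolated analysis VM (added example)."""
import socket
import struct

FAKE_ANSWER_IP = "10.0.0.1"   # constructed: where the lab's other fake services listen


def build_query(tid, name, qtype=1):
    """Build a plain DNS query packet (default: type A) for testing the responder."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (tid, name, qtype, raw question section) from a query packet."""
    tid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in queries")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return tid, ".".join(labels), qtype, packet[12:offset + 4]


def build_response(packet, answer_ip=FAKE_ANSWER_IP):
    """Answer an A query with answer_ip; any other type gets NOERROR with no records."""
    tid, name, qtype, question = parse_question(packet)
    ancount = 1 if qtype == 1 else 0
    # flags 0x8180: response, recursion desired + available, no error
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, ancount, 0, 0)
    if ancount == 0:
        return name, header + question
    # 0xC00C is a compression pointer back to the question name at offset 12;
    # type A, class IN, TTL 60 s, RDLENGTH 4, then the IPv4 address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return name, header + question + answer


def serve(bind_addr="0.0.0.0", port=53):
    """Listen on UDP/53 inside the lab network and log every name the sample looks up."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, reply = build_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed packet: drop it and keep serving
        print(f"{peer[0]} asked for {name} -> {FAKE_ANSWER_IP}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The names the sample resolves are themselves useful indicators, so the server logs each lookup; point the VM's DNS setting at the machine running it (binding to port 53 needs administrative privileges).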
For the rest of this section, we will describe common tools used in live analysis.
NOTE: We had to add an .exe file extension to the binary in order to execute it.
Regshot
Before executing the binary, we will take a snapshot of the registry with Regshot. After executing the binary, we will take the second snapshot by clicking the 2nd shot button and then compare the two snapshots by clicking the cOmpare button. When the analysis was complete, we got results like this:
From this output, we can see that the binary will place an entry in the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The key name Gremlin points to the file C:\WINDOWS\System32\intrenat.exe. This is a method of ensuring the malware will survive reboots, because everything in that registry location is run automatically at each reboot.
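The compare step Regshot performs is a set difference over two snapshots, followed by a look at which of the changed keys are autostart locations. The following added example (not code from the book or from Regshot) reproduces that logic on two text snapshots. The snapshot format (one `key\valuename=data` line per registry value), the helper names, and the sample data are assumptions made for this example; the Gremlin entry pointing at intrenat.exe is the one the text describes, and the RunOnce and HKCU siblings of the Run key are well-known autostart locations added for breadth.

```python
"""Diff two registry snapshots and flag new autorun entries (added example)."""

# Autostart keys whose new or changed entries usually mean the sample wants to
# survive a reboot. The HKLM Run key is the one from the text; the others are
# its well-known siblings. Stored lower-case for case-insensitive matching.
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}

# Constructed "1st shot", taken before the sample runs.
BEFORE_SNAPSHOT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools=C:\Program Files\VMware\VMware Tools\VMwareTray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a=notepad\1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname=ANALYSIS-VM
"""

# Constructed "2nd shot", taken after the sample runs: one Run entry was added
# and one unrelated MRU value changed, so not every difference is persistence.
AFTER_SNAPSHOT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools=C:\Program Files\VMware\VMware Tools\VMwareTray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gremlin=C:\WINDOWS\System32\intrenat.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a=cmd\1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname=ANALYSIS-VM
"""


def parse_snapshot(text):
    """Turn 'key\\valuename=data' lines into {(key, valuename): data}."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        path, _, data = line.partition("=")      # split at the first '='
        key, _, name = path.rpartition("\\")     # last path component is the value name
        values[(key, name)] = data
    return values


def diff_snapshots(before, after):
    """Return (added, removed, modified), the three sections of a compare report."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {
        k: (before[k], after[k])
        for k in before.keys() & after.keys()
        if before[k] != after[k]
    }
    return added, removed, modified


def find_persistence(added, modified):
    """List (key, valuename, data) for new or changed values under autostart keys."""
    hits = []
    for (key, name), data in added.items():
        if key.lower() in AUTORUN_KEYS:
            hits.append((key, name, data))
    for (key, name), (_old, new_data) in modified.items():
        if key.lower() in AUTORUN_KEYS:
            hits.append((key, name, new_data))
    return hits


def analyze(before_text, after_text):
    """Run the whole compare step and return only the persistence hits."""
    added, _removed, modified = diff_snapshots(
        parse_snapshot(before_text), parse_snapshot(after_text)
    )
    return find_persistence(added, modified)


if __name__ == "__main__":
    added, removed, modified = diff_snapshots(
        parse_snapshot(BEFORE_SNAPSHOT), parse_snapshot(AFTER_SNAPSHOT)
    )
    print(f"added: {len(added)}, removed: {len(removed)}, modified: {len(modified)}")
    for key, name, data in find_persistence(added, modified):
        print(f"PERSISTENCE  {key}\\{name} -> {data}")
```

On the constructed data this reports one added value, one modified value, and a single persistence hit, the Gremlin entry; the RunMRU change is listed as a difference but not flagged, which is the filtering a reviewer of a real Regshot report does by hand.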
Gray Hat Hacking: The Ethical Hacker's Handbook 514
FileMon
The FileMon program is very useful in finding changes to the file system. Additionally, any searches performed by the binary will be detected and recorded.
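FileMon records file activity live while the sample runs. The following added example (not code from the book or from FileMon) shows the complementary baseline approach from the procedure at the top of this section: hash a directory tree before and after execution and report what was created, deleted, or modified. The directory layout and the simulated sample activity are constructed under a temporary directory, so it runs anywhere; the dropped file name intrenat.exe is the one the Regshot result pointed at.

```python
"""Baseline-and-compare view of file system changes (added example)."""
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_trees(before, after):
    """Return (created, deleted, modified) lists of relative paths, sorted."""
    created = sorted(after.keys() - before.keys())
    deleted = sorted(before.keys() - after.keys())
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return created, deleted, modified


def build_fake_system(root):
    """Lay down a small constructed directory tree to act as the clean baseline."""
    files = {
        "WINDOWS/System32/kernel32.dll": b"MZ\x90\x00 baseline dll",
        "WINDOWS/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
        "Temp/setup.tmp": b"installer leftovers",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def simulate_sample(root):
    """Stand-in for executing the suspect binary (constructed): it drops a file
    into System32, appends to the hosts file, and removes a temp file."""
    with open(os.path.join(root, "WINDOWS", "System32", "intrenat.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00 dropped copy")
    with open(os.path.join(root, "WINDOWS", "System32", "drivers", "etc", "hosts"), "ab") as fh:
        fh.write(b"127.0.0.1 updates.example.invalid\n")
    os.remove(os.path.join(root, "Temp", "setup.tmp"))


def run_analysis():
    """Snapshot, 'execute', snapshot again, compare. Returns the diff tuple."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_system(root)
        before = snapshot_tree(root)
        simulate_sample(root)
        after = snapshot_tree(root)
        return diff_trees(before, after)


if __name__ == "__main__":
    created, deleted, modified = run_analysis()
    for label, paths in (("created", created), ("deleted", deleted), ("modified", modified)):
        for path in paths:
            print(f"{label:9} {path}")
```

Hashing rather than comparing timestamps matters here: a sample that restores a file's modification time still changes its digest. The approach misses files the sample creates and deletes again before the second snapshot, which is exactly the gap a live monitor such as FileMon fills.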