This tool is rather noisy and picks up hundreds of file changes on a seemingly idle Windows system. Therefore, be sure to clear the tool's log prior to executing the binary, and "stop capture" about 10 seconds after launching the tool. Once you find the malware process in the logs, you may filter on that process to cut out the noise. In our case, after running the binary and scrolling through the logs, we see two files written to the hard drive: intrenat.exe and sync-src-1.00.tbz.
The number of file changes that a single binary can make in seconds can be overwhelming. To assist with the analysis, we will save the output to a flat text file and parse through it manually.

By searching for the CREATE operation tag, we were able to see even more placements of the file sync-src-1.00.tbz:
2334 3:12:40 PM 7e3b35c870d3bf2:276 CREATE C:\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2338 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\WINDOWS\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2344 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\WINDOWS\System32\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2351 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\DOCUME~1\Student\LOCALS~1\Temp\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2355 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\Documents and Settings\Student\sync-src-1.
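Parsing the saved flat text file by hand works for a handful of entries, but a short script does the same filtering reproducibly. The following is an added example, not code from the book or from the monitoring tool; it assumes the line layout visible above (sequence number, time, process:PID, operation, path, result, optional detail column) and a result vocabulary (SUCCESS, NOT FOUND, ACCESS DENIED, and so on) that is an assumption rather than something the page states. The sample log is constructed to resemble the entries above, with a few noise lines from other processes and a constructed location for intrenat.exe, since the page does not say where it was written.

```python
import re
from collections import defaultdict

# Result values are an assumption based on typical file-monitor output; extend
# the alternation if your saved log uses others.
_RESULTS = r"SUCCESS|NOT FOUND|ACCESS DENIED|SHARING VIOLATION|BUFFER OVERFLOW|END OF FILE"

# One log line: seq, time, process:pid, OPERATION (may contain spaces),
# path (starts with a drive letter or UNC prefix), result, optional detail.
_LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<proc>\S+?):(?P<pid>\d+)\s+"
    r"(?P<op>[A-Z]+(?: [A-Z]+)*)\s+"
    r"(?P<path>(?:[A-Za-z]:\\|\\\\).*?)\s+"
    r"(?P<result>" + _RESULTS + r")"
    r"(?:\s+(?P<detail>.*))?$"
)

# Constructed sample log in the page's layout; not real captured output.
SAMPLE_LOG = r"""
2330 3:12:40 PM explorer.exe:1204 QUERY INFORMATION C:\WINDOWS\explorer.exe SUCCESS Attributes: A
2334 3:12:40 PM 7e3b35c870d3bf2:276 CREATE C:\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2335 3:12:40 PM 7e3b35c870d3bf2:276 WRITE C:\sync-src-1.00.tbz SUCCESS Offset: 0 Length: 4096
2338 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\WINDOWS\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2340 3:12:41 PM svchost.exe:944 OPEN C:\WINDOWS\Prefetch\ NOT FOUND Options: Open Directory Access: All
2344 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\WINDOWS\System32\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2351 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\DOCUME~1\Student\LOCALS~1\Temp\sync-src-1.00.tbz SUCCESS Options: OverwriteIf Access: All
2352 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\WINDOWS\System32\intrenat.exe SUCCESS Options: OverwriteIf Access: All
2353 3:12:41 PM 7e3b35c870d3bf2:276 CREATE C:\Program Files\sync-src-1.00.tbz ACCESS DENIED Options: OverwriteIf Access: All
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["seq"] = int(entry["seq"])
    entry["pid"] = int(entry["pid"])
    return entry


def parse_log(text):
    """Parse every recognizable line of a saved log; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def files_created_by(entries, process):
    """Unique paths the named process CREATEd successfully, in log order."""
    paths = []
    for e in entries:
        if e["proc"] == process and e["op"] == "CREATE" and e["result"] == "SUCCESS":
            if e["path"] not in paths:
                paths.append(e["path"])
    return paths


def summarize_ops(entries, process):
    """Count operations per type for one process, to see what it mostly does."""
    counts = defaultdict(int)
    for e in entries:
        if e["proc"] == process:
            counts[e["op"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python filemon_parse.py < saved_log.txt (here the constructed sample)
    log = parse_log(SAMPLE_LOG)
    for path in files_created_by(log, "7e3b35c870d3bf2"):
        print(path)
    print(summarize_ops(log, "7e3b35c870d3bf2"))
```

Filtering on the process name first and on the CREATE operation with a SUCCESS result second reproduces the manual search above, while also dropping the attempts that failed (the ACCESS DENIED line in the sample) so the list reflects files that actually landed on disk. If a saved log is tab-delimited rather than space-separated, the same regular expression still applies because it splits on any whitespace.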