exe husk
GDIProcs Detects hidden processes by looking in the GDISharedHandleTable
Although they are not particularly useful for this malware, you may find these tools
useful in the future. For example, if the malware you are analyzing tries to send e-mails,
connect to an IRC server, or flood a web server, these tools can safely stimulate the
malware and extract vital information.
Norman Sandbox Technology
We have saved the best for last. As you saw earlier in the Nepenthes section, we set up
Nepenthes to automatically report binaries to the Norman Sandbox. The Norman
Sandbox site receives the binary and performs automated analysis to discover files contained,
registry keys modified, network activity, and basic detection of known viruses.
The Sandbox actually simulates the execution of the binary in a sandbox (safe) environment
to extract the forensic data. In short, sandboxes do everything we did, and more, in
an automated fashion and provide us with a report in seconds. The report is quite
impressive and offers unprecedented "first pass" information that will tell us some basic
data about our captured binary within seconds.
As expected, after the earlier output from Nepenthes, we got the following e-mail
from sandbox@eunet.