Saturday, 20 December 2014

Malware Analysis of very basic EXE file


Going one step ahead we will start with analyzing simple EXE file and lets figure out what this is all about.

For the moment, very basic thing to understand about compiling, linking you can refer below diagram:

1. Source code written in computer language [ C,C++ ] is present in Source Code file which we save it as .c, .cpp
2. Compiler job is to take this file as input and create Object Code file.
3. Linker job is to add references to external Library Files include those in code and create executable.

In order to reduce programmers work of wring code to get basic functionality, Library files are created.

Ex. You would not want to rewrite code in C programming language for creating a process, creating a file, creating a service etc. for which Microsoft has already created DLL files containing functions which can be imported by programmer and will be used to perform the same tasks.

Every executable contains multiple function call, library imports and we will shortly analyse those in order to conclude that file is performing some malicious activities.

Lets start with a sample .exe file "mfc7sys.exe" which I think is a suspicious file by looking at task manager.

By Looking at process explorer we will get path / registry locations

Lets go ahead and check what's there at registry location and directory path :

Looking at above screenshots its clear that this programs entry is present in registry "RUN" means this program will start at boot.

There are 2 files, exe and dll, it seems EXE is using "mfc7sys.dll" file for XYZ functionality which is yet to explorer.

Now its clear that program is trying to receive keyboard inputs, using "SetWindowsHookEx" and which is most popular way of keyloggers and spywares.

Looking at above screenshots you will see program is using create file, copy file, write file calls and now purpose of this program seems clear that its a type of Keylogger.

Taking closer look at process monitor you will observe txt file created with same process name.

Captured keystrokes are stored in this text file :

We can also perform simple string analysis of this "mfc7sys.dll" and result is same :

Hope this article is helpful.


No comments:

Post a Comment