Basic Malware Analysis 2

Ibrahim Ekim Isik
3 min read · Jul 9, 2022

Starting with some fundamental static and dynamic analysis.

I took the malware from this repo.
HuskyHacks/PMAT-labs: Labs for Practical Malware Analysis & Triage (github.com)

Basic Static Analysis

String analysis is the first stage of the static analysis process. Although tedious and time-consuming, it is crucial. For this stage, Floss or PEstudio are useful tools; for this task, PEstudio will be my preference.

“werflt.exe” is an executable file name that I can see. This seems familiar, but further research is definitely necessary.

It appears to be a legitimate Windows application, yet our executable references it as “C:\Users\Public\werflt.exe”.
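The two observations above (a string that looks like a Windows binary name, and a path under C:\Users\Public) are exactly what a string triage pass should surface automatically. The following is an added example, not code from the original post or from the PMAT-labs repo: it extracts ASCII and UTF-16LE strings the way Floss or PEstudio do, then flags paths in user-writable drop directories and file names that are a small edit distance away from well-known Windows binaries. The byte blob, the directory list and the known-binary list are constructed for the example; the sample is not the lab malware.

```python
import re
from typing import Optional

# Constructed PE-like blob mixing ASCII strings, a UTF-16LE string and junk bytes.
# It stands in for the lab sample; it is not the real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x01\x02"
    + "C:\\Users\\Public\\werflt.exe".encode("utf-16le")   # wide string, as PEstudio shows it
    + b"\xff\xfe"
    + b"WerFault.exe\x00"                                   # the legitimate name, for comparison
    + b"CreateProcessA\x00"
    + b"\x7f\x80\x81"
    + b"ab\x00"                                             # too short to count as a string
)

# Constructed lists for the example: directories malware commonly drops into, and
# Windows binary names that lookalike names tend to imitate.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
KNOWN_WINDOWS_BINARIES = {"werfault.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
MAX_DISTANCE = 3   # edits allowed before a name stops counting as a lookalike


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (0x20-0x7e) of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII encoded as UTF-16LE (char, 0x00) of at least min_len chars."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16le") for m in re.findall(pattern, data)]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between a found name and a known name mean 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename: str) -> Optional[str]:
    """Return the known binary this name imitates, or None if it is exact or unrelated."""
    if not basename.endswith(".exe") or basename in KNOWN_WINDOWS_BINARIES:
        return None
    for known in sorted(KNOWN_WINDOWS_BINARIES):
        if levenshtein(basename, known) <= MAX_DISTANCE:
            return known
    return None


def triage_strings(data: bytes) -> list:
    """Flag strings that are paths into drop directories or lookalike executable names."""
    findings = []
    for s in extract_ascii_strings(data) + extract_utf16le_strings(data):
        lower = s.lower()
        basename = lower.rsplit("\\", 1)[-1]
        in_suspicious_dir = lower.startswith(SUSPICIOUS_DIRS)
        imitates = lookalike_of(basename)
        if in_suspicious_dir or imitates:
            findings.append({"string": s, "suspicious_dir": in_suspicious_dir, "lookalike_of": imitates})
    return findings


if __name__ == "__main__":
    for f in triage_strings(SAMPLE_BINARY):
        print(f)
```

On the constructed blob this reports a single finding: the UTF-16 path `C:\Users\Public\werflt.exe`, both because of its directory and because `werflt.exe` is two edits away from `werfault.exe`. The exact name `WerFault.exe` is not flagged, which is the point of checking edit distance rather than substring matches.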

Basic Dynamic Analysis

We will use a few tools at this point to understand the binary's behavior. Procmon will definitely assist us in discovering what kind of conduct this suspicious binary demonstrates.

Here, there is a lot of activity. To see better and more helpful results, we must apply filters.

We also filter on the “CreateFile” operation and add the binary's name. In this way we can determine whether this binary drops a new payload into our environment.

Our binary creates werflt.exe in the “C:\Users\Public\” directory.
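The Procmon filtering just described (process name plus CreateFile, then reading the result to see whether a file was actually created) can be applied to an exported capture as well, which is handy when the live view is too noisy. This added example is not from the original post: it parses a CSV in Procmon's default column layout, keeps only successful CreateFile operations that created a new file under a drop directory, and then checks whether any dropped file was later launched with a Process Create event. The CSV rows, the process name `sample.exe` and the PIDs are constructed for the example.

```python
import csv
import io
import re

# Constructed export in Procmon's default CSV column layout; not a real capture.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","RegOpenKey","HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.2","sample.exe","4120","CreateFile","C:\\Users\\Public\\werflt.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"10:01:02.3","sample.exe","4120","WriteFile","C:\\Users\\Public\\werflt.exe","SUCCESS","Offset: 0, Length: 73,728"
"10:01:02.4","sample.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:01:03.0","sample.exe","4120","Process Create","C:\\Users\\Public\\werflt.exe","SUCCESS","PID: 5232, Command line: C:\\Users\\Public\\werflt.exe"
"10:01:03.1","explorer.exe","1788","CreateFile","C:\\Users\\Public\\Desktop\\notes.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"""

# Constructed watch list: user-writable directories where dropped payloads usually land.
WATCH_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def dropped_files(csv_text: str, watch_dirs=WATCH_DIRS) -> list:
    """CreateFile events that really created a new file under a watched directory.

    CreateFile in Procmon also covers plain opens, so the Detail column's
    'OpenResult: Created' is what separates a drop from a read."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        if not row["Path"].lower().startswith(watch_dirs):
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue
        hits.append({"process": row["Process Name"], "pid": int(row["PID"]), "path": row["Path"]})
    return hits


def executed_drops(csv_text: str, drops: list) -> list:
    """Drops whose path later shows up as the image of a Process Create event."""
    dropped_paths = {d["path"].lower() for d in drops}
    launched = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        if row["Path"].lower() not in dropped_paths:
            continue
        m = re.search(r"PID: (\d+)", row["Detail"])
        launched.append({
            "parent": row["Process Name"],
            "parent_pid": int(row["PID"]),
            "child_pid": int(m.group(1)) if m else None,
            "path": row["Path"],
        })
    return launched


if __name__ == "__main__":
    drops = dropped_files(PROCMON_CSV)
    print("dropped:", drops)
    print("executed:", executed_drops(PROCMON_CSV, drops))
```

The explorer.exe row is under C:\Users\Public too, but its OpenResult is "Opened", so it is correctly ignored; only the werflt.exe drop survives, and the second pass shows that the same process then launched it as PID 5232, which is the drop-and-execute chain the post goes on to confirm with TCPView.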

The executable file “C:\Users\Public\werflt.exe” is the same one we saw in the strings. To determine what kind of payload that is, we will execute this binary. When it runs, TCPView will enable us to determine the type of connection being established.

The payload is right here, and we have TCPView open and ready.

WerFault.exe appears to be legitimate, so why does it open port 8443? Let’s monitor this port to observe what kind of connection comes in on it.

The final tool we’ll use is called “Process Hacker.” It helps with monitoring system resources and parent/child process relationships.

BINGO!!! We see that this werflt.exe opens a reverse shell connection on port 8443. An important detail is that this “werflt.exe” looks like a legitimate binary in Process Hacker.
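The finding here rests on joining two views: TCPView's connection table and Process Hacker's process tree. The following added example (not from the original post) does that join over a constructed snapshot: it maps each established connection back to its process, flags connections to a watched port or from an image outside the trusted program directories, and prints the parent chain so a lookalike name running from C:\Users\Public stands out even though the name alone looks benign. The process list, connection list, addresses and trusted-directory list are all constructed; port 8443 is the one from the post, the other watched ports are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    name: str
    image_path: str


@dataclass(frozen=True)
class Connection:
    pid: int
    protocol: str
    local_addr: str
    remote_addr: str
    state: str


# Constructed snapshot in the shape Process Hacker and TCPView display; not real capture data.
PROCESSES = [
    Process(4, 0, "System", ""),
    Process(900, 4, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Process(1788, 1600, "explorer.exe", r"C:\Windows\explorer.exe"),
    Process(2044, 900, "WerFault.exe", r"C:\Windows\System32\WerFault.exe"),
    Process(3100, 1788, "msedge.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    Process(4120, 1788, "sample.exe", r"C:\Users\analyst\Desktop\sample.exe"),
    Process(5232, 4120, "werflt.exe", r"C:\Users\Public\werflt.exe"),
]
CONNECTIONS = [
    Connection(900, "TCP", "0.0.0.0:135", "*:*", "LISTENING"),
    Connection(3100, "TCP", "10.0.0.5:51510", "93.184.216.34:443", "ESTABLISHED"),
    Connection(5232, "TCP", "10.0.0.5:51522", "10.0.0.9:8443", "ESTABLISHED"),
]

# Constructed policy: where legitimate binaries normally live, and remote ports worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WATCH_PORTS = {8443, 4444}


def parent_chain(pid: int, by_pid: dict) -> str:
    """'child(pid) <- parent(pid) <- ...' up to the first unknown PID (or a cycle)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        proc = by_pid[pid]
        chain.append(f"{proc.name}({proc.pid})")
        pid = proc.ppid
    return " <- ".join(chain)


def suspicious_connections(processes: list, connections: list, watch_ports=WATCH_PORTS) -> list:
    """Established connections owned by an untrusted image or going to a watched port."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for conn in connections:
        proc = by_pid.get(conn.pid)
        if proc is None or conn.state != "ESTABLISHED":
            continue
        remote_port = int(conn.remote_addr.rsplit(":", 1)[1])
        untrusted_path = not proc.image_path.lower().startswith(TRUSTED_DIRS)
        if remote_port in watch_ports or untrusted_path:
            findings.append({
                "pid": proc.pid,
                "name": proc.name,
                "image_path": proc.image_path,
                "remote": conn.remote_addr,
                "watched_port": remote_port in watch_ports,
                "untrusted_path": untrusted_path,
                "parent_chain": parent_chain(proc.pid, by_pid),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(PROCESSES, CONNECTIONS):
        print(f)
```

On the snapshot only one connection is reported: werflt.exe (PID 5232) to 10.0.0.9:8443, with the chain `werflt.exe(5232) <- sample.exe(4120) <- explorer.exe(1788)`. The browser's 443 connection from Program Files passes both checks, and the real WerFault.exe has no connection at all, which is what makes the lookalike's network activity the anomaly.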

Stay tuned for more analysis.

Purple Team — eJPT & eCPTTv2 & Security+ , CEH , Splunk Core User