Saturday, January 7, 2012

Reptile Malware - Behavioral Analysis


I began with a fresh VMware image of Windows XP. Tools you should have ready before you start behavioral analysis:
  • Regshot
  • CaptureBat
  • ProcMon
  • ProcessExplorer
  • PEiD

Begin by checking whether this malware uses a packer; PEiD does this for us.
PEiD shows that the SVKP packer is being used. Since a packer is in play, it is always good to take a VM snapshot before we start anything.
Packers and other protection mechanisms have a long reputation of terminating the executable if they detect analysis tools in use. To save time during analysis, take a snapshot just before the analysis starts.
  • Run Regshot and take the first snapshot. The second snapshot will be taken after the malware runs.
  • Start CaptureBat with the switches -c -n -l > captureInfo
  • Start ProcMon
  • Start ProcessExplorer
Run the malware for about 2 minutes and then terminate it. In this case it is not visible in ProcessExplorer; the malware may have terminated itself, which is common behavior. Take the second Regshot snapshot and generate the comparison file.
Let's look at the files we have obtained for analysis, starting with the log from ProcMon. ProcMon's filtering option is extremely helpful during analysis. I begin with the filter "Process Name is rep.exe", which narrows the view down to the activity of our malware.

We can see a lot of activity from the malware. I have a habit of reviewing one class of activity at a time, first the file-related activity and then the registry-related activity. This keeps the focus on one kind of activity at a time.
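As an added example (not part of the original post and not code from any of the tools it names), the Python script below performs the same triage over a ProcMon CSV export: it applies the "Process Name is rep.exe" filter, splits the remaining rows into registry, file and process activity so each class can be reviewed on its own, and pulls out the two things the rest of this analysis turns on, file deletions and VMware-related registry lookups. The CSV rows are constructed to look like a ProcMon "Save as CSV" export with the default columns; the paths, PIDs and timings in them are illustrative, not recorded data.

```python
"""Triage a Process Monitor CSV export by process name and activity class.

Added example, not code from the original post: the CSV text below is a
constructed stand-in for a ProcMon "Save as CSV" export with the default
columns; its paths, PIDs and timings are illustrative, not recorded data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: rows from the analysed process plus one row of
# background noise from explorer.exe, which the process filter should drop.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","rep.exe","1234","Process Start","","SUCCESS","Parent PID: 1000"
"10:01:02.1200000","rep.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools","SUCCESS","Desired Access: Read"
"10:01:02.1300000","rep.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools\\InstallPath","SUCCESS","Type: REG_SZ"
"10:01:02.2000000","rep.exe","1234","CreateFile","C:\\WINDOWS\\system32\\SVKP.sys","SUCCESS","Desired Access: Generic Write"
"10:01:02.2100000","rep.exe","1234","WriteFile","C:\\WINDOWS\\system32\\SVKP.sys","SUCCESS","Offset: 0, Length: 4096"
"10:01:02.3000000","rep.exe","1234","RegCreateKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\SVKP","SUCCESS","Desired Access: All Access"
"10:01:02.9000000","rep.exe","1234","SetDispositionInformationFile","C:\\Documents and Settings\\analyst\\Desktop\\rep.exe","SUCCESS","Delete: True"
"10:01:03.0000000","explorer.exe","800","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState","SUCCESS","Type: REG_BINARY"
"10:01:03.1000000","rep.exe","1234","Process Exit","","SUCCESS","Exit Status: 0"
"""

PROCESS_OPS = {"Process Start", "Process Create", "Process Exit",
               "Thread Create", "Thread Exit", "Load Image"}


def classify(operation):
    """Map a ProcMon operation name onto the activity classes reviewed one
    at a time in the post: registry, file, process, network or other."""
    if operation.startswith("Reg"):
        return "registry"
    if operation in PROCESS_OPS:
        return "process"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if "File" in operation or operation in {"QueryDirectory", "FileSystemControl"}:
        return "file"
    return "other"


def parse_procmon_csv(text):
    """Read a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def rows_for_process(rows, process_name):
    """Equivalent of the ProcMon filter 'Process Name is <name>'."""
    wanted = process_name.lower()
    return [r for r in rows if r["Process Name"].lower() == wanted]


def triage(text, process_name):
    """Group one process's rows by activity class and pull out the events
    worth a second look: deletions, files written and VM-artifact lookups."""
    rows = rows_for_process(parse_procmon_csv(text), process_name)
    by_class = defaultdict(list)
    for r in rows:
        by_class[classify(r["Operation"])].append(r)
    # A SetDispositionInformationFile with 'Delete: True' is how a file
    # deletion shows up in ProcMon (the Desktop copy removing itself here).
    deleted = [r["Path"] for r in rows
               if r["Operation"] == "SetDispositionInformationFile"
               and "Delete: True" in r["Detail"]]
    written = sorted({r["Path"] for r in rows if r["Operation"] == "WriteFile"})
    # Registry paths mentioning VMware are the hint that the sample is
    # probing for a virtualised analysis environment.
    vm_artifacts = sorted({r["Path"] for r in by_class.get("registry", [])
                           if "vmware" in r["Path"].lower()})
    return {
        "counts": {cls: len(v) for cls, v in by_class.items()},
        "deleted": deleted,
        "written": written,
        "vm_artifacts": vm_artifacts,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PROCMON_CSV, "rep.exe")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Export the real log with File > Save in ProcMon (CSV, all events) and pass its contents to triage() in place of the constructed sample; the class counts give a quick feel for where the activity is before you drill into one class at a time.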

The malware creates a Windows service, SVKP.sys. Let's look for more about this service in the CaptureBat log. Opening the log in Excel is handy because of Excel's filtering capabilities.

When we examine the CaptureBat output, we can't help but feel a little suspicious about the results. Oddly, the file shows very limited and subdued activity from the malware, and there is no sign of the SVKP service. Let's keep this in mind and work with what else we have.

Let's see what the malware did in the registry.
As we can see, there are entries about VMware Tools. This hints that the malware can probably detect the presence of VMware or other virtualization software. Why would it need that? It lets the malware detect that analysts like us are studying it, so it changes its behavior when it finds this out.

In such cases it's a good idea to remove the VMware entries from the image and run the malware again, which is what we will do. Open the snapshot we saved earlier, remove the VMware entries from its registry, and take another snapshot so that we can revert to this 'VMware-free' snapshot later should the need arise.

CaptureBat keeps copies of files the malware deletes while it runs. Let's check whether CaptureBat saved any file when Reptile ran. Aha! As we saw earlier in the ProcMon entries, it had removed the executable from the Desktop, but CaptureBat has saved a copy of this file.


It's always a good habit to check the files the malware may have deleted; sometimes this information is missing from the analysis files we captured. So let's remove VMware Tools from the registry of our virtual image and run the malware again.


We can remove the VMware entries from the registry as shown in the image above. Once that is done, let's repeat the process: run the malware and capture its behavior with the tools mentioned earlier.
When we check the results of the tools this time, there is a considerable increase in activity. Another thing to notice is that the executable is not removed from the desktop. This clearly shows that the malware can detect analysis tools (mainly VMware). We will analyze this ability of the malware in the static analysis, so be sure to check that blog entry if you are interested in how the malware detects the presence of VMware.

Checking the comparison in RegShot shows which registry entries were modified.


Reptile copies itself to C:\Windows\system32\SVKP.sys and win32ssr.exe.
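As an added example, not Regshot's code and not from the original post, the script below reproduces the comparison step in Python over two constructed snapshots: it diffs registry keys, values and the file listing between the first and second snapshot, and masks known noise such as the RNG Seed value that changes on every run, so that the SVKP service key and the two files dropped into system32 stand out. The snapshot contents, value data and file sizes are assumptions made up for the example.

```python
"""Regshot-style comparison of a before and an after system snapshot.

Added example, not code from the original post or from Regshot: the two
snapshots below are constructed to illustrate what a comparison after the
'VMware-free' run might show (a service key and two dropped files); the key
names, value data and file sizes are illustrative stand-ins.
"""
import copy
import fnmatch

# Registry paths that change on every boot or run regardless of the sample;
# Regshot output is full of these, so a comparison should mask them.
# (Assumption: grow this list from clean baseline runs of the same image.)
NOISE_PATTERNS = [
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*",
]

# Constructed "first snapshot": a minimal registry and file listing.
BEFORE = {
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG": {"Seed": "a1b2c3"},
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {"ProductName": "Microsoft Windows XP"},
        r"HKLM\SYSTEM\CurrentControlSet\Services\Beep": {"Start": 1, "Type": 1},
    },
    "files": {
        r"C:\Documents and Settings\analyst\Desktop\rep.exe": 65536,
        r"C:\Windows\system32\kernel32.dll": 983040,
    },
}

# Constructed "second snapshot": the RNG seed changed (noise), a service key
# for SVKP appeared, and two files were dropped into system32.
AFTER = copy.deepcopy(BEFORE)
AFTER["registry"][r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG"]["Seed"] = "d4e5f6"
AFTER["registry"][r"HKLM\SYSTEM\CurrentControlSet\Services\SVKP"] = {
    "ImagePath": r"C:\Windows\system32\SVKP.sys", "Start": 3, "Type": 1}
AFTER["files"][r"C:\Windows\system32\SVKP.sys"] = 4096
AFTER["files"][r"C:\Windows\system32\win32ssr.exe"] = 65536


def is_noise(path, patterns):
    """True if a registry value path matches one of the noise patterns."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in patterns)


def compare_snapshots(before, after, noise=NOISE_PATTERNS):
    """Return the Regshot-style sections: keys, values and files added,
    deleted or modified. Values under a newly added key are listed too."""
    d = {s: [] for s in ("keys_added", "keys_deleted", "values_added",
                         "values_deleted", "values_modified",
                         "files_added", "files_deleted", "files_modified")}
    breg, areg = before["registry"], after["registry"]
    for key in sorted(set(areg) - set(breg)):
        d["keys_added"].append(key)
        d["values_added"] += [f"{key}\\{n}: {v!r}" for n, v in sorted(areg[key].items())]
    for key in sorted(set(breg) - set(areg)):
        d["keys_deleted"].append(key)
        d["values_deleted"] += [f"{key}\\{n}: {v!r}" for n, v in sorted(breg[key].items())]
    for key in sorted(set(breg) & set(areg)):
        bv, av = breg[key], areg[key]
        for n in sorted(set(bv) | set(av)):
            path = f"{key}\\{n}"
            if is_noise(path, noise):
                continue  # mask values that change on every run
            if n not in bv:
                d["values_added"].append(f"{path}: {av[n]!r}")
            elif n not in av:
                d["values_deleted"].append(f"{path}: {bv[n]!r}")
            elif bv[n] != av[n]:
                d["values_modified"].append(f"{path}: {bv[n]!r} -> {av[n]!r}")
    bf, af = before["files"], after["files"]
    d["files_added"] = sorted(set(af) - set(bf))
    d["files_deleted"] = sorted(set(bf) - set(af))
    d["files_modified"] = sorted(p for p in set(bf) & set(af) if bf[p] != af[p])
    return d


def format_report(d):
    """Render the comparison in the sectioned layout Regshot users expect."""
    lines = []
    for section, items in d.items():
        title = section.replace("_", " ").capitalize()
        lines += ["-" * 34, f"{title}: {len(items)}", "-" * 34]
        lines += items
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_snapshots(BEFORE, AFTER)))
```

Run the comparison once with noise=[] on a clean baseline (snapshot, wait, snapshot again with no sample executed) and everything that shows up belongs in NOISE_PATTERNS; with that list in place the report after a malware run is short enough to read in full.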

Based on the initial behavioral findings we can say:

  • The malware can detect the presence of VMware and other analysis tools
  • The malware removes itself from the system if it detects analysis tools
  • The malware copies itself as a service and an executable into the C:\Windows\ folder

1 comment:


  1. A big thank you for the enlightening post. Your blog continues to be an excellent resource for enhancing our knowledge in this field. Great work!
    E-Discovery software
