SYSTEMBC ROOT ACCESS
TROJAN MALWARE
ANALYSIS
EKRMA ELNOUR
Outline
01 INTRODUCTION: definition of malware and RAT
02 TOOLS: the VMs and tools used in the analysis
03 SETTING UP THE ENVIRONMENT: the VMs and network configuration
04 STATIC ANALYSIS: analysis before running the malware
05 DYNAMIC ANALYSIS: analysis after running the malware
06 CONCLUSION: summary of the process and findings
Introduction
01 MALWARE
Malware is a contraction of "malicious software": intrusive software designed to damage or disrupt computers and computer systems, or to gain unauthorised access to them.
02 RAT
RAT stands for Remote Access Trojan: malware that gives an attacker remote control of an infected system, typically including high-privilege access, known as "root" or Administrator privilege. (This report's title expands the acronym as "Root Access Trojan"; the standard expansion is Remote Access Trojan.)
Tools
These are the main tools used during the analysis process:
REMnux VM
INetSim
VirusTotal
FLARE VM
PEstudio
FLOSS
Wireshark
Regshot
proc_watch
Process Monitor
Setting-up the Environment
FLARE VM was installed on a Windows 10 x64 base system, and a REMnux VM alongside it; both run in VMware Workstation 16 Pro 16.2.2.
The VMware virtual network card was set to host-only, with IPs of [Link] for FLARE VM, isolating the two machines from the host system.
INetSim was configured on REMnux to simulate internet services, and the connection from FLARE VM to it was tested.
Two snapshots were taken as recovery points for the FLARE VM: one of the bare Windows 10 install and one after configuring FLARE.
Caveat: the per-VM table below lists the adapters as NAT. A NAT adapter routes guest traffic out through the host, so a running sample can reach the real internet; for an isolated lab both adapters should be host-only, with INetSim on REMnux as the only reachable "internet", and the snapshot restored after each detonation.

FLARE VM (the static and dynamic analysis was done on this machine)
Memory: 4 GB
Disk: 60 GB
Processors: 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz)
Network: NAT (IP address [Link] - Default Gateway [Link])

REMnux VM (INetSim was used here to simulate internet services)
Memory: 2 GB
Disk: 60 GB
Processors: 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz)
Network: NAT (IP [Link])
STATIC ANALYSIS
01 The file hash was calculated and uploaded to VirusTotal; the file was found to be malicious and is reported as a network trojan. (Look the hash up before uploading: an upload shares the sample with every vendor, and a hash search alone avoids tipping off anyone watching for that sample.)
02 PEstudio was used to get general information about the file (header information and blacklisted functions).
03 The FLOSS tool was used to search for network-related strings; several suspicious strings were found, mainly related to network activity.
04 PEstudio shows 36 indicators of malicious use in this file. Some of them were already found in the FLOSS search; here they are confirmed.
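The static stage above (hash for VirusTotal, compile timestamp from the PE header, strings filtered for network indicators) can be reproduced offline. The script below is an added example for this report, not the report's own tooling and not PEstudio or FLOSS code; it parses the COFF header by hand rather than with the pefile library, and the sample bytes it runs on are constructed (a minimal DOS+PE header plus a string blob whose timestamp is set to the date the report gives), not the SystemBC binary. The URL and IP in the blob are documentation placeholders, not real indicators.

```python
"""Static triage of a PE sample: hashes, compile timestamp, and network strings.

Added example for this report. Re-implements the static steps the report did
with VirusTotal, PEstudio and FLOSS on a constructed stand-in sample.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample; SHA-256 is the key to search on VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF header TimeDateStamp (what PEstudio reports as compile time).
    e_lfanew at DOS offset 0x3C points at 'PE\\0\\0'; the 4-byte timestamp follows the
    signature (4 bytes), Machine (2) and NumberOfSections (2), i.e. at +8."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


# Network indicators: IPv4 literals, URLs, and WinSock/WinINet API names that
# PEstudio blacklists and FLOSS surfaces. The IP pattern also matches version
# strings such as 6.1.7600.1, so review hits rather than trusting them blindly.
NETWORK_RE = re.compile(
    r"(\b\d{1,3}(?:\.\d{1,3}){3}\b|https?://|\b(?:WSAStartup|socket|connect|send|recv|"
    r"gethostbyname|InternetOpen\w*|InternetConnect\w*|HttpSendRequest\w*|URLDownloadToFile\w*)\b)",
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len characters (the 'strings' step)."""
    return [m.group(0).decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def network_indicators(strings) -> list:
    """Strings carrying a network indicator, de-duplicated, in file order."""
    seen, out = set(), []
    for s in strings:
        if NETWORK_RE.search(s) and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def build_sample() -> bytes:
    """Constructed stand-in sample (not the real binary): minimal DOS+PE header and
    a string blob. Timestamp 1568332800 = Fri 2019-09-13 00:00:00 UTC, the date the
    report gives; the real sample's time of day is not reproduced."""
    pe_offset = 0x80
    dos = bytearray(pe_offset)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 4, 1568332800) + b"\x00" * 12
    strings = b"\x00".join([
        b"kernel32.dll", b"WSAStartup", b"InternetOpenA", b"GetTickCount",
        b"http://example.invalid/gate.php",  # placeholder, not a real C2
        b"192.0.2.10",                       # documentation range, not a real C2
        b"C:\\ProgramData\\trcn\\", b"abc",  # 'abc' is below the length cut-off
    ])
    return bytes(dos) + coff + b"\x00" * 16 + strings


def triage(data: bytes) -> dict:
    """One report per sample: what you would submit, when it was built, what it talks to."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "compile_time": pe_compile_time(data).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "string_count": len(strings),
        "network": network_indicators(strings),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it on a real file with `triage(open(path, "rb").read())`. The TimeDateStamp is written by the linker and is trivially forged, so treat it as a lead, not evidence; the string hits are what you take into the dynamic stage to confirm.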
DYNAMIC ANALYSIS
05 A registry snapshot was taken before and after running the sample (Regshot) and showed the malware creating a key value for a scheduled task.
06 The process-monitoring tool proc_watch showed a new launch of the malicious executable "kexvi".
07 Process Monitor was launched to monitor the system and showed repeated launch attempts and network activity.
08 The Wireshark network capture showed multiple connection attempts to 9 different malicious IPs:
[Link] - [Link] - [Link] - [Link] - [Link] - [Link] - [Link] - [Link] - [Link]
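The two dynamic findings that matter most, the new scheduled-task registry entry and the repeated connection attempts, are the kind of thing you want to pull out of tool exports automatically rather than by eye. The script below is an added example for this report, not the report's own tooling and not Regshot or Wireshark code: it diffs two Regshot-style snapshots and flags entries under known persistence locations, and it counts outbound TCP SYNs per destination from a tshark-style CSV export. Both snapshots and the capture lines are constructed; the destination addresses are from the 192.0.2.0/24 documentation range, not the nine IPs the report observed, and the task name "launcher" and path "launcher.exe" are made-up stand-ins.

```python
"""Dynamic-stage triage: Regshot-style registry diff with persistence flagging,
and a tshark-style summary of outbound connection attempts.

Added example for this report; all data below is constructed.
"""
import csv
import io
from collections import Counter

# Registry locations to check first for persistence. The report saw a new entry
# under the Task Scheduler cache; Run keys and Services are the other usual ones.
PERSISTENCE_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)

# Constructed snapshots: 'Key\ValueName' -> data, as a Regshot export lists them.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag\Id": "{11111111-0000-0000-0000-000000000001}",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "00 00 00 00",
}
AFTER = dict(BEFORE)
AFTER.update({
    # persistence: a new scheduled task ('launcher' is a made-up name)
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\launcher\Id": "{22222222-0000-0000-0000-000000000002}",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22222222-0000-0000-0000-000000000002}\Path": r"\launcher",
    # noise: ordinary Explorer churn that a before/after diff also picks up
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "01 00 00 00",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU\0": "launcher.exe",
})

# Constructed tshark export: tshark -T fields -E header=y -E separator=, with the
# fields named in the header. The UDP row has empty TCP fields, as tshark emits.
CAPTURE_CSV = """\
frame.time_relative,ip.src,ip.dst,tcp.dstport,tcp.flags.syn,tcp.flags.ack
0.000,10.0.0.5,192.0.2.10,4001,1,0
3.002,10.0.0.5,192.0.2.10,4001,1,0
6.010,10.0.0.5,192.0.2.10,4001,1,0
6.500,10.0.0.5,192.0.2.20,4001,1,0
6.600,192.0.2.20,10.0.0.5,49152,1,1
7.000,10.0.0.9,192.0.2.40,80,1,0
9.800,10.0.0.5,192.0.2.30,443,1,0
12.100,10.0.0.5,10.0.0.1,,,
"""


def diff_registry(before: dict, after: dict) -> dict:
    """Regshot-style diff of two snapshots: keys added, removed, and changed."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


def _is_persistence(key: str) -> bool:
    return key.lower().startswith(tuple(p.lower() for p in PERSISTENCE_PREFIXES))


def flag_persistence(diff: dict) -> list:
    """(key, new data) for added or changed entries under a persistence location."""
    hits = [(k, v) for k, v in diff["added"].items() if _is_persistence(k)]
    hits += [(k, new) for k, (_old, new) in diff["changed"].items() if _is_persistence(k)]
    return sorted(hits)


def connection_attempts(csv_text: str, host: str = None) -> list:
    """Count outbound TCP SYNs (SYN set, ACK clear) per destination ip:port.
    Repeated SYNs to one destination with no SYN/ACK back is the retry pattern
    behind the report's 'multiple connection attempts'. Rows without TCP fields
    (UDP, ICMP) are skipped. Returns [(dst, port, attempts)], most-tried first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if host and row["ip.src"] != host:
            continue
        if row["tcp.flags.syn"] != "1" or row["tcp.flags.ack"] != "0":
            continue
        counts[(row["ip.dst"], int(row["tcp.dstport"]))] += 1
    return sorted(((d, p, n) for (d, p), n in counts.items()), key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for key, data in flag_persistence(diff_registry(BEFORE, AFTER)):
        print(f"persistence: {key} = {data}")
    for dst, port, n in connection_attempts(CAPTURE_CSV, host="10.0.0.5"):
        print(f"{dst}:{port} {n} SYN(s)")
```

Pass the sandbox VM's address as `host` so that INetSim replies and other guests do not pollute the count; the unique destination list is what you compare against the reputation lookups, and the retry cadence (here about three seconds between SYNs) is itself a behavioural signature worth recording.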
Results (screenshots):
VirusTotal results
FLOSS results
PEstudio: header information
PEstudio: blacklisted functions
Regshot results
proc_watch results
Process Monitor results
Wireshark results
Conclusion
The software tested during the writing of this report was found to be malicious: 55 security vendors and 2 sandboxes flagged this file as malicious.
The malware was first compiled on Fri Sep 13 [Link] 2019 UTC (a PE timestamp is set by the linker and can be forged, so treat it as a hint rather than proof).
The malware creates an executable in the path C:\ProgramData\trcn\ [Link]; this file is the launcher for the connection through the network.
The nine IPs it contacts have been reported as malicious.
The later part of the behaviour was not tested due to environment restrictions; a more sophisticated environment is needed.