Example of a complete analysis

Static analysis

Loading the file into PEID

Loading the file into PEID

List of sections

Here we can see that there are resources inside the binary.

List of sections

Strings in the binary

A hard-coded svchost.exe string inside a binary is unusual.

Strings in the binary

Extracting resources

Extracting resources

Note that the extracted resource contains a lot of 0x41 bytes. Perhaps an XOR is performed to hide the resource.
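The reasoning behind that guess, as an added example that is not part of the original write-up: a PE file is mostly zero bytes (header padding, section slack), so a resource XOR-encoded with a single-byte key shows the key itself as its most frequent byte. The script below builds a constructed sample resource (a fake PE start encoded with key 0x41, standing in for the real extracted resource), recovers the key from byte frequency, confirms it by brute-forcing all 256 keys against the MZ signature, and decodes the data. The sample payload and its key are assumptions made for the example.

```python
from collections import Counter


def build_sample_resource():
    """Constructed sample standing in for the extracted resource: the start of a
    fake PE image (MZ header, zero padding, an embedded file name) XOR-encoded
    with the single-byte key 0x41. A real resource would be a whole executable."""
    plain = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    plain += b"svchost.exe\x00" + b"\x00" * 200   # zero slack, as in real PE headers
    key = 0x41
    return bytes(b ^ key for b in plain)


def guess_xor_key_by_frequency(data):
    """PE files are dominated by 0x00 bytes, so the most frequent byte of a
    single-byte-XOR-encoded PE is usually 0x00 ^ key, i.e. the key itself.
    This is why a resource full of 0x41 suggests key 0x41."""
    byte, _count = Counter(data).most_common(1)[0]
    return byte


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def brute_force_pe_keys(data):
    """Independent check: try all 256 keys and keep those that turn the first
    two bytes into the 'MZ' signature of a DOS/PE header."""
    return [k for k in range(256) if xor_decode(data[:2], k) == b"MZ"]


def analyze_resource(data):
    key = guess_xor_key_by_frequency(data)
    decoded = xor_decode(data, key)
    return {
        "frequency_key": key,
        "mz_keys": brute_force_pe_keys(data),
        "is_pe": decoded[:2] == b"MZ",
        "decoded": decoded,
    }


if __name__ == "__main__":
    result = analyze_resource(build_sample_resource())
    print("key guessed from byte frequency: 0x%02x" % result["frequency_key"])
    print("keys that yield an MZ header:", [hex(k) for k in result["mz_keys"]])
    print("decoded resource looks like a PE:", result["is_pe"])
    print("embedded name found:", b"svchost.exe" in result["decoded"])
```

The frequency heuristic only holds for a single-byte key over a mostly-zero plaintext; a multi-byte or rolling key needs a different approach, which is why the decoded header is checked for the MZ signature rather than trusting the guess alone.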

DependencyWalker Imports

DependencyWalker Imports

Dynamic analysis

Procmon in capture

procmon before capture

Regshot 1/2

Before launching the binary, take a first shot with Regshot to fingerprint the Windows registry, so that you can later see which keys have been modified.

regshot 1st shot

Regshot 2/2

Here we have all the registry keys that were modified or added during the process execution.

Regshot comparison

Process explorer

On the Process Explorer capture, we can see that after we started the malware, a new process called svchost.exe was also started.

process explorer

Comparing strings

When comparing strings present in the binary and strings present in memory, we can see that they are not the same.

Strings in the binary

Strings in memory look like keyboard keys. There is also a log file name. Could it be a keylogger?

Strings in memory
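The comparison described above, as an added example that is not part of the original write-up: a minimal `strings` equivalent is run over the bytes of the file on disk and over a dump of the running process, and the strings that exist only in memory (decoded or built at runtime) are grouped by the two patterns the page points at, bracketed key names and a log file name. Both byte buffers and the log path are constructed sample data; real inputs would be the file bytes and a memory dump of the PID.

```python
import re

# Constructed sample data standing in for (a) the binary on disk and (b) a dump
# of the running process's memory.
DISK_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"svchost.exe\x00"
    + b"KERNEL32.dll\x00"
    + b"\x00" * 16
)
MEMORY_DUMP = (
    DISK_IMAGE
    + b"[ENTER]\x00[BACKSPACE]\x00[SHIFT]\x00"
    + b"C:\\Users\\Public\\keylog.txt\x00"     # hypothetical log path
)


def extract_strings(data, min_len=4):
    """Minimal equivalent of the `strings` tool: printable ASCII runs of at
    least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def memory_only_strings(disk, memory):
    """Strings that exist in the running process but not in the file on disk:
    these were decoded, decrypted or built at runtime."""
    return extract_strings(memory) - extract_strings(disk)


def keylogger_indicators(strings):
    """Group runtime-only strings by the two patterns seen in the capture:
    bracketed key names ([ENTER], [SHIFT], ...) and log file names."""
    key_names = sorted(s for s in strings if re.fullmatch(r"\[[A-Z0-9 ]+\]", s))
    log_files = sorted(s for s in strings if s.lower().endswith((".txt", ".log")))
    return {"key_names": key_names, "log_files": log_files}


if __name__ == "__main__":
    new = memory_only_strings(DISK_IMAGE, MEMORY_DUMP)
    print("strings only present in memory:", sorted(new))
    print(keylogger_indicators(new))
```

A string that is present in memory but absent on disk is the interesting set: everything the static `strings` pass already showed is subtracted away, so what remains is what the sample hid from static analysis.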

Execution

During execution, we can see that the svchost.exe process is created and that nothing goes through the network (the Wireshark window stays empty).

malware execution

While our infected svchost.exe continues to run, let's relaunch Procmon, filter on the infected PID, and type something into Notepad. We can see operations such as CreateFile, WriteFile, CloseFile...

procmon keylogger

Here you can find the path of the file where the captured keystrokes are written.

log file path
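The same analysis done on a saved Procmon capture instead of the GUI, as an added example that is not part of the original write-up: the script parses a CSV export, filters on the suspect PID, and looks for the open/write/close pattern per keystroke that the capture above shows, which gives the log file path directly. The CSV lines are constructed sample data in the column layout assumed here for a Procmon CSV export (File > Save as CSV); the PID, timestamps and paths are made up for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout of a Procmon CSV export. PID 2712 plays
# the infected svchost.exe, PID 1488 is Notepad writing an ordinary document.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1234567","notepad.exe","1488","WriteFile","C:\\Users\\lab\\Desktop\\test.txt","SUCCESS","Offset: 0, Length: 12"
"10:15:02.2000000","svchost.exe","2712","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS","Desired Access: Generic Write"
"10:15:02.2000100","svchost.exe","2712","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS","Offset: 0, Length: 1"
"10:15:02.2000200","svchost.exe","2712","CloseFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS",""
"10:15:02.3000000","svchost.exe","2712","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS","Desired Access: Generic Write"
"10:15:02.3000100","svchost.exe","2712","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS","Offset: 1, Length: 1"
"10:15:02.3000200","svchost.exe","2712","CloseFile","C:\\Users\\lab\\AppData\\Roaming\\keylog.txt","SUCCESS",""
"10:15:02.4000000","svchost.exe","2712","RegQueryValue","HKLM\\System\\CurrentControlSet\\Control\\Session Manager","SUCCESS",""
"""


def parse_procmon_csv(text):
    """One dict per event, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def events_for_pid(events, pid):
    """Equivalent of the Procmon PID filter."""
    return [e for e in events if int(e["PID"]) == pid]


def file_write_targets(events, pid):
    """Paths the PID wrote to, with the number of WriteFile operations on each."""
    return Counter(e["Path"] for e in events_for_pid(events, pid)
                   if e["Operation"] == "WriteFile")


def write_bursts(events, pid):
    """Count CreateFile -> WriteFile -> CloseFile triplets on one path: the
    one-keystroke-per-write pattern visible in the Procmon capture."""
    evs = events_for_pid(events, pid)
    bursts = Counter()
    for a, b, c in zip(evs, evs[1:], evs[2:]):
        ops = (a["Operation"], b["Operation"], c["Operation"])
        if ops == ("CreateFile", "WriteFile", "CloseFile") and a["Path"] == b["Path"] == c["Path"]:
            bursts[a["Path"]] += 1
    return bursts


def likely_keystroke_log(events, pid):
    """The path with the most open/write/close bursts, or None if there is none."""
    bursts = write_bursts(events, pid)
    if not bursts:
        return None
    path, _count = bursts.most_common(1)[0]
    return path


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    print("write targets for PID 2712:", dict(file_write_targets(events, 2712)))
    print("likely keystroke log:", likely_keystroke_log(events, 2712))
```

Filtering on the PID first matters: without it, Notepad's own WriteFile to the document you are typing into shows up next to the malware's writes and muddies the picture.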

Content of the created log file:

log file content