===Information gathering===
1. Change to a working directory of your choice and create a folder for the collected files:
C:\Windows\system32> cd c:\Users\<User>\Desktop
- cd: Change directory
C:\Users\user\Desktop> mkdir suspect
- mkdir: Make directory (folder)
2. Some WMIC command tricks:
# Obtain all the running processes and output to a file
C:\Users\user\Desktop\suspect> wmic process list full > process.txt
# Obtain all the registered services and output to a file
C:\Users\user\Desktop\suspect> wmic service list full > service.txt
# Obtain all the startup programs and output to a file
C:\Users\user\Desktop\suspect> wmic startup list full > startup.txt
3. Collect network information:
# Obtain DNS cache and output to file
C:\Users\user\Desktop\suspect> ipconfig /displaydns > dnscache.txt
# Obtain the current live connections and output to a file
C:\Users\user\Desktop\suspect> netstat -abno > netstats.txt
- a: Displays all connections and listening ports.
- b: Displays the executable involved in creating each connection or listening port.
- n: Displays addresses and port numbers in numerical form.
- o: Displays the owning process ID associated with each connection.
Sample triage script to collect the information. *Note: You are required to run it as Administrator.*
If you execute the script, you should see three new files as shown below:
===Analyze the gathered information===
1. Look for any weird or abnormal DNS names in your dnscache file. The image below shows an example for Chrome:
* Note: You may verify the domain / IP address at VirusTotal
2. Check the suspected domain / IP addresses in the netstats file. Example as below:
3. Obtain the process ID from the netstats file and find the location of its executable file.
4. Go to the malicious process's file location. Calculate its hash using HashMyFiles and submit the hash to VirusTotal for validation. You may upload the file itself to VirusTotal or submit it to your dedicated AntiVirus vendor if it does not contain sensitive information.
*Note: The result can come back clean simply because no AntiVirus has analyzed this sample yet.*
Example of using HashMyFiles:
5. If you confirm that it is malware, terminate the process and delete the file.
Terminate through Task Manager:
Terminate through Command Prompt:
C:\Users\user\Desktop> taskkill /pid <malicious process ID>
The process ID is 520.
6. Remove the malware artifacts from the registry and from services:
Check the extracted startup program file (startup.txt) and look for suspicious programs.
Example:
#Delete the registry key.
C:\Users\user\Desktop> reg delete <malicious reg key full path> /v <value name>
#Stop and delete the service.
C:\Users\user\Desktop> sc stop <malicious service name>
C:\Users\user\Desktop> sc delete <malicious service name>
7. Restart your PC and run everything again to check whether the malware has been removed.
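Steps 1 to 3 above (suspicious name in the DNS cache, matching address in the netstat output, then the PID and executable behind it) can be done by hand in the text files, but they are also easy to script. The following Python is an added example and not part of the original guide: it parses constructed `ipconfig /displaydns` and `netstat -abno` output (the samples are made up; 203.0.113.45 is from a documentation address range and cdn-update.example.net is a placeholder for a domain you flagged, not a real indicator) and reports the PID and executable of every connection whose remote IP, or a name cached for that IP, is on a watchlist. Because the guide's netstat command uses -n, the foreign addresses are numeric, so the DNS cache is what ties a suspicious domain back to a connection.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str            # empty for UDP rows, which netstat prints without a state
    pid: int
    exe: str = ""         # from the "[name.exe]" line netstat -b prints under the row
    components: list = field(default_factory=list)   # service names listed in between

    @property
    def remote_host(self) -> str:
        """Strip the port; IPv6 endpoints are printed as [addr]:port."""
        if self.remote.startswith("["):
            return self.remote[1:self.remote.index("]")]
        return self.remote.rsplit(":", 1)[0]


# One connection row: proto, local address, foreign address, optional state, PID
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
NAME_RE = re.compile(r"^\s*Record Name\s*[. ]*:\s*(\S+)")
ADDR_RE = re.compile(r"^\s*(?:A \(Host\)|AAAA) Record\s*[. ]*:\s*(\S+)")


def parse_netstat(text: str) -> list:
    """Turn netstat -abno output into Connection objects, attaching the executable."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Connection(proto, local, remote, state or "", int(pid)))
        elif conns and line.strip():          # skip the header lines before the first row
            m = EXE_RE.match(line)
            if m:
                conns[-1].exe = m.group(1)
            else:
                conns[-1].components.append(line.strip())
    return conns


def parse_dns_cache(text: str) -> dict:
    """Map each IP in ipconfig /displaydns output to the names that resolved to it."""
    ip_to_names, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = ADDR_RE.match(line)
        if m and current:
            ip_to_names.setdefault(m.group(1), set()).add(current)
    return ip_to_names


def find_suspicious(conns: list, ip_to_names: dict, watchlist) -> list:
    """Return rows whose remote IP, or any cached name for it, is on the watchlist."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for c in conns:
        matched = ({c.remote_host} | ip_to_names.get(c.remote_host, set())) & watch
        if matched:
            hits.append({"pid": c.pid, "exe": c.exe, "remote": c.remote,
                         "state": c.state, "matched": sorted(matched)})
    return hits


# Constructed sample output (not captured from a real machine).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     1108
 [chrome.exe]
  TCP    192.168.1.10:49801     203.0.113.45:4444      ESTABLISHED     520
 [updater.exe]
  UDP    0.0.0.0:5353           *:*                                    1240
 [chrome.exe]
"""
DNS_SAMPLE = """\
    example.com
    ----------------------------------------
    Record Name . . . . . : example.com
    A (Host) Record . . . : 93.184.216.34

    cdn-update.example.net
    ----------------------------------------
    Record Name . . . . . : cdn-update.example.net
    A (Host) Record . . . : 203.0.113.45
"""
WATCHLIST = {"cdn-update.example.net"}   # placeholder for the names/IPs flagged in steps 1-2


def triage(netstat_text: str, dns_text: str, watchlist) -> list:
    return find_suspicious(parse_netstat(netstat_text), parse_dns_cache(dns_text), watchlist)


if __name__ == "__main__":
    for hit in triage(NETSTAT_SAMPLE, DNS_SAMPLE, WATCHLIST):
        print(f"PID {hit['pid']} ({hit['exe']}) -> {hit['remote']} matched {hit['matched']}")
```

Run it against the real files from the collection step by reading netstats.txt and dnscache.txt into the two text arguments; the PID it prints is the one you pass to taskkill in step 5, and the executable name is what you look up on disk in step 4. A hit on the IP alone (no cached name) is still a hit, which covers malware that connects by hard-coded address and never touches DNS.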
End of Just another Malware Analysis Guide (1) - Simple and easy